​​​​CMMC Certification Levels

last changes October 6th 2020

CMMC Certification Levels

As of the time of this writing the Cybersecurity Maturity Model Certification Framework is still under development and as such the actual requirements that must be completed in order to achieve the different CMMC certification levels are still not finalized. This page currently represents our best estimate of what each level will consist of based upon the current working draft and stated goals of the CMMC program. Please keep in mind that these requirements are subject to change and we will update the page when the final version of the CMMC has been published.

All CMMC Certification Levels above Level 1 will consist of two measurements; Processes and Practices. Processes are things such as creating policies and plans for each of the 17 domains covered by the CMMC. In contrast, Practices are the actual implementation of controls such as Access Control and Configuration Management.

CMMC certification levels and requirements - preliminary


Level 1:

CMMC Level 1 will be the base level of certification and at this point will consist of practices that correspond to basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. Currently that consists of 17 basic cyber security practices such as implementing Identity and Authentication and basic Access Controls. Level 1 is all about protecting Federal Contract Information (FCI) and is most likely to be required for anyone who obtains a DoD contract but does not produce solely Commercial Off the Shelf products. The vast majority of DOD contracts will require this level of certification.

Level 2:

The purpose of Level 2 seems to be to create a base level of cyber security for any organization who has Controlled Unclassified Information (CUI) in their organization and as such requires a higher level of security than those who only have FCI and not CUI. CMMC Level 2 certification will require written policies for each of the 17 domains covered by the CMMC as well as documented practices for implementing the policies for each domain. It will also be a more extensive set of security practices that are a subset of the security requirements listed in NIST SP 800-171 with a total of 55 additional practices to put in place in addition to those listed in Level 1.

Level 3:

At Level 3 the focus seems to be on fleshing out the base security practices established in Levels 1 & 2 and increasing the overall security of the organization. CMMC Level 3 certification will require that the organization establish, maintain, and resource a plan that demonstrates the management of activities for the implementation of CMMC. Currently the practices will encompass all the security requirements in NIST SP 800-171 as well as additional practices and standards for a total of 58 new practices on top of those required for a Level 2 implementation. Apart from CMMC Level 1 we expect this to be the most frequently required CMMC Level.

Level 4:

If an organization is required to achieve Level 4 certification then the main focus shifts to enhancing the organizations effectiveness of protecting CUI from Advanced Persistent Threats (APTs). While it does not have as many new practices to implement as Levels 2 and 3 did, the practices currently listed are much more complex and time consuming to both implement and maintain. Currently CMMC Level 4 will require that an organization review and measure practices for effectiveness as well as implement a subset of enhanced security practices from DRAFT NIST SP 800-171B and other security best practices for a total of 26 additional practices more than those required for Level 3.

Level 5:

CMMC Level 5 will require that organizations standardize and optimize process implementation across the organization. This level is again focused on the protection of CUI from APTs and as such implements many more advanced security practices for the organization. The additional practices will increase the depth and sophistication of cybersecurity abilities for the organization and currently consists of an additional 15 practices above CMMC Level 4.

How to Get There:

Ecuron offers the following CMMC Services:

If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at cmmc@ecuron.com or give us a call.


Join Our CMMC Notification List

Sign up below and we will notify you when the Standard is finalized and how we can help you.


We’d Love to Talk About Your Cybersecurity Strategy.

- ​None of the information you provide in the form below will be used for marketing purposes -