last changes March 9th 2021

This page is intended to provide a quick overview of what each level consists of. For the full details please see the official CMMC program.

All CMMC Certification Levels above Level 1 are assessed on two measurements: Processes and Practices. Processes are organizational activities such as creating policies and plans for each of the 17 domains covered by the CMMC. Practices, in contrast, are the actual implementation of controls within those domains, such as Access Control and Configuration Management. Level 1 is assessed on practices only; there is no process maturity requirement at that level.

Level 1:

CMMC Level 1 is the base level of certification and consists of practices that correspond to the basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. This lowest level consists of 17 basic cyber security practices, such as identification and authentication and basic access controls. Level 1 is about protecting Federal Contract Information (FCI) and will be required for anyone who holds a DoD contract and does not solely produce Commercial Off the Shelf (COTS) products. The vast majority of DoD contracts will require this level of certification.

Level 2:

The purpose of Level 2 appears to be to establish an intermediate level of cyber security for organizations preparing to handle Controlled Unclassified Information (CUI), which demands more protection than FCI alone. CMMC Level 2 certification will require written policies for each of the 17 domains covered by the CMMC, as well as documented practices for implementing those policies in each domain. It also adds a more extensive set of security practices, drawn as a subset of the security requirements in NIST SP 800-171: 55 additional practices on top of those listed in Level 1, for 72 in total. We see this Level as a transitional step in preparation for Level 3; on its own it will not make business sense for most organizations, because it does not yet permit the handling of CUI.

Level 3:

At Level 3 the focus is on protecting CUI, fleshing out the base security practices established in Levels 1 and 2, and raising the overall security of the organization. CMMC Level 3 certification will require that the organization establish, maintain, and resource a plan demonstrating how it manages the activities for implementing its CMMC practices. The practices encompass all 110 security requirements in NIST SP 800-171 plus additional practices drawn from other standards, for a total of 58 new practices on top of those required for Level 2, or 130 in total. If your organization handles both FCI and CUI, you will have to meet CMMC Level 3 requirements or higher. This is why we expect this to be the second most frequently required CMMC Level.

Level 4:

If an organization is required to achieve Level 4 certification, the main focus shifts to improving its effectiveness at protecting CUI from Advanced Persistent Threats (APTs). While Level 4 does not add as many new practices as Levels 2 and 3 did, the practices it lists are much more complex and time consuming to implement and maintain. CMMC Level 4 will require that an organization review and measure its practices for effectiveness, and implement a subset of the enhanced security requirements from DRAFT NIST SP 800-171B along with other security best practices, for a total of 26 additional practices on top of those required for Level 3, or 156 in total. Ecuron estimates that fewer than 100 companies will be required to become CMMC Level 4 compliant.

Level 5:

CMMC Level 5 will require that organizations standardize and optimize process implementation across the organization. This level is again focused on protecting CUI from APTs and therefore adds many more advanced security practices. These additional practices increase the depth and sophistication of the organization's cyber security capabilities and consist of 15 practices above CMMC Level 4, or 171 in total. As with Level 4, we expect fewer than 100 organizations to fall into this category.

How to Get There:

