CMMC Levels Guide
This page presents an in-depth guide to the three levels of CMMC 2.0, including their key features, their requirements and practices, their assessment processes, and how to know which level your company falls into.
When the Cybersecurity Maturity Model Certification (CMMC) was first proposed in 2020, there were five suggested certification levels. However, CMMC 2.0, which officially entered the Federal Register with the publication of the 32 CFR final rule, has three certification levels:
- Level 1 (Foundational)
- Level 2 (Advanced)
- Level 3 (Expert)
CMMC Level 1 (Foundational)
Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification (CMMC). It ensures that contractors meet basic cybersecurity standards necessary to protect Federal Contract Information (FCI). Unlike higher levels, it’s geared toward simple practices that establish cybersecurity hygiene rather than advanced measures.
Key Features:
- Protects Federal Contract Information (FCI) but does not involve Controlled Unclassified Information (CUI).
- Requires adherence to 17 basic practices drawn from FAR 52.204-21 (Federal Acquisition Regulation clause).
- Allows for self-assessment rather than requiring third-party audits, making it less resource-intensive than higher levels.
Who Needs CMMC Level 1 Certification?
CMMC Level 1 is for DoD contractors—both prime and subcontractors—who handle FCI but not CUI. If you don’t handle CUI but are contractually obligated to be able to, you would fall under Level 2, not Level 1.
CMMC Level 1 Requirements and Practices
CMMC Level 1 focuses on basic safeguarding practices across 7 domains with 17 distinct security practices. These practices are straightforward and designed to ensure contractors meet a minimal standard of cybersecurity. The 7 domains are:
- Access Control (AC)
- Awareness and Training (AT)
- Identification and Authentication (IA)
- Media Protection (MP)
- Physical Protection (PE)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
The Level 1 Assessment Process
CMMC Level 1 requires an annual self-assessment and annual affirmation. It’s unique in allowing contractors to self-assess their compliance rather than relying on third-party evaluations. This approach reduces the financial and administrative burden for smaller contractors while maintaining a baseline of cybersecurity.
Key Steps in Level 1 Self-Assessment
- Review Requirements
- Implement Necessary Controls
- Complete the DoD Assessment Methodology
- Submit Your Self-Assessment Score to the SPRS (Supplier Performance Risk System)
- Maintain Compliance
CMMC Level 2 (Advanced)
The vast majority of DoD contractors will fall under CMMC Level 2. It’s designed specifically to ensure that CUI is protected from unauthorized access and advanced threats. Level 2 requires full implementation of the 110 practices across 14 domains outlined in NIST SP 800-171.
Key Features:
- Level 2 is designed to protect CUI and applies to all companies handling CUI or contractually required to be able to handle CUI.
- Unlike Level 1, which allows self-assessments, Level 2 requires evaluations by Certified Third-Party Assessment Organizations (C3PAOs) to ensure compliance.
- Contractors must maintain robust documentation, including a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), to demonstrate compliance and address gaps.
Who Needs Level 2 Certification?
CMMC Level 2 certification is required for DoD contractors and subcontractors that handle CUI, which includes sensitive but unclassified data such as technical specifications and procurement details. This certification applies to all companies within the DIB working on or bidding on contracts that specify CUI protection requirements.
CMMC Level 2 Requirements and Practices
CMMC Level 2 is closely aligned with NIST SP 800-171. It requires contractors to implement and maintain 110 security controls and 320 assessment objectives across 14 domains.
The 14 domains are:
- Access Control (AC): Limit access to systems, resources, and data to authorized users only.
- Awareness and Training (AT): Train employees to recognize and respond to cybersecurity threats.
- Audit and Accountability (AU): Maintain records of cybersecurity incidents and system activities.
- Configuration Management (CM): Standardize and monitor configurations for security settings.
- Identification and Authentication (IA): Verify the identity of users and devices accessing systems.
- Incident Response (IR): Plan for detecting, responding to, and recovering from cybersecurity events.
- Maintenance (MA): Protect maintenance activities and personnel access to systems.
- Media Protection (MP): Secure sensitive data on removable and electronic media.
- Personnel Security (PS): Screen and secure personnel with access to sensitive systems.
- Physical Protection (PE): Limit physical access to IT infrastructure.
- Risk Assessment (RA): Regularly assess and manage risks to systems and data.
- Security Assessment (CA): Periodically evaluate the effectiveness of security measures.
- System and Communications Protection (SC): Secure data in transit and within systems.
- System and Information Integrity (SI): Detect and protect against malware and unauthorized changes.
For a fuller account of all 14 domains of NIST 800-171’s security controls included in CMMC Level 2, see this post.
The Level 2 Assessment Process
To achieve Level 2 certification, most companies will have to undergo an audit by a Cyber AB-certified CMMC Third-Party Assessment Organization (C3PAO). At least two CMMC Certified Assessors (CCAs) review your security processes along with all relevant documentation, interview key personnel at your company about implementation and procedures, and then test your security technology and procedures themselves to determine whether they meet the standards set by NIST SP 800-171.
Key Steps in Preparing for Level 2 Assessment
- Establish a System Security Plan (SSP): An SSP outlines an information system’s security requirements and lays out a plan for meeting those requirements. To stay on track for CMMC compliance, develop your organization’s SSP to formally document its cybersecurity practices, policies, and procedures. It should detail how your organization implements each required CMMC practice and control, so that you have a detailed account and comprehensive overview of your cybersecurity framework.
- Conduct a NIST 800-171A Self-Assessment to Identify Gaps: Perform a self-assessment based on NIST SP 800-171A, which outlines methods and procedures for evaluating the implementation of security requirements.
- Build a Plan of Action and Milestones (POA&M): Create a POA&M to address any gaps identified during your self-assessment. A POA&M outlines the steps needed to achieve full compliance in your organization. If your organization struggles to meet certain security controls, a POA&M can help identify these gaps and outline the necessary technologies or procedures to address them.
- Implement Improvements Based on POA&M and Set a Timeline for Full CMMC Compliance: Assess your organization’s progress toward CMMC compliance and establish a realistic timeline for achieving full certification. Consider factors such as the complexity of the required controls, resource availability, and contractual deadlines. You might also consider partnering with a Registered Provider Organization (RPO), which can help with a variety of performance metrics and assist you through the compliance process.
- Conduct a CMMC Self-Assessment: Perform a CMMC self-assessment to verify that your organization meets the required practices and processes for Level 2 maturity. This assessment should mirror the official certification process and help identify any remaining areas for improvement. Thoroughly evaluate your current practices and identify specific vulnerabilities (if there are any) before undergoing the official assessment. This approach ensures that your company will be well-prepared for future assessments and increases your likelihood of achieving the desired certification level.
- Choose a CMMC Third-Party Assessment Organization (C3PAO): Organizations at CMMC Level 2 select a C3PAO for their official CMMC assessment. The C3PAO evaluates your organization’s compliance with Level 2 requirements and issues a certification based on your demonstrated cybersecurity practices. Choosing a reputable and experienced C3PAO is crucial for a successful assessment.
See this post for more in-depth information about the Level 2 audit process.
CMMC Level 3 (Expert)
Level 3 represents the most advanced tier of CMMC. It’s designed for DoD contractors and subcontractors handling highly sensitive CUI that could impact national security if compromised. Level 3 requires advanced, comprehensive cybersecurity measures to protect against Advanced Persistent Threats (APTs).
Key Features:
- Encompasses 130 practices, including all 110 controls from NIST SP 800-171 and an additional 24 practices drawn from NIST SP 800-172.
- Focuses on advanced threat detection, response, and recovery mechanisms.
- A DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment is required every three years for Level 3 certification, along with an annual affirmation.
Who Needs Level 3 Certification?
Of the over 80,000 contractors in the DIB, only around 1% are expected to require Level 3 certification. This group encompasses companies working with unclassified data critical to classified operations; companies that produce weapons systems, aerospace technologies, or intelligence-related projects; and companies working on research and development, advanced manufacturing, or supply chain management for mission-critical technologies.
CMMC Level 3 Requirements and Practices
Level 3 includes the 110 security controls from NIST SP 800-171 but adds another 24 enhanced practices from NIST 800-172 for advanced security measures. Below are some key domains with selected advanced practices:
- Access Control (AC): Enforce fine-grained access controls based on roles, sensitivity, and user behavior. User permissions are to be adjusted dynamically in response to security events.
- Awareness and Training (AT): Level 3 implements role-specific training programs for advanced cybersecurity tasks and mandates threat awareness programs to mitigate risks from trusted individuals.
- Audit and Accountability (AU): Enable automated log correlation and analysis for real-time threat detection. Use tamper-proof audit mechanisms to protect and verify the integrity of logs.
- Incident Response (IR): Establish advanced incident response playbooks tailored to APT scenarios. Conduct red team/blue team exercises to simulate attacks and test response capabilities.
- Risk Management (RM): Perform continuous risk assessments using automated tools to identify evolving threats. Integrate supply chain risk management practices to evaluate and secure third-party vendors.
- System and Communications Protection (SC): Use advanced encryption standards to protect sensitive data in transit and at rest. Deploy network segmentation to isolate critical systems and limit the spread of attacks.
- System and Information Integrity (SI): Implement behavior-based anomaly detection to identify malicious activities. Use automated patch management systems to address vulnerabilities in real-time.
The Level 3 Assessment Process
The Level 3 assessment process is significantly more rigorous and complex than Level 2, reflecting the DIBCAC’s enhanced requirements for advanced threat protection and continuous compliance. After receiving Level 2 certification through a C3PAO, contractors seeking to attain Level 3 must demonstrate not just the presence of controls but their effectiveness in real-world, high-risk scenarios. Additional documentation, such as supply chain risk management plans, continuous monitoring reports, and a more comprehensive SSP, is required, and the evaluation examines the ability of the OSA (Organization Seeking Assessment) to respond dynamically to real-world attack scenarios and to conduct continuous monitoring and real-time incident response through automated systems. Furthermore, the assessment is performed by DIBCAC rather than by a C3PAO of the organization’s choosing.
Master Your CMMC Level with ISI
Whichever CMMC certification level your organization needs to achieve, ISI has the industry expertise you need to set your organization up for success. As the DoD rolls out requirements in new contracts, being ahead of the game at CMMC compliance gives your organization a competitive edge and demonstrates your commitment to advanced, thorough cybersecurity. Schedule a discovery call to find out how ISI can become your trusted partner in the process.