The Cybersecurity Maturity Model Certification (CMMC) combines several discrete compliance processes into one, including NIST SP 800-171, NIST SP 800-53 and ISO 27001. An overview of each CMMC certification level, along with a detailed description, is provided below:
CMMC Level 1
Level 1 – Safeguard Federal Contract Information
Level 1 requires that an organization perform the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner, and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of Federal Contract Information (“FCI”) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
CMMC Level 2
Level 2 – Serve as a transition step in cybersecurity maturity progression to protect CUI
Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documenting practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices references the protection of Controlled Unclassified Information (“CUI”).
CMMC Level 3
Level 3 – Protect Controlled Unclassified Information
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252.204-7012 applies and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.
CMMC Level 4
Level 4 – Protect CUI and reduce risk of APTs
Level 4 requires that an organization review and measure its practices for effectiveness. In addition, organizations at this level can take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.
Level 4 focuses on the protection of CUI from Advanced Persistent Threats (“APTs”) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (“TTPs”) used by APTs.
CMMC Level 5
Level 5 – Protect CUI and reduce risk of APTs
Level 5 requires an organization to standardize and optimize process implementation across the organization.
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Sensei can help defense contractors prepare their cybersecurity processes and systems for the upcoming audit process. Each CMMC level has its own requirements that must be met in order to achieve certification. Once you understand the level you need to achieve, Sensei can get your cybersecurity protections up to date and ready for the assessment.
Questions? Need Help?
Please contact CEO/Director of Cybersecurity and Digital Forensics Michael Maschke at or at 703.359.0700.