CMMC Levels Explained: A Guide to CMMC 2.0 Certification Levels
For the latest information on CMMC 2.0, please click here.
The US Department of Defense (DoD) announced the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0 on July 17, 2021, bringing changes to the tiered model of CMMC certification levels.
The CMMC framework is designed to help contractors in the Defense Industrial Base (DIB) better assess and improve their cyber security posture by ensuring all DoD contractors implement appropriate cyber security practices and procedures to protect controlled unclassified information (CUI) and federal contract information (FCI).
This guide provides an overview of the Cybersecurity Maturity Model Certification, a breakdown of the updated CMMC certification levels, how to tell what level you need, and the next steps on your journey toward CMMC 2.0 compliance.
How many CMMC levels are there?
The latest CMMC 2.0 model has three levels (replacing the five-tier system in CMMC 1.02). Announced on July 17, 2021, the three CMMC levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.
What are the CMMC levels?
CMMC levels are a set of cybersecurity practices, standards, and processes published by the Department of Defense (DoD) as part of the CMMC program designed to protect national security by aligning how Defense contractors and subcontractors handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0 contains 3 security levels; Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The CMMC maturity level your organization must meet, and its compliance and assessment requirements will depend on the sensitivity of the data you’ll be working with.
Each CMMC certification level has its processes, practices, and assessment procedures for DoD contractors.
CMMC 2.0, Level 1: Foundational
Level 1 requires organizations to perform basic cybersecurity practices. However, they may be able to perform these practices in an ad-hoc manner without relying on documentation and are allowed to reach certification through an annual self-assessment.
As a result, C3PAOs don't assess process maturity for level 1. Practices at this level focus on the protection of FCI, so level 1 only includes practices that meet the basic safeguarding requirements described in 48 CFR 52.204-21.
Who needs CMMC level 1? DoD contractors and subcontractors that handle Federal Contract Information (FCI), or “Information not intended for public release. [that] is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” will need CMMC level 1 certification.
CMMC 2.0, Level 2: Advanced
Level 2 requires organizations to document their processes to guide their efforts to achieve CMMC Level 2 maturity. This documentation must also allow users to repeat these processes.
Organizations must perform their processes as documented to achieve this maturity level.
Level 2 practices are classified as advanced cyber hygiene practices (often referred to as intermediate cyber hygiene), which is a progression between level 1 and level 3.
CMMC 2.0 Level 2 is equivalent to CMMC 1.02 Level 3, based on NIST SP 800-171. It includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171 but eliminates all 20 Level 3 practices and processes unique to CMMC 1.02.
Assessment requirements for level 2 compliance differ based on whether the CUI data handles if critical or non-critical to national security. Organizations with prioritized acquisitions that handle data critical to national security must pass a higher level third-party assessment (C3PAOs) every 3 years, while non-prioritized acquisitions with data not critical to national security must conduct an annual self-assessment.
Who needs CMMC level 2? DoD contractors and subcontractors that handle the same type of controlled unclassified information (CUI)must meet level 2 compliance. A lower CMMC level may apply to the subcontractor if the prime only flows down select information.
CMMC 2.0, Level 3: Expert
The level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats (APTs) by requiring an organization to establish, maintain and resource a plan to manage the activities needed to implement its cyber security practices.
This plan can include information on various specific topics, including goals, missions, projects, resourcing, training, and the involvement of organization stakeholders.
The cybersecurity practices at this level qualify as good cyber hygiene practices and focus on protecting CUI. However, they also encompass all the security requirements that NIST SP 800-171 specifies and the other 20 practices added for CMMC level 2.
DFARS clause 252.204-7012 still applies, adding requirements beyond NIST SP 800-171 such as reporting security incidents.
CMMC 2.0 Level 3 applies to companies that handle CUI for DoD programs with the highest priority.
It’s comparable to CMMC 1.02 Level 5, although the DoD is still developing its specific security requirements.
However, it has already been indicated that the requirements of Level 3 will be based on NIST SP 800-171’s 110 controls in addition to a subset of NIST SP 800-172 controls.
CMMC domains: The 17 core security domains of CMMC 2.0
CMMC 2.0 incorporates existing federal regulations regarding cyber security such as 48 CFR 52.204-21, DFARS clause 252.204-7012, NIST SP 800-171, and NIST SP 800-172 into a single set of best practices in cyber security.
It categorizes these practices into 17 domains with 43 capabilities that were created to simplify the design of a CMMC cybersecurity program. The capabilities a contractor must demonstrate depend on their required CMMC level.
The data below itemizes the 43 CMMC capabilities and their association with the 17 domains of the CMMC 2.0 model:
Access Control (AC)
- Establish system access requirements
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
Asset Management (AM)
- Identify and document assets
Audit and Accountability (AU)
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
Awareness and Training (AT)
- Conduct security awareness activities
- Conduct training
Configuration Management (CM)
- Establish configuration baselines
- Perform configuration and change management
Identification and Authentication (IA)
- Grant access to authenticated entities
Incident Response (IR)
- Plan incident response
- Detect and report events
- Develop and implement a response to a declared incident
- Perform post-incident reviews
- Test incident response
- Manage maintenance
Media Protection (MP)
- Identify and mark media
- Protect and control media
- Sanitize media
- Protect media during transport
Personnel Security (PS)
- Screen personnel
- Protect CUI during personnel actions
Physical Protection (PE)
- Limit physical access
- Manage back-ups
Risk Management (RM)
- Identify and evaluate risk
- Manage risk
Security Assessment (CA)
- Develop and manage a system security plan
- Define and manage controls
- Perform code review
Situational Awareness (SA)
- Implement threat monitoring
System and Communications Protection (SC)
- Define security requirements for systems and communications
- Control communications at system boundaries
System and Information Integrity (SI)
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
Organizations can demonstrate compliance with the above capabilities by adhering to a range of practices and processes. Practices are the technical activities of each capability and consist of 171 practices mapped across the three CMMC levels.
Processes measure an organization's maturity in implementing cyber security procedures, which include nine practices mapped across the maturity levels.
The figure below illustrates the distribution of the 171 practices across the 17 domains.
The domains are listed on the left, with the number of practices in each maturity level according to color. Six domains account for 105 out of 171 practices, including the following:
- Access Control
- Audit and Accountability
- Incident Response
- Risk Management
- System and Communications Protection
- System and Information Integrity
Note: Chart illustrated the domains and practices associated with CMMC 1.02 Maturity Models
Who needs CMMC certification?
Under DFARS 252.204-7012, DoD contractors were responsible for implementing their own cyber security practices and monitoring their compliance with those practices before the release of CMMC.
Audits of contractors were rare, and they were often allowed to attest to their own level of security, resulting in inconsistent compliance with security requirements.
CMMC 2.0 changes this paradigm by requiring all CMMC level 3 (and many CMMC level 2) DoD contractors to be independently audited by a certified third party.
What CMMC level do I need?
According to a statement from the OUS A&S, the “DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.”
By 2026, all contractors that do business with the DoD must comply with CMMC except those who only handle commercial off-the-shelf software (COTS).
This requirement applies to prime contractors, their subcontractors, and every supplier the prime contractor works with across their entire supply chain.
Each DoD contract will specify the CMMC maturity level that each contractor must meet, so contractors on the same contract may have different CMMC requirements.
For example, some parts of a contract may require the prime contractor for that section to meet CMMC Level 3, while only requiring its subcontractors to meet Level 1.
The CMMC Accreditation Body (CMMC-AB) is working with the DoD to ensure that independent, third-party assessors are available for contractors at each CMMC level.
Want to learn more about “What CMMC level do I need?”
Check out this recent guide: Who needs CMMC compliance?
Differences Between CMMC 2.0 and NIST 800-171
The passage of the DFARS general rule in December 2020 allowed the DOD to introduce CMMC and solidify its importance in DOD contracts.
CMMC level 2 is based mostly on NIST 800-171, which specified the cyber security standards for DIB contractors handling CUI before the deployment of CMMC. Contractors can still refer to DFARS clause 252.204-7012 for guidance on self-assessing their cyber security capabilities until CMMC is more widely enforced.
With the addition of DFARS 252.204-7019, which requires contractors to upload a self-assessment score, at a basic level, to the Supplier Performance Risk System (SPRS), accountability and accuracy by the contractor are far more important than in the past.
Contractors must also meet all 110 security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POAM) indicating their plan.
A POAM describes the measures a DIB contractor will take to correct the deficiencies discovered during a security control assessment. This plan should identify the tasks the contractor needs to perform in addition to the resources those tasks will require.
The shift from self-assessments to independent assessments for cyber security compliance is one of the most significant differences between NIST 800-171 and CMMC.
Third-Party Assessment Organizations (C3PAOs) will now conduct assessments for most organizations that require Level 2 compliance, which won’t accept non-compliance with DOD cybersecurity regulations.
Under NIST 800-171, noncompliance was acceptable, provided the contractor prepared a POAM and made progress in closing their remaining gaps.
CMMC and NIST SP 800-171 mandates will continue to coexist until the DOD completes the CMMC roll-out according to its existing timeline.
The number of DoD contractors subject to CMMC will gradually increase over the next few years to include all of these contractors, while the number of defense contractors still subject to NIST SP 800-171 will eventually drop to zero.
How to enable CMMC compliance
Contractors that only need to handle FCI information with a low level of sensitivity may only be required to demonstrate the basic cyber hygiene requirements of CMMC Level 1.
The cybersecurity requirements become more complex for contractors who need to handle CUI since they need to achieve CMMC Level 2 or higher. Achieving this level requires a proactive, comprehensive approach to security that includes the following three steps:
1. Adopt a platform that can securely exchange CUI
Companies that work with CUI frequently contain this type of information in e-mails and files, which must be protected as required by CMMC. These capabilities include end-to-end encryption and easy deployment of that encryption, to protect CUI, FCI, and International Traffic in Arms Regulations (ITAR) data. cuick trac™ can help contractors navigate their best path to satisfy this.
2. Develop a robust System Security Play (SSP)
This document indicates the contractor's process of implementing the policies and procedures that CMMC Level 3 requires. C3PAOs use the SSP to understand how contractors will implement these security controls.
The SSP must provide detailed information, as general summaries of the methods for implementing controls won't allow the contractor to pass an audit. Working with subject matter experts from cuick trac™, can help contractors develop a strong SSP to expedite their journey towards CMMC compliance.
3. Obtain a CMMC consulting partner
Contractors will often need a partner to guide them through the compliance process for CMMC. In particular, Level 3 compliance is usually too big a requirement for most companies to achieve without help. Partnering with cuick trac™, who can help facilitate this process and minimize costs, is critical.
For example, we can connect you to our network of experienced Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Provisional Assessors (PAs) and Registered Provider Organizations (RPOs).
What do CMMC 2.0 levels mean for DoD contractors?
CMMC will affect DoD contractors and the number of ways as its roll-out continues. For example, POAMs will no longer be accepted once the CMMC implementation is complete, phasing out the DFARS Interim Rule. At this point, all DoD contractors will need to meet all 130 security controls described in NIST SP 800-171 and CMMC Level 3.
Prime contractors for the DoD must ensure their subcontractors meet the requirements appropriate to their CMMC level, which depends on the type of data they will handle. Assume for this example that a prime contractor has CMMC Level 5, but it only shares FCI with one of its subcontractors. The DoD would only require that subcontractor to achieve CMMC Level 1.
Contractors must also meet the requirements for the level they're seeking in both practices and processes. For example, a contractor could achieve Level 3 for practices and Level 2 on processes. In this case, the contractor will be certified at the lower level, CMMC Level 2.
Contractors need to begin repairing for CMMC now rather than waiting until they receive a contract with an actual CMMC requirement.
This preparation requires significant time, so failure to prepare now could result in the loss of a contract later.
Timeline for CMMC implementation
The DoD is currently planning to begin adding CMMC level requirements to DOD Requests for Information (RFIs). These requirements will initially be added to about 15 procurements for critical programs and technologies in the DoD, including those related to nuclear and missile defense. CMMC certification will be used as a basis for approving or disapproving competitors for these contracts.
The data below shows the estimated number of contracts that will contain CMMC level requirements by fiscal year, although this timeline will likely change:
Estimated CMMC procurements by fiscal year:
- FY 2021: 15
- FY 2022: 75
- FY 2023: 250
- FY 2024: 325
- FY 2025: 475
Initially, the DoD estimated that the first round of CMMC implementation would affect about 1,500 primes and subcontractors, which was going to require CMMC certification by Fall 2021.
Although this pilot program has taken longer than expected, C3PAOs are now being authorized and prime contractors are starting to look at their supply chain in a very specific manner.
The rollout will continue over the next five years, with the expectation that all new DoD contracts will contain CMMC requirements by Fall 2026.
CMMC 2.0 Compliance Checklist
No two paths to CMMC compliance are the same, but consultants and MSPs do recommend a number of best practices.
These practices may be categorized by phase, including baselining, implementation, enactment and assessment.
- Develop a plan with a consultant for achieving your desired level of compliance.
- Determine if you manage CUI and how you will protect it.
- Create a gap assessment between your company's current capabilities and where they need to be.
- Create POAMs for the controls you don’t currently meet.
- Implement the action items identified in the POAMs.
- Implement the procedures, training and tools needed to close the gaps identified in the gap assessment.
- Implement necessary monitoring of systems.
- Train your employees on the new security requirements.
- Resolve outstanding issues. Work through the SSP and adjust your time table accordingly.
- Undergo an audit by a C3PAO.
- Prepare to present audit proof/evidence that required controls have been met and are documented correctly
- Prepare for continuous improvement.
Take the hassle out of managing CMMC 2.0 maturity processes with cuick trac™
Do you have questions about how the new CMMC 2.0 compliance levels will impact your organization? Want the cheat code to DFARS 252.204-7012, 7019, and 7020 compliance? We can help.
Our team of cyber security experts has spent years engineering cuick trac™ — the best privately hosted, managed, and secure virtual enclave that helps DoD contractors reach CMMC level 2 compliance in as little as 14 days.
Cuick trac™ is a cost-effective, practical solution that makes implementing and managing controlled unclassified information (CUI) easy, saving the average DoD contractor a massive amount time, money, and internal resources.
Call 612-428-3008 today to learn more or get a free 30-minute cuick trac™ demo.
Get a 30-minute demo from a cuick trac™ product expert
You've made it this far, now let us show you why cuick trac™ will be the smartest decision you'll make this year.