CMMC Levels Explained: A Guide to CMMC 2.0 Certification Levels

The US Department of Defense (DoD) announced the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0 on July 17, 2021, bringing changes to the tiered model of CMMC levels of certification.

The CMMC framework is designed to help contractors in the Defense Industrial Base (DIB) better assess and improve their cybersecurity posture by ensuring all DoD contractors implement appropriate cybersecurity practices and procedures to protect controlled unclassified information (CUI) and federal contract information (FCI).

This guide provides an overview of the Cybersecurity Maturity Model Certification, a breakdown of the updated CMMC certification levels, how to tell what level you need, and the next steps on your journey toward CMMC 2.0 compliance.

Get DFARS/NIST 800-171 Compliant With Cuick Trac — a private hosted, virtual enclave

How many CMMC levels are there?

The latest CMMC 2.0 model has three levels (replacing the five-tier system in CMMC 1.02). Announced on July 17, 2021, the three CMMC levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.

What are the CMMC levels?

CMMC levels are a set of cybersecurity practices, standards, and processes published by the Department of Defense as part of the CMMC program designed to protect national security by aligning how defense contractors and subcontractors handle FCI and CUI. All CMMC levels have processes, practices, and assessment procedures for DoD contractors.

cmmc levels

CMMC 2.0, Level 1: Foundational

Level 1 requires organizations to perform basic cybersecurity practices; however, they may perform these practices in an ad hoc manner without relying on documentation and may reach certification through an annual self-assessment.

As a result, C3PAOs don’t assess process maturity for level 1. Practices at this level focus on protecting FCI, so level 1 only includes practices that meet the basic safeguarding requirements described in 48 CFR 52.204-21.

Who needs CMMC level 1? DoD contractors and subcontractors that handle Federal Contract Information (FCI), or “Information not intended for public release [that] is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” will need CMMC level 1 certification.

CUICK PODCAST banner

CMMC 2.0, Level 2: Advanced

Level 2 requires organizations to document their processes to guide their efforts to achieve CMMC Level 2 maturity. This documentation must also allow users to repeat these processes. Organizations must perform their processes as documented to achieve this maturity level.

Level 2 practices are classified as advanced cyber-hygiene practices (often referred to as intermediate cyber hygiene), which is a progression between level 1 and level 3.

CMMC 2.0 Level 2 is equivalent to CMMC 1.02 Level 3, based on NIST SP 800-171. It includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171 but eliminates all 20 Level 3 practices and processes unique to CMMC 1.02.

Assessment requirements for level 2 compliance differ based on whether the CUI data is critical or non-critical to national security. Organizations with prioritized acquisitions that handle data that is critical to national security must pass a higher-level third-party assessment (C3PAOs) every 3 years, while non-prioritized acquisitions with data not critical to national security must conduct an annual self-assessment.

Who needs CMMC level 2? DoD contractors and subcontractors that handle the same type of controlled unclassified information must meet level 2 compliance. A lower CMMC level may apply to the subcontractor if the prime only flows down select information.

CMMC 2.0, Level 3: Expert

The level 3 CMMC model reduces a system’s vulnerability to advanced persistent threats (APTs) by requiring an organization to establish, maintain, and resource a plan to manage the activities needed to implement its cybersecurity practices.

This plan can include information on various specific topics, including goals, missions, projects, resourcing, training, and the involvement of organizational stakeholders.

The cybersecurity practices at this level qualify as good cyber-hygiene practices and focus on protecting CUI. However, they also encompass all the security requirements that NIST SP 800-171 specifies and the other 20 practices added for CMMC level 2.

DFARS clause 252.204-7012 still applies, adding requirements beyond NIST SP 800-171 such as reporting security incidents.

CMMC 2.0 Level 3 applies to companies that handle CUI for DoD programs with the highest priority. It’s comparable to CMMC 1.02 Level 5, although the DoD is still developing its specific security requirements. However, it has already been indicated that the requirements of Level 3 will be based on NIST SP 800-171’s 110 controls in addition to a subset of NIST SP 800-172 controls.

CMMC domains: The 17 core security domains of CMMC 2.0

CMMC 2.0 incorporates existing federal regulations regarding cybersecurity such as 48 CFR 52.204-21, DFARS clause 252.204-7012, NIST SP 800-171, and NIST SP 800-172 into a single set of best practices in cybersecurity. It categorizes these practices into 17 domains with 43 capabilities that were created to simplify the design of a CMMC cybersecurity program. The capabilities a contractor must demonstrate depend on their required CMMC level.

The data below itemizes the 43 CMMC capabilities and their association with the 17 domains of the CMMC 2.0 model:

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Asset Management (AM)

  • Identify and document assets

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

Maintenance (MA)

  • Manage maintenance

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

Physical Protection (PE)

  • Limit physical access

Recovery (RE)

  • Manage back-ups

Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code review

Situational Awareness (SA)

  • Implement threat monitoring

System and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Organizations can demonstrate compliance with the above capabilities by adhering to a range of practices and processes. Practices are the technical activities of each capability and consist of 171 practices mapped across the three CMMC levels. Processes measure an organization’s maturity in implementing cybersecurity procedures, which include nine practices mapped across the maturity levels.

The figure below illustrates the distribution of the 171 practices across the 17 domains. The domains are listed on the left, with the number of practices in each maturity level according to color. Six domains account for 105 out of 171 practices, including the following:

  • Access Control
  • Audit and Accountability
  • Incident Response
  • Risk Management
  • System and Communications Protection
  • System and Information Integrity

Note: Chart illustrates the domains and practices associated with CMMC 1.02 Maturity Models

Who needs CMMC certification?

Under DFARS 252.204-7012, DoD contractors were responsible for implementing their own cybersecurity practices and monitoring their compliance with those practices before the release of CMMC. Audits of contractors were rare, and they were often allowed to attest to their own level of security, resulting in inconsistent compliance with security requirements. CMMC 2.0 changes this paradigm by requiring all CMMC level 3 (and many CMMC level 2) DoD contractors to be independently audited by a certified third party.

What CMMC level do I need?

According to a statement from the OUS A&S, the “DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

By 2026, all contractors that do business with the DoD must comply with CMMC except those who only handle commercial, off-the-shelf software (COTS). This requirement applies to prime contractors, their subcontractors, and every supplier the prime contractor works with across their entire supply chain. Each DoD contract will specify the CMMC maturity level that each contractor must meet, so contractors on the same contract may have different CMMC requirements.

For example, some parts of a contract may require the prime contractor for that section to meet CMMC Level 3, while only requiring its subcontractors to meet Level 1.

The CMMC Accreditation Body (CMMC-AB) is working with the DoD to ensure that independent, third-party assessors are available for contractors at each CMMC level.

Want to learn more about CMMC levels? Check out this recent guide: Who needs CMMC certification?

Differences Between CMMC 2.0 and NIST 800-171

The passage of the DFARS general rule in December 2020 allowed the DoD to introduce CMMC and solidify its importance in DoD contracts. CMMC level 2 is based mostly on NIST 800-171, which specified the cybersecurity standards for DIB contractors handling CUI before the deployment of CMMC. Contractors can still refer to DFARS clause 252.204-7012 for guidance on self-assessing their cybersecurity capabilities until CMMC is more widely enforced.

With the addition of DFARS 252.204-7019, which requires contractors to upload a SPRS score based on a self-assessment, accountability and accuracy by the contractor are far more important than in the past. Contractors must also meet all 110 security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POAM) indicating their plan. This POAM describes the measures a DIB contractor will take to correct the deficiencies discovered during a security control assessment. This plan should identify the tasks the contractor needs to perform in addition to the resources those tasks will require.

The shift from self-assessments to independent assessments for cybersecurity compliance is one of the most significant differences between NIST 800-171 and CMMC. Third-Party Assessment Organizations (C3PAOs) will now conduct assessments for most organizations that require Level 2 compliance, which won’t accept non-compliance with DoD cybersecurity regulations. Under NIST 800-171, noncompliance was acceptable, provided the contractor prepared a POAM and made progress in closing their remaining gaps. CMMC and NIST SP 800-171 mandates will continue to coexist until the DoD completes the CMMC roll-out according to its existing timeline.

The number of DoD contractors subject to CMMC will gradually increase over the next few years to include all of these contractors, while the number of defense contractors still subject to NIST SP 800-171 will eventually drop to zero.

How to enable CMMC compliance

Contractors that only need to handle FCI information with a low level of sensitivity may only be required to demonstrate the basic cyber-hygiene requirements of CMMC Level 1.

The cybersecurity requirements become more complex for contractors who need to handle CUI since they need to achieve CMMC Level 2 or higher. Achieving this level requires a proactive, comprehensive approach to security that includes the following three steps:

1. Adopt a platform that can securely exchange CUI

Companies that work with CUI frequently contain this type of information in emails and files, which must be protected as required by CMMC. These capabilities include end-to-end encryption and easy deployment of that encryption, to protect CUI, FCI, and International Traffic in Arms Regulations (ITAR) data. A CUI enclave such as Cuick Trac can help contractors navigate their best path to satisfy this.

2. Develop a robust System Security Play (SSP)

This document indicates the contractor’s process of implementing the policies and procedures that CMMC Level 3 requires. C3PAOs use the SSP to understand how contractors will implement these security controls.

The SSP must provide detailed information, as general summaries of the methods for implementing controls won’t allow the contractor to pass an audit. Working with subject matter experts from Cuick Trac can help contractors develop a strong SSP to expedite their journey towards CMMC compliance.

3. Obtain a CMMC consulting partner

Contractors will often need a partner to guide them through the compliance process for CMMC. In particular, Level 3 compliance is usually too big a requirement for most companies to achieve without help. Partnering with experts in the field who can help facilitate this process and minimize costs is critical.

What do CMMC 2.0 levels mean for DoD contractors?

CMMC levels will affect DoD contractors in a number of ways as its rollout continues. For example, POAMs will no longer be accepted once the CMMC implementation is complete, phasing out the DFARS Interim Rule. At this point, all DoD contractors will need to meet all 130 security controls described in NIST SP 800-171 and CMMC Level 3.

Prime contractors for the DoD must ensure their subcontractors meet the requirements appropriate to their CMMC level, which depends on the type of data they will handle. Assume for this example that a prime contractor has CMMC Level 5, but it only shares FCI with one of its subcontractors. The DoD would only require that subcontractor to achieve CMMC Level 1.

Contractors must also meet the requirements for the level they’re seeking in both practices and processes. For example, a contractor could achieve Level 3 for practices and Level 2 on processes. In this case, the contractor will be certified at the lower level, CMMC Level 2.

Contractors need to begin preparing for CMMC now rather than waiting until they receive a contract with an actual CMMC requirement. This preparation requires significant time, so failure to prepare now could result in the loss of a contract later.

Timeline for CMMC implementation

The DoD is currently planning to begin adding CMMC level requirements to DoD Requests for Information (RFIs). These requirements will initially be added to about 15 procurements for critical programs and technologies in the DoD, including those related to nuclear and missile defense. CMMC certification will be used as a basis for approving or disapproving competitors for these contracts.

The data below shows the estimated number of contracts that will contain CMMC level requirements by fiscal year, although this timeline will likely change:

Estimated CMMC procurements by fiscal year:

  • FY 2021: 15
  • FY 2022: 75
  • FY 2023: 250
  • FY 2024: 325
  • FY 2025: 475

Initially, the DoD estimated that the first round of CMMC implementation would affect about 1,500 primes and subcontractors, which was going to require CMMC certification by Fall 2021.

Although this pilot program has taken longer than expected, C3PAOs are now being authorized and prime contractors are starting to look at their supply chain in a very specific manner.

The rollout will continue over the next five years with the expectation that all new DoD contracts will contain CMMC requirements by Fall 2026.

CMMC 2.0 Compliance Checklist

No two paths to CMMC compliance are the same, but consultants and MSPs do recommend a number of best practices. These practices may be categorized by phase, including baselining, implementation, enactment, and assessment.

Baselining

  • Develop a plan with a consultant for achieving your desired level of compliance.
  • Determine if you manage CUI and how you will protect it.
  • Create a gap assessment between your company’s current capabilities and where they need to be.
  • Create POAMs for the controls you don’t currently meet.

Implementation

  • Implement the action items identified in the POAMs.
  • Implement the procedures, training and tools needed to close the gaps identified in the gap assessment.

Enactment

  • Implement necessary monitoring of systems.
  • Train your employees on the new security requirements.
  • Resolve outstanding issues. Work through the SSP and adjust your time table accordingly.

Assessment

  • Undergo an audit by a C3PAO.
  • Prepare to present audit proof/evidence that required controls have been met and are documented correctly
  • Prepare for continuous improvement.

Take the hassle out of managing CMMC 2.0 maturity processes with Cuick Trac

Our team of cybersecurity experts has spent years engineering Cuick Trac — the best privately hosted, managed, and secure virtual enclave that helps DoD contractors reach CMMC level 2 compliance in as little as 14 days. Cuick Trac is a cost-effective, practical solution that makes implementing and managing CUI easy, saving the average DoD contractor a massive amount of time, money, and internal resources.

Call 612-428-3008 today to learn more or get a free 30-minute Cuick Trac demo.

Learn more about CMMC 2.0

CMMC

QUIZ: Which of the Following is CUI?

Do you know all the intricacies of handling CUI? Can you pick out which of the following is true?
CMMC

Who is Responsible for CUI Markings?  

Properly marking CUI information is crucial for protecting sensitive information, but you may wonder, who is responsible for CUI markings?
CMMC

GRC Tools: What to Look For  

Choosing the right GRC tools is about creating a framework that supports both immediate certification needs and long-term strategic success.

Part of the most relevant industry groups and committees

department of defense badge
ndia partnership badge
cmmc certification badge
defense alliance badge
infragard partnership badge

Get a 30-minute demo from a
Cuick Trac product expert

You've made it this far, now let us show you why Cuick Trac will be the smartest decision you'll make this year.

Schedule a quick product tour

Learn how Cuick Trac can secure your CUI in less time, with less effort, and with more features than any other DFARS-compliant product on the market.