Understanding the CMMC Levels and Where Your Organization Fits
CMMC levels are defined by the DoD and range from Level 1 (basic cyber hygiene) to Level 5 (advanced and progressive cybersecurity hygiene). The levels are cumulative: to be certified at a given level, an organization must also meet every practice and process of the levels below it. Each level pairs a set of practices (what is done) and processes (how consistently it is done and documented) with the sensitivity of the information being protected and the range of threats that information attracts. The five-level structure described here is the original CMMC 1.0 model; the CMMC 2.0 revision announced in November 2021 consolidates it into three levels, so check which version your contract references.
The first step is figuring out which CMMC level your organization needs. Organizations that handle only Federal Contract Information (FCI) generally need Level 1. Organizations that handle Controlled Unclassified Information (CUI) face a more involved process, and the higher the required level, the more security measures must be put in place. Each level has a focus, outlined below:
- Level 1: Basic Cyber Hygiene. Safeguard Federal Contract Information (FCI). This level consists of the 17 basic safeguarding practices of FAR 52.204-21 and is the floor for any organization requiring CMMC certification; it is appropriate for smaller companies that handle only FCI.
- Level 2: Intermediate Cyber Hygiene. Serve as a transition step toward protecting CUI, with 72 practices drawn mostly from NIST SP 800-171 that must be documented in policies and practiced consistently.
- Level 3: Good Cyber Hygiene. Protect Controlled Unclassified Information (CUI). All 110 NIST SP 800-171 practices are required at this level, plus 20 additional practices from other sources, for 130 in total.
- Level 4: Proactive. Protect CUI and reduce the risk of Advanced Persistent Threats (APTs). Adds 26 practices, for 156 in total, based in part on the CMMC adaptation of draft NIST SP 800-171B (since published as NIST SP 800-172).
- Level 5: Advanced. Protect CUI and reduce the risk of Advanced Persistent Threats (APTs). Adds a further 15 practices, for 171 in total, again drawing on draft NIST SP 800-171B. Highly advanced cybersecurity practices must be implemented, documented and reviewed across the organization, and their effectiveness measured and optimized.