What Are the CMMC Levels?

What are the CMMC Levels?

If your business is a subcontractor in the defense industrial base, you have, no doubt, been hearing a lot over the past year about Cybersecurity Maturity Model Certification. Still the definition of each level and  the path to your desired CMMC level may be unclear. This article provides a high-level overview of each of the five levels.

First: What is a maturity model?

In their document Cybersecurity Maturity Model Certification (CMMC) Version 1.02, the Office of the Under Secretary of Defense for Acquisition & Sustainment defines a maturity model as “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.”

In that sense, the CMMC levels describe a progression from basic cyber hygiene through intermediate to good cyber hygiene; and then (if appropriate) on to proactive, progressive, and advanced cybersecurity postures. At the highest maturity levels, organizations demonstrate that processes are ingrained and embedded in the organization’s operations, and that practices are sufficient to protect controlled unclassified information (CUI) against advanced persistent threats by sophisticated adversaries attempting to exploit multiple attack vectors.

There are five levels of Cybersecurity Maturity Model Certification. Most small and medium-sized businesses in the defense industrial base will be seeking certification at CMMC Level 3. This is the minimum level of certification required of all organizations that work with CUI.

CMMC Levels 1-5
Most small and medium-sized businesses will seek CMMC Level 3 certification.

The CMMC Hierarchical Framework

The CMMC model framework encompasses 17 domains. Cybersecurity processes are specified and will be subject to CMMC audits at levels 2-5. With each domain there are capabilities that span all 5 levels. Across the five levels there are 171 practices. Each level includes the practices and processes of lower levels.

CMMC Model Hierarchy

Cybersecurity Maturity Level 1 (CMMC Level 1) -- Basic Cyber Hygiene

The focus of this level in on ensuring that Federal Contract Information (FCI) remains secure. CMMC Level 1 is characterized as “Basic Cyber Hygiene.”

Practices—Basic Cyber Hygiene

Level 1 requires than an organization engage in 17 practices. These practices correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 and address six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communication Protection, System and Information Integrity.


Cybersecurity processes are performed at least in an ad-hoc manner at this level. There are no maturity processes assessed at CMMC Level 1.

CMMC Level 1 is a standard that is achievable for small businesses; equivalent to all of the requirements from FAR Clause 52.204-21. This level of cybersecurity maturity will be required for all organizations that work with federal contract information (FCI).

Cybersecurity Maturity Level 2 (CMMC Level 2) -- Intermediate Cyber Hygiene


This level is intended to be an intermediate stage for organizations planning to progress to CMMC Level 3 certification.


CMMC Level 2 includes all the practices of level 1 and adds an additional 48 practices from the NIST SP 800-171 framework. Organizations at this level have a cybersecurity posture that is resilient against unskilled threat actors.


CMMC Level 2 requires establishment and documentation of cybersecurity practices and policies to guide implementation of cybersecurity efforts. The processes must be documented for the assessment at this level.

Cybersecurity Maturity Level 3 (CMMC Level 3) -- Good Cyber Hygiene


CMMC Level 3 will be required for all organizations that create, store, or receive Controlled Unclassified Information (CUI).

This level builds on levels 1 and 2. The focus at this level is establishing good cyber hygiene in order to protect CUI. Organizations at CMMC Level 3 will be able to protect CUI against threats from moderately skilled adversaries.

Practices: Good Cyber Hygiene

CMMC Level 3 includes all 110 security requirements from NIST SP 800-171 plus 20 additional practices to establish good cyber hygiene.

Processes: Managed

This level requires organizations establish, resource, and maintain a plan demonstrating the management of activities for practice implementation.

The requirements at this level are rigorous (Security Information and Event Management, Business Continuity/Disaster Recovery Plan and Procedures)  but not unattainable for small and medium-sized businesses. The challenge is that 100% compliance with the standard is necessary in order to achieve certification. Organizations that do not meet this standard completely will not be awarded contracts where they might handle CUI.

Small and medium sized businesses might find particular challenge not only in meeting this standard but in the journey that leads from basic cyber hygiene to good cyber hygiene in a practical and cost-effective way. To address that concern, we have put together a free webinar that focuses on Right-Sized Solutions to NIST/CMMC Compliance.


Cybersecurity Maturity Levels 4 and 5 (CMMC Level 4, CMMC Level 5) – Protecting CUI and Reducing the Risk of Advanced Persistent Threats

CMMC Levels 4 and 5 build upon the practices and processes of levels 1-3. Levels 4 and 5 focus on increasing the protection of CUI and reducing the risk of advanced persistent threats by sophisticated adversaries.

Level 4 includes an additional 11 practices selected from Draft NIST SP 800-171B as well as 15 additional practices to demonstrate a proactive cybersecurity program. At this level, processes are periodically reviewed and measured for effectiveness. Organizations seeking CMMC Level 4 certification are able to take corrective action and keep higher level management apprised of status or issues on a recurring basis.

Level 5 is characterized by highly advanced practices that are resilient against the most advanced attacks from sophisticated adversaries. This level includes a total of all 171 practices. Processes at this level are optimizing through continuous improvement.

Typical organizations seeking CMMC Level 4 or Level 5 certification would be prime contractors or others with enterprise computing environments and sophisticated layers of security to protect sensitive data.

Making Sense of it All

The journey for a small or medium-sized business from basic cyber hygiene to CMMC Level 3 compliance will be challenging. There may not be quick fix, all-in-one solutions to CMMC compliance.

EXP Technical offers CIO level cybersecurity and IT governance consulting services. Our recommendations are backed by decades of experience ensuring that organizations in highly-regulated industries (HIPAA, PCI, ITAR, DFARS, NIST, and CMMC) meet the rigorous standards required of them. Our goal is serving people through technology. We offer pragmatic guidance toward right-sized solutions. If you are not sure how to prepare for your CMMC audit, contact EXP Technical today for a no-charge consultation.

Related Posts