5 Certification Levels
The CMMC encompasses 5 maturity levels that range from Basic Cyber Hygiene to Advanced/Progressive, with each level building on the requirements of the level below it. The certification level required for a company is based on the type of work it performs and the data it stores for the DoD. Once certified, the CMMC certificate should be valid for 3 years.
The 5 CMMC levels are:
Level 1 – Basic Cyber Hygiene – Includes 17 controls covering very basic security, such as using antivirus software, regular employee password changes, and employee cybersecurity training. This level is intended to protect Federal Contract Information (FCI).
Level 2 – Intermediate Cyber Hygiene – Includes 72 controls covering basic and moderate security, such as enabling audit trails, enforcing password complexity, routine maintenance for security patches, and documentation of practices. This level begins to protect Controlled Unclassified Information (CUI) and meets some NIST SP 800-171 r2 requirements.
Level 3 – Good Cyber Hygiene – Includes 130 controls covering basic through advanced security and proactive monitoring. A company must have an institutionalized management plan that includes all the security controls needed to protect CUI and fully meet NIST SP 800-171 r2 requirements.
Level 4 – Proactive – Includes 156 controls covering basic through advanced security, proactive monitoring, and proactive security management. A company must be proactive in measuring, detecting, and defeating threats. This level requires that a company can respond to advanced persistent threats (APTs), including their changing tactics, processes, and capabilities.
Level 5 – Advanced/Progressive – Includes 171 controls covering basic through advanced security, proactive monitoring, and advanced security management. At this level a company must be advanced, progressive, and state-of-the-art in cybersecurity. This includes additional security controls that allow a company to detect and respond to changing APTs.
How will you know which level of CMMC is required? The DoD will specify the required CMMC level in each RFI and RFP.