
Understanding CMMC Compliance: A Deep Dive into the Five Maturity Levels

By Eli Newman

The Cybersecurity Maturity Model Certification (CMMC) is a fairly new IT security framework that was developed to standardize the security controls utilized by government contractors to safeguard controlled unclassified information (CUI). Achieving complete CMMC compliance involves the implementation of 171 security controls, which is far above and beyond what most organizations can effectively implement at one time. Because of this, the CMMC uses five different maturity levels to evaluate the progress of a contractor’s security posture so that they can put the required security practices into place more gradually. Knowing the details of each of these levels can help you to better understand how to navigate the process of becoming CMMC compliant, so keep reading as we delve into the ins and outs of the five maturity levels of CMMC.

Level 1: Basic Cyber Hygiene

Level 1 of CMMC compliance requires the fewest security controls that a government contractor must have in place to become CMMC certified. This is because the primary purpose of level 1 is to protect federal contract information (also known as FCI, which is information that is not intended for public release), so you only need to implement basic security controls in order to qualify for this particular maturity level. Level 1 can be thought of as the foundation that the next four levels build upon. To achieve this level, there are 17 practices that government contractors need to meet.

Level 2: Intermediate Cyber Hygiene

Level 2 is considered to be a transitional phase between basic security measures and complete protection of CUI. In other words, level 2 is the bridge between baseline cybersecurity requirements and the authorization to manage sensitive data. When a company reaches this level, it means that it is still working towards good cyber hygiene but has yet to establish the necessary processes for protecting CUI. To reach level 2, contractors are required to implement 48 cybersecurity practices that are listed in NIST SP 800-171, along with 7 additional practices that aim to support intermediate cyber hygiene. After achieving level 2, businesses should be following a total of 72 specific security practices.

Level 3: Good Cyber Hygiene

Contractors that reach level 3 have the minimum number of security controls in place to protect sensitive data. Obtaining this particular level indicates that your organization has now implemented a total of 130 security practices, including the ones outlined in FAR, all of the ones outlined in NIST SP 800-171, and 20 more practices that are designed to promote good cyber hygiene. While CMMC level 3 does indicate significant progress in cybersecurity maturity, contractors that are at this level may not be ideal for government agencies that work with extremely sensitive information. This is because these contractors might still have vulnerabilities in their security program.

Level 4: Proactive

Organizations that reach CMMC level 4 have demonstrated that they have achieved cybersecurity best practices and are now working to proactively evaluate and adjust those practices so that they safeguard sensitive data against cyber threats more effectively. To achieve level 4, contractors are required to have 156 security practices in place.

Level 5: Advanced / Progressive

Level 5 is the final (and most advanced) level of the CMMC framework. To achieve this level, contractors must have a grand total of 171 security practices in place. This demonstrates that they have successfully developed and implemented an advanced cybersecurity program, which typically indicates that an organization is suited to handle even the most sensitive data.

With the U.S. Department of Defense (DoD) planning to fully migrate to this new framework by 2025, it is likely a wise decision to get a head start on becoming compliant, especially given the complexity of the entire process. If your organization is seeking CMMC compliance, we can help you get there. Currently, Contigo is on track to be the first registered provider organization (RPO) in the Austin, Texas area so that we can help your organization prepare for the CMMC assessment. Interested in learning more? Speak with a registered practitioner by contacting us today.
