CMMC Levels Explained: A Guide to the 5 CMMC Maturity Levels

Unlike NIST SP 800-171, the CMMC model possesses five levels. Learn about the CMMC framework, who it affects, and what it means for the future of DoD contracts.

The US Department of Defense (DOD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) on January 20, 2020. The CMMC framework allows contractors in the Defense Industrial Base (DIB) to better assess and improve their cyber security posture.

The CMMC ensures that contractors implement the appropriate levels of cyber security practices and procedures needed to protect controlled unclassified information (CUI) and federal contract information (FCI). This page provides an overview of the Cybersecurity Maturity Model Certification, CMMC levels and the process for starting your journey towards CMMC compliance.

Do you need to be DFARS 252.204-7012, 7019 and 7020 compliant? Schedule a free consultation with the cyber security experts at Beryllium InfoSec Collaborative today to learn how cuick trac™ can help. cuick trac™ is a cost-effective, practical solution that helps you receive, process and transmit controlled unclassified information (CUI). Call 763-546-8354 or schedule an online cuick trac™ demo today.

CMMC Capabilities

Under DFARS 252.204-7012, DoD contractors were responsible for implementing their own cyber security practices and monitoring their compliance with those practices prior to the release of CMMC. Audits of contractors were rare, and they were often allowed to attest to their own level of security, resulting in inconsistent compliance with security requirements. CMMC changes this paradigm by requiring all DoD contractors to be independently audited by a certified third party.

CMMC maps best practices in cyber security to five maturity levels. Level 1 indicates the lowest level of cyber security maturity with the simplest processes and most basic cyber hygiene practices. Level 5 is the highest level of cyber security maturity in the CMMC model and applies to optimized processes and the most advanced cyber hygiene practices.

CMMC incorporates existing federal regulations regarding cyber security such as 48 CFR 52.204-21, DFARS clause 252.204-7012, NIST SP 800-171, and NIST SP 800-172 into a single set of best practices in cyber security. It categorizes these practices into 17 domains with 43 capabilities distributed across those domains. The capabilities that contractors must demonstrate depend on the CMMC level they're seeking. The data below itemizes the 43 CMMC capabilities and their association with the 17 domains of the CMMC model:

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Asset Management (AM)

  • Identify and document assets

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

Maintenance (MA)

  • Manage maintenance

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

Physical Protection (PE)

  • Limit physical access

Recovery (RE)

  • Manage back-ups

Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code review

Situational Awareness (SA)

  • Implement threat monitoring

System and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Organizations can demonstrate their compliance with the above capabilities by adhering to a range of practices and processes. Practices are the technical activities of each capability and consist of 171 practices mapped across the five CMMC levels. Processes measure an organization's maturity in implementing cyber security procedures, which include nine practices mapped across the maturity levels.

The figure below illustrates the distribution of the 171 practices across the 17 domains. The domains are listed on the left, with the number of practices in each maturity level according to color. Six domains account for 105 out of 171 practices, including the following:

  • Access Control
  • Audit and Accountability
  • Incident Response
  • Risk Management
  • System and Communications Protection
  • System and Information Integrity

Who needs to comply with CMMC?

By 2026, all contractors that do business with the DoD must comply with CMMC except those who only handle commercial off-the-shelf software (COTS). This requirement applies to prime contractors as well as their subcontractors and every supplier the prime contractor works with across their entire supply chain.

Each DoD contract will specify the CMMC maturity level that each contractor must meet, so contractors on the same contract may have different CMMC requirements. For example, some parts of a contract may require the prime contractor for that section to meet CMMC Level 3, while only requiring its subcontractors to meet Level 1. The CMMC Accreditation Body (CMMC-AB) is currently working with the DoD to ensure that independent, third-party assessors are available for contractors at each of the CMMC levels. (Learn more: Who needs CMMC compliance?)

Differences Between CMMC and NIST 800-171

The passage of the DFARS general rule in December 2020 allowed the DOD to introduce CMMC and solidify its importance in DOD contracts. CMMC level 3 is based mostly on NIST 800-171, which specified the cyber security standards for DIB contractors handling CUI prior to the deployment of CMMC. Contractors can still refer to DFARS clause 252.204-7012 for guidance on self-assessing their cyber security capabilities until CMMC is more widely enforced.

With the addition of DFARS 252.204-7019, which requires contractors to upload a basic-level self-assessment score to the Supplier Performance Risk System (SPRS), the contractor's accountability and the accuracy of its self-assessment are far more important than in the past.

Contractors must also meet all 110 security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POAM) indicating their plan to do so. A POAM describes the specific measures that a DIB contractor will take to correct the deficiencies discovered during a security control assessment. This plan should identify the tasks the contractor needs to perform in addition to the resources those tasks will require.

The shift from self-assessments to independent assessments for cyber security compliance is one of the most significant differences between NIST 800-171 and CMMC. Third Party Assessment Organizations (C3PAOs) will now conduct these assessments, and they will not accept noncompliance with DoD cybersecurity regulations.

Under NIST 800-171, noncompliance was acceptable, provided the contractor prepared a POAM and made progress in closing their remaining gaps. CMMC also adds 20 new security requirements to Level 3, which build upon the 110 requirements already in NIST 800-171. CMMC requires contractors to meet both sets of requirements, adding further support for good cybersecurity practices.

CMMC and NIST SP 800-171 mandates will continue to coexist until the DoD completes the CMMC roll-out according to its existing timeline. The number of DoD contractors subject to CMMC will gradually increase over the next few years until it includes all defense contractors, while the number still subject only to NIST SP 800-171 will drop to zero.

What CMMC level does my company need to achieve?

The CMMC maturity level that the DoD requires of its contractors depends on the sensitivity of the data these contractors will be working with. Each maturity level has its own set of processes and practices that allow the contractor to work on information with progressively greater sensitivity.

CMMC Level 1

Level 1 requires organizations to perform the specified practices. However, they may be able to perform these practices in an ad-hoc manner without relying on documentation. As a result, C3PAOs don't assess process maturity for level 1. Practices at this level focus on the protection of FCI, so level 1 only includes practices that meet the basic safeguarding requirements described in 48 CFR 52.204-21.

CMMC Level 2

Level 2 requires the organization to document its processes in order to guide its efforts to achieve CMMC Level 2 maturity. This documentation must also allow users to repeat these processes. Organizations must perform their processes as documented to achieve this maturity level.

Level 2 practices are classified as intermediate cyber hygiene practices, which are a progression between level 1 and level 3. They consist of a subset of the requirements specified by NIST SP 800-171 in addition to practices from other standards. Level 2 is a transitional stage, so these practices focus on protecting CUI.

CMMC Level 3

Level 3 requires the organization to establish, maintain and resource a plan to manage the activities needed to implement its cyber security practices. This plan can include information on a variety of specific topics, including goals, missions, projects, resourcing, training and the involvement of organization stakeholders.

The cybersecurity practices at this level qualify as good cyber hygiene practices and focus on the protection of CUI. However, they also encompass all the security requirements that NIST SP 800-171 specifies as well as the other 20 practices added for CMMC level 3. DFARS clause 252.204-7012 still applies, which also adds requirements beyond NIST SP 800-171 such as reporting security incidents.

CMMC Level 4

Level 4 requires the organization to periodically review the effectiveness of its security practices. It also requires organizations to take corrective action when needed and inform upper management of the status of their information systems on a recurring basis.

Level 4 practices are considered proactive and focus on the protection of CUI from advanced persistent threats (APTs), although they also encompass a subset of the requirements from the draft of NIST SP 800-172 and other documents. These practices generally improve an organization's ability to detect and respond to security threats, especially its ability to adapt to changes in the tactics, techniques and procedures (TTPs) of APTs.

CMMC Level 5

Level 5 requires the organization to optimize its processes for the purpose of ensuring a standardized implementation across the entire organization. Practices at this level focus on the protection of CUI from APTs, and are considered advanced and proactive. The practices added at this level increase the sophistication and depth of the organization's cybersecurity capabilities.

How to Enable CMMC Compliance

Contractors that only need to handle basic information with a low level of sensitivity may only need to achieve CMMC Level 1. The process becomes more complex for contractors who need to handle CUI since they need to achieve at least CMMC Level 3. Achieving this level requires a comprehensive approach to security that includes the following three steps:

1. Adopt a platform that can securely exchange CUI. Companies that work with CUI frequently hold this type of information in e-mails and files, which must be protected as required by CMMC. The required capabilities include end-to-end encryption, and easy deployment of that encryption, to protect CUI, FCI and International Traffic in Arms Regulations (ITAR) data. Beryllium can help contractors navigate their best path to satisfy this.

2. Develop a robust System Security Plan (SSP). This document describes the process a contractor will use to implement the policies and procedures that CMMC Level 3 requires. C3PAOs use the SSP to understand how contractors will implement these security controls.

The SSP must provide detailed information, as general summaries of the methods for implementing controls won't allow the contractor to pass an audit. Working with subject matter experts like Beryllium can help contractors develop a strong SSP that will expedite their journey towards CMMC compliance.

3. Obtain a CMMC consulting partner. Contractors will often need a partner to guide them through the compliance process for CMMC. In particular, Level 3 compliance is usually too big a requirement for most companies to achieve without help. Partnering with Beryllium, a Registered Provider Organization approved by the CMMC-AB that can help facilitate this process and minimize costs, is critical.

For example, we can connect you to our network of experienced Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Provisional Assessors (PAs) and Registered Provider Organizations (RPOs).

What CMMC levels mean for DoD contractors

CMMC will affect DoD contractors in a number of ways as its roll-out continues. For example, POAMs will no longer be accepted once the CMMC implementation is complete, phasing out the DFARS Interim Rule. At this point, all DoD contractors will need to meet all 130 security controls described in NIST SP 800-171 and CMMC Level 3.

Prime contractors for the DoD must ensure their subcontractors meet the requirements appropriate to their CMMC level, which depends on the type of data they will handle. Assume for this example that a prime contractor has CMMC Level 5, but it only shares FCI with one of its subcontractors. The DoD would only require that subcontractor to achieve CMMC Level 1.

Contractors must also meet the requirements for the level they're seeking in both practices and processes. For example, a contractor could achieve Level 3 for practices and Level 2 on processes. In this case, the contractor will be certified at the lower level, CMMC Level 2.

Contractors need to begin preparing for CMMC now rather than waiting until they receive a contract with an actual CMMC requirement. This preparation requires significant time, so failure to prepare now could result in the loss of a contract later.

Timeline for Implementation

The DoD is currently planning to begin adding CMMC level requirements to DoD Requests for Information (RFIs). These requirements will initially be added to about 15 procurements for critical programs and technologies in the DoD, including those related to nuclear and missile defense. CMMC certification will be used as a basis for approving or disapproving competitors for these contracts.

The data below shows the estimated number of contracts that will contain CMMC level requirements by fiscal year, although this timeline will likely change:

CMMC procurements by fiscal year

  • FY 2021: 15
  • FY 2022: 75
  • FY 2023: 250
  • FY 2024: 325
  • FY 2025: 475

Initially, the DoD estimated that the first round of CMMC implementation would affect about 1,500 primes and subcontractors, which was going to require CMMC certification by Fall 2021. Although this pilot program has taken longer than expected, C3PAOs are now being authorized and prime contractors are starting to look at their supply chain in a very specific manner. The rollout will continue over the next five years, with the expectation that all new DoD contracts will contain CMMC requirements by Fall 2026.

CMMC Compliance Checklist

No two paths to CMMC compliance are the same, but consultants and MSPs do recommend a number of best practices. These practices may be categorized by phase, including baselining, implementation, enactment and assessment.

Baselining

  • Develop a plan with a consultant for achieving your desired level of compliance.
  • Determine if you manage CUI and how you will protect it.
  • Create a gap assessment between your company's current capabilities and where they need to be.
  • Create POAMs for the controls you don’t currently meet.

Implementation

  • Implement the action items identified in the POAMs.
  • Implement the procedures, training and tools needed to close the gaps identified in the gap assessment.

Enactment

  • Implement necessary monitoring of systems.
  • Train your employees on the new security requirements.
  • Resolve outstanding issues. Work through the SSP and adjust your time table accordingly.

Assessment

  • Undergo an audit by a C3PAO.
  • Prepare to present audit proof/evidence that required controls have been met and are documented correctly.
  • Prepare for continuous improvement.

"Level Up" Your CMMC Security Posture with cuick trac™

Beryllium is able to help contractors start their CMMC compliance journey by meeting the requirements for processing, storing and transmitting CUI. Cuick trac™ helps contractors implement 110 NIST 800-171 controls needed for CMMC Level 3 compliance. 

Call 763-546-8354 or complete the online form today to schedule a demonstration or consultation with one of our security experts about your organization’s CMMC compliance.

Derek White
Director of Business Development
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.
