What are CMMC levels?

by Lizzie Tinker

The new Cybersecurity Maturity Model Certification (CMMC) is set to be required for Department of Defense (DoD) federal contracts July 1, 2020. While the auditor requirements and training have not been released, the DoD has released the controls and the levels of certification. The CMMC has five levels of certification with controls borrowed from the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Community Emergency Response Team (CERT), and other frameworks.

CMMC level one is the starting point and first level of certification. This level looks at the performance of security controls and overall basic cyber hygiene. The focus is to protect federal contract information. All DoD contracts will require at least this certification level.

CMMC level two requires all the controls from level one to be met and, beyond security processes simply being performed, adds the requirement that they be documented. These controls and the documentation represent an overall intermediate cyber hygiene. This level is also the transitional step in the model and progresses the maturity of the organization towards protecting Controlled Unclassified Information (CUI).

CMMC level three certification covers the previous levels' controls and moves from security being performed and documented to also being managed. Organizations at this level have good cyber hygiene and protect CUI.

CMMC level four takes the previous three levels and adds a review element. Organizations that are certified at level four are proactive in security and are not only protecting CUI but are reducing their risk of attack from Advanced Persistent Threats (APTs).

CMMC level five is the top of the model. To achieve this certification, all controls in the CMMC must be met. Organizations at this level are optimizing security processes, using advanced practices, protecting CUI, and reducing risk from APTs.

While the certifying process is still unreleased, it is important for all organizations that are doing business with, or hope to do business with, the DoD to have a gap analysis performed to determine which controls are currently met and what work remains to be done.

We can help

Elliott Davis has advisors who can help walk through the Cybersecurity Maturity Model Certification process. Contact the team to see how we can assist you.