Understanding CMMC Levels
The Cybersecurity Maturity Model Certification (CMMC) framework defines three cybersecurity maturity levels that are designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is handled, stored, and/or processed by Defense Industrial Base (DIB) companies and contractors.
Understanding the CMMC certification levels, especially CMMC Level 3, can be daunting, even with the major changes that the US Department of Defense (DoD) announced to the CMMC program shortly after launching version 1.0.
The DoD released CMMC 1.0 in January 2020 with plans to roll it out during 2021-2025 and require all defense contracts to comply by 2026, including those at the stringent CMMC Level 3. CMMC 1.0 triggered more than 850 public comments.
In response to public comments and internal reviews, the DoD published an Advanced Notice of Proposed Rulemaking (ANPRM) that provided a preview of significant changes that would be forthcoming in CMMC 2.0.
With the release of CMMC 2.0 in late 2021, CMMC Level 3 remains formidable, but overall, the framework is a more streamlined, flexible, and affordable system for defense contractors and their suppliers. CMMC 2.0 is expected to be completed in 2023.
Until that time, DoD has suspended compliance requirements. However, DOD contractors and suppliers are strongly encouraged to work toward meeting compliance requirements, as they will need to be compliant once CMMC 2.0 is finalized.
Understand Your CMMC Maturity Levels
The CMMC has three maturity levels, Foundational, Advanced, and Expert, which describe an organization’s cybersecurity posture. For CMMC Level 2 and CMMC Level 3, Certified Third-Party Assessment Organizations (C3PAO) evaluate and validate organizations’ status. Depending on the type of work contractors want to bid on for DoD projects, they must meet specific CMMC level requirements.
Seven Examples of Controlled Unclassified Information
1. For Official Use Only (FOUO)
2. Law Enforcement Sensitive (LES)
3. Personally Identifiable Information (PII)
4. Proprietary Business Information (PBI)
5. Sensitive but Unclassified (SBU)
6. Sensitive Personally Identifiable Information (SPII)
7. Unclassified Controlled Technical Information (UCTI)
CMMC Maturity Levels at a Glance
- CMMC Level 1
This is the most basic level of certification that consists of practices that correspond to the essential safety conditions outlined in FAR 52.204-21 (Federal Acquisition Regulation 52.204-21).
- CMMC Level 2
This was created to provide a basic level of cybersecurity for any organization that has CUI, which requires a higher level of security than an organization with only FCI.
- CMMC Level 3
The primary objective is to enhance the security practices established in the previous two levels and significantly enhance organizations’ overall cybersecurity.
What Are the Different Levels of CMMC?
The CMMC initially had five levels built onto security domains, capabilities, practices, and processes to define best practices for overall security and the protection of FCI and CUI. The second version of the CMMC took these concepts and streamlined them into three levels.
Comparison of CMMC Levels Between Model 1 to CMMC Model 2
|CMMC Model 1.0||Model||Assessment|
|Level 5 Advanced CUI, Critical Programs||171 practices||Third-party|
|Level 4 Proactive Transition Level||156 practices||None|
|Level 3 Good CUI||130 practices||Third-party|
|Level 2 Intermediate Transition Level||72 practices||None|
|Level 1 Basic FCI Only||17 practices||Third-Party|
|Level 3 Expert||130 practicesBased on NIST SP 800-171||Triannual government-led assessments|
|Level 2 Advanced||110 practicesBased on NIST SP 800-171||Triannual third-party assessments for critical security information and annual self-assessments for select programs|
|Level 1 Foundational||17 practices||Annual self-assessment|
Source: U.S. Department of Defense Office of the Under Secretary of Defense Acquisition and Sustainment CMMC
NIST CSF Maturity Levels and Controls
The NIST CSF, or the National Institute of Standards and Technology Cybersecurity Framework, was borne out of President Obama’s 2013 Executive Order 13636 Improving Critical Infrastructure Cybersecurity.
It called for development of a voluntary risk-based cyber security framework that provided a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cyber security risk for critical infrastructure services.
Developed in partnership with small and large organizations from around the world, including owners and operators of the nation’s critical infrastructure, the NIST CFS defined four tiers and five maturity levels for cybersecurity. The NIST CSF was designed to help organizations assess risks and implement solutions.
NIST CSF is required for federal agencies because compliance with NIST 800-53 is mandatory. Commercial entities use NIST CSF as a guideline for their security programs.
The NIST CSF is divided into three parts that are used to measure maturity levels.
1. Framework Core is a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. The core has five functions, which are subdivided into 22 categories (i.e., groups of cybersecurity outcomes) and 98 subcategories (i.e., security controls).
2. Framework Implementation Tiers are the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
3. Framework Profile is an integration of industry standards and best practices to help organizations manage their cybersecurity risks and develop a shared understanding of their cybersecurity risks.
Used to enhance cybersecurity, NIST controls provide details about risk posture, information protection, and security standards. NIST CSF controls provide a reference library to support the development of more secure and resilient federal information systems.
These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.
CMMC Level 1 and Requirements
Considered Foundational, CMMC Level 1 in version 2.0 has the same 17 requirements as the first version. CMMC Level 1 includes the same 15 controls that were derived from 48 Code of Federal Regulations 52.204-21 (48 CFR 52.204-21), commonly referred to as the FAR Clause or FAR 52.204-21.
This is the section titled Basic Safeguarding of Covered Contractor Information Systems. It covers the protections required for Federal Contract Information (FCI). CMMC Level 1 also includes annual self-assessments and certifications by company leadership.
CMMC Level 1 Requirements
Access Control (AC)
- Limit information system access to authorized users, process acting on behalf of authorized users, or devices (including other information systems)
- Limit information system access to the types of transactions and functions that authorized uses are permitted to execute
- Verify and control/limit connections to and use of external information systems
- Control information posted or processed on publicly accessible information systems
Identification and Authentication (I.A.)
- Identify information system users, processes acting on behalf of users, or devices
- Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems
Media Protection (M.P.)
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Physical Protection (P.P.)
- Limit physical access to the organization’s information systems, equipment, and the respective operating environments to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access devices
- Control and manage physical access devices
System and Communications Protection (S.C.)
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizations’ information systems) at the external boundaries and key internal boundaries of the information systems
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity (S.I.)
- Identify, report, and correct information and information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
CMMC Level 2 and Requirements
In version 2.0, CMMC Level 2 is considered Advanced. CMMC Level 2 is based on CMMC Level 3, from CMMC version 1.0, but it reduces the number of required controls to 110. The controls for CMMC Level 2 are aligned with the National Institute of Standards and Technology Special Publication 800-171, or NIST SP 800-171, which groups security controls into 14 domains.
CMMC Level 2 splits prioritized acquisitions and non-prioritized acquisitions according to the level of controlled unclassified information (CUI) that is involved. For example, a non-prioritized acquisition would involve CUI related to military uniforms, while prioritized acquisitions would involve CUI related to communications systems.
The non-prioritized acquisitions would only require the annual self-assessments and certifications detailed in CMMC Level 1, but the prioritized acquisitions would require an independent third-party assessment from a certified third-party assessment organization (C3PAO) who’s qualified by the CMMC Accreditation Body (CMMC-AB).
1. Access Control (AC)
22 practices that include user access provisioning, securing application services on public networks, and mobile device policies
2. Awareness Training (AT)
3 practices, which are information security awareness education and controls against malware
3. Audit and Accountability (AU)
9 practices that include event logging, reporting information security events, and collection of evidence
4. Configuration Management (CM)
9 practices that include baseline configuration and settings, inventory of assets, and ownership of assets
5. Identification and Authentication (IA)
11 practices that include user registration and de-registration, authentication management, and password management
6. Incident Response (IR)
3 practices, which are assessment of and decision on information security events, response to information security incidents, and contact with authorities
7. Maintenance (MA)
6 practices that include maintenance controls, equipment maintenance, and removal of assets
8. Media Protection (MP)
9 practices that include a clean desk and screen policy, handling of assets, and disposal of media
9. Personnel Security (PS)
2 practices, which are personnel screening and termination
10. Physical Protection (PE)
6 practices that include physical entry controls, cabling security, and securing offices, rooms, and facilities
11. Risk Assessment (RA)
3 practices, which are management of technical vulnerabilities, vulnerability scanning, and remediation of vulnerabilities
12. Security Assessment (CA)
4 practices, which are security assessments, plan of action and milestones, continuous monitoring, and system security plans
13. System and Communications Protection (SC)
16 practices, which include boundary protection, security engineering principles, application partitioning, and network segmentation
14. System and Information Integrity (SI)
7 practices, which include security alerts, advisories, and directives, flaw remediation, and malicious code protection
CMMC Level 3 and Requirements
CMMC Level 3, considered Expert, replaces CMMC 1.0 Levels 4 and 5. One of the biggest changes to CMMC Level 3 in version 2.0 is that it requires C3PAO audits and certifications every three years. The CP3PAO issues the certification after an audit validates that the contractor’s security posture meets the requirement for CMMC Level 3.
This involves the contractor demonstrating all implementations, documentation, and process management to the C3PAO to show how they can maintain compliance with CMMC Level 3 controls.
Classified as Good Cyber Hygiene, CMMC Level 3 is the minimum requirement for any contractor
that generates or has access to CUI. A challenge at CMMC Level 3 is institutionalizing and actively managing the controls rather than simply documenting the processes.
At CMMC Level 3, the number of controls increases to 130. The CMMC Level 3 controls include NIST SP 800-171 and FAR 52.204-21, per the requirements for CMMC Level 1 and CMMC Level 2, as well as 58 new practices under 16 domains that are aligned with NIS SP-800-172.
1. Access Control—8 additions under CMMC Level 3:
1. Authentication and encryption measures for safeguarding wireless access.
2. Cryptography to safeguard the confidentiality of remote sessions.
3. Separate the duties of individuals to reduce the risk of malicious actions. These actions are distinct from collusion, which doesn’t require the identification of specific threats.
4. Prevent execution of privileged functions from non-privileged accounts. Audit logs must document and analyze all privileged functions.
5. Automatically terminate user sessions that meet defined conditions.
6. Monitor and control all access via mobile devices.
7. Require authorization for remote execution of functions and access to security-related information.
8. Encrypt CUI on all computing platforms.
2. Asset Management—a new domain with 1 practice under CMMC Level 3:
1. Define specific practices and procedures for handling CUI and related data.
3. Audit and Accountability—7 additions under CMMC Level 3:
1. Regularly review all logged events and update or correct them when necessary.
2. Necessitate an alert in the event that the audit and/or logging process fails.
3. Collect all information pertaining to audits into one or multiple central repositories to facilitate the review, analysis, and strategic decision-making regarding audit information.
4. Protect information pertaining to audits and audit logs, from all forms of unauthorized access, including especially the use, modification, and deletion thereof.
5. Restrict access to auditing functionalities to a subset of privileged users.
6. Correlate review and analysis of audit records with reporting relative to investigation and response to unlawful, unauthorized, or otherwise irregular activities.
7. Facilitate immediate, on-demand analysis and reporting with efficient procedures for audit record reduction and generation of audit reports.
4. Awareness and Training—a new domain with 1 practice under CMMC Level 3:1. Provide training on security awareness that includes best practices for monitoring, identifying, and reporting insider threats from other staff.
5. Configuration Management—3 additions under CMMC Level 3:
1. Define, document, and approve access to all physical and virtual systems. System access must be based on the current security configuration.
2. Minimize access through restriction, disablement, and prevention. These systems include hardware, software, functions, and services.
3. Deny access by exception, commonly known as blacklisting, to prohibit unauthorized access. Enable authorized access with permission by exception, also known as whitelisting.
6. Identification and Authentication—4 additions under CMMC Level 3:
1. Utilize multi-factor authentication (MFA) for local and network access to privileged accounts. Network access to non-privileged accounts also requires MFA.
2. Employ authentication mechanisms for access to privileged and non-privileged accounts that are “replay resistant.” These measures include cryptographic nonces, one-time authenticators, and Transport Level Security (TLS).
3. Prevent reuse of identification credentials like usernames by the same user or others for a defined period after changes to the account, including termination.
4. Disable identification credentials after an organizationally defined period of inactivity in the account. This action must also prevent reuse, per IA.3.085.
7. Incident Response—2 additions under CMMC Level 3:
1. Ensure that all incidents are tracked, documented, and reported to all designated authorities, whether internal or external to the organization.
2. Regularly test the organization’s incident response capabilities.
8. Maintenance—2 additions under CMMC Level 3:
1. Sanitize equipment transported off-site for maintenance by removing all CUI, including traces and other potential pathways to unauthorized access to CUI.
2. Monitor all media containing diagnostic or test programs to ensure it is free of all forms of malicious code prior to installing or using it on organizational systems.
9. Media Protection—4 additions under CMMC Level 3:
1. Mark or code any media containing CUI intended for limited distribution.
2. Disallow the use of any portable storage devices with unclear ownership or origin.
3. Restrict access to media containing CUI. Maintain accountability for this media during transport to areas not controlled by the organization.
4. Use cryptography or physical safeguards to protect the confidentiality of CUI stored on digital media, especially during transport.
10. Physical Protection—1 new practice under CMMC Level 3:
1. Expand physical safeguards for CUI to all alternative work sites.
11. Recovery—a new domain with 1 practice under CMMC Level 3:
1. Regularly perform robust and resilient data backups according to protocols and schedules defined by the organization’s security needs and storage media.
12. Risk Management—3 additions under CMMC Level 3:
1. Perform periodic risk assessments that identify and prioritize risks according to criteria defined by the organization, including categories and sources.
2. Develop and implement plans to mitigate those risks as they’re identified.
3. Manage products separately if they’re unsupported by vendors. Enforce access restrictions to these products and use them independently of other assets to reduce the spread of malware.
13. Security Assessment—2 additions under CMMC Level 3:
1. Monitor existing security controls to ensure ongoing efficacy and safety.
2. Employ independent security assessments specific to software developed internally for internal use if identified as a risk.
14. Situational Awareness—a new domain with 1 practice under CMMC Level 3:
1. Collect, analyze and share relevant cyber threat intelligence from external sources with stakeholders, including reputable reports and forums.
15. System and Communications—15 additions under CMMC Level 3:
1. Use cryptography up to FIPS for protecting CUI.
2. Ensure that effective and efficient information security is optimized across all information system elements, including the following:
- Architectural designs
- Infrastructural designs
- Software development techniques
- System engineering principles
3. Fully separate user functionalities access and system management.
4. Prevent insecure transfers of sensitive information with shared internal and external system resources, including unintentional and unauthorized transfers.
5. Implement a whitelist approach to network communications traffic, meaning such traffic is denied by default and allowed only by exception.
6. Prevent the potentially dangerous occurrence of “split tunneling,” in which remote devices simultaneously establish a non-remote connection with the organization’s systems and a connection to resources in external networks.
7. Use cryptography or physical safeguards to prevent unauthorized disclosure of CUI, especially during transmission or transportation.
8. Terminate network connections related to communication immediately upon the end of the session or after a period of inactivity defined by the organization.
9. Maintain cryptographic keys for all cryptography used across all systems.
10. Strictly monitor and control the use of mobile codes.
11. Strictly monitor the use of Voice over Internet Protocol (VoIP) technology.
12. Ensure the authenticity of communications across sessions.
13. Ensure protection of CUI while in storage or some other passive capacity.
14. Use robust Domain Name System (DNS) filtering services.
15. Develop and enforce a policy restricting the publication of CUI on external, publicly accessible media and platforms such as forums and social media.
16. System and Information Integrity—a new domain with 3 practices under CMMC Level 3:
1. Deploy mechanisms for detecting spam and protecting against it at all entry, exit, and access points to the organization’s information systems.
2. Use all available resources to detect and prevent document forgery.
3. Implement sandboxing techniques to detect, filter, block, or otherwise prevent malicious and suspicious email communications.
CMMC Levels Provide Benefits Beyond DoD
While CMMC can be challenging, especially at CMMC Level 3, it provides guidance on security best practices that help contractors to improve their overall security posture. The controls detailed in the CMMC certification levels can be used by any organization to assess their security posture and enhance it as needed.
Due to the fact that the CMMC incorporates NIST SP 800-171 and other government guidelines, it assists with adherence to compliance requirements for other federal agencies.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 17th August, 2022