Understanding CMMC Levels
The Cybersecurity Maturity Model Certification (CMMC) framework defines three cybersecurity maturity levels that are designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is handled, stored, and/or processed by Defense Industrial Base (DIB) companies and contractors.
Understanding the CMMC certification levels, especially CMMC Level 3, can be daunting, so detailed certification information appears in the guide below.
The U.S. Department of Defense (DoD) released CMMC 1.0 in January 2020 and updated it significantly with CMMC 2.0 in November 2021. The requirements for the various CMMC levels, including CMMC Level 3, were finalized by the DoD’s Final Rule in October 2024.
Let’s jump in.
Understand Your CMMC Levels
CMMC comprises three levels, which describe an organization’s cybersecurity posture. For CMMC Level 2, Certified Third-Party Assessor Organizations (C3PAOs) evaluate and validate an organization’s status. For CMMC Level 3, assessment is performed by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Contractors must meet the CMMC level required for the type of DoD work they want to bid on.
Seven Examples of Controlled Unclassified Information
1. For Official Use Only (FOUO)
2. Law Enforcement Sensitive (LES)
3. Personally Identifiable Information (PII)
4. Proprietary Business Information (PBI)
5. Sensitive but Unclassified (SBU)
6. Sensitive Personally Identifiable Information (SPII)
7. Unclassified Controlled Technical Information (UCTI)
CMMC Maturity Levels at a Glance
- CMMC Level 1
CMMC Level 1 is the most basic level of certification, consisting of practices that correspond to the essential cybersecurity requirements outlined in FAR 52.204-21 (Federal Acquisition Regulation 52.204-21).
- CMMC Level 2
CMMC Level 2 was created to provide a basic level of cybersecurity for any organization that manages CUI, and requires a higher level of cybersecurity preparedness than for an organization that only manages FCI. CMMC Level 2 requirements are aligned with NIST Special Publication (SP) 800-171.
- CMMC Level 3
The primary objective of CMMC Level 3 is to build on the cybersecurity practices established in the previous two levels and significantly strengthen organizations’ overall cybersecurity. CMMC Level 3 requires compliance with all 110 CMMC Level 2 requirements, along with 24 additional requirements from NIST SP 800-172.
What Are the Different Levels of CMMC?
CMMC initially contained five levels of cybersecurity protection, to define best practices for protection of DoD contractors’ and subcontractors’ FCI and CUI. The CMMC Final Rule streamlined requirements into three levels, as outlined above.
NIST CSF Maturity Levels and Controls
The NIST CSF, or the National Institute of Standards and Technology Cybersecurity Framework, was born out of President Obama’s 2013 Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”
It called for development of a voluntary, risk-based cybersecurity framework that provided a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk for critical infrastructure services.
Developed in partnership with small and large organizations from around the world, including owners and operators of the nation’s critical infrastructure, the NIST CSF defined four tiers and five maturity levels for cybersecurity. The NIST CSF was designed to help organizations assess risk and implement solutions.
NIST CSF is required for federal agencies because compliance with NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is mandatory. Commercial entities also use NIST CSF as a guideline for their security programs.
The NIST CSF is divided into three parts that are used to measure cyber-maturity levels.
1. Framework Core is a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. The core has five functions, which are subdivided into 22 categories (i.e., groups of cybersecurity outcomes) and 98 subcategories (i.e., security controls).
2. Framework Implementation Tiers are the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.
3. Framework Profile is an integration of industry standards and best practices to help organizations manage their cybersecurity risk and develop a shared understanding of cybersecurity risk.
Used to enhance cybersecurity, NIST controls provide details about risk posture, information protection, and security standards. NIST CSF controls provide a reference library to support the development of more secure and resilient federal information systems.
These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.
CMMC Level 1 and Requirements
CMMC Level 1 includes 15 requirements that are derived from 48 Code of Federal Regulations 52.204-21 (48 CFR 52.204-21), commonly referred to as the FAR Clause or FAR 52.204-21.
CMMC Level 1 also requires annual self-assessments and an annual cybersecurity affirmation by company leadership.
CMMC Level 2 and Requirements
CMMC Level 2 contains 110 requirements that are aligned with NIST SP 800-171. Unlike CMMC Level 1 (which is focused on FCI protection), CMMC Level 2 is also focused on CUI protection.
In the vast majority of cases, CMMC Level 2 requires a formal assessment by a C3PAO every three years, along with an annual cybersecurity affirmation.
CMMC Level 3 and Requirements
CMMC Level 3 contains 134 requirements, including the 110 requirements from CMMC Level 2 that are aligned with NIST SP 800-171. In addition to the 110 Level 2 requirements, DoD contractors and sub-contractors must also comply with 24 additional requirements from NIST SP 800-172. For that reason, CMMC Level 3 applies primarily to the largest DoD contractors that manage the most sensitive defense-related information.
CMMC Level 3 requires a formal assessment by the DCMA DIBCAC every three years, along with an annual cybersecurity affirmation.
CMMC Levels Provide Benefits Beyond DoD
While CMMC compliance can be challenging, especially at CMMC Level 3, it provides guidance on security best practices that help contractors to improve their overall security preparedness. The NIST SP 800-171 and NIST SP 800-172 controls that are detailed in the CMMC certification levels 2 and 3 can be used by any organization to assess their security posture and enhance it as needed.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 21st November, 2024