What is CMMC Compliance?

The requirements for CMMC certification depend on the level of certification.

Here is a short explanation of each certification level, with each level building upon the previous level’s requirement. For example, to complete Level 2, you will need to have completed all the requirements of Level 1 plus additional requirements:

Level 1: "Basic Cyber Hygiene"

  • DoD contractors seeking certification at this level must implement 7 NIST SP 800-171 Rev1 controls.

Level 2: "Intermediate Cyber Hygiene"

  • At this level, DoD contractors must implement a further 48 NIST SP 800-171 Rev1 controls plus 7 new "Other" controls.

Level 3: "Good Cyber Hygiene"

  • To achieve Level 3 certification, the remaining 45 NIST SP 800-171 Rev1 controls and 13 new "Other" controls must be implemented.

Level 4: "Proactive Cybersecurity"

  • In addition to the controls from Levels 1 through 3, 11 further NIST SP 800-171 Rev2 controls and 15 new "Other" controls are required.

Level 5: "Advanced/Progressive Cybersecurity"

  • For the highest level, DoD contractors must implement the final four NIST SP 800-171 Rev2 controls together with 11 new "Other" controls.

CMMC 2.0 introduces a streamlined, three-tiered approach to compliance. When CMMC 2.0 goes into effect, the number of levels will be reduced from five to three.

Level 1: Foundational

This is the entry point, focusing on basic cyber hygiene practices. Think of it as the foundation of a strong cybersecurity posture. Here's what Level 1 covers:

  • Access Controls: Safeguarding access to systems and data through measures like passwords and user permissions.
  • Data Protection: Implementing practices to protect sensitive information at rest and in transit.
  • Malware Defense: Employing antivirus and anti-malware software to shield against malicious programs.
  • Incident Response: Having a plan to identify, contain, and recover from security incidents.

Level 2: Advanced

Level 2 builds on Level 1 by requiring a more comprehensive set of security controls. Imagine it as adding strong walls and security measures to your foundation. This level aligns with NIST SP 800-171 security controls. Here's what Level 2 entails:

  • All Level 1 Controls: Fulfilling all the requirements from Level 1.
  • Detailed Security Policies: Developing and documenting formal cybersecurity policies and procedures.
  • System and Communication Security: Implementing controls to safeguard systems, networks, and communication channels.
  • Security Awareness and Training: Providing ongoing cybersecurity training for employees.
  • Risk Assessment: Regularly assessing systems and data for vulnerabilities.

Level 3: Expert (Under Development)

This most advanced level is still under development and will likely focus on specialized cybersecurity practices for handling highly sensitive information. Think of it as adding advanced security features and monitoring systems to your secure foundation. Specific details on Level 3 requirements are yet to be finalized.
