Understanding the Levels of CMMC: Enhancing Cybersecurity Maturity

November 28, 2023

Navigating cybersecurity is rarely a walk in the park, especially when the ‘park’ is highly-regulated, well-guarded, and developed by the US Department of Defense. 

Navigating this complex landscape can be challenging – but fortunately, when it comes to protecting data, there’s no one better to call the shots than the actual DoD. Here’s everything you need to know about CMMC, its compliance levels, and how businesses can ensure compliance with their appropriate level. 

The Cybersecurity Maturity Model Certification (CMMC)

All frameworks constantly evolve and improve so that organizations can leverage cybersecurity best practices that are fully equipped to combat the ever-changing threat landscape. Given the dynamic nature of digital threats, this is particularly crucial for the Cybersecurity Maturity Model Certification (CMMC). Threats against national security range from serious to critical, and there is zero room for complacency. Because of this, and because the requirements are contractual obligations with the DoD, every defense contractor will want to be certain they’re compliant.

Cue CMMC. 

This framework is specifically designed by the US Department of Defense (DoD) to help contractors within the Defense Industrial Base (DIB) assess and improve their cybersecurity posture. But what does that mean for your business? 

Let’s break down who needs to comply, what the levels are, and how to navigate them.

Who is Subject to CMMC Compliance? 

The CMMC framework is designed to elevate and bulletproof the cybersecurity posture for organizations within the DIB. It primarily protects Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that moves between the Department of Defense and the relevant contractors and subcontractors. Generally, the security requirements are incorporated into the contracts with the DoD. 

In a nutshell, virtually any DoD prime contractor and DoD subcontractor must comply with CMMC requirements. It’s important to note that the level of CMMC required will vary based on the contract’s nature and the sensitivity of the information involved.

Understanding the Levels of CMMC: Enhancing Cybersecurity Maturity

The transition from CMMC 1.0 to 2.0 represents the DoD’s effort to streamline the framework, making it more accessible and efficient for contractors while maintaining robust cybersecurity standards. With the introduction of CMMC 2.0, significant changes have been made to simplify and improve the certification process.

In an attempt to simplify the CMMC Program, the latest CMMC 2.0 model, which is expected to start rolling out throughout defense contracts, has changed the five compliance levels of CMMC 1.02 to three levels. This includes Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The assessment requirements will vary depending on the level of CMMC needed. 

Each business must conform to the appropriate level based on its contract information. As a subcontractor, your prime will inform you. The majority of contracts will require Level 1 or Level 2 compliance. However, having a baseline understanding of the three levels is vital to ensuring that you’re well-prepared when it comes to staying compliant and potentially signing new business within the industry. 

Companies currently engaged with CMMC should note the transition period to adapt their practices to meet the revised CMMC 2.0 requirements.

Understanding the CMMC 2.0 Compliance Levels

When looking at the very core of CMMC compliance, the model is defined by three fundamental objectives: 

  1. To protect sensitive defense information from cyber attacks.
  2. To create a standardized and unified cybersecurity standard for defense contractors.
  3. To ensure accountability for defense companies responsible for safeguarding government data. 

CMMC 2.0 implements a three-tiered model, requiring companies that handle national security information to implement cybersecurity practices at progressively higher levels. Various factors determine the appropriate compliance level for each company, but the primary ones are the type of information the organization handles and its sensitivity level.

Understanding each level in detail will help organizations effectively align their cybersecurity strategies with DoD requirements.

It should be noted that when it comes to CMMC levels, contractors and subcontractors that handle the same type of FCI and CUI must adhere to the same level. There is an exception to the rule, however: a lower CMMC level may apply to the subcontractor in cases where the prime only passes on selected information. From a high-level perspective, the three compliance levels are as follows:

CMMC Level 1: Foundational (FCI only)

CMMC Level 1 is considered the baseline of compliance and the lowest level, consisting of 17 basic cybersecurity practices such as authentication and access controls. The primary goal of CMMC Level 1 is to protect Federal Contract Information (FCI). Therefore, it’s a mandatory requirement for any party that obtains a DoD contract and does not solely produce Commercial Off-the-Shelf (COTS) products. Although Level 1 organizations are expected to perform these basic cybersecurity practices, there will be no third-party certification assessment, as this level does not involve sensitive national security information.

Instead, Level 1 organizations are expected to conduct annual self-assessments, accompanied by an affirmation from a senior company official confirming that the company is adhering to the relevant requirements. This senior official can be held liable under the False Claims Act. In practice, Level 1 focuses on basic cyber hygiene, encompassing the essential practices needed to protect Federal Contract Information.

Any organization under contract to supply a product or service to the government is required to have CMMC level 1 certification.

CMMC Level 2: Advanced (FCI and CUI)

There is a significant step from Level 1 to Level 2, primarily focused on protecting CUI and building on the security posture established in Level 1. If an organization handles both FCI and CUI, it must meet Level 2 or higher compliance requirements. This level also requires organizations to document the entire implementation process and to repeat all processes as documented. The Level 2 stage is called ‘intermediate cyber hygiene’ and is a progression between Levels 1 and 3.

Amongst other things, CMMC Level 2 compliance will require an organization to comply with all security requirements established in NIST SP 800-171, 110 practices in total. Regarding assessment within Level 2 compliance, the process varies depending on whether the CUI data can directly influence national security.

For critical CUI data, organizations must pass a high-level third-party assessment every three years. In contrast, non-prioritized assets holding data that is not essential to national security are required to conduct annual self-assessments. Level 2 aligns with NIST SP 800-171, introducing more complex requirements and expanding upon the foundational practices of Level 1 to provide robust protection for Controlled Unclassified Information.

CMMC Level 3: Expert (FCI and CUI)

CMMC Level 3 is considered the highest level of CMMC certification and primarily focuses on reducing and mitigating the risk from Advanced Persistent Threats (APTs). This level requires by far the most stringent security measures and is generally reserved for organizations working with CUI on the DoD’s highest-priority programs. If organizations are subject to Level 3 compliance, additional practices from NIST SP 800-171 and NIST SP 800-172 will apply. More importantly, Level 3 certifications are assessed by the Federal Government’s Defense Contract Management Agency. Assessment process details for Level 3 are still being developed at this time. Being the most advanced level, Level 3 requires adherence to practices beyond NIST SP 800-171, targeting sophisticated threats and demonstrating an organization’s capability to manage APTs.

Benefits of CMMC Compliance

With cybersecurity becoming a necessity for protecting your business, the more robust the security framework, the better. Not only will the framework help you mitigate costly cybersecurity risks and data breaches, but implementing some (or all) of its security measures shows that your business takes a serious and proactive approach to cybersecurity. 

Moreover, businesses can showcase that they have the necessary cybersecurity measures in place, giving them a competitive advantage. Beyond achieving certification, continuous compliance with CMMC is essential, requiring ongoing monitoring and improvement of cybersecurity practices.


Level Up with Scytale’s Automated Compliance

Understanding the impact of the CMMC compliance levels on your organization and the role they play within the DoD is only the tip of the iceberg. The next step? Implementing the relevant requirements so that you’re protecting critical data while growing your business.

However, getting and staying compliant shouldn’t come at the cost of your resources, time or patience. That’s why we’re dedicated to providing our clients with everything they need to lock down their CMMC, without draining resources or taking focus away from key business objectives.