What CMMC level should the organization aim for?

The CMMC maturity level that a company must reach to work for the Department of Defense is determined by the sensitivity of the DoD information it will be working with. The following explanation of the process and practice standards for each of CMMC’s five levels will assist you in determining which nist 800-171 compliance level is most appropriate for your company.

Level 1 of CMMC

  • Performed Processes

The prescribed practices must be followed by an organization at Level 1. Process maturity is not examined for Level 1 because the company may only be able to implement these practices ad hoc and may or may not rely on documentation.

  • Basic Cyber Hygiene is a good practice to follow.

Level 1 focuses on the preservation of FCI and only includes practices that comply with the 48 CFR 52.204-21 fundamental safeguarding standards.

Level 2 CMMC

  • Processes are well-documented.

To implement its CMMC activities, a business must define and codify practices and rules at Level 2. Individuals can perform practises in a repeatable manner by documenting them. Documenting and practicing processes as documented helps organizations create mature capabilities.

  • Intermediate Cyber Hygiene Practices

Level 2 is a step between Level 1 and Level 3 that includes a portion of the NIST SP 800-171 security requirements as well as practices from other standards and references. Because this is a transitional level, a subset of the practices make mention of CUI protection.

Level 3 CMMC

  • Processes are well-managed.

An organization must design, maintain, and resource a plan that demonstrates the management of activities for practice implementation at Level 3. Missions, goals, project plans, resources, required training, and involvement of important stakeholders may all be included in the plan.

  • Cyber Hygiene Best Practices

Level 3 focuses on CUI security and includes all of the security standards outlined in NIST SP 800-171 as well as 20 additional threat mitigation measures. Level 3 standards must be met by any contractor whose contract includes a DFARS clause.

Level 4 CMMC

  • Process Reviewed

An organization’s processes must be reviewed and measured for success at Level 4. Furthermore, companies at this level can take corrective action as needed and regularly update higher-level management on status or difficulties.

Level 5 of the CMMC

  • Processes: Improving

To achieve Level 5, a business must standardize and optimize process implementation across the board.

  • Advanced/Proactive Practices

The protection of CUI from APTs is the focus of Level 5. Additional cybersecurity practices expand the breadth and sophistication of the capabilities.