What CMMC Level Do I Need?

Publication date: Aug 25, 2020

Last Published: Sep 02, 2021

Table of Contents
Read Time : 5 minutes

Improving the cybersecurity posture of the Defense Industrial Base (DIB) and protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from falling into the wrong hands is no easy task.

To ensure that all DoD contractors have appropriate levels of cybersecurity practices and processes in place, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) framework, and its roll-out has already begun.

All DoD contractors should familiarize themselves with the CMMC as soon as possible and determine which of the five CMMC levels they need to comply with by performing a comprehensive inventory of their systems to reveal where FCI and CUI data is stored—if it’s stored at all.

CMMC eBook

DoD Contractors Guide to CMMC Certification.

CMMC Levels Explained

The CMMC framework defines five cybersecurity maturity levels to reflect the fact that not all DoD contractors handle the same kind and quantity of sensitive government information.

The five CMMC certification levels are cumulative, so any contractor that wants to achieve compliance with, let’s say, Level 3 must also comply with Level 1 and Level 2. Here’s  a concise summary of each of the five levels:

CMMC Level 1

The first CMMC level is about meeting the basic requirements to protect FCI, such as using an up-to-date antivirus software application or ensuring that all employees use safe passwords and protect them from unauthorized third parties. FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

All organizations that have an active contract with the DoD should be able to achieve CMMC Level 1 compliance without any issues and with minimal effort required to strengthen their cybersecurity defenses.

CMMC Level 2

The second CMMC level can be described as a transition step toward Level 3because it introduces CUI, which the DoD defines as any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.

At this level, contractors are required to establish and document standard cybersecurity practices, policies, and strategic plans necessary to implement a cybersecurity program. This level consists of a major subset of the security requirements specified in NIST SP 800-171.

CMMC Level 3

CMMC Level 3 is all about demonstrating good cyber hygiene and having the controls necessary to protect CUI. Contractors who would like to achieve Level 3 compliance should be prepared to continuously review all activities based on their cybersecurity policy.

This level encompasses all requirements specified in NIST SP 800-171, and it also includes requirements from other similar standards. These requirements cover everything from logging and monitoring to incident response to backup and recovery to DNS filtering and spam protection.

CMMC Level 4 and Level 5

Both CMMC Level 4 and Level 5 focus on addressing the changing tactics, techniques, and procedures used by Advanced Persistent Threats (APTs). The main difference between Level 4 and Level 5 is that the latter requires contractors to have a proactive cybersecurity program and standardized processes to achieve consistency across the entire organization.

To achieve compliance with the highest CMMC level, contractors must put in place 171 security controls, which are grouped into 17 domains. These domains include access control, awareness and training, configuration management, maintenance, physical protection, recovery, situational awareness, and more.

Determining Which CMMC Level to Comply With

The CMMC is divided into five levels so that DoD contractors are not expected to comply with requirements that are not necessary to protect the type of information they handle. A contractor at the very bottom of the supply chain will most likely be required to certify only to Level 1, while a contractor with access to military base construction projects will be required to certify to one of the highest two levels.

To determine which CMMC level a contractor should be working toward, it’s important to inventory all systems in order to find out where FCI and CUI data is stored and how. Those contractors that don’t have the capacity to complete this first step in-house should partner with a managed services provider (MSP) offering CMMC readiness assessments

Once a readiness assessment has been performed to reveal how FCI and CUI is stored, and access to information controlled, determining which CMMC to comply with shouldn’t be a problem.

The next step is to perform a gap analysis to identify what needs to be done to achieve compliance with the appropriate CMMC level. The outcome of the gap analysis should be a comprehensive remediation plan with a clear timeline and actionable steps to fill the identified gaps. Again, DoD contractors that are not confident in their cybersecurity capabilities can outsource the implementation of relevant changes to policies and procedures to an MSP.


The Cybersecurity Maturity Model Certification wants to avoid burdening the private sector with unnecessarily complicated requirements, which is why it’s divided into five levels, allowing contractors in the Defense Industrial Base to select the most appropriate level according to their access to Federal Contract Information and Controlled Unclassified Information. To determine which CMMC level to comply with, contractors need to thoroughly inventory their systems to know exactly where FCI and CUI data is stored, but they don’t have to do this alone. They can partner with an MSP that is offering CMMC readiness assessments and understands what needs to  be done to meet CMMC requirements.

To get started with getting your organization CMMC compliant contact OSIbeyond today.

Related Posts: