|
CMMC
|
|
What are the 5 CMMC Levels?
DoD CMMC Levels
CMMC Level 1 - The baseline requirement for all DoD contractors and subcontractors is described as “basic cyber hygiene.” There are no documentation requirements in this level, but each organization must be able to demonstrate essential cyber practices on 17 topics. Basic cyber hygiene will be required for all contractors to protect Federal Contract Information (FCI).
CMMC Level 2 is a transition level to help organizations chart their path from Level 1 (“basic cyber hygiene”) to the 130 practices which will be required at Level 3 to protect Controlled Unclassified Information (CUI). This level contains 72 practice requirements and introduces documentation (process) requirements. Since it is designed to be an intermediate level of maturity, no DoD contracts are expected to specifically call for a Level 2 certification.
CMMC Level 3 is intended to demonstrate “managed processes” and “good cyber hygiene” commensurate with protecting CUI. Organizations who have been responsible for safeguarding CUI on previous Federal contracts will find the NIST SP 800-171 requirements familiar, although several additional requirements are included as well (such as incident reporting).
CMMC Level 4 builds upon the CUI requirements from Level 3, specifically to protect against Advanced Persistent Threats (APTs) which could come from sophisticated adversaries due to the sensitivity of the information. Level 4 adds 26 practice requirements and focuses on the effectiveness of security controls, with topics such as risk management and penetration testing.
CMMC Level 5 further builds upon the APT safeguards in Level 4 by adding 15 more practice requirements (bringing the overall total to 171). The goal for Level 5 organizations is an “advanced/progressive” cyber maturity that is optimized across the entire organization. This represents the highest level of cyber maturity expected at the unclassified level.
DoD CMMC Levels
- Level 1
- Basic Cyber Hygiene (NIST SP 800-171 Revision 1 – 16 Controls)
- Level 2
- Intermediate Cyber Hygiene (NIST SP 800-171 Revision 1 – 46 Controls)
- Level 3
- Good Cyber Hygiene (NIST SP 800-171 Revision 1 – 47 Controls)
- Level 4
- Proactive (NIST SP 800-171 Draft Revision B – 26 Controls)
- Level 5
- Basic Cyber Hygiene (NIST SP 800-171 Draft Revision B – 4 Controls)
CMMC Level 1 - The baseline requirement for all DoD contractors and subcontractors is described as “basic cyber hygiene.” There are no documentation requirements in this level, but each organization must be able to demonstrate essential cyber practices on 17 topics. Basic cyber hygiene will be required for all contractors to protect Federal Contract Information (FCI).
CMMC Level 2 is a transition level to help organizations chart their path from Level 1 (“basic cyber hygiene”) to the 130 practices which will be required at Level 3 to protect Controlled Unclassified Information (CUI). This level contains 72 practice requirements and introduces documentation (process) requirements. Since it is designed to be an intermediate level of maturity, no DoD contracts are expected to specifically call for a Level 2 certification.
CMMC Level 3 is intended to demonstrate “managed processes” and “good cyber hygiene” commensurate with protecting CUI. Organizations who have been responsible for safeguarding CUI on previous Federal contracts will find the NIST SP 800-171 requirements familiar, although several additional requirements are included as well (such as incident reporting).
CMMC Level 4 builds upon the CUI requirements from Level 3, specifically to protect against Advanced Persistent Threats (APTs) which could come from sophisticated adversaries due to the sensitivity of the information. Level 4 adds 26 practice requirements and focuses on the effectiveness of security controls, with topics such as risk management and penetration testing.
CMMC Level 5 further builds upon the APT safeguards in Level 4 by adding 15 more practice requirements (bringing the overall total to 171). The goal for Level 5 organizations is an “advanced/progressive” cyber maturity that is optimized across the entire organization. This represents the highest level of cyber maturity expected at the unclassified level.
TechSavvi provides IT expert consulting services to help DOD contractors achieve 100% compliance with CMMC regulations. Use TechSavvi help you pass your CMMC Certification audit with 100% confidence.
As a NIST Consultant, TechSavvi helps Department of Defense (DoD) contractors implement the NIST 800-171 cybersecurity framework in order to comply with DFARS and prepare for an upcoming CMMC audit.
For many government contractors, contracts with the Department of Defense (DoD) make up a substantial part of their business. They simply cannot risk failing an upcoming Cybersecurity Maturity Model Certification (CMMC) audit. That’s why many DOD Contractors are choosing TechSavvi so they know exactly what they need to do to achieve 100% compliance.
Contact us to learn how your business can get started towards CMMC certification.
Explore the pages below to learn more about the CMMC framework and how to get CMMC certified.
As a NIST Consultant, TechSavvi helps Department of Defense (DoD) contractors implement the NIST 800-171 cybersecurity framework in order to comply with DFARS and prepare for an upcoming CMMC audit.
For many government contractors, contracts with the Department of Defense (DoD) make up a substantial part of their business. They simply cannot risk failing an upcoming Cybersecurity Maturity Model Certification (CMMC) audit. That’s why many DOD Contractors are choosing TechSavvi so they know exactly what they need to do to achieve 100% compliance.
Contact us to learn how your business can get started towards CMMC certification.
Explore the pages below to learn more about the CMMC framework and how to get CMMC certified.
