What are the five CMMC levels?

The five CMMC levels are: Level 1—Basic Cyber Hygiene, Level 2—Intermediate Cyber Hygiene, Level 3—Good Cyber Hygiene, Level 4—Proactive Security, and Level 5—Advanced and Progressive Security.

Who needs to be CMMC certified?

All DoD contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must obtain a CMMC certification at the level required by their contract.

How long does a CMMC audit take?

A full CMMC audit can take several months, including preparation time, readiness assessments, remediation, and the certification audit conducted by a C3PAO.

How can contractors prepare for a CMMC audit?

Contractors typically perform a readiness assessment, gap analysis, remediation, and update their System Security Plan (SSP). Many hire a cybersecurity partner like RSI Security to accelerate preparation and reduce risk.

Is CMMC certification required to bid on DoD contracts?

Yes. Contractors must achieve their required CMMC level before bidding on new Department of Defense contracts. Without certification, organizations cannot compete for DoD work.

What Are the Different Levels of Cybersecurity Maturity Model Certification?

Q: What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a cybersecurity framework required by the Department of Defense to ensure contractors protect Controlled Unclassified Information (CUI). It includes five maturity levels with specific practices and processes to meet.

RSI Security

2 months ago

Cybersecurity Maturity Model Certification

In 2020, Department of Defense (DoD) contractors were required to implement robust cybersecurity protocols in response to increasing security breaches. One of the most significant incidents occurred on October 4, 2018, affecting over 30,000 civilian and military contractors.

To prevent future breaches, companies that handle Controlled Unclassified Information (CUI) must demonstrate that their networks and systems meet stringent security standards. Achieving this requires compliance with the applicable Cybersecurity Maturity Model Certification (CMMC) levels for the type of data they manage. Before contractors and their partners can obtain certification, they need a clear understanding of the CMMC framework and its five distinct levels.

What is Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure that all Department of Defense (DoD) contractors handling Controlled Unclassified Information (CUI) have robust cybersecurity protocols across every system and network. This requirement also extends to a contractor’s third-party associates.

CMMC goes beyond the Defense Federal Acquisition Regulation Supplement (DFARS) by eliminating self-assessments. Contractors and their partners must now engage a third-party certified auditor to verify compliance with CMMC standards.

The CMMC framework is based on NIST SP 800-171 standards. While organizations do not need separate NIST certification to comply with CMMC, achieving compliance with NIST protocols is essential. It’s important to note that meeting NIST requirements does not automatically grant CMMC certification, as each framework has distinct criteria for safeguarding CUI.

In simple terms, CMMC verifies that appropriate cybersecurity protocols are in place to protect CUI. It evaluates the processes and practices required for certification. There are five CMMC levels, and each level has a specific set of practices and processes that organizations must meet to achieve certification.

Assess your CMMC compliance

Cybersecurity Maturity Model Certification (CMMC) Levels

The Cybersecurity Maturity Model Certification (CMMC) framework consists of five progressive levels. The Department of Defense (DoD) determines the required certification level based on the type of Controlled Unclassified Information (CUI) a company manages. Each level builds on the previous one, increasing in both cybersecurity protocol complexity and process maturity.

Level One: Basic Cyber Hygiene

CMMC Level One focuses on fundamental cyber hygiene and compliance with 48 CFR 52.204-21, a federal regulation requiring the safeguarding of covered contractor information (FCI).

Level One serves as the foundation for all CMMC levels.
Audits at this level verify that basic cybersecurity practices are implemented and maintained.
Process maturity is not required; only the implementation of practices is assessed.
FCI includes contractual information about products or services provided to the government that is not intended for public release.

Level Two: Intermediate Cyber Hygiene

Level Two introduces the first elements of process maturity while continuing to protect FCI.

Focuses on intermediate cyber hygiene and a more advanced set of security protocols.
Organizations must document operational procedures, policies, and plans to implement and maintain these protocols.
Passing a Level Two assessment allows contractors to bid on government contracts that require a higher level of cybersecurity.

Level Three: Good Cyber Hygiene & NIST Alignment

Level Three is required for organizations that handle CUI.

Organizations must implement NIST SP 800-171 Rev 1 security requirements.
Level Three confirms that basic protocols are in place to protect CUI.
Companies must continuously review and maintain adherence to security procedures.
Advanced Persistent Threats (APTs) may still pose a risk, and organizations must proactively plan, implement, and maintain protocols.
Some Level Three organizations may need to comply with additional DFARS clause 252.204-7012 requirements, including incident reporting.

Level Four: Proactive Cybersecurity

Level Four emphasizes proactive cybersecurity and process maturity.

Organizations must be able to adapt their defenses against APTs using changing tactics, techniques, and procedures (TTPs).
Audits at this level assess whether the company regularly reviews and documents the effectiveness of its cybersecurity systems.

Level Five: Advanced & Optimized Cybersecurity

Level Five represents the most advanced level of the CMMC framework.

Organizations demonstrate a progressive and proactive cybersecurity program.
Companies must optimize security systems to prevent and mitigate APTs effectively.
Process maturity requires that cybersecurity protocols are fully integrated and consistently applied across the organization.

CMMC Timeframe

The Cybersecurity Maturity Model Certification (CMMC) assessment process has a tight timeframe, giving DoD contractors limited time to implement the required cybersecurity protocols. The official CMMC levels were released in January 2020, and contractors needed certification by October 2020 to bid on new government contracts.

Key CMMC Milestones in 2020:

January 2020: CMMC levels and requirements were officially released.
February–May 2020: Initial round of assessor training took place.
June–September 2020: Audits began for select DoD programs and RFIs. Contractors wishing to bid on these programs needed to be certified at the required CMMC level.
October 2020 and beyond: Contractors must obtain certification from an accredited assessor to qualify for new contracts.

Due to the tight schedule, many DoD contractors are partnering with cybersecurity firms like RSI Security to prepare for their CMMC assessments efficiently.

Preparing for a Cybersecurity Maturity Model Certification (CMMC) Audit

CMMC audits can take up to eight months to complete, making it crucial for organizations to start preparation early. Given the tight timeframe, it is highly recommended that companies engage a third-party assessor to perform a pre-audit assessment.

A comprehensive pre-audit typically consists of four key components, each designed to ensure readiness for the CMMC Level Assessment:

Readiness Assessment and Gap Analysis – Evaluate current cybersecurity practices and identify gaps relative to the required CMMC level.
Remediation Plan – Develop a structured plan to address identified gaps and improve security processes.
Monitoring and Reporting – Implement ongoing monitoring to track progress and ensure continued compliance.
System Security Plan (SSP) – Document all security controls and practices to demonstrate compliance during the official audit.

Engaging a qualified cybersecurity partner can streamline this process, improve audit readiness, and increase the likelihood of successfully achieving Cybersecurity Maturity Model Certification

Readiness Assessment and Gap Analysis for CMMC

The Readiness Assessment and Gap Analysis is a crucial first step in preparing for Cybersecurity Maturity Model Certification (CMMC). This process helps DoD contractors understand how close they are to meeting the requirements for their specific CMMC level.

During the assessment, key areas are evaluated, including:

Data Storage and Access Controls: How is sensitive data stored, and who has access to it?
Incident Response Plans: Are plans in place, up to date, and effective in addressing potential breaches?
Personnel Training: Are IT staff and other employees adequately trained on cybersecurity protocols?
Implementation and Maintenance of Security Protocols: How consistently are security measures applied and monitored?

Once the readiness assessment is complete, the Gap Analysis identifies areas at risk and develops a structured plan to address these gaps. This ensures the organization is fully prepared for the official CMMC audit and can achieve certification efficiently.

Remediation Plan for CMMC Compliance

A remediation plan is developed to address any security gaps identified during the Readiness Assessment and Gap Analysis. Its primary goal is to ensure that contractors achieve full Cybersecurity Maturity Model Certification (CMMC) compliance.

A comprehensive remediation plan typically includes five key components:

Activity Planning: Define the actions necessary to resolve identified security issues.
Resource Allocation: Assign the personnel, tools, and budget required to mitigate risks and close gaps.
Timeline Development: Establish a schedule with projected completion dates and milestones for remediation tasks.
Vulnerability Analysis: Provide insights into how security gaps were discovered and assessed.
Risk and Cost Assessment: Document risk levels, set priorities, and estimate the costs associated with remediation efforts.

All information from these five components should be well-documented to guide the organization during implementation and serve as reference material for the official CMMC audit.

Continuous Cybersecurity Monitoring and Reporting for CMMC

Once a contractor achieves Cybersecurity Maturity Model Certification (CMMC) compliance, ongoing monitoring and reporting become essential. The CMMC framework requires that systems are continuously monitored for potential threats.

Key aspects of this process include:

Threat Detection: Continuously scan systems to identify vulnerabilities or suspicious activity.
Documentation: Record all detected threats and security incidents.
Response Tracking: Track and document response times and corrective actions to ensure issues are promptly addressed.

By maintaining continuous monitoring and thorough reporting, organizations not only stay compliant but also strengthen their overall cybersecurity posture, reducing the risk of breaches and ensuring readiness for future audits.

Updated Security Plans for CMMC Compliance

Maintaining an updated System Security Plan (SSP) is essential for achieving and sustaining Cybersecurity Maturity Model Certification (CMMC) compliance. Any changes to security protocols must be thoroughly documented to demonstrate ongoing adherence to CMMC requirements.

Key elements that should be documented include:

Company Cybersecurity Policies – Overall policies guiding the organization’s security posture.
Employee Security Responsibilities – Roles and responsibilities of staff in maintaining security.
Administration Tasks – Procedures for managing systems and access controls.
Network Diagrams – Visual representations of systems and networks handling CUI.

According to NIST SP 800-171, if the SSP protects Controlled Unclassified Information (CUI), any security changes to systems or networks with CUI access must be recorded. Some government contracts may also require a review of the updated SSP. Without proper documentation, contractors risk losing eligibility for DoD contracts.

The first two steps (policy and employee responsibilities) establish a strong foundation for a CMMC level assessment. The last two steps (administration tasks and network diagrams) help organizations maintain compliance and advance through the Cybersecurity Maturity Model Certification levels.

What to Expect From a CMMC Level Assessment

The first Cybersecurity Maturity Model Certification (CMMC) assessments began in June 2020. Companies that adequately prepared for the audit typically find it easier to achieve certification. However, even well-prepared organizations may be uncertain about the audit process.

According to the Office of the Under Secretary of Defense for Acquisition & Sustainment:

“Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of certification requested based on your business requirements. Certification will be awarded upon demonstrating the appropriate maturity in capabilities and organizational processes to the satisfaction of the assessor and certifier.”

Key Details of a CMMC Level Assessment:

All DoD contractors must become CMMC certified by passing a CMMC audit.
Passing the audit validates that the organization meets the required cybersecurity level for its DoD business.
Certification is mandatory for any company wishing to hold DoD contracts or act as subcontractors on DoD projects.
The Department of Defense uses certified third-party assessor organizations (C3PAOs) to conduct audits and verify that contractors meet the appropriate level of cybersecurity controls.
Contractors are awarded certification (Levels 1–5) if they satisfy 100% of the required controls for their targeted level.
While most assessments are performed by third-party organizations, some higher-level evaluations may be conducted by DoD assessors within the Services, Defense Contract Management Agency (DCMA), or Defense Counterintelligence and Security Agency (DCSA).

In summary, CMMC level assessments cannot be performed in-house. Contractors must have adequate security protocols in place for the specific CMMC level they are applying for. Without proper certification, companies may be ineligible to bid on government contracts.

In Conclusion: Preparing for Cybersecurity Maturity Model Certification

Time is limited for DoD contractors to complete assessments and achieve their required Cybersecurity Maturity Model Certification (CMMC) level. The tight schedule has left many organizations with questions about how to prepare and what to expect during the audit.

RSI Security is not only certified to perform CMMC audits but also offers expert guidance to help organizations prepare for their assessments. With certified personnel and proven methodologies, RSI Security ensures contractors can achieve compliance efficiently and maintain readiness for future audits.