Note: “CMMC Certification Levels” are now referred to as “CMMC Compliance
Levels” as per CMMC 2.0 guidelines
Overview
In order to do business with the Department of Defense (DoD), your organization needs to achieve one of three CMMC Compliance Levels. Level 1 has
the fewest requirements, while Level 3 is the most difficult to reach. Which level you must achieve should be stated in your contract. The majority of contracts require level 1 or 2.
The CMMC Compliance Level you are required to achieve is dependent on the nature of the information you will be handling and its security requirements:
-
Level 1: Federal Contract Information (FCI)
-
Level 2: FCI & Controlled Unclassified Information (CUI)
-
Level 3: FCI & CUI + Additional Protections and Controls
Level 1: Foundational
The first level of CMMC Compliance consists of 17 basic cybersecurity best practices, covering topics such as Identity and Authentication and basic Access Controls. If you are doing business with the DoD or related organization and do not exclusively produce commercial off-the-shelf products, Level 1 is the base level you must reach. This level of compliance is by far the most common, and most contractors will not need to go further.
Unlike higher levels of CMMC compliance, you do not need to pass an assessment by a third party to achieve Level 1. You are, however, required to perform annual self-assessments on your cybersecurity posture. A senior company official must affirm this assessment, and their statement will be liable under the False Claims Act.
Level 2: Advanced
(Referred to as CMMC Certification Level 3 in CMMC version 1.02)
The second CMMC compliance level requires you to expand upon information controls implemented in Level 1, and increase your overall security to be eligible to handle CUI, which has more serious national security implications than FCI. CMMC Level 2 requires full compliance with the NIST SP 800-171 security framework. This international data security standard consists of 110 cybersecurity best practices. Achieving this level of compliance will cost much more time and money compared to Level 1, but it is nonnegotiable if your organization is to handle both CUI and FCI.
All organizations that reach CMMC Compliance Level 2 (with a few exceptions) must continually prove that they are in compliance. These regular audits are performed by a CMMC Third-Party Assessment Organization (C3PAO), which is a civilian organization that is officially accredited by the CMMC Accreditation Body (CMMC-AB) to perform such audits.
Level 3: Expert
(Combines CMMC Certification Levels 4 and 5 of CMMC version 1.02)
This compliance level ensures your organization has the ability to reliably protect CUI from advanced persistent threats (APTs), such as state-sponsored cybercriminal collectives. The additional requirements for Level 2 to Level 3 are few compared to those from Level 1 to Level 2, however, these new practices and controls are more advanced and will be more time-consuming for you to implement and maintain. For example, you must implement a set of more stringent security practices from NIST SP 800-172 requirements in addition to all those required for Level 2.
Because this is the highest level, you must continually prove your organization’s ability to maintain CMMC Compliance Level 3 by passing audits administered directly by government officials.