CMMC Compliance: Requirements of the Three Levels of Certification

Cybersecurity is a top concern for businesses in every sector, as cyberattacks have dramatically increased in recent years. The number of attacks targeting businesses rose 50% in 2021 alone.

Government and military organizations, and their contractors, rank among the most targeted industries. This has driven the Department of Defense (DoD) to expand cybersecurity standards for its contractors, including the Cybersecurity Maturity Model Certification (CMMC), to protect sensitive unclassified information. While the implementation of CMMC is suspended during the rulemaking process, the DoD encourages contractors to continue improving their cybersecurity controls.

Currently, the DoD CMMC 2.0 standards define 3 levels of certification. The first step in preparing for CMMC certification is to determine which certification level your organization requires and to begin collecting evidence for assessment.

An Overview Of The 3 Levels Of CMMC

What does CMMC compliance require at the 3 levels of certification? Levels progress from basic safeguarding requirements at Level 1 to expert controls at Level 3.

Level 1: Foundational Practices


Level 1 certified organizations meet basic cyber hygiene requirements and conduct annual self-assessments.

There are 17 practices required to meet CMMC Level 1 certification. These include, but are not limited to:

  • Access controls that limit access to authorized users
  • Identification and authentication processes that verify users
  • Media protection practices to avoid releasing sensitive information
  • Physical protection rules that limit physical access to systems
  • System and communications protection to protect organizational communications
  • System and information integrity practices that protect from cyberattacks

Level 2: Advanced Cybersecurity Practices

At Level 2, organizations meet intermediate cyber hygiene requirements to protect Controlled Unclassified Information (CUI) and complete either self-assessments or third-party assessments, depending on the data they hold.

CMMC Level 2 certification includes 110 practices aligned with NIST SP 800-171, including:

  • Access control and accountability monitoring
  • Cybersecurity training for managers and users
  • Security assessment practices, including configuration settings enforcement
  • Incident response plans and maintenance controls
  • Recovery practices to back up data, and risk management practices
  • System and information integrity monitoring for potential attacks or security issues

Level 3: Expert Cybersecurity Practices

CMMC Level 3 requirements and assessment guides are still under development. CMMC Level 3 will add further practices, as defined by NIST SP 800-172, that provide for the protection of CUI.

Organizations and Contracts That Require Higher Levels Of Certification

Which CMMC level does your organization need? Pursuing the most appropriate certification level will save your organization time and money.


Most organizations that contract with the DoD require a CMMC certification at Level 1 at a minimum. Level 1 practices represent a foundational baseline and a good entry point to the certification process.

Contractors working with Controlled Unclassified Information (CUI) will need Level 3 implementation and certification at a minimum.

Work With Hartman Executive Advisors To Determine The CMMC Level Requirement For Your Business

Hartman Executive Advisors offers , including establishing evidence collection and resource planning, to help your organization meet its certification needs. Make sure your organization is prepared for CMMC compliance. Contact Hartman today to learn more about cybersecurity best practices and CMMC 2.0.
