C3 has merged with Ingalls Read Press Release >>

Understanding Cybersecurity Maturity Model Certification (CMMC) Levels

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard mandatory for all Department of Defense (DoD) contractors. This overview covers the CMMC assessment process, requirements across maturity levels, and the importance of CMMC for businesses seeking DoD contracts. Gain a competitive edge by understanding and achieving CMMC compliance.

  • Kim Buckley

    Marketing Director

In this blog post, we will delve into the three levels of the Cybersecurity Maturity Model Certification (CMMC), explore what each level requires, and how organizations can achieve them.

Over the past, cybersecurity has become vital to securing our nation’s interests. Since the establishment of the Controlled Unclassified Information (CUI) program in 2010 to today’s CMMC, the U.S. Department of Defense (DoD) has sought to eliminate compromises of defense-related information housed on cots. Previous attempts at cybersecurity in the Defense Industrial Base (DIB) relied heavily on a self-attestation model, which has proved inadequate in ensuring that contractors meet specific cybersecurity standards. CMMC introduces a unified cybersecurity standard that introduces third-party assessments to measure protection of CUI and ensures compliance with cybersecurity practices, controls, and processes. This certification framework is designed to assess and enhance the cybersecurity posture of the DoD supply chain. In this blog post, we will delve into the CMMC levels and explore what each level requires, and how organizations can achieve them.

What Are the CMMC Maturity Levels and How Are They Determined?

The CMMC proposed rule includes three maturity levels aimed at protecting Federal Contract Information (FCI) at Level 1, Controlled Unclassified Information (CUI) at Level 2, and defending against advanced persistent threats such as nation-state actors (Level 3).

The CMMC level required will be outlined within specific contracts and will be dictated by the type of information a contractor might interact with:

  • CMMC Level 1 applies to contractors that ONLY handle Federal Contract Information (FCI). The DoD estimates 139,201 contractors will fall into this category.
  • CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI). The DoD estimates 80,598 contractors will need to meet Level 2 requirements.
  • CMMC Level 3 applies to contractors that will be subject to more rigorous cybersecurity controls due to the sensitivity of the CUI being handled. Level 3 is estimated to apply to less than one percent of the Defense Industrial Base, or about 1,487 contractors.

CMMC Levels

Understanding the difference between FCI and CUI is critical to adequately meeting the required protection level under CMMC. The National Archives and Records Administration (NARA), which serves as the Executive Agent for the CUI program, explains the difference between FCI and CUI this way: “While FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding.” [emphasis added]

More details on the differences between CUI and FCI can be found in this blog post.

Types of CMMC Assessments

There are three primary CMMC levels outlined in the proposed rule, with assessment effort becoming more rigorous as the level increases. Contracting officers and program managers will determine the level of data protection required and associate the required CMMC Level to each contract based on DoD policy.

Level 1 Self-Assessment
FAR 52.204-21 dictates the security requirements for Level 1 assessments. These requirements are largely a collection of baseline cybersecurity requirements that frankly any organization should adopt. Assessments for Level 1 are conducted by the contractor through an annual self-assessment. The resulting score, which evaluates 17 controls, must be entered into the Supplier Performance Risk System (SPRS). Assessments are affirmed by a senior official of the contractor.

Level 2 Self-Assessment
Level 2 Assessments are based on NIST SP 800-171, rev. 2. Approximately 5% of contracts requiring Level 2 compliance can be satisfied through self-assessment, despite the contractor handling of CUI as part of the contract. Similarly to Level 1 self-assessments, Level 2 self-assessments are performed annually and affirmed by a senior official of the contractor after the assessment, at POA&M closeout.

Clear guidelines on which contracts will require a Level 2 Self-Assessment rather than a Level 2 Certification Assessment have not yet been established; however, we do know that it will be subject to the determination of Program Managers.

Level 2 Certification Assessment

In contrast, contracts that feature a Level 2 Certification Assessment will require:

  • Implementation of 320 assessment objectives, as outlined by the security requirements in NIST SP 800-171, rev. 2
  • An assessment performed by a Cyber AB-certified CMMC Third-Party Assessment Organization (C3PAO)
  • Assessment results entered into CMMC Enterprise Mission Acceptance Support Service (eMASS) which electronically transmits to SPRS
  • Any requirements granted a Plan of Action and Milestones (POA&M) must be closed out within 180 days before a final certification will be issued
  • Triennial (every three years) reassessment, and annual reaffirmation by a senior official of the contractor

Note that for CMMC Level 2, there are a very small number of requirements that may be eligible for a POA&M if they are not found to be fully implemented during assessment. 215 out of 320 assessment objectives constitute “automatic failure” if they are not found to be MET during the assessment.

Level 3 Certification Assessment

Finally, a Level 3 Certification Assessment will require:

  • CMMC Level 2 certification (i.e., full implementation of NIST SP 800-171, rev. 2)
  • Implementation of 24 selected security requirements from NIST SP 800-172
  • An assessment performed by the DoD, rather than a C3PAO, and the results of which will be entered into CMMC eMASS and electronically transmitted to SPRS
  • Annual affirmation of the assessment score by a senior official of the contractor after each assessment, including POA&M closeout, and annually thereafter
  • Closeout of any granted POA&Ms within 180 days

Next Steps on the CMMC Certification Journey

Achieving CMMC compliance is a continuous journey that requires not only an initial push toward certification, but also ongoing compliance maintenance efforts and a proactive approach to cybersecurity. Organizations must stay up to date with the latest cybersecurity best practices and compliance requirements, implement robust security controls, and continuously monitor and assess their cybersecurity posture.

For more than seven years, C3 Integrated Solutions has been committed to supporting the Defense Industrial Base with innovative technology & cybersecurity solutions, day-to-day IT management, and the professional services, consulting, and support required to protect our nation’s critical data. As one of the first MSPs to provide Microsoft GOV CLOUD services, we have developed groundbreaking services and solutions—such as the Steel Root Compliance Platform—explicitly designed to accelerate and maintain CMMC compliance. Reach out to talk to a CMMC compliance solutions expert.

Chat with a Consultant


Meet the Author

Kim Buckley

Marketing Director

Kim Buckley is the Marketing Director for C3 Integrated Solutions.