CMMC Levels
The Three Levels of CMMC Certification
The CMMC framework has three levels. Each level specifies practices drawn from an array of security domains (access control, audit and accountability, incident response, and so on). The model is cumulative: each level includes every requirement of the levels below it and adds its own, so a Level 2 organization must satisfy all of Level 1, and a Level 3 organization all of Levels 1 and 2.
CMMC’s first iteration (v1.0) had five levels, a set of process-maturity requirements, and a number of practices unique to CMMC that went beyond NIST SP 800-171. The five-level stack was compressed to three in November 2021 with the announcement of CMMC 2.0, which also dropped the maturity processes and the CMMC-unique practices so that the levels align directly with the NIST standards.
Official CMMC Model as posted by the Office of the Under Secretary of Defense’s Acquisition and Sustainment – OUSD(A&S): https://www.acq.osd.mil/cmmc/model.html
Level 1 | Foundational | 17 Practices
This level is the most basic and is based on the safeguarding requirements of FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. It applies to information systems owned or operated by a contractor that process, store, or transmit Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the federal government under a contract to deliver a product or service, excluding information the government releases to the public. Level 1 does not cover Controlled Unclassified Information (CUI); a system that handles CUI falls under Level 2 at minimum.
The fifteen safeguards in FAR 52.204-21 map to 17 practices in NIST SP 800-171, and each one names a concrete action contractors must take to protect FCI. For example, the first safeguard requires “limiting information system access to authorized users, processes acting on behalf of authorized users, or devices, including other information systems.”
A CMMC 1.0 assessment guide for this level was previously published but has since been removed from the official site. The CMMC 2.0 guide is still pending and is expected soon.
FAR 52.204-21: https://www.acquisition.gov/far/52.204-21-0
Level 2 | Advanced | 110 Practices
Level 2 is likely to be the most common requirement in coming contract solicitations. It is the minimum level for an organization handling Controlled Unclassified Information (CUI). All 110 security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, are included. Level 2 contracts are further split on the basis of the CUI handled under the contract: some organizations will be permitted an annual self-assessment, while contracts involving information critical to national security will require an assessment by an accredited third-party assessment organization (C3PAO). Either way, the practical baseline is the same 110 requirements, so organizations that already maintain a NIST SP 800-171 system security plan and plan of action and milestones (POA&M) are well positioned.
A CMMC 1.0 assessment guide for this level was previously published but has since been removed from the official site. The CMMC 2.0 guide is still pending and is expected soon.
NIST SP 800-171r2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
171 Assessment Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf
Level 3 | Expert | 110+ Practices
Level 3 addresses the significant risk posed by Advanced Persistent Threats (APTs). It adds a subset of the enhanced requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, to the obligations of Levels 1 and 2; the exact subset had not been finalized when CMMC 2.0 was announced, and Level 3 assessments are to be conducted by the government rather than by a C3PAO.
The delivery timeline for the CMMC 2.0 Level 3 assessment guide is less clear than for Levels 1 and 2. No CMMC 1.0 guide for this level had been published before the model was revised.
NIST SP 800-172: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf