CMMC Maturity Level

Understanding CMMC Maturity Levels

The Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense (DOD) to ensure that all contractors and subcontractors working with the DOD have adequate cybersecurity measures in place to protect federal contract information (FCI) and controlled unclassified information (CUI) from cyber threats.


The levels defined

There are three levels of CMMC certification, each with a specific set of cybersecurity requirements.


Level 1: Foundational

Level 1 certification is the entry-level certification and is required for all companies that handle FCI. This level focuses on safeguarding FCI and includes 17 basic cybersecurity practices drawn from the FAR 52.204-21 and NIST SP 800-171.


Level 2: Advanced

This level is for companies in the defense industrial base, including primes and subcontractors, that want to do business with the DOD and that possess or interact with CUI.

Level 2 certification builds on the requirements of level 1 and focuses on the protection of CUI. This level requires the implementation of 110 security controls and 320 assessment objectives. These practices include the development of a system security plan (SSP), implementation of access controls, and regular training of employees on cybersecurity best practices.

The certification process for level 2 involves a review by a CMMC third party assessor organization (C3PAO), who will verify that the company has implemented the required cybersecurity practices.


Level 3: Expert

Level 3 certification is the highest level and is required for companies that handle CUI deemed by the DOD to be the highest priority. This level leverages the 110 security requirements from level 2 with additional requirements from NIST SP 800-172. Those additional requirements have yet to be determined.

By meeting level 2 requirements now, you can put your organization in a position to succeed and more quickly meet level 3 requirements once they are released.

Companies can advance from level 1 to level 2 and on to level 3 compliance.


If you have any questions about what CMMC level your company needs to achieve to continue your work with the DOD, give us a call. We’re the CMMC experts and can help you assess your current state and implement the necessary cybersecurity controls to protect your intelligence and support your pursuit of future contract awards.

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyber threats.
This is default text for notification bar