What Level Of CMMC Certification Do You Need?

December 2, 2020

In reaction to the growing number of cyber threats which resulted in billions of dollars worth of losses, the Department of Defense (DoD) introduced its newest certification system called the Cybersecurity Maturity Model Certification (CMMC). It was introduced on January 21, 2020. The CMMC is designed to safeguard the important DoD information called Controlled Unclassified Information (CUI) and Federal Contractor Information (FCI). It also attempts to alleviate the possible cyber threats associated with storing and sharing that data.

The CMMC level that an organization will need to achieve depends upon the vulnerability of the DoD information it will work with, and the scale of cyber threats associated with that information. Therefore, the more important the CUI, the higher the CMMC level that will be required. Previously, companies could define their compliance under the Defense Federal Acquisition Regulations (DFARS) and NIST 800-171. The lack of proof that they had been adhering to security practices allowed companies with security gaps to carry on providing their products and services to the DoD. This inevitably led to breaches and disruptions in the defense supply chain.

Which Companies Need To Be CMMC Certified?

  1. If your company receives, processes, or creates CUI, your organization will need to be Level 3 or above.
  2. If your company handles “High Value Assets (HVA) CUI”, your organization will need to be a Level 4 or 5.

If neither of the statements above applies to your company, you will likely only be required to meet Levels 1 & 2.

Read on to find out more about each level.


Level 1 demonstrates “Basic Cyber Hygiene.” The 17 controls of NIST 800-171 rev1 need to be executed by the DoD contractors who wish to pass the level 1 audit. The first CMMC level is about meeting the basic demands to protect the FCI. It ensures that all employees use up-to-date antivirus software applications and safe passwords that will protect them from uncertified third parties. This is the only level where documentation does not need to be audited; the company just needs to perform the processes. All organizations having an active contract with the DoD should be able to achieve CMMC Level 1 compliance without any concerns and with minimal effort required to reinforce their cybersecurity defenses.


Level 2 demonstrates “Intermediate Cyber Hygiene”. This level requires an organization to set up and document practices and policies to manage the implementation of its CMMC efforts. The documentation of applications and processes is introduced at this level to ensure practices are performed in a replicable manner. It consists of a subgroup of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Here, DoD contractors must administer another 48 controls of NIST 800-171 rev1 plus seven new “Other” controls.


Level 3 demonstrates “Good Cyber Hygiene”. At this level, the organization needs to establish, maintain, and resource a plan exhibiting the management of activities for practice implementation. The plan needs to include details on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. Those who would like to attain Level 3 compliance need to constantly evaluate all activities based on their cybersecurity policy. At this level, organizations are expected to support activities and review policies and processes, demonstrating a plan to manage specific tasks. The final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be applied to achieve level 3 certification.


Level 4 demonstrates “Proactive” cybersecurity. Organizations at this level are able to take corrective action when necessary. They also notify higher-level management of status or issues on a recurring basis. In addition to levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented. Both CMMC Level 4 and Level 5 focus on addressing the changing strategies, methods, and plans used by Advanced Persistent Threats (APTs). These domains include access command, acknowledgment and instruction, layout management, conservation, physical safeguarding, retrieval, situational awareness, and more. At Level 4, organizations are expected to analyze and document tasks for effectiveness and advise upper management on any matters.


Level 5 demonstrates “Advanced / Progressive” cybersecurity. Level 5 requires an organization to standardize and refine process implementation across the organization. Level 5 focuses on the security of CUI from APTs. To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls. Organizations at this level are expected to clarify and regulate process implementation across the enterprise. The main difference between Level 4 and Level 5 is that stability is achieved across the entire organization by having a proactive cybersecurity plan and standardized processes. To achieve compliance with the highest CMMC level, contractors must put in place 171 security controls, which are grouped into 17 groups.

As your organization moves forward it helps to have an IT risk and compliance management partner that understands the complexities and nuances of dealing with defense department contracts. SureShield ensures ease when it comes to implementing this CMMC-level accreditation that companies require to bid for and win contracts with the DoD. Read our blogs about opportunities and new challenges with CMMC and everything you need to know about CMMC for more information on the subject.

Follow us on Twitter and LinkedIn for new updates and visit our website to learn how ComplyShield can help you streamline CMMC compliance.
