How to Determine your CMMC Level Needed

Find out exactly what level of CMMC you need for your projects.

The Cybersecurity Maturity Model Certification (CMMC) defines five cybersecurity maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced or Progressive”. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place, and each level is cumulative. As such, it’s important to understand exactly what level of certification you will need to appropriately address compliance. [Click here for an overview of CMMC.]



The CMMC is divided into five levels so that DoD contractors are not expected to comply with requirements that are not necessary to protect the type of information they handle. A contractor at the very bottom of the supply chain will most likely be required to certify only to Level 1, while a contractor with access to military base construction projects will be required to certify to one of the highest two levels.

To determine which CMMC level a contractor should be working toward, it’s important to inventory all systems with the goal of figuring out: exactly how and where FCI and CUI data is stored as well as who has access to it. Contractors that don’t have the capacity to complete this first step in-house should partner with a provider that offers CMMC readiness assessments.

Once a readiness assessment has been performed to determine how FCI and CUI data is stored as well as how access is controlled, then figuring out which CMMC Level to comply with shouldn’t be a problem.

Only contractors that are CMMC certified will be allowed to store FCI or CUI in their environment. CMMC however does not apply to Commercial Off-the- shelf (COTS) products or services. These are commercial items sold in substantial quantities in the commercial marketplace which are offered to the government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace.



In the past, cyber security used to be something that was strictly managed by the IT department. But as the digital landscape for businesses has evolved, so have the responsibilities of the IT department. With the financial cost and impacts of cyberattacks increasing year after year, now is not the time to just hope that everything is taken care of.

For starters, you need to know:

  • How quickly can you detect and respond to a security breach?
    (The average breach goes undetected in the United States for almost 7 months)
  • Are you protected against Zero-day attacks and evolving threats?   
    (There’s a new virus created every 5 seconds)         
  • Are you protected against insider theft and non-traditional attacks?
    (Criminals are targeting people, smart devices and automation systems)         
  • Do you have the right team and necessary tools in place?
    (There’s a global shortage of security professionals and most IT departments are not equipped with the latest security tools.)

Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is available to discuss the steps your particular company should take in the CMMC process, or get started on your certification.

More Resources:

Learn About CUI and Why You Should Care

Read more about the differences between FCI & CUI 

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business