Level Up: Your Guide to the Different CMMC Certification Levels

CMMC has various levels of certification- learn what level you need to handle different types of secure information.

The Cybersecurity Maturity Model Certification (CMMC) encompasses maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced or Progressive”. The DoD will use the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place.

To reflect the fact that not all contractors handle the same kind and quantity of sensitive government information, the CMMC framework defines five cybersecurity maturity levels. These five certification levels are cumulative, so any contractor that wants to achieve compliance with Level 3 must also comply with Level 1 and Level 2. Associated with each of the five levels are increasingly sophisticated supporting practices and processes. The practices range from basic cyber hygiene at Level 1 to advanced cyber hygiene capable of protecting against Advanced Persistent Threats (APTs) at Level 5.

Likewise, processes range from simply being performed at Level 1 to also being documented, managed, reviewed, and optimized at Level 5. The higher CMMC level a contractor chooses to comply with, the more sophisticated and better documented its cybersecurity program needs to be. Let’s take a look at the breakdowns of each CMMC level.



The first CMMC level is about meeting the basic requirements to protect FCI, such as using an up-to- date antivirus software application or ensuring that all employees use safe passwords and protect them from unauthorized third parties. FCI is defined as information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Every organization that has an active contract with the DoD should be able to achieve CMMC Level 1 compliance without any issues and with minimal effort required to strengthen their cybersecurity defenses.




The second CMMC level can be described as a transition step toward Level 3 because it introduces many of the controls used to protect CUI. The DoD defines CUI as any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls. At this level, contractors are required to establish and document standard cybersecurity practices, policies, and strategic plans necessary to implement a cybersecurity program. This level consists of a major subset of the security requirements specified in NIST SP 800-171.



CMMC Level 3 is all about demonstrating good cyber hygiene and having the controls necessary to protect CUI. Contractors who would like to achieve Level 3 compliance should be prepared to continuously review all activities based on their cybersecurity policy. This level encompasses all requirements specified in NIST SP 800-171, and it also includes requirements from other similar standards. These requirements cover everything from logging and monitoring to incident response to backup and recovery to DNS filtering and spam protection.



Both CMMC Level 4 and Level 5 focus on addressing the changing tactics, techniques, and procedures used by advanced persistent threats (APTs). The main difference between Level 4 and Level 5 is that the latter requires contractors to have a proactive cybersecurity program and standardized processes to achieve consistency across the entire organization.

To achieve compliance with the highest CMMC level, contractors must put in place 171 security controls, which are grouped into 17 domains. These domains include access control, awareness and training, configuration management, maintenance, physical protection, recovery, situational awareness, and more. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is available to discuss the steps your particular company should take in the CMMC process, or get started on your certification.

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business