Understanding and Leveling Up Your CMMC Maturity

CMMC Knowledge Hub


Five progressive levels are the key to this emerging U.S. Department of Defense (DoD) certification.

As we discuss in our article about your roadmap to Cybersecurity Maturity Model Certification (CMMC), getting CMMC compliance is important to anyone who plans to do business with the U.S. Department of Defense. Although not currently required for all contracts, the certification is being phased in from now until 2025, and any organization that’s part of the “defense industrial base” that works with DoD needs a plan to get this credential.

Its name makes CMMC sound like one certification, and technically, it is. But one of the other key words in the credential’s name, “maturity,” means organizations can earn certification at any of five levels. Becoming familiar with these cumulative, progressive levels of maturity—and how you achieve each one—is an important part of planning for the certification.

For the next few minutes, we’re going to focus on several key aspects of the most obvious feature of CMMC and the thing that gives it its name: the distinct “stair steps” in its comprehensive definition of cybersecurity readiness, from the single-step start of Level 1 maturity to the rarefied air at the summit of Level 5.


The Tradeoffs of CMMC Levels

It comes as a surprise to a lot of people that you can fly a real airplane with nothing more than a driver’s license.

It’s true: Since 2004, the FAA has allowed anyone with a driver’s license to fly a special class of aircraft known as “light sport”—making flying accessible to anyone willing to limit their adventure to smaller, lower-powered aircraft carrying no more than two people.

Achieving CMMC certification is nothing like flying an airplane, but it does compare when it comes to deciding how much work you want to put into something and what goals you’re trying to achieve.

In other words, if you just want to take short recreational flights in a special kind of small airplane, during the daytime, below certain altitudes, outside of certain airspaces, why go to the trouble and expense of getting a private pilot’s license? If you never plan to get paid for flying, why get a commercial license?


In the same way, CMMC certification levels represent progressively increasing outlays of time, energy, money, and organizational commitment. While you may have your own reasons for achieving a higher maturity level certification than a DoD contract calls for, remember that each level you go “up” on the model will require a correspondingly bigger effort and budget. That could be worth it if you want to stay in the hunt for opportunities that require a specific level of CMMC certification, but it could also be a waste if your capabilities to do the actual work don’t match up, anyway.

As DoD opportunities that include CMMC requirements begin to form an ever-increasing part of the contract mix in the runup to 2024 (when all contracts will specify a level), reading requests for proposals from Defense will help you get a feel for the certification level you’ll need for the types of jobs you plan to bid on.

The important point is that your goal for CMMC maturity level certification needs to match up to the types of projects you plan to take on with DoD, because earning higher levels of certification is an investment that you’ll want to make sure pays off. Let’s call it “ROC” or “return on certification,” for short.

Processes & Practices meet Domains & Capabilities

The terms “processes” and “practices” have a specific meaning in the universe of CMMC, with the pair of words heading up two level-specific lists under each CMMC certification level.

Think of processes as the “operating system” at each level of CMMC, specifying how the practices are managed and interacted with. These defined procedural activities enable organizations to achieve a specific maturity level; the type and number of processes you must perform are derived from the level you’re aiming for on the CMMC maturity chart.

On the other hand, practices can be thought of as technical activities—ways of doing cybersecurity-critical things, an idea closely related to the familiar concept of “best practices.” As with processes, you need to institute a combination of defined practices to reach a specific level of CMMC maturity.

CMMC requirements consist of domains, capabilities, practices, and controls.

All processes and practices fall under a combination of 17 domains, the broad arenas of security such as access control, incident response, and personnel security.

For extra confusion, this multi-dimensional model also groups practices under what are referred to as “capabilities,” leading to a structure of elements at each maturity level following this hierarchy of organization:

  • Domain: Broad arena of security such as access control, incident response, and personnel security
    • Capability: phrase that describes what a set of practices listed below it accomplishes, such as “Control internal system access”
      • Practice: technical activity or way of meeting the goal in the capability and domain above it, like “Limit information system access to the types of transactions and functions that authorized users are permitted to execute” or “Verify and control/limit connections to and use of external information systems” in support of the preceding capability example

So we finally got to the bottom of things: “Practice” is the most granular level of the CMMC model, right? Technically, that’s true, but practices are fulfilled through yet another entity called “controls,” which we’ll set aside for now and cover in a different article.

Climbing the CMMC Staircase

CMMC certification consists of five levels.

Let’s review the five levels of CMMC maturity designated by the somewhat intuitive but less than self-explanatory labels each is known by. In this article, we’re not going to go into the full list of required practices—there are hundreds at the higher levels. Rather, we’re going to describe how each level builds on the previous one and quantify the practices it includes to give a sense of the relative work each requires.


Level 1 Processes: Performed (i.e. “Do them”)

Fun fact: Processes are not even assessed at level 1. Just make sure you’re performing the practices specified for this level. Read on.

Practices: Basic Cyber Hygiene

Basic Cyber Hygiene includes 17 practices (across six domains) that you may already be doing, with a focus on physical protection requirements and access controls. Level 1 means you can protect federal contract information (FCI), which is information not intended for public release. Certain higher levels allow you to protect CUI, or controlled unclassified information. And that can open up new opportunities for your company.

The Office of the Under Secretary of Defense for Acquisition & Sustainment does offer an assessment guide for Cybersecurity Maturity Model Certification Level 1.

Level 2 Processes: Documented (i.e. “Write them down”)

At level 2, you can’t just say you have level 2 practices in place. You need to write them down, creating documentation that can be referenced and followed. However, your documentation is still not evaluated against some objective standard. That starts at level 3.

Practices: Intermediate Cyber Hygiene

Look at you, at level 2 and already called “intermediate!” That’s because level 2 is considered a sort of bridge to level 3, not a goal in and of itself. Level 2 builds on level 1 by adding 55 practices (across 15 of the 17 domains) for a total of 72 practices. And while you’re still only able to protect federal contract information (FCI), you’re methodically putting the pieces in place to eventually protect CUI, or controlled unclassified information, one of the big prizes of level 3. Yes, getting level 2 will definitely put you on the flight path to level 3!

Level 3 Processes: Managed (i.e. “Describe in detail how you’ll follow them”)

At level 3, process documentation gets serious. Unlike level 2, where you’re supposed to create documentation around your processes but there’s no standardized way to determine if it measures up, level 3 forces you to create a plan for managing your practices across all relevant domains. That includes written documentation on who’s responsible for what, how you’ll pay for it, and what tools you’ll use to execute the practices.

Practices: Good Cyber Hygiene

The number of practices almost doubles at level 3, with level 2’s 72 practices getting augmented by 58 more for a total of 130, now spread over all 17 domains. One big advantage of level 3 is proving you can protect CUI, or controlled unclassified information–something that levels 1 and 2 can only dream of! Level 3 is expected to be the most common maturity requirement for contracts once CMMC is fully phased in. Aside from the new opportunities you’ll have with level 3 maturity, you also get the exhilaration of having your cyber hygiene officially designated as . . . “good.”

At Level 3, the Office of the Under Secretary of Defense for Acquisition & Sustainment once again offers an assessment guide for Cybersecurity Maturity Model Certification.

Level 4 Processes: Reviewed (i.e. “Grade your work”)

At this point, your documentation isn’t just comprehensive, but focused on reviewing the plans you’ve made—and confirming they work! It also emphasizes keeping your organization’s senior leadership aware of what’s going on in the realm of security and making sure they have the information to manage and respond to advanced persistent threats, or APTs—the well-planned and sustained attacks designed to get cybercriminals inside your network and steal information.

Practices: Proactive

Level 4 adds 26 practices for a total of 156. The emphasis of the added practices is proactively reducing the risk of APTs, or advanced persistent threats, while improving your ability to protect CUI, or controlled unclassified information. Like level 2, level 4 is considered sort of a transition zone to the next level up. While you may not see many contracts specifying level 4, it might give you an edge over level 3 competitors on level 3-specified deals.

Level 5 Processes: Optimizing (i.e. “Spread the gospel internally”)

You’ve been proactively prepared for APTs or advanced persistent threats since level 4. At level 5, standardizing and optimizing processes across your organization is the goal. That means establishing consistency across all 17 domains specified by CMMC and standardizing processes so they can improve as you perform them.

Practices: Advanced/Proactive

Level 5 raises the total number of practices to 171, up from 156 at level 4. This highly sophisticated level of cybersecurity designates your organization as one that can rigorously repel APTs (advanced persistent threats) and protect CUI (controlled unclassified information). We can’t get into all the details right here, but be prepared to field an around-the-clock incident response team and respond to random tests when you least expect them.

Downstream CMMC Compliance

In a world of joint ventures, subcontracting and ad-hoc, collaborative projects, the Department of Defense is interested in more than your firm’s cybersecurity preparedness: They want to make sure that your suppliers don’t present a security risk.

So while it’s critical that your organization achieves a CMMC level appropriate to the projects you plan to bid on, you’ll also have to make sure any other organization you work with on the project meets the contract’s requirements for subcontractors, which may be as simple as Level 1 or “Basic Cyber Hygiene.”

Hard Realities of CMMC Compliance Tracking

We’re not gonna kid you: Once you understand the complex overlaps and dependencies between CMMC’s processes, domains, capabilities, practices and controls that show up even at Level 1, you’ve got a lot of work to do.

By Level 5, this structure of CMMC elements, and the list of things you need to accomplish, gets torturously long—a measure of how seriously DoD takes cybersecurity and the importance of proving its suppliers can deliver the security they say they can.

Anticipating the complete switch to CMMC compliance requirements in DoD contracting by 2024, many firms in the defense industrial base have already started preparing their plan of attack for CMMC certification.

Some companies are trying to do it all with spreadsheets and word processors, while others have turned to specialized software that we’ll explore in a future article.
