
CMMC Maturity Levels Explained: A Practical Guide

Posted: February 27, 2020 to Compliance.

Tags: CMMC, NIST, Compliance, Data Breach

By this point, you should hopefully understand that the purpose of the Cybersecurity Maturity Model Certification (CMMC) is to simplify cybersecurity for federal contractors and sub-contractors.

Katie Arrington, the DoD's Chief Information Security Officer for Acquisition and Sustainment, noticed (quite aptly) that "self-certifying" just wasn't cutting it, so to speak. Hackers were targeting contractors, and stealing Controlled Unclassified Information (CUI) was like shooting fish in a barrel. The DoD's solution to this massive problem is the CMMC. The first version was rolled out less than a month ago, and we must say that we are impressed. It takes cybersecurity best practices and applies them to a five-tiered maturity model in which the levels build on each other; in other words, you can't achieve CMMC ML 5 until you have also achieved CMMC ML 1-4. Keep in mind, you will not know what CMMC ML your contract will require until it is rolled out (hopefully later this year), and until then, YOU ARE REQUIRED TO BE NIST SP 800-171 CERTIFIED.

So let's take a closer look at each step, shall we?

You can also review the information on the DoD's CMMC website, including the CMMC v1.0 public briefing: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf. We also recommend checking out their well-done FAQ page, and if you still have questions, feel free to ask the professionals on our CMMC Defense Forum.

CMMC ML 1

  • Practice 
    • "Basic Cyber Hygiene"
    • 17 Practices for basic safeguarding of Federal Contract Information (FCI)
  • Process
    • "Performed"
    • No actual processes
  • Only addresses practices from the FAR Clause 52.204-21.

There really isn't much to this, as it is simply "Basic Cyber Hygiene." There is nothing for you to document, but there are 15 safeguarding requirements from FAR (clause 52.204-21) that correspond directly to 17 security requirements from NIST SP 800-171 (r1). The ONLY way you will qualify to stop at CMMC ML 1 (unless they make drastic changes) is if you don't handle CUI at all, BUT if you are NIST SP 800-171 certified, it is likely that you would achieve this level of certification with very little additional work.

CMMC ML 2

  • Practice 
    • "Intermediate Cyber Hygiene"
    • 72 practices meant to help transition from safeguarding FCI to protecting CUI
  • Processes
    • "Documented"
    • 2 processes

This is where you need to start "showing your work," as my old Calculus teacher would say. You must start documenting every action you have taken in the name of cybersecurity, including those steps from ML 1. This is primarily a "transition step," and it's unlikely that too many contractors will be required to remain at this level, but it needs to be completed nonetheless. ML 2 is taken from, and in compliance with, FAR. It also contains a select subset of 48 NIST SP 800-171 r1 practices, as well as seven more practices that promote "Intermediate Cyber Hygiene." Similar to ML 1, if you are already NIST SP 800-171 compliant, you most likely will have no trouble achieving this level.

CMMC ML 3

  • Practice
    • "Good Cyber Hygiene"
    • 130 practices to protect CUI
  • Processes:
    • "Managed"
    • 1 process for safeguarding CUI
  • Includes all 110 security controls from NIST 800-171
  • All contractors handling CUI will be required to be CMMC Level 3 certified

This is where we really start to get to the "meat and potatoes." Not only does ML 3 encompass all of the NIST SP 800-171 security controls, but it also includes the FAR requirements (from ML 1-2) and 20 additional "best cybersecurity practices" to attain "Good Cyber Hygiene." This is actually what we recommend as a starting point for most contractors. If you are NIST SP 800-171 compliant, there will most likely be a little bit of remediation, but you will be pretty close, and it won't take a lot to get you ML 3 certified.

CMMC ML 4

  • Practice
    • "Proactive"
    • Includes 130 practices to protect CUI from Level 3 PLUS an additional 26 controls to not only protect CUI but to also reduce the risk of APTs
  • Processes:
    • "Reviewed"
    • Actively take corrective measures
  • Mostly sourced from NIST 800-171 RevB.

CMMC ML 5

  • Practice
    • "Advanced/Proactive"
    • Includes the 130 practices to protect CUI from Level 3 PLUS the 26 controls from Level 4 and an additional 15 practices to further reduce the risk of APTs
  • Processes:
    • "Optimizing"
    • Focus on protecting CUI from APTs
  • Mostly sourced from NIST 800-171 RevB.

CMMC ML 4-5 are all of NIST SP 800-171, FAR, and a little bit more. The biggest difference is that you get into proactively protecting your CUI and reducing the threat of Advanced Persistent Threats (APTs), which are sophisticated cyber adversaries. We doubt many smaller contractors will be required to attain ML 4 or ML 5, but we can definitely assist with that as well, if your contract requires it. In fact, we can help you regardless of what level you are required to achieve. Although there is nothing set in stone as of yet, we have a pretty good idea of what the requirements will be and recommend you start tackling CMMC sooner rather than later, so you don't wait too long and lose your contracts (or get hacked... or both!). Please call us with any questions you have at 919-422-2607 or visit our CMMC Defense Forum. You can also schedule a free consultation with Craig online.

Protect Your Business Today

Petronella Technology Group has provided cybersecurity, compliance, and managed IT services from Raleigh, NC for over 23 years. Contact us today for a free consultation and technology assessment.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
