While Defense contractors have a lot of questions about the Cybersecurity Maturity Model Certification, “What CMMC level do I need?” is at the top of the list. With that in mind, today we answer this question and provide some tips on how to achieve CMMC compliance.
How Many CMMC Levels Are There?
Let’s start with the basics. The Cybersecurity Maturity Model Certification consists of three levels: Level 1 or Foundational, Level 2 or Advanced, and Level 3 or Expert.
These levels are progressively advanced. In other words, the higher the CMMC level, the more cybersecurity practices you need to observe — and the more resources you need to invest in the process.
CMMC Level 1 comprises 17 practices. Level 2 requires those 17 practices plus 93 for a total of 110. Level 3 requires you to carry out more than 110 cybersecurity practices.
What CMMC Level Do I Need?
According to the Department of Defense, “once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.”
The bottom line is: get CMMC certified or forget about DoD contracts. But what CMMC level do you need to attain? Let’s review the model level by level to give you a sense of the factors you need to weigh.
Self-assessments suffice to meet CMMC Level 1 requirements. Plus, as explained earlier, this tier consists of just 17 practices. According to the Department of Defense, if a company does not process, store, or transmit CUI on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment.
DoD has stated that it intends to require companies to register CMMC Level 1 self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
If you want to start working on Level 1 compliance, you can use the official Scoping Guidance and Self-Assessment Guide.
With CMMC Level 2, things get a little more complex: You are required to comply with 110 practices (which include the 17 practices of Level 1) and pass a triennial third-party assessment.
However, here’s what you need to remember: CMMC Level 2 aligns with NIST SP 800-171, which Defense contractors were already required to follow.
With the above in mind, it’s easy to see why aiming for CMMC Level 2 compliance is the common-sense option for most contractors. Not only does CMMC Level 2 include the requirements of Level 1, but you should already have the vast majority of the necessary cybersecurity practices in place.
When it comes to CMMC Level 3, other considerations come into play. While achieving this tier of compliance would give you access to more contracts, implementation costs can be substantial, especially for small businesses.
As for how to know which CMMC level will be required for a specific contract, DoD has made clear that it will specify the required CMMC level in the solicitation.
Achieving CMMC Compliance: Some Useful Resources
CMMC compliance can be challenging even for those who are already familiar with cybersecurity.
But don’t worry: We have created some resources designed with the needs of small and medium-sized businesses (SMBs) in mind.
The main goal of CMMC is to protect Controlled Unclassified Information (CUI), so it makes sense to start your journey by reading our blog “What Is CUI, Exactly?”
Once you have a solid grasp of CUI, head over to our “CMMC Starter Kit for Small Businesses.”
Finally, bring it all together by reading “How to Achieve CMMC Level 2 Compliance in 90 Days,” where we offer a common-sense roadmap for achieving your objectives.
The best part? We are here to help you every step of the way. Our team of Registered Practitioners stands ready to answer all your CMMC questions. Contact us today to get started.
We Help You Achieve CMMC Compliance
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.