Level 1: Requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for level 1. Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”)
Level 2: Requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented. Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.
Level 3: Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.
Level 4: Requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring bases. Level 4 Focuses on the protection of CUI from APTs (Advanced Persistent Threats) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing TTPs (Tactics, Techniques, and Procedures) used by APTs
Level 5: Requires an organization to standardize and optimize process implementation across the organization. Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Each of the levels are stepping stones to the next level. To be compliant for level 3 you must have implemented the requirements from level 2 AND level 1. Each level is progressively more difficult to implement and requires more stringent controls. We expect many contracts that deal with any kind of sensitive data to require a level 3 certification and recommend most companies prepare for level 3.
For a detailed analysis of each level check out our blog posts here:
The National Defense Magazine estimated that the total cost for a company to become compliant was around $250,000. Each company will be different and require a custom solution that should be less than the $250k. Larger and more complex IT scenarios will lead to a higher cost, unfortunately, there is not a one-size-fits-all solution.