Which CMMC Level Is Right For You?
By Scott Dawson
August 31, 2021

With the requirements of Cybersecurity Maturity Model Certification (CMMC) soon to be finalized, all Department of Defense contractors will require some level of cybersecurity. Certifications are expected to begin this Fall, with all contracts including CMMC by 2026. Even though cybersecurity has nominally existed in these contracts for years, many companies are only now considering cybersecurity practices.

CMMC is a maturity model. This means that CMMC isn’t a “one size fits all” certification like ISO 27001. Instead, different companies will require different levels of CMMC. CMMC includes a progression of gradually-building requirements across five levels. Level 2 contains the requirements of Level 1, Level 3 contains the requirements of Level 2, and so forth.

But how do you know which CMMC level is right for you?

 

The Basics

Let’s simplify things: even though CMMC contains five levels, you likely only need to worry about Level 1 and Level 3.

Level 2 does not appear in contracts; it simply exists as a milestone on the way to Level 3. Levels 4 and 5 serve organizations that handle highly sensitive information, and few contractors will actually need this level of security.

The vast majority of contractors will require either Level 1 or Level 3.

But what makes these levels different, and how do you know which one will apply to your organization?

 

CMMC Level 1 and Level 3 – What’s the Difference?

CMMC addresses two types of government information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Although this information isn’t technically classified, it should still be protected; In the wrong hands, it could lead to tactical disadvantages or larger security breaches. We cover the difference between FCI and CUI more extensively in a previous article.

CMMC Level 1 exists to protect FCI. This is the simplest level of CMMC. It contains the 17 cybersecurity practices that make up Basic Cyber Hygiene.

These practices come from the Federal Acquisition Regulation, or FAR, which applies to all government contracts. Technically, all government contracts already require this basic level of cybersecurity. Until now, however, an official certification has not been required.

CMMC Level 3 exists to protect CUI. This level contains the 130 cybersecurity practices that make up Good Cyber Hygiene.

As you can tell from the number of practices, Level 3 is much more complex than Level 1. But if you handle CUI, you will need at least this level of certification. In the future, CUI will be clearly labelled in federal contracts, but CMMC assessments will likely begin before this takes place.

When don’t you need CMMC?

There’s only one circumstance in which a DoD supplier doesn’t need CMMC, and that’s in the case of Commercial Off-The-Shelf (COTS) products. If you’re only supplying the same standard, commercially-available products you produce for other customers, you likely don’t need CMMC. But the moment you start making defense-specific modifications based on a contract, you’ll require at least CMMC Level 1.

The Right Level For You

So what CMMC level will your organization require?

It all depends on the information that flows down to your organization. If you’re receiving CUI, whether from another contractor or directly from the DoD, you will require Level 3. If not, you only handle FCI, and you will require Level 1.

 

CUI Flowdown

 

At the top level, the DoD provides information to a Prime Contractor. This information likely contains CUI and requires CMMC Level 3 or higher. These prime contractors work with sub-contractors, such as manufacturers, to whom they hand down the necessary government information. Those suppliers hand down information to their suppliers, and so forth.

In this way, CUI flows down through contractors to sub-contractors. If you are a sub-contractor, and the prime contractor above you handles CUI, you might also handle CUI. In this case, you would require Level 3.

But it’s also possible that, even though the prime contractor handles CUI, they will only pass FCI down to your organization. In this case, you would only require Level 1.

It all depends on the actual information flowing down to your organization.

In the future, DoD contracts and sub-contracts will clearly state the required CMMC level. But it’s important to anticipate the requirements now to start preparing for future certification.

A Good Rule of Thumb

Want to know if you will actually require Level 3 certification? Look in your current contract for references to DFARS 252.204-7012. This DFARS regulation only applies to contracts that handle CUI. So if you see this in your contract, you can trust that you will require CMMC Level 3 in the near future.

It’s possible that one of your contracts will require CMMC Level 3, while another only requires CMMC Level 1. In such a case, you would still need to be certified to the higher level.

But even if you don’t think your current contracts will require Level 3, plan strategically. Do you want to do more government contracting in the future? What contracts do you hope to win? CMMC will soon apply to all DoD contracts, and other government agencies are already considering CMMC as a contract requirement.

You might not need Level 3 now, but if you want to win more government contracts in the future, this certification could tip the scale in your favor.

And remember that all DoD contracts will require at least Level 1, and the requirements for Level 1 are contained in every subsequent level. If you’re a DoD contractor—of if you hope to win future DoD contracts—you should start working toward CMMC Level 1 today.

 

How Core Can Help

At Core Business Solutions, we specialize in helping American small businesses achieve cybersecurity. As a Registered Provider Organization with the CMMC Accreditation Board (CMMC-AB), we’re trained to help businesses like you achieve CMMC. We have several CMMC-AB Registered Practitioners on staff, ready to help you apply these requirements to your business. We also provide training, gap assessments, and technical security solutions to take the “guesswork” out of CMMC prep.

Here’s a look at how Core Business Solutions can help your business:

    • Our Registered Practitioner consultants help you learn the requirements of CMMC and apply them to your specific context.
    • We provide online training for your leadership, staff, and IT professionals.
    • We deliver the technical security solutions required for certification, such as vulnerability scanning and management. We’re in the process of rolling out even more solutions, including email security and penetration testing.
    • We assist your company in preparation for the third-party certification audit.

You can learn even more at our CMMC page. We also host regular CMMC webinars to explain the practices and answer your questions.

Ready to start your CMMC journey? Want help figuring out which CMMC level applies to you? Get a free quote today.

Related Articles:

The Costs of CMMC: What to Expect

The Costs of CMMC: What to Expect

Cybersecurity Security Model Certification (CMMC) will soon be required for all Department of Defense contractors. Whether you’re major corporation or a small manufacturer, you’ll require some level...

Preparing for CMMC Level 1

Preparing for CMMC Level 1

Audits will soon begin for Cybersecurity Maturity Model Certification or CMMC. If you’re a Department of Defense contractor, you will need at least CMMC Level 1 to keep your place in the Defense...

Smartlink Execution Complete Please note that the CORE Application window may have fallen behind this window and your Email client. Close this Message