CMMC Levels

Cybersecurity Maturity Model Certification

Whether you are seeking CMMC compliance at Level 1 or Level 5, AG Grace, Inc. can assist you. We help you understand what it will take for your organization to achieve compliance.

Our comprehensive program will help you gain a better understanding of your needs for CMMC ML1-ML5 and is based upon NIST SP 800-171 compliance.

We know that every organization is different and that not all controls will apply. Our assessment will help you identify and document both the controls you are required to implement and the controls you are not required to implement.

CMMC Level 1: 

Processes: Performed

Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic Cyber Hygiene

Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

CMMC Level 2: 

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Level 2 Required Processes:

ML.2.999: Establish a policy that includes [DOMAIN NAME].

ML.2.998: Document the CMMC practices to implement the [DOMAIN NAME] policy.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI.

Achieving CMMC Level 2 requires the implementation of the practices listed below plus CMMC Level 1 Practices.

CMMC Level 3: 

Processes: Managed

Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Level 3 Required Process:

ML.3.997: Establish, maintain, and resource a plan that includes [DOMAIN NAME].

Practices: Good Cyber Hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.

Achieving CMMC Level 3 requires the implementation of the practices listed below plus CMMC Level 1 Practices and CMMC Level 2 Practices.

CMMC Level 4: 

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

Level 4 Required Process:

ML.4.996: Review and measure [DOMAIN NAME] activities for effectiveness.

Practices: Proactive

Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Achieving CMMC Level 4 requires the implementation of the practices listed below plus CMMC Level 1 Practices, CMMC Level 2 Practices, and CMMC Level 3 Practices.

CMMC Level 5: 

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Level 5 Required Processes:

ML.5.995: Standardize and optimize a documented approach for [DOMAIN NAME] across all applicable organizational units.

Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

Achieving CMMC Level 5 requires the implementation of the practices listed below plus CMMC Level 1 Practices, CMMC Level 2 Practices, CMMC Level 3 Practices, and CMMC Level 4 Practices.

OUR METHODOLOGY