CMMC Maturity Levels
The Cybersecurity Maturity Model Certification (CMMC) establishes a framework for implementing cybersecurity across the Department of Defense (DoD) supply chain. It consists of five maturity levels designed to measure the progress of organizational cybersecurity practices and processes.
Level 1: Basic Cyber Hygiene
This level includes the most fundamental security practices. Organizations must implement basic security controls to protect Federal Contract Information (FCI).
Level 2: Intermediate Cyber Hygiene
At this level, organizations build upon the practices from Level 1. They begin to implement a subset of the NIST SP 800-171 security requirements, establishing more robust practices as a transition toward Level 3.
Level 3: Good Cyber Hygiene
Organizations meet all NIST SP 800-171 requirements at this level. The emphasis is on establishing a comprehensive cybersecurity program that safeguards Controlled Unclassified Information (CUI).
Level 4: Proactive
This level requires organizations to have enhanced measures in place to proactively detect and mitigate threats. It involves advanced security practices, including continuous monitoring and continuous improvement of the program.
Level 5: Advanced/Progressive
At the highest level, organizations are expected to have a sophisticated cybersecurity strategy that includes adaptive practices. This level emphasizes optimizing processes to respond to evolving cybersecurity threats.
Each level builds upon the previous one and reflects a progressively mature cybersecurity program, aiming to ensure that contractors can successfully protect sensitive information.