The various levels of CMMC include increasing levels of practices focused on the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These levels are based on the sensitivity of the information to be protected and the associated range of threats that may be encountered. The processes and practices come from various existing cybersecurity standards and frameworks including ISO 27001, NIST 800-171, and others.
- Level 1 – Basic Cyber Hygiene (Performed) – 17 practices
- Level 2 – Intermediate Cyber Hygiene (Documented) – 72 practices
- Level 3 – Good Cyber Hygiene (Managed) – 130 practices
- Level 4 – Proactive Cyber Hygiene (Reviewed & Improved) – 156 practices
- Level 5 – Advanced Cyber Hygiene (Optimized) – 171 practices
As with other cybersecurity standards, CMMC is organized into domains:
- Access Control
- Asset Management
- Audit & Accountability
- Awareness & Training
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System & Communications Protection
- System & Information Integrity