An In-depth Look at CMMC Levels 3-5

May 21, 2020

At Rimstorm, we’ve been covering Cybersecurity Maturity Model Certification (CMMC) rather extensively in our blogs and in social media. It’s important to do so, because the time to act on this is now if you plan on doing any work at all for the Department of Defense. While CMMC’s levels 1 and 2 are important for laying down the foundation of good cybersecurity practices, levels 3, 4 and 5 are what you want to focus on if you handle any controlled unclassified information (CUI). The upper levels of CMMC certification can be difficult without guidance, but we’re here to help you on that front. Here’s a closer look at CMMC Levels 3, 4 and 5.

CMMC Level 3

Level 3 is considered “good” cyber hygiene and contains three processes and 130 practices. This is also the stage where NIST 800-171 compliance comes into the picture. What do we mean by processes and practices?

CMMC Level 3 Processes

• Each practice is physically documented. This includes everything from the lower CMMC levels as well.
• A company-wide policy is in place that covers all activities.
• A plan exists and is maintained and resourced. This plan must include all the aforementioned activities. Examples include mission, goals, project plan, resourcing, training needed and involvement of relevant stakeholders.

CMMC Level 3 Practices

• Comply with every component of the Federal Acquisition Regulation System. As you can probably guess, this takes up a predominant number of practices throughout all CMMC levels above Level 1. Official FAR documentation can be found here.
• Encompasses all practices from NIST SP 800-171 (Revision 1). Much like FAR, this makes up a huge chunk of your CMMC level. It’s much stronger than Level 2, in that Level 2 only requires 48 NIST practices instead of all of them.
• There are 20 additional practices tacked on to support good cyber hygiene. When combined with NIST and FAR, this brings the total to 130 individual items to keep track of.

CMMC Level 4

Compared to Level 3, CMMC Level 4 takes a more proactive stance. There are four processes and 156 practices. You’ll notice that everything from Level 3 carries over, along with the additional components.

CMMC Level 4 Processes

• Each practice is documented, including lower levels. (Same as in Level 3.)
• A policy exists that covers all activities. (Same as in Level 3.)
• A plan exists that includes all activities. (Same as in Level 3.)
• Activities are reviewed and measured for effectiveness. In other words, the results of the review are shared with higher-level management.

CMMC Level 4 Practices

• Same as in Level 3, you comply with everything in FAR.
• Same as in Level 3, you comply with everything in NIST SP 800-171 r1.
• Here’s where a bit more is added. Level 4 includes a select subset of 11 practices from Draft NIST SP 800-171B.
• There are 15 additional practices added, which demonstrate a proactive cybersecurity program. Combined with FAR, NIST and the NIST draft, that’s 156 practices in total.

CMMC Level 5

Ready to take an advanced and progressive cybersecurity stance? CMMC Level 5 covers everything, and hitting this mark is a seriously good look for your organization. It contains five processes and 171 practices, covering everything from the previous levels and then some.

CMMC Level 5 Processes

• Same as in Levels 2-4: Each practice is documented, including lower levels.
• Same as in Levels 2-4: A policy exists that covers all activities.
• Same as in Levels 3-4: A plan exists that includes all activities.
• Same as in Level 4: Activities are reviewed and measured for effectiveness.
• New: There is a standardized, documented approach across all applicable organizational units.

CMMC Level 5 Practices

• Same as in Level 3-4, you comply with everything in FAR.
• Same as in Level 3-4, you comply with everything in NIST SP 800-171 r1.
• Same as in Level 4, you include the additional 4 practices from Draft NIST SP 800-171B.
• New: Level 5 includes an additional 11 practices to demonstrate an advanced cybersecurity program.

As we’ve mentioned, adopting this framework is an outstanding look for your organization. And Rimstorm is here to help you look your best. But more than that, national security depends on it. Contact us today for a free consultation and information on how we can help you achieve CMMC Levels 3 through 5.