The new standard CMMC provides five levels of certification
White Paper
|
june 2020
While every contractor or supplier within the DIB supply-chain must be certified,
the new standard CMMC provides five levels of certification
in ascending order of increased security controls ranging from “Basic Cyber Hygiene” to “State of the Art”.

Those levels are:


This alleviates some of the burden in a sense whereby, prior to CMMC, contractors that were only receiving or handling low risk CUI, such as metal manufacturers and printing
companies
, were being asked to comply with the same standard (NIST 800-171) as larger defense prime contractors. That requirement was overly burdensome and cost prohibitive to comply.  The CMMC will be semi-automated and, more importantly, cost-effective enough so that Small Businesses can achieve the minimum CMMC level of 1, while larger primes will need to certify at a level 3.  The requirement for third-party audits and certification ensures that the DIB is secure from outside threats. 
  1. CMMC Level 1
    - Basic Cyber Hygiene has 17 security controls
  2. CMMC Level 2
    - Intermediate Cyber Hygiene has 46 additional controls
  3. CMMC Level 3
    - Good Cyber Hygiene has 47 controls in addition to completing the first 2 levels. Making level 3 the equivalent of the 110 controls currently found in NIST 800-171
  4. CMMC Level 4
    - Proactive will have 26 more security controls in addition to the 110 found in NIST 800-171
  5. CMMC Level 5
    - Advanced / Progressive / State-of-the-Art will have 30 more security controls in addition in the 110 found in NIST 800-171