testing on computer

In recent years, governments around the world have begun to endure increasingly more complex and expensive cyberattacks. The United States is chief among them and in 2018 exceeded more than 13.7 billion dollars paid due to cybercrime. Attacks on the government can lead to the leak of sensitive, personal data of millions of Americans such as names, addresses and social security numbers.

The United States is one of the countries with the highest commitment to cybersecurity integrity. As a result, the Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC) to tighten security standards for third parties engaging with government contracts in hopes of preventing and mitigating new cyberattacks.

With the U.S. DoD moving towards requiring CMMC compliance for the Defense Industrial Base (DIB), it is important to start planning for your organization’s certification. One of the most commonly asked questions by organizations is: What level of CMMC do I need to meet, and how do I meet it?


CMMC includes 5 levels, ranging from level 1 (basic cyber hygiene) to level 5 (advanced/proactive cyber practices). Each level of CMMC compliance is dependent on what type of data your organization handles.

CMMC Data Types

There are two types of data defined for CMMC:

  1. Federal Contract Information (FCI) – FCI is any data that is provided by, or created for, the government and is not intended for release.
  2. Controlled Unclassified Information (CUI) – CUI is information that the government or government contractors create or possess that a legal regulation requires or permits an agency to handle in a secure manner. Contractors who already do work with the government likely know what systems contain CUI. CUI is different from FCI because it would be marked as requiring CUI protection whereas FCI is any confidential data not marked as public.

Determining a Level and Impact

Your organization should be told what CMMC level needs to be met by the DoD in Requests for Information (RFIs) and Requests for Proposals (RFPs). If you aren’t actively pursuing a new contract, you can anticipate which level you may need by reviewing the data types you may store, process, and transmit, in tandem with the following breakdown of the CMMC levels.

The 5 CMMC Compliance Levels

To accommodate varying levels of sensitive data that contractors handle, CMMC uses a sliding scale. Each level (1 through 5) is layered on top of one another. That means if you need to meet level 3 compliance, your organization will inherently meet levels 1 and 2.

Level 1:

  • Focused on the protection of FCI (CUI comes into play for higher levels of compliance)
  • Referred to as basic cyber hygiene, based on required practices
  • Requires that 17 practices be followed
  • Every contractor who does work with the government will have FCI data in their systems, and therefore is the base for all CMMC compliance

Level 2:

  • Similar to level 1 as it is applicable to systems containing FCI, but requires documentation of security rather than just implementation
  • Referred to as intermediate cyber hygiene
  • Requires additional 55 practices beyond level 1 (72 total)
  • Transition level between protecting FCI and CUI — a steppingstone between level 1 and level 3

Level 3:

  • This level of CMMC compliance is the baseline for any systems containing CUI
  • Most contractors will be required to comply with level 3 (an estimated 80%)
  • An additional 58 practices must be followed (130)

Level 4:

  • This level requires that contractors review their security policies and practices and is focused on processes that are proactive
  • Shifts attention to the protection of data from APTs
  • Improves the incident detection and response of the organization
  • Requires an additional 26 practices (156 total)

Level 5:

  • This is the final and most intense compliance level
  • Requires the optimization of process implementation within the organization
  • With an additional 15 practices required, it focuses on advanced and progressive processes (171 total)

Current estimates put 80% of DoD contractors at CMMC Level 3 with Levels 1, 2, 4, and 5 accounting for 5% each.

Need Help Getting Started?

NuHarbor Security can help advise your organization to identify where your FCI or CUI is being stored, processed, and transmitted. We also can assess current security maturity and where improvement may be needed. CMMC is a serious undertaking that requires proper preparation to eventually pass a CMMC certification audit. NuHarbor can guide your organization on its path to CMMC compliance, check out our CMMC compliance services page for more information.

by: Jack Danahy

Vice President of Product & Engineering

Contact Us

Pin It on Pinterest

Share This

Share This

Share this post with your friends!