The Cybersecurity Maturity Model Certification (CMMC) is a certification framework the Department of Defense (DoD) uses to verify that its contractors protect sensitive unclassified information. It is part of a larger effort to ensure that all contractors and suppliers in the Defense Industrial Base (DIB) have the cybersecurity practices in place to protect controlled unclassified information (CUI) and federal contract information (FCI).

CMMC 2.0 consists of three maturity levels, Foundational, Advanced, and Expert, which are the main focus of this article. A contractor does not choose its level: the level required is specified in the contract and depends on the type of information the contractor handles (FCI, CUI, or CUI for the highest-priority programs). This article explains each level in detail so that DoD contractors, suppliers, and other organizations that need to become compliant understand what is required and can implement the necessary security measures.


CMMC 2.0 Maturity Level 1: Foundational

The Foundational level is the first of the three levels and consists of basic safeguarding practices. It covers the most basic cyber protection measures and is intended to address the most common threats. Its focus is fundamental security hygiene, such as identifying and authenticating users and controlling which users can access which information.

The requirements at this level are drawn from the 15 basic safeguarding requirements of FAR 52.204-21 and are expressed as 17 practices. They fall under the domains of Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Organizations must show that every required practice has been implemented; CMMC 2.0 does not add separate process-maturity requirements at Level 1.

Examples of appropriate security practices for the Foundational level include:

  • Limiting system access to authorized users, and identifying and authenticating each user before granting access
  • Sanitizing or destroying media containing FCI before it is disposed of or reused
  • Limiting physical access to systems, escorting visitors, and keeping logs of physical access
  • Monitoring and controlling communications at the network boundary, with publicly accessible components placed on separate subnetworks
  • Correcting system flaws promptly, running and updating malicious-code protection, and performing periodic and real-time scans

Who Needs CMMC Level 1 Compliance?

CMMC 2.0 Level 1 applies to DoD contractors and subcontractors that handle federal contract information (FCI), meaning information provided by or generated for the government under a contract to develop or deliver a product or service, but that do not handle CUI.

The Foundational level requires organizations to perform basic cybersecurity practices. Compliance is verified through an annual self-assessment, with the result and an affirmation by a senior company official entered in the Supplier Performance Risk System (SPRS). CMMC Third-Party Assessment Organizations (C3PAOs) are not involved in Level 1.

CMMC 2.0 Maturity Level 2: Advanced

The Advanced level is the next step in the CMMC program and consists of more granular, specialized cybersecurity practices designed to protect against more capable adversaries. It provides a higher level of protection than the Foundational level and is aimed at safeguarding CUI, the most sensitive unclassified information a contractor handles.

The Advanced level comprises 110 practices that map one-to-one to the security requirements of NIST SP 800-171 Rev. 2. They span the 14 families of that publication, including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Security Assessment, System and Communications Protection, and System and Information Integrity. Organizations must demonstrate that every required practice has been implemented; NIST SP 800-171 also requires a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any that are not yet met, so assessors will ask for both.

Examples of appropriate security practices for the Advanced level include:

  • Establishing policies and procedures to manage user access, including multi-factor authentication for privileged and network access
  • Protecting systems and communications with measures such as encryption of CUI in transit and at rest, and network segmentation
  • Establishing an incident response capability so that cyber incidents are detected, reported, and handled quickly and effectively
  • Regularly assessing security controls and scanning for vulnerabilities, and remediating the gaps found
  • Generating and reviewing audit logs to detect and investigate malicious activity

Who Needs CMMC Level 2 Compliance?

DoD contractors and subcontractors that handle CUI must meet Level 2. For prioritized acquisitions involving information critical to national security, the contractor must pass an assessment by a C3PAO every three years; for non-prioritized acquisitions, an annual self-assessment is sufficient. In both cases a senior official must affirm continued compliance annually in SPRS.


CMMC 2.0 Maturity Level 3: Expert

The Expert level is the highest level of the CMMC program and consists of the most comprehensive cybersecurity practices. It is designed to protect an organization's most sensitive information and assets and to ensure the organization can defend against complex, sophisticated attacks.

CMMC 2.0 Level 3 targets the risk posed by advanced persistent threats (APTs): well-resourced adversaries that pursue long-term, covert access to a target. Unlike CMMC 1.0, which assessed process maturity separately, CMMC 2.0 does not require a stand-alone planning or resourcing process at Level 3; the level is defined entirely by its security requirements. Organizations must still maintain the System Security Plan and Plan of Action and Milestones that NIST SP 800-171 requires, and their protections must remain focused on CUI.

Although the specific requirements were still being finalized when CMMC 2.0 was announced, Level 3 consists of the 110 NIST SP 800-171 requirements of Level 2 plus a subset of the enhanced requirements in NIST SP 800-172 (24 in the published CMMC program rule, 32 CFR Part 170). Implementing Level 3 reduces an organization's exposure to APTs while also reinforcing good cyber hygiene.

Separately from CMMC, DFARS clause 252.204-7012 applies to any DoD contract involving covered defense information, regardless of CMMC level. It requires the contractor to implement NIST SP 800-171 and to report cyber incidents to DoD within 72 hours of discovery, so Level 2 and Level 3 contractors must satisfy both the clause and the CMMC assessment requirement.

Examples of appropriate security practices for the Expert level include:

  • Implementing continuous monitoring and threat hunting to detect malicious activity, including activity that evades standard defenses
  • Establishing policies and procedures to manage user access and authentication, including for privileged accounts
  • Implementing advanced protection for systems and communications, such as encryption, network segmentation, and isolation of high-value systems
  • Maintaining an incident response capability that can respond quickly and effectively to sophisticated attacks
  • Regularly auditing and monitoring systems and networks for potential cybersecurity issues

Who Needs CMMC 2.0 Level 3 Compliance?

CMMC 2.0 Level 3 applies to companies that handle CUI for the highest-priority DoD programs. It roughly corresponds to CMMC 1.02 Levels 4 and 5. Level 3 assessments are conducted by the government, through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), every three years, and a contractor must already hold a current Level 2 C3PAO certification before it can be assessed at Level 3.

CMMC for Organizations That Don’t Need to Be Compliant

Organizations that are not required to comply with CMMC can still benefit from the framework. The CMMC levels serve as a useful reference for organizations outside the Defense Industrial Base that want to create their own security policies and procedures to protect confidential information. To decide which maturity level is the most appropriate target, an organization should first assess its current security posture; that assessment gives it a starting point for building a security plan that meets its goals.

An organization creating its own security plan should work through the CMMC practice areas, including access control, system and information integrity, media protection, and incident response. For each area, it should consider the requirements at each CMMC level and tailor them to its own environment, and it should compare its posture against those requirements to identify gaps and decide how to close them. The resulting gaps and remediation plans belong in the organization's overall cybersecurity risk management strategy.

Measures that go beyond the CMMC practices, such as continuous monitoring and patching, secure system development, and security awareness training, also improve an organization's posture. All of these can be tailored to the organization's needs and should be incorporated into the overall security plan.

By using the CMMC levels as a reference and creating an effective security plan, organizations can protect their confidential information, foster trust with customers and partners, and meet their obligations under data protection laws and standards. Organizations that use CMMC principles for guidance can build a secure environment for their information and systems even without a contractual requirement to do so.

How Kiteworks-enabled Private Content Network Accelerates CMMC 2.0 Level 2 Compliance

The Kiteworks-enabled Private Content Network (PCN) simplifies and accelerates the CMMC 2.0 Level 2 compliance process. Kiteworks unifies, tracks, controls, and secures sensitive content communications in one platform and lets first and third parties collaborate on confidential content. It supports Level 2 requirements by providing access control, secure file transfer, file encryption, secure file sharing, and two-factor and multi-factor authentication. Organizations can set granular permissions and policies to govern how their data and content are accessed and shared.

With Kiteworks, organizations can securely share their CMMC 2.0 Level 2 documentation and evidence internally, with a CMMC Third-Party Assessment Organization (C3PAO), and with the CMMC Accreditation Body (CMMC-AB, now The Cyber AB). This helps organizations move through the assessment process faster and more efficiently.

Kiteworks creates a digital audit trail for all sensitive content communications, which lets organizations monitor those communications and demonstrate adherence to data privacy and security regulations, including CMMC 2.0 Level 2. The same audit trail is available to C3PAO assessors as evidence during certification. Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box.

To learn more about the Kiteworks Private Content Network and how it can accelerate your CMMC 2.0 Level 2 compliance, schedule a custom-tailored demo today.
