What Are the CMMC Levels?

The current CMMC 2.0 framework levels from the Department of Defense (DoD) include cybersecurity best practices across 17 domains, applying, for example, to a group of users, workstations, devices, printers, computers, and database servers that share different types of data across the network. Each of the three CMMC levels includes a defined set of practices. Not all information is equally sensitive, and employees may have different access permissions. Reaching higher CMMC levels improves an organization's capacity to protect Controlled Unclassified Information (CUI).

Level 1

Foundational Cyber Hygiene Practice: This level requires the basic cybersecurity protocols most companies already deploy. To obtain Level 1, organizations need to implement 17 NIST SP 800-171 Rev2 controls.

Level 2

Advanced Cyber Hygiene Practice: This level requires all 110 NIST SP 800-171 Rev2 controls to be implemented in order to achieve Level 2 certification.

Level 3

Expert Practice: This level includes advanced cybersecurity processes that are implemented, reviewed, and updated across the enterprise. Companies need to implement all NIST SP 800-171 controls plus an additional subset of NIST SP 800-172 controls.

Level 1-3 Summary

Level 1 reflects the basic approach most organizations will use. Level 2 corresponds to the DoD cybersecurity requirements in NIST SP 800-171 Rev2. Level 3 meets the requirements of NIST SP 800-171 along with a portion of NIST SP 800-172. These controls are consistent with security measures many contractors already use.

About Critical Insight

Critical Insight is the only cybersecurity-as-a-service provider that prepares, monitors and responds to cyber threats, going beyond SOC-as-a-service offerings typical of Managed Detection and Response (MDR) offerings.

With a focus on organizations that deliver critical services – hospitals, local governments, utilities, school systems, and more – we provide end-to-end support to those with limited security teams or budgets to handle threats proactively and as they occur.

Based in Bremerton and Seattle, Washington, Critical Insight is a venture-backed company founded by former CISOs in the public sector. We are committed to training new analysts and providing the most up-to-date cybersecurity protection.

Check out our Security Awareness Trainings

In these 60-minute sessions, you’ll learn how to spot the links to avoid, you’ll learn how ransomware really works, and you’ll come away with some pretty good stories to tell. This won’t be one of those boring trainings, we promise.