MSU SBDC CyberSecurity

CMMC Overview

security shield graphic The Cybersecurity Maturity Model Certification (CMMC) is a document developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to measure an organization's cybersecurity maturity.

These measurements span five levels and align processes and practices to the type, and sensitivity, of information that is to be protected from cyber threats. The majority of businesses will require, at a maximum, Level 3 accreditation and information is provided up to Level 3.

The model includes industry best practices from a variety of cybersecurity standards, frameworks, and direct input from the Defense Industrial Base (DIB) community on what is needed to protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

CMMC Levels

CMMC has been structured into a five level hierarchy. Each level builds on the level prior to it and the organization will implement additional controls as it moves up to higher levels. There are a total of 171 practices that are divided among the five levels. The model is cumulative in nature. For example, if an organization would like to obtain the Level 3 accreditation they would have to implement all practices from Level 1, Level 2, and Level 3. Below is a description of the intended purpose behind each level and the type of information that will be protected.

level 1 header image
CMMC Level 1 is the baseline that any organization with a government contract must have. It is composed of 17 practices that outline the requirements for Basic Cyber Hygiene according to CMMC. Level 1 is equivalent to all the safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21. Its main focus is the protection of Federal Contract Information (FCI).
level 1 header image
CMMC Level 2 is an intermediate step for organizations attempting to achieve Level 3 of CMMC. It requires a total of 72 practices (Includes practices from Level 1). This level is used to progress in the protection of Control Unclassified Information (CUI).
level 1 header image
CMMC Level 3 focuses on the protection of CUI. This level encompasses all of the security requirements specified in NIST SP 800-171 as described by DFARS 252.204 plus 20 additional practices. It requires a total of 130 practices.
level 1 header image
CMMC Level 4 & 5 includes practices from enhanced security requirements provided in Draft NIST SP 800-171B. It is expected that only a small portion of the Defense Industrial Base (DIB) will be required to need these levels of certification.
CMMC Levels 1-3 will be covered in this training content.


The requirements for which level needs to be satisfied will depend upon what each program office sets for their own RFPs. The required level will be known prior to proposal submission.

The CMMC Accreditation Board (CMMC-AB) is organizing a marketplace where organizations seeking certification will be able to visit to find a CMMC Third-Party Assessor Organization (C3PAO). C3PAO's are accredited organizations that have been trained on how to properly conduct CMMC assessments. The AB will then review the findings and be responsible for providing the accreditation.