Level 1
Performed
Basic Cyber Hygiene – 17 Practices
Focuses on the protection of Federal Contract Information. Only basic safeguarding practices are included to meet requirements defined in 48 CFR 52.204-21.
Level 2
Documented
Intermediate Cyber Hygiene – 72 Practices
Includes a subset of security requirements specified in NIST SP 800-171. Organizations should establish and document information security practices and policies.
Level 3
Managed
Good Cyber Hygiene – 130 Practices
Includes all security requirements specified in NIST SP 800-171. Organizations should establish, maintain, and resource an information security plan that addresses how Controlled Unclassified Information is protected.
Level 4
Reviewed
Proactive – 156 Practices
Focuses on protection of Controlled Unclassified Information from Advanced Persistent Threats and introduces security requirements from NIST SP 800-171B. Organizations should regularly review and measure practices for effectiveness.
Level 5
Optimizing
Advanced/Progressive – 171 Practices
Focuses on protecting Controlled Unclassified Information from Advanced Persistent Threats using additional practices that increase the depth and sophistication of the organization’s cybersecurity capabilities.
