Want to scale and automate your business?


CMMC Maturity and Practice Model

Using Way We Do

Any supplier to the US Department of Defense (DoD) are now required to to be certified under a maturity and practice model called CMMC, short for Cybersecurity Maturity Model Certification.

There are 5 levels required and up to 171 practices that are required to be adopted by suppliers, also known as the Defense Industrial Base (DIB).  Depending on the type of service provided to the DoD and the degree to which the supplier has access to Controlled Unclassified Information (CUI) will determine the level of certification required.

As shown in the diagram below, each of the 5 levels ranging from Basic Cyber Hygiene to Advanced / Progressive, lists the practices that need to be documented and adopted by the organization.  Customers of Way We Do, use our platform to provide documented process and evidence of information security management adoption to achieve certification faster.

The practices have been adopted from a range of other cybersecurity standards including NIST SP 800-171, ISO 27001 and others.

CMMC Level 1: Basic Cyber Hygiene

At this level, organizations are not required to provide documented evidence of the 17 practices that need to be adopted, but merely demonstrate that Basic Cyber Hygiene has been met.  These 17 practices are internationally accepted basic information security factors that should be implemented in every organization, no matter the size.

CMMC Level 2: Intermediate Cyber Hygiene

Level 2 certification is called Intermediate Cyber Hygiene.  It includes all of the elements of Level 1 plus 48 practices from NIST 800-171 r1 and 7 additional practices from CMMC.  At this level, processes need to be documented.

CMMC Level 3: Good Hygiene

As well as incorporating level 1 and 2 requirements, Level 3 certification demonstrates “Good Hygiene”.  130 practices need to be documented and adopted, which includes 110 NIST 800-171 r1 items and 20 from CMMC.

CMMC Level 4: Proactive

Level 4 demonstrates a more proactive adoption of cyber practices. It covers CMMC levels 1 to 3 and additional requirements from NIST 800-171 r1, Draft NIST 800-171B, and 15 from CMMC, totaling 156 practices.

CMMC Level 5: Advanced / Progressive

A total of 171 practices are required to be documented and institutionalized, demonstrating an advanced and progressive approach to cybersecurity. Practices include levels 1 to 4, NIST 800-171 r1, Draft NIST 800-171B, and 11 additional requirements from CMMC.


Have questions?