Proudly serving Virginia, Maryland and DC // Call us today! 703.396.6120
V2 SystemsV2 Systems
The 5 Levels of CMMC

by Erik Briceno

Time is ticking on adopting the security postures required by the Cybersecurity Maturity Model Certification (CMMC). We realize that the requirements can feel overwhelming, but like most problems, they can be broken down into parts. And it just so happens that CMMC is divided into five levels, each tier building upon the previous one. The more of these levels your organization achieves, the better you will look when vying for a DoD contract. Here’s a closer look at what they are.

CMMC: Level 1 – Basic Cyber Hygiene

While Level 1 of CMMC may be considered “basic” cyber hygiene, it’s comprised of 35 practices as of the latest CMMC revision (and at the time of writing this article). This covers everything from things like password strength to locking the door to your office when you leave for the day.

CMMC: Level 2 – Intermediate Cyber Hygiene

While considered more of a stepping stone for protecting CUI, most companies — particularly those with managed service providers handling their basic IT — are mostly there already. There should be little to no extra costs for a company to reach Level 2. This is yet another example of why having an MSSP can be invaluable throughout this process. At the time of writing, Level 2 contains 115 practices.

CMMC: Level 3 – Good Cyber Hygiene

The 5 Levels of CMMCOne of the major differences between CMMC Level 2 and CMMC Level 3 is on-going security management. Just because an organization has purchased security solutions, that doesn’t necessarily mean they are properly in place or correctly implemented. There are 91 practices to adopt in Level 3. If an organization handling CUI has the practices of CMMC Level 3 in place at all times, they become a difficult target for malicious actors.

CMMC: Level 4 – Proactive

“Proactive” is exactly what it sounds like. At CMMC Level 4, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures, or TTPs, in use by APTs. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues. In total, Level 4 contains 95 practices.

CMMC: Level 5 – Advanced / Progressive

CMMC Level 5 is all about standardizing and optimizing. It mainly focuses on the protection of CUI from APTs. The 34 additional practices that make up Level 5 increase the depth and sophistication of cybersecurity capabilities and include the need for subject matter experts.

While the DoD is not asking small to medium size businesses to implement Fort Knox’s level of security, they are requiring adequate security and good cyber hygiene. That’s what the Cybersecurity Maturity Model Certification is all about. And that’s exactly why you should turn to the experts for help in adopting it. That’s where we come in.


Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!

About ebriceno
Erik Briceño is the owner of V2 Systems, Inc., one of Northern Virginia’s leading Information Technology Managed Service Providers. He is an inspiring leader for its employees and instrumental business partner for its customers. He is passionate about V2’s purpose, dedicated to exceeding expectations and a consummate professional not afraid of jumping in and getting his hands dirty. Prior to joining V2 Systems in 2002, Erik was a co-founder and COO of, a leading provider of online resources servicing over 5,000 independent musical artists. At, Erik spearheaded all aspects of corporate development, funding, strategic vision, and business development for the firm. From 1997 to 1999 Erik held the position of Acoustic Systems Engineer for Electric Boat Corporation, a leading defense contractor. In this role, Erik was responsible for the acoustic fidelity of two noise critical systems and components in the US Navy’s nuclear submarine systems. Erik holds a B.S. in Mechanical Engineering from Vanderbilt University and a Masters of Business Administration from George Mason University. When not working, you will find Erik a dedicated family man, raising two young children with his lovely wife Karen. Together, they enjoy building legos, playing baseball, skiing, riding horses, swimming, traveling, and fixing up old Mopars.
The 5 Levels of CMMC
The 5 Levels of CMMC