Level 1 is the most basic level of cyber maturity; it forms the initial building block for basic cybersecurity. The implemented practices support the organization's basic cybersecurity hygiene, such as password management and keeping systems up to date with patches. This level is intended for small businesses with minimal risk to their data.
The organization implements cybersecurity measures in an ad-hoc manner and may or may not rely on documentation.
The organization has limited or inconsistent cybersecurity maturity processes. At this stage the implemented cybersecurity measures offer only limited protection against data exfiltration and malicious actions.
Source: Cybersecurity Maturity Model Certification (CMMC) 1.0
This level requires an organization to apply the measures identified at the previous level, Level 1 (performed). Although this level indicates a degree of cyber hygiene overall, it is still limited compared with the higher levels, and the organization may still struggle to defend effectively against advanced persistent threats (APTs). In addition, the organization will have to demonstrate that its practices are documented in policies and procedures.
The organization establishes and documents practices and policies to guide the implementation of their cybersecurity efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
The organization reviews its policies and practices in detail and assigns dedicated resources to them. These resources help to ensure that security solutions are implemented correctly and, through active monitoring, remain fully effective.
Source: Cybersecurity Maturity Model Certification (CMMC) 1.0
This level requires an organization to apply the measures identified at the previous levels, Levels 1 and 2 (performed and documented). In addition, the organization will have to establish, maintain and resource a plan that demonstrates it is managing the activities for practice implementation.
The organization establishes, maintains, and resources a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
The organization deploys measures to obtain an advanced or progressive cybersecurity posture and seeks to reduce the risk posed by Advanced Persistent Threats (APTs). The APTs considered here are often nation states or state-sponsored groups that combine sophisticated expertise with extensive resources, allowing them to attack networks continually through multiple and varying attack vectors, including physical and cyber attacks as well as deception techniques.
Source: Cybersecurity Maturity Model Certification (CMMC) 1.0
This level requires an organization to apply the measures identified at the previous levels, Levels 1, 2 and 3 (performed, documented and managed). In addition, the organization will have to implement the processes needed to review and measure its practices in order to demonstrate their effectiveness, taking corrective action and informing senior management when practices fail to meet the required level of effectiveness.
An organization reviews and measures practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
The organization deploys measures to protect business-critical information from Advanced Persistent Threats (APT). These measures enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
Source: Cybersecurity Maturity Model Certification (CMMC) 1.0
Level 5 is the highest level of cybersecurity maturity. This level requires an organization to apply the measures identified at the previous levels, Levels 1, 2, 3 and 4 (performed, documented, managed, and reviewed and measured). In addition, the organization will have to implement the processes needed to standardize and optimize its practices in order to demonstrate their consistency, effectiveness and efficiency across the organization.
The organization standardizes and optimizes process implementation across all layers of the organization.
The organization implements additional practices that increase the depth and sophistication of cybersecurity capabilities.
Source: Cybersecurity Maturity Model Certification (CMMC) 1.0