Level 1: Basic Cyber Hygiene – This is the foundation for all other cybersecurity models. Information shared as part of the contract is not intended for public release but is not considered controlled unclassified information (CUI). There are 17 practices in level 1.
Level 2: Intermediate Cyber Hygiene – Companies at this level should be able to establish and document standard cybersecurity operating procedures, policies, and strategic plans. There are 72 practices in level 2.
Level 3: Good Cyber Hygiene– Compliance at this level means a company can protect and maintain a comprehensive cybersecurity program and includes 130 practices.
Level 4: Substantial Cyber Hygiene – Contractors will be able to identify, adapt, and implement cybersecurity controls as threats change. There are 156 practices in level 4.
Level 5: Proactive Cyber Hygiene – Proactive cybersecurity management includes optimized controls, documented practices, and regular communication with management requiring 171 practices.