The CMMC framework has five levels that a company can meet in order to demonstrate its system’s cybersecurity protocols. The first level concerns “basic” measures such as those prescribed by the NIST 800-171 requirements, which include measures like limiting unsuccessful login attempts. The second level has additional NIST 800-171 requirements so that controlled unclassified information (CUI) remains secure. The third level stipulates having a company-wide management plan for cybersecurity practices relating to CUI. The fourth level requires the company to routinely test and review its cybersecurity practices to ensure its procedures and protocols are sufficient to defend against threats. Finally, the fifth level is the highest level and requires the company to have in place a tested and appropriate cybersecurity management system.