HERE'S WHY
Some compliance frameworks in Drata have tiered requirements that are organized into different levels, such as 'Security Level' and 'Maturity Level'. The level picker functionality provides an easy way to scope requirements right off the bat.
BEFORE DIVING IN
The level picker functionality applies to the following frameworks: CMMC, FFIEC and NIST 800-53. Only account administrators or information security leads have access to this functionality in Drata.
HERE'S HOW
When first setting up CMMC, FFIEC or NIST 800-53, you'll select the appropriate requirement level for your organization. Doing so will automatically mark requirements that aren't associated with that level as out of scope.
Selecting a Default Level
Use the level picker to select the 'Security Level' for CMMC and NIST 800-53, and 'Maturity Level' for FFIEC when you first land on the respective Framework page.
CMMC
For CMMC, the level category is 'Level' and includes the following options:
Level 1
Level 2
NIST 800-53
For NIST 800-53, the level category is 'Control Baseline' and includes the following options:
Security - Low
Security - Moderate
Security - High
In addition, when scoping NIST 800-53, you can elect to include all Privacy requirements that have crossover with the selected Control Baseline.
FFIEC
For FFIEC, the level category is 'Maturity Level' and includes the following options:
Baseline
Evolving
Intermediate
Advanced
Innovative
Changing a Level
You can change the level at any time. Select the gear icon in the top right corner of the requirements list. The requirements list will reset with the applicable requirements marked in or out of scope depending on the new selection.