CCSS uses three levels to show how a system meets the Standard: Level 1, Level 2, and Level 3. Each level builds on the one before it. A system is certified at a level based on the requirements it meets across all applicable aspects. To achieve a higher level, the system must meet that level’s requirements in addition to the requirements from the lower levels.
Level 1 establishes the foundation for key material management. At this level, controls are defined, processes are documented, and there is evidence that those processes are followed. This includes core controls across the key lifecycle, such as generation, storage, access, and usage, along with supporting documentation and operational evidence. Level 1 shows that key material management is structured, implemented, and operating in practice.
Level 2 builds on Level 1 by strengthening how controls are enforced. Controls are applied more consistently across the environment. Additional requirements expand coverage across the key lifecycle. Level 2 includes all Level 1 requirements.
Level 3 builds on Levels 1 and 2 and reflects a high level of operational maturity. Controls are consistently applied across the full key lifecycle, with stronger technical safeguards in place to protect key material. Processes are repeatable and hold up under normal operations and stress scenarios. Risk from single points of failure or compromise is reduced. Level 3 includes all requirements from Levels 1 and 2.
Each level is assessed through an audit. A system either meets the requirements for a level or it does not. The levels are cumulative, so moving up means meeting more requirements and applying controls with greater consistency across the system.