Key Takeaways

1. CMMC Is Tiered to Match Risk: CMMC Level 1 protects FCI with basic hygiene, Level 2 secures CUI with NIST SP 800-171 controls, and Level 3 adds advanced protections for national security-related CUI.

2. Assessment Requirements Vary By Level: Level 1 requires annual self-assessments, Level 2 requires either self- or third-party assessments depending on CUI sensitivity, and Level 3 mandates government-led audits.

3. Certification Isn’t One-Size-Fits-All: Your required CMMC level depends on the type of information your contract touches. Understanding which level applies is critical to preparing the right documentation and controls.

As cyber threats continue to rise, the U.S. Department of Defense (DoD) has established the Cybersecurity Maturity Model Certification (CMMC) framework to strengthen the protection of sensitive information across its supply chain. Understanding the CMMC levels is essential for contractors and subcontractors looking to do business with the DoD. In this post, we’ll walk through the key differences between CMMC Level 1, CMMC Level 2, and CMMC Level 3, including the requirements, obligations, and assessment process for each.

Whether you’re new to the framework or looking for a clear breakdown of each CMMC level, this guide will help you navigate what’s expected at each stage of compliance.

What Are CMMC Levels?

CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). CMMC is divided into three maturity levels, each designed to protect different types of federal information:

  • CMMC Level 1: Provides basic safeguarding of Federal Contract Information (FCI)
  • CMMC Level 2: Delivers broad protection for Controlled Unclassified Information (CUI)
  • CMMC Level 3: Designed for contractors handling CUI critical to national security, enforcing higher-level protections against advanced persistent threats (APTs)

Each level builds on the one before it, with increasing requirements for documentation, security practices, and independent assessment.

CMMC Level 1: Foundational Cyber Hygiene

CMMC Level 1 applies to DoD contractors and subcontractors that only handle FCI. It focuses on 15 security requirements pulled from FAR clause 52.204-21. These include fundamental protections like:

  • Limiting physical access to systems
  • Using antivirus software
  • Requiring strong passwords
  • Ensuring secure system configurations

The CMMC Level 1 assessment process requires an annual self-assessment. No third-party certification is needed, and scores must be submitted to the Supplier Performance Risk System (SPRS). The key goal of CMMC Level 1 is to demonstrate that basic cyber hygiene is being practiced to protect FCI.

CMMC Level 2: Advanced Cyber Hygiene

CMMC Level 2 applies to DoD contractors and subcontractors that handle CUI. It aligns closely with NIST SP 800-171, requiring organizations to implement 110 security controls across 14 control families. These include:

  • Access control
  • Incident response
  • Risk assessment
  • System and communications protection

Assessment requirements for CMMC Level 2 vary based on the type of information that contractors process, transmit, or store on their information systems. If CUI is not critical to national security, contractors can complete a self-assessment annually. However, if CUI is critical to national security, companies are required to complete an assessment with an Authorized CMMC Third-Party Assessor Organization (C3PAO) every three years.

In order to know whether a Level 2 self-assessment or C3PAO assessment is needed, prime contractors and subcontractors with DoD contracts must understand their contractual requirements as they relate to CMMC compliance. Companies can reference the specific Defense Federal Acquisition Regulation Supplement (DFARS) clause or CUI protection language within their contract to understand which assessment they should pursue.

The goal of CMMC Level 2 is to demonstrate a more rigorous, documented cybersecurity program capable of safeguarding CUI.

CMMC Level 3: Expert Cybersecurity

Finally, CMMC Level 3 applies to a limited group of contractors working with CUI that is critical to national security. These companies are often involved in high-risk programs or contracts. CMMC Level 3 builds on the 110 security requirements from NIST SP 800-171, adding an additional 24 enhanced controls from NIST SP 800-172. It requires:

  • Enhanced detection and response capabilities
  • Advanced threat protection
  • Zero trust architectures and threat hunting practices

CMMC Level 3 also differs from the previous levels in that companies cannot self-assess their compliance. Instead, they must partner with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct government-led assessments every three years.

The main focus of CMMC Level 3 is to maintain a robust cybersecurity posture that’s capable of defending against APTs.

CMMC Levels Explained Side by Side

| CMMC Level | Info Type Protected | Assessment Type | Security Framework | Who It Applies To |
|---|---|---|---|---|
| Level 1 | FCI | Annual self-assessment | FAR 52.204-21 | All DoD contractors handling FCI |
| Level 2 | CUI | Self- or third-party with an Authorized C3PAO (depends on contract) | NIST SP 800-171 | Contractors handling CUI |
| Level 3 | CUI critical to national security | Government-led assessment through DIBCAC | NIST SP 800-171 + 800-172 | Contractors handling CUI critical to national security |

Understanding the differences between CMMC Level 1, Level 2, and Level 3 is crucial for maintaining compliance and protecting sensitive government information. As the DoD prepares to roll out full implementation of CMMC 2.0, contractors must prepare for their appropriate level by assessing risk, documenting security policies, and—when necessary—engaging with Authorized C3PAOs to complete required assessments.

That’s where IS Partners comes in. As an Authorized C3PAO, our team makes it easy to navigate CMMC audit readiness and compliance while strengthening your security controls for FCI and CUI. We have a greater than 95% client retention rate, underscoring our commitment to providing a tailored approach to CMMC audit preparation and certification. We can conduct gap assessments; evaluate your organization’s people, processes, and technology against CMMC practices; and create a step-by-step plan to remediate any risk or control issues prior to certification.

Still unsure which level your organization needs to achieve? Reach out to our team to evaluate your current security posture and build a roadmap to certification. Whether you’re aiming for CMMC Level 1, CMMC Level 2, or preparing for the stringent demands of CMMC Level 3, proactive preparation is key to staying eligible for defense contracts.

What Should You Do Next?

  1. Determine Which CMMC Level Applies to Your Current or Future DoD Contracts: Start by reviewing your contract with the prime contractor or DoD. The type of data you handle (FCI vs. CUI) and the details of your contract determine which CMMC level you must comply with.

  2. Conduct a Gap Assessment: Once you’ve determined the appropriate requirements for your organization, compare your existing security practices against the required controls for your target CMMC level.

  3. Engage With a CMMC Compliance Consultant or Authorized C3PAO: Finding the right expertise to help guide you through the assessment and certification process is essential for CMMC compliance — especially for CMMC Level 2 and CMMC Level 3.
