Understanding CMMC Levels

For companies in or entering the Defense Industrial Base (DIB), the Cybersecurity Maturity Model Certification (CMMC) is quickly becoming a prerequisite to doing business with the Department of Defense (DoD). CMMC is designed to ensure contractors protect sensitive government data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC 2.0 update simplified the compliance path by consolidating the original five maturity levels into three tiers, making the adoption process clearer and more accessible for businesses. These risk-based levels align closely with existing NIST standards. Understanding your required CMMC level is the crucial first step toward avoiding disqualification from contracts.

CMMC Level 1 serves as the entry point for organizations in the defense supply chain and focuses on Foundational Cyber Hygiene.

Who It's For: Contractors and subcontractors handling only Federal Contract Information (FCI). FCI is information "not intended for public release" provided by or generated under a federal contract, such as proposals or progress reports.

Key Requirement: Organizations must implement the 17 basic safeguarding practices derived from FAR 52.204-21. These practices cover basic security areas like access control, physical protection, and media protection.

Assessment: Compliance is verified through an annual self-assessment. This self-assessment must be submitted to the Supplier Performance Risk System (SPRS) portal.

Compliance Note: This level has the lowest estimated cost, ranging from $5,000 to $30,000. Importantly, no Plans of Action & Milestones (POAMs) are allowed for Level 1; all 17 practices must be fully implemented to pass.

CMMC Level 2 is the standard for organizations that process, store, or transmit Controlled Unclassified Information (CUI). CUI is sensitive federal data that requires safeguarding because its compromise can pose a direct threat to national security or intellectual property.

Who It's For: Organizations handling CUI. Most organizations handling CUI will need at least Level 2 compliance.

Key Requirement: Level 2 demands the full implementation of NIST SP 800-171 Rev 2, which includes 110 security controls across 14 control families.

Assessment: This level may require a C3PAO-conducted third-party assessment for higher-risk contracts. A SPRS score of 110 is required for compliance.

Compliance Note: While POAMs are permitted under a conditional certification, there are strict rules: all high-value 3- and 5-point controls must be fully implemented before assessment, and only certain 1-point controls may be covered by a POAM. Organizations have only 180 days to remediate any remaining POAM items.

CMMC Level 3 represents the highest level of security maturity.

Who It's For: Contractors supporting high-priority DoD programs that face elevated exposure to Advanced Persistent Threats (APTs).

Key Requirement: This level requires implementing all of NIST SP 800-171 plus selected, more rigorous controls from NIST SP 800-172.

Assessment: Assessments for CMMC Level 3 are conducted directly by the government via the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Strategic Value: Achieving Level 3 grants access to high-value contracts involving sensitive data and positions the business to win, and retain, high-value DoD work. The estimated cost for this level is the highest, ranging from $300,000 to over $1,000,000.

CMMC is a business enabler that signals to federal agencies that your organization takes data security seriously. The most important first step is to determine your required CMMC level (Level 1 for FCI only, Level 2 for CUI) and pinpoint any security shortcomings against that level's requirements. By proactively building a roadmap for improvement, you position your business to stay competitive in the defense market.
