CMMC levels: 1, 2, and 3 explained
What each CMMC level requires, who needs which one, and how assessments differ — from Level 1 self-assessment to Level 3 government evaluation.
What are the CMMC levels?
CMMC 2.0 defines three levels of cybersecurity maturity, each tied to the sensitivity of the information a contractor handles: Level 1 (Foundational) for Federal Contract Information, Level 2 (Advanced) for Controlled Unclassified Information, and Level 3 (Expert) for CUI on the highest-priority programs. Your contracts — not your preference — determine your level.
Level 1: Foundational
- Protects: FCI — non-public information provided or generated under a federal contract.
- Requirements: 15 basic safeguarding practices from FAR 52.204-21 (access control, media handling, basic hygiene).
- Verification: annual self-assessment, entered in SPRS, with an annual affirmation by a senior company official.
- Effort: weeks rather than months for a reasonably run IT environment.
Level 2: Advanced
- Protects: CUI — controlled unclassified information such as technical drawings, specifications, and export-controlled data.
- Requirements: all 110 controls of NIST SP 800-171, tested against 320 assessment objectives.
- Verification: triennial assessment by an authorized C3PAO for most contracts (a subset allows self-assessment), plus annual affirmations.
- Effort: typically months of remediation for first-timers, plus assessment scheduling lead time.
Level 2 is where conditional certification exists: score at least 80% with only POA&M-eligible controls open, and you can certify conditionally with 180 days to close the rest.
Level 3: Expert
- Protects: CUI associated with the DoD's highest-priority programs against advanced persistent threats.
- Requirements: 24 selected requirements from NIST SP 800-172, layered on a final Level 2 certification.
- Verification: government-led assessment by DIBCAC, every three years.
- Applies to: a small fraction of the DIB — you'll know from your program office if this is you.
Which level do you actually need?
Work the question in this order. What do your contracts say? What clauses do they carry (DFARS 252.204-7012 implies CUI and therefore Level 2)? And what does your data actually include? CUI has a way of appearing in drawings and emails regardless of what anyone assumed. Our article on choosing between Level 1 and Level 2 walks through the decision in detail.
Frequently asked questions
Which CMMC level do most defense contractors need?
Level 2 covers the broad middle of the DIB: any contractor whose work involves CUI — drawings, specifications, technical data — needs the 110 NIST 800-171 controls. Level 1 applies to contractors handling only FCI, and Level 3 is reserved for a small set of the highest-priority programs.
Can some Level 2 contracts use self-assessment?
Yes. The rule allows Level 2 self-assessment for a subset of contracts, but DoD has indicated most Level 2 requirements will demand C3PAO certification — and primes overwhelmingly ask for the certified version. Plan for certification unless your contracting officer says otherwise.
Does Level 3 replace Level 2?
No — it stacks on top. Level 3 candidates must first hold a final Level 2 certification from a C3PAO, then undergo a government-led (DIBCAC) assessment of the additional NIST 800-172 requirements.
How do I know which level my contract requires?
The solicitation states it. Look for the CMMC level in the requirement documents and for DFARS 252.204-7012/7021 clauses; the underlying question is whether you handle only FCI (Level 1) or CUI (Level 2+). When it's ambiguous, ask your contracting officer or prime — in writing.
