

CMMC levels: 1, 2, and 3 explained

What each CMMC level requires, who needs which one, and how assessments differ — from Level 1 self-assessment to Level 3 government evaluation.

What are the CMMC levels?
CMMC 2.0 defines three levels of cybersecurity maturity, each tied to the sensitivity of the information a contractor handles: Level 1 (Foundational) for Federal Contract Information, Level 2 (Advanced) for Controlled Unclassified Information, and Level 3 (Expert) for CUI on the highest-priority programs. Your contracts — not your preference — determine your level.

Level 1: Foundational

  • Protects: FCI — non-public information provided or generated under a federal contract.
  • Requirements: 15 basic safeguarding practices from FAR 52.204-21 (access control, media handling, basic hygiene).
  • Verification: annual self-assessment, entered in SPRS, with an annual affirmation by a senior company official.
  • Effort: weeks rather than months for a reasonably run IT environment.

Level 2: Advanced

  • Protects: CUI — controlled unclassified information such as technical drawings, specifications, and export-controlled data.
  • Requirements: all 110 controls of NIST SP 800-171 (Revision 2, the version the CMMC rule points to), tested against the 320 assessment objectives in NIST SP 800-171A.
  • Verification: triennial assessment by an authorized C3PAO for most contracts (a subset allows self-assessment), plus annual affirmations.
  • Effort: typically months of remediation for first-timers, plus assessment scheduling lead time.

Unlike Level 1, Level 2 allows a conditional status: score at least 80% (88 of 110 under the DoD assessment scoring methodology) with only POA&M-eligible controls still open, and you can be certified conditionally with 180 days to close the remainder. Not every control is POA&M-eligible; the highest-weighted controls in the scoring methodology must be fully met before the assessment, and if the POA&M is not closed out within the 180 days the conditional status lapses.

Level 3: Expert

  • Protects: CUI associated with the DoD's highest-priority programs against advanced persistent threats.
  • Requirements: 24 selected requirements from NIST SP 800-172, layered on a final Level 2 certification.
  • Verification: government-led assessment by DIBCAC, every three years.
  • Applies to: a small fraction of the DIB — you'll know from your program office if this is you.

Which level do you actually need?

Work the question in this order. First, what do your contracts say? Second, what clauses do they carry? DFARS 252.204-7012 signals that the government expects CUI (covered defense information) on the contract, which points to Level 2. Third, what does your data actually include? CUI has a way of appearing in drawings and emails regardless of what anyone assumed, and the level follows the data, not the assumption. Our article on choosing between Level 1 and Level 2 walks the decision in detail.

Frequently asked questions

Which CMMC level do most defense contractors need?

Level 2 covers the broad middle of the DIB: any contractor whose work involves CUI — drawings, specifications, technical data — needs the 110 NIST 800-171 controls. Level 1 applies to contractors handling only FCI, and Level 3 is reserved for a small set of the highest-priority programs.

Can some Level 2 contracts use self-assessment?

Yes. The rule allows Level 2 self-assessment for a subset of contracts, but DoD has indicated most Level 2 requirements will demand C3PAO certification — and primes overwhelmingly ask for the certified version. Plan for certification unless your contracting officer says otherwise.

Does Level 3 replace Level 2?

No — it stacks on top. Level 3 candidates must first hold a final Level 2 certification from a C3PAO, then undergo a government-led (DIBCAC) assessment of the additional NIST 800-172 requirements.

How do I know which level my contract requires?

The solicitation states it. Look for the CMMC level in the requirement documents and for the DFARS 252.204-7012 and 252.204-7021 clauses (7021 is the clause that ties the required level to the contract); the underlying question is whether you handle only FCI (Level 1) or CUI (Level 2 or above). When it's ambiguous, ask your contracting officer or prime, and get the answer in writing.

Free 30-minute readiness call

Walk into your CMMC assessment ready.

Book a 30-minute readiness call with a Fortwise advisor. No high-pressure sales — just a clear read on where you stand and what it takes to certify.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI