CMMC 2.0 Levels Explained: Level 1, Level 2, and Level 3
CMMC 2.0 establishes three certification levels that determine which DoD contracts your organization can compete for. Your required level depends on the type of information your contracts involve.
Three Levels of Cybersecurity Maturity
Each level builds on the previous one. Your required level is determined by your contracts and the data they involve, not by organizational preference.
Level 1: Protects Federal Contract Information (FCI)
The 15 basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 counted these as 17 practices; the CMMC 2.0 rule uses the 15 as written in the FAR clause). Annual self-assessment with an annual affirmation. Applies to contractors that handle FCI but no CUI. Most organizations can reach compliance within 1-3 months with minimal investment.
Level 2: Protects Controlled Unclassified Information (CUI)
All 110 NIST SP 800-171 Rev 2 requirements across 14 control families. The assessment type depends on the contract: a triennial certification assessment by an authorized C3PAO for contracts involving more sensitive CUI, or an annual self-assessment where the contract allows it, with an annual affirmation in both cases. This is the most common level for defense contractors. Expect 6-18 months of preparation and $100K-$500K+ in total cost.
Level 3: Protects CUI Against Advanced Persistent Threats
All 110 Level 2 requirements plus 24 enhanced requirements selected from NIST SP 800-172. Triennial government-led assessment by DCMA's DIBCAC. Reserved for the highest-priority defense programs. A final Level 2 C3PAO certification is a prerequisite.
Implementation Timeline
Phase 1 (2025): Level 1 and Level 2 self-assessment requirements begin appearing in solicitations. Phase 2 (2026): Level 2 C3PAO certification required for contracts involving more sensitive CUI. Phase 3 (2027): Level 3 DIBCAC assessments begin and Level 2 certification requirements expand. Phase 4 (2028): CMMC requirements included in all applicable contracts. Each phase starts one year after the previous one, counted from the effective date of the DFARS rule, so treat the calendar years as approximate.
How to Determine Your Required Level
Review contracts for DFARS clauses 252.204-7012 (CUI safeguarding and incident reporting), 252.204-7019 and 7020 (NIST SP 800-171 assessment and SPRS score), and 252.204-7021 (CMMC requirements)
Determine if you handle FCI only (Level 1) or CUI (Level 2+)
Check if contracts specify Level 3 for critical programs
Ask prime contractors about flow-down requirements
Get a professional assessment to validate CUI data flows
Begin preparation 12+ months before anticipated contract need
Frequently Asked Questions
What changed from CMMC 1.0 to CMMC 2.0?
CMMC 2.0 consolidated five levels to three, eliminated CMMC-unique practices in favor of direct NIST alignment, allowed self-assessment for Level 1 and some Level 2 programs, and introduced limited POA&M flexibility with a 180-day remediation window for conditional certification.
Most contractors assume they only need Level 1. Is that accurate?
Many contractors underestimate the amount of CUI in their environment. Technical drawings, engineering specifications, test data, and logistics information related to defense programs may qualify as CUI. If any of your contracts involve CUI, you need Level 2. A professional assessment can review your contracts and data flows to determine the correct level.
What NIST standards does each level align with?
Level 1 aligns with FAR 52.204-21 (15 basic safeguarding requirements drawn from NIST SP 800-171). Level 2 aligns directly with NIST SP 800-171 Rev 2 (110 requirements). Level 3 builds on Level 2 with 24 additional requirements selected from NIST SP 800-172. Organizations already working toward NIST 800-171 compliance have done the majority of the work needed for Level 2.
How do I know if my contracts involve CUI?
Look for DFARS clause 252.204-7012, which governs CUI safeguarding. Check contract data requirements lists (CDRLs) and delivery schedules. Review data markings on information you receive from the government or prime contractors. If you are a subcontractor, ask your prime contractor what data categories flow down to your level.
Can I start at Level 1 and upgrade to Level 2 later?
Yes, but this is only advisable if your current contracts genuinely require only Level 1. If upcoming contracts will require Level 2, start preparing now. The jump from 15 to 110 requirements typically takes 6-18 months, and delaying preparation puts contract eligibility at risk once CMMC requirements appear in solicitations.
What does a CMMC gap assessment cost?
A professional CMMC gap assessment is a fraction of the total certification cost but provides the foundation for efficient remediation. Contact us for a quote based on your organization size and scope. The assessment pays for itself by preventing wasted remediation spending on areas already compliant.
Not Sure Which Level You Need?
Our CMMC Registered Practitioners will analyze your contracts, data flows, and systems to determine your required level and build a certification roadmap.