One of the most common questions businesses are asking is “What are the CMMC requirements, and which level applies to my business?”
CMMC Levels Explained
CMMC 2.0 has three levels, and the level you need depends on the type of information your organization handles. Here’s a quick breakdown.
Level 1 – Foundational
- Applies to all federal and Defense contractors that handle Federal Contract Information (FCI).
- This requires the implementation of 15 foundational cybersecurity practices from FAR 52.204-21.
- Annual self-assessment is required (no third-party audit).
If you only handle basic contract information and not sensitive defense data, this may be your level.
Level 2 – Advanced
- Applies to companies handling Controlled Unclassified Information (CUI).
- This requires compliance with NIST SP 800-171 (110 security controls).
- Assessment requirements depend on contract sensitivity:
  - Self-assessment (for select non-critical contracts)
  - C3PAO third-party assessment (for most DoW contractors handling CUI)
- One important caveat: even if your company does not contract directly with the DoW, you may still be required to meet CMMC Level 2 if a prime contractor flows the requirement down to you.
For many companies, scheduling a Level 2 assessment with a C3PAO is a sound business decision that opens the door to more contract opportunities.
Why the Confusion Around “Self vs. C3PAO”?
Some Level 2 contractors may qualify for a self-assessment, while others must undergo a C3PAO assessment. When in doubt, assume that handling CUI likely means preparing for a third-party assessment unless explicitly told otherwise.
💡 If you need more clarity, reach out to us, and we can talk through your business needs.
Level 3 – Expert
- Level 3 applies to companies supporting the most sensitive DoW programs.
- This builds on Level 2 requirements and adds controls from NIST SP 800-172.
- Requires assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
At present, Level 3 applies to a small percentage of contractors supporting high-priority national security programs.
Which Level Do You Need?
The determining factor is not your company size; it’s the type of data you handle under your DoW contracts.
Ask yourself:
- Do we handle only FCI? → Likely Level 1 (Self-Assessment)
- Do we handle CUI? → Likely Level 2
- Is our contract tied to critical national security priorities? → Possibly Level 3
Your contract and prime contractor will ultimately specify the required level.
Have Questions About Your CMMC Level?
If you’re trying to determine your CMMC requirements or prepare for an assessment, let's connect. A quick conversation can save months of confusion and costly missteps.