CMMC Certification Levels: Which Level Applies to You?
If you’re one of the 300,000 companies working within the defense sector, you’ve likely noticed that cybersecurity has only become more of an essential business requirement.
In response to the seriousness of modern security threats, the Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 to help standardize security preparedness.
Today, the government requires tangible proof that organizations are adequately protecting the data they collect, store, and process. CMMC 2.0 provides a tiered framework that enables businesses to align security requirements with their level of risk while demonstrating compliance with established cybersecurity standards.
Below, we outline the three CMMC certification levels and help you determine which one may apply to your organization, along with best practices to consider as you prepare for your CMMC assessment.
What Is the Cybersecurity Maturity Model Certification (CMMC) 2.0?
CMMC 2.0 is the framework the DoD uses to verify that contractors, subcontractors, and suppliers who access, store, or process Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) have appropriate cybersecurity safeguards in place.
In the past, many organizations were allowed to “self-attest,” meaning they could affirm compliance with required cybersecurity standards without independent verification. With CMMC 2.0, certain contractors are now required to provide documented evidence of compliance, and in some cases undergo third-party assessments.
The CMMC 2.0 program is codified in federal regulation. The rule at 32 CFR Part 170 defines the program itself (the levels, assessment types, and certification process), and the companion 48 CFR rule carries the requirement into contracts through DFARS clause 252.204-7021, so that the same cybersecurity standards apply consistently across the defense supply chain.
The Purpose of CMMC 2.0
The primary goal of CMMC 2.0 is to protect two categories of information that are frequently targeted by threat actors:
- Federal Contract Information (FCI) includes information provided to or generated for the government under a contract that is not intended for public release. This can include materials such as contract-related emails, delivery schedules, and project documentation.
- Controlled Unclassified Information (CUI) is more sensitive data that requires safeguarding or dissemination controls in accordance with federal requirements. This may include technical drawings, research data, specifications, and other information that could impact national security or government operations if compromised.
Objectives with CMMC for Defense Contractors
The DoD introduced the CMMC framework to achieve several key objectives across its defense contractor ecosystem. First, it aims to standardize cybersecurity expectations. Whether an organization is a large enterprise or a small business, the requirements for protecting sensitive government information remain consistent across the defense supply chain.
Second, the framework gives the government visibility into contractor “cyber hygiene” through the Supplier Performance Risk System (SPRS), where self-assessment results, certification status, and annual affirmations are recorded. This lets contracting officers confirm that an organization meets the required level before award and helps identify suppliers that may pose a risk to the supply chain.
CMMC 2.0 vs. CMMC 1.0
For companies familiar with the original CMMC guidelines, the initial version introduced five maturity levels, which many contractors found complex and resource-intensive to navigate. CMMC 2.0 was introduced by the DoD to simplify the model, reduce compliance burden, and make certification more accessible, particularly for small and mid-sized contractors.
One of the most significant changes is the reduction from five levels to three clearly defined levels of cybersecurity maturity. The updated framework also aligns more closely with existing NIST cybersecurity standards, which many organizations already use as the foundation for their security programs.
In addition, CMMC 2.0 changes how compliance is validated. Level 1, and a subset of Level 2 contracts, can be satisfied with a self-assessment, while contracts involving more sensitive CUI require a Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO), and Level 3 requires a government-led assessment.
How Many CMMC Levels Are There?
There are three different tiers in the CMMC 2.0 framework. Each level represents a step up in security. The level your business needs to follow will depend entirely on the type of data you handle for your government contracts.
These levels range from “Foundational” for basic information to “Expert” for companies defending against more sophisticated, state-sponsored cyberattacks.
CMMC 2.0 Certification Levels Explained
Level 1 – Foundational
Who it applies to
CMMC Level 1 applies to contractors that handle Federal Contract Information (FCI). This includes non-public government-related information that is not considered sensitive enough to qualify as Controlled Unclassified Information (CUI). Many organizations in the defense supply chain fall into this category.
What’s required
Level 1 focuses on basic cybersecurity hygiene. Organizations must implement the 15 security requirements drawn from FAR 52.204-21 to protect FCI. These include measures such as keeping malicious-code protection (antivirus) up to date, limiting system access to authorized users, and restricting physical access to systems and facilities.
How it’s assessed
Level 1 is verified through an annual self-assessment. The organization records the result in the Supplier Performance Risk System (SPRS), and a senior company official must submit an annual affirmation that the organization meets all Level 1 requirements.
Level 2 – Advanced
Who it applies to
CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI). This typically includes organizations working with sensitive government data such as technical drawings, engineering specifications, or specialized software code provided by the DoD.
What’s required
Level 2 maps directly to NIST SP 800-171 (Revision 2) and requires all 110 of its security requirements. Organizations must implement these requirements to protect CUI and reduce risk across their systems and processes.
A key requirement is the development and maintenance of a formal System Security Plan (SSP), which documents how each control is being met.
How it’s assessed
Depending on the contract, Level 2 is verified either through a self-assessment or a certification assessment conducted by a Certified Third-Party Assessment Organization (C3PAO); the DoD expects most contracts involving CUI to require the C3PAO assessment. In either case the assessment is valid for three years, and a senior official must submit an annual affirmation of continued compliance to SPRS in between.
Level 3 – Expert
Who it applies to
CMMC Level 3 is reserved for contractors supporting the most sensitive defense programs. These organizations are typically high-value targets for advanced threat actors due to the critical nature of the information they handle.
What’s required
Level 3 builds on the 110 NIST SP 800-171 requirements of Level 2 and adds 24 enhanced security requirements selected from NIST SP 800-172, which are designed to defend against advanced persistent threats. These additional requirements cover capabilities such as continuous monitoring and active threat detection (for example, cyber threat hunting) and stronger, cryptographically based authentication between systems.
How it’s assessed
Level 3 assessments are conducted by the government, specifically the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and are more rigorous than lower-level evaluations. Before a Level 3 assessment, an organization must already hold a final Level 2 certification from a C3PAO for the same scope; the Level 3 assessment then covers the additional NIST SP 800-172 requirements. Like Level 2, a Level 3 certification is valid for three years with annual affirmations, and it is intended only for the highest-risk environments.
Key Domains and Capabilities Across All Levels
The CMMC requirements are grouped into 14 categories called “domains,” which correspond to the requirement families of NIST SP 800-171. Together they cover the full range of an organization’s security program rather than a handful of basic technical controls.
Some of the most important domains you’ll encounter include:
- Access Control (AC): Managing who can log into your systems and what they can do once they are in.
- Incident Response (IR): Having a clear plan for what you do if a security breach happens, including how you report and recover from it.
- Risk Assessment (RA): Regularly checking your systems for vulnerabilities, remediating what you find, and assessing potential threats to your operations and data.
- System and Information Integrity (SI): Monitoring for malicious code and making sure your systems haven’t been tampered with.
The same domain grows in depth from level to level. In Access Control, for example, a Level 1 company must limit system access to authorized users; a Level 2 company must additionally control the connection of mobile devices and encrypt CUI stored on them; and at Level 3 the related Identification and Authentication domain requires bidirectional, cryptographically based authentication before a device is allowed to connect to the network.
Determining Your CMMC Level
Selecting the appropriate CMMC level is not a matter of preference; it is determined by the type of information your organization handles and the specific requirements outlined in your government contracts. The most effective starting point is to evaluate how Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) flow through your business systems, users, and third-party relationships.
Data type is the primary driver
If your organization only handles Federal Contract Information (FCI), such as administrative data, scheduling information, or contract-related communications, you will typically fall under CMMC Level 1 requirements.
If your organization handles Controlled Unclassified Information (CUI), such as technical specifications, engineering data, or sensitive program information, CMMC Level 2 is required to participate in those contracts.
Contract language determines requirements
In many cases, your required CMMC level is explicitly defined in contract language. Clauses such as DFARS 252.204-7012 are strong indicators that CUI is involved and that Level 2 compliance will be required, and solicitations that include DFARS 252.204-7021 state the required CMMC level and assessment type directly. Reviewing current and future contract obligations is a critical step in determining your compliance path.
Role in the supply chain matters
Your position in the supply chain does not change the rule, but it affects what data reaches you. Requirements flow down from prime contractors to subcontractors based on the information each party actually receives: a prime supporting a sensitive program may need Level 2 or 3, while a subcontractor on the same program that receives only FCI needs Level 1. A subcontractor that receives CUI needs Level 2 as well.
Higher-risk environments
CMMC Level 3 applies only to a limited number of organizations supporting high-priority defense programs involving the most sensitive categories of CUI. These environments are typically associated with advanced national security or mission-critical technologies.
Reducing scope through segmentation
Some organizations reduce compliance scope by implementing secure system segmentation, often referred to as an enclave approach. This isolates the systems that store, process, or transmit CUI into a defined environment, so that CMMC Level 2 requirements apply only to that segment rather than the entire organization, reducing cost and operational complexity. The enclave boundary must be real and documented, however: the CMMC scoping guidance still counts systems that provide security services to the enclave (such as the identity provider, logging platform, or endpoint protection) as in-scope Security Protection Assets, and any system that can still reach CUI through the segmentation is in scope too.
Preparing for CMMC Certification
Achieving CMMC Level 2 certification can require six to eighteen months of preparation, depending on the current state of an organization’s cybersecurity controls and documentation. Beginning the process early helps organizations strengthen their security posture and remain eligible for defense contracts that require higher levels of certification.
Below are some of the basic steps you’ll want to take when preparing for your CMMC certification:
Step 1: Conduct a CMMC Gap Assessment
Compare your current practices to the required controls.
The first step is to compare your current cybersecurity controls against the requirements for your target CMMC level. A gap assessment helps identify missing or incomplete controls, whether technical safeguards such as encryption and access controls, or administrative requirements such as documented policies and incident response procedures.
This process provides a clear baseline of your current security posture and outlines the remediation work needed before pursuing certification.
Step 2: Perform a CMMC Readiness Assessment
Once identified gaps have been addressed, organizations often complete a readiness assessment to confirm they are prepared for a formal CMMC evaluation. This step simulates elements of the assessment process and helps ensure that implemented controls are functioning properly, documented appropriately, and consistently followed by staff.
A readiness assessment can help reduce the risk of delays or findings during the official certification process.
Step 3: Build Your System Security Plan (SSP)
The System Security Plan (SSP) is one of the most important documents required for CMMC compliance. The SSP outlines your system environment, identifies where sensitive information is stored and processed, and documents how each required security control is implemented.
Assessors rely heavily on the SSP during an evaluation, so maintaining an accurate and well-documented plan is essential for demonstrating compliance.
Step 4: Engage a Qualified CMMC Consultant or C3PAO
Many organizations choose to work with external experts when preparing for CMMC certification. Registered Provider Organizations (RPOs) and experienced consultants can help organizations interpret requirements, remediate security gaps, and prepare documentation.
When pursuing Level 2 certification that requires a third-party assessment, organizations will need to schedule an evaluation with a Certified Third-Party Assessment Organization (C3PAO). Because assessment availability can be limited, it is often advisable to schedule these engagements well in advance.
Step 5: Implement Required Technical and Procedural Controls
Organizations must implement the necessary technical and procedural controls required for their certification level. This may include measures such as enabling multi-factor authentication (MFA), deploying centralized logging and monitoring tools, enforcing access controls, and establishing incident response procedures.
Employee training also plays an important role, ensuring staff understand how to properly handle Controlled Unclassified Information (CUI) and follow established security practices.
Step 6: Schedule and Maintain Ongoing Compliance
CMMC certification is not a one-time activity. While formal third-party assessments typically occur every three years for applicable levels, organizations must continue maintaining their security controls and submit required annual affirmations of compliance. Continuous monitoring, regular policy updates, and ongoing employee training are essential to sustaining certification.
In Summary
CMMC 2.0 introduces a structured approach to cybersecurity across the defense supply chain, with three certification levels designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The level required for your organization depends primarily on the type of data you handle and the requirements outlined in your DoD contracts.
Identifying your required CMMC level early allows organizations to plan the resources, security controls, and assessments needed to achieve compliance and maintain eligibility for future defense contracting opportunities.