How to Determine Your CMMC Certification Level

The Cybersecurity Maturity Model Certification (CMMC) program was created to strengthen the cybersecurity posture of the Defense Industrial Base (DIB) and protect sensitive information shared across defense supply chains. CMMC 2.0 groups cybersecurity requirements into three maturity levels, each tied to the type of data your organization processes and the security practices needed to protect it.

Understanding your required maturity level is one of the earliest and most important steps in the CMMC certification process, because it determines which controls you must implement, which assessors will evaluate your environment, and the level of effort needed to maintain compliance over time.

Below we’ll provide an overview of each level and tips for determining the one that’s right for your organization.

CMMC certification levels explained

CMMC 2.0 streamlines the original CMMC 1.0 framework into three certification levels, each aligned to well-established U.S. Department of Defense requirements and NIST publications. These three levels provide a clear, tiered cybersecurity baseline for defense contractors across the DIB, ensuring that the required practices align with the type of sensitive data being protected.

Here’s an overview of the three CMMC 2.0 certification levels:


CMMC Level 1: Foundational protection for FCI

Level 1 focuses on implementing basic cybersecurity practices to protect FCI handled by DoD contractors. These are fundamental security practices, such as safeguarding access, authentication, media protection, physical security, communications protection, and system integrity.

Here’s an overview of this level:

  • Focus: Basic cyber hygiene
  • Practices: 15 cybersecurity practices based on FAR 52.204-21 (Federal Acquisition Regulation), covering essentials such as access control, authentication, physical security, and media protection.
  • Assessment requirements: Annual self-assessments with annual affirmations by a senior company official.
  • Who needs it? This level is intended for organizations that handle Federal Contract Information (FCI), which is information provided by or generated for the government under contract but not intended for public release.

Level 1 is the entry point of the CMMC framework and is designed to be achievable for small contractors while still reducing common vulnerabilities in the supply chain.

CMMC Level 2: Advanced protection for CUI

CMMC 2.0 Level 2 aims to ensure that organizations implement good cybersecurity practices to protect CUI from both external and internal threats.

Here’s an overview of this level:

  • Focus: Advanced cyber hygiene
  • Practices: 110 security controls aligned with the practices outlined in NIST SP 800-171.
  • Assessment requirements: Organizations handling CUI that is critical to national security must pass a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years; for CUI that is not critical to national security, an annual self-assessment may be sufficient.
  • Who needs it? This level is intended for organizations that handle Controlled Unclassified Information (CUI).

CMMC Level 3 Certification: Expert protection against advanced threats

CMMC 2.0 Level 3 is the highest level, designed for companies that need to implement the most rigorous cybersecurity measures to protect against advanced persistent threats (APTs). It includes enhanced practices from NIST SP 800-172 to secure critical CUI against sophisticated cyber threats.

Here’s an overview of this level: 

  • Focus: Expert cyber hygiene
  • Practices: Over 110 practices aligned with NIST 800-171 and additional requirements from a subset of NIST SP 800-172 controls, including advanced monitoring, anomaly detection, and enhanced incident response.
  • Assessment requirements: Government-led assessments are required every three years.
  • Who needs it? This level is targeted at organizations that handle the most sensitive government information and are part of the DoD’s highest-priority contracts.

How to determine which CMMC level you need

Following the steps below can help you determine the CMMC certification level that’s right for you in the short and long term.


1. Review your contract requirements

Review the DoD contracts you’re bidding on or currently involved with. Solicitations, requests for information (RFIs), and contracts should specify the required CMMC level.

If the CMMC level is not explicitly stated in your contract, consult with your contracting officer or legal team to clarify the security requirements based on the information handled.

If you are a subcontractor, communicate with your prime contractors to understand any applicable CMMC flowdown requirements from the main contract. Prime contractors should be able to provide guidance on the required CMMC level for their subcontractors.

2. Identify the type of information you handle

The type of information you’re handling can help determine the level of certification you need. Here’s a general rule of thumb:

  • If you handle FCI: Most organizations that deal only with FCI will need Level 1 certification. This level covers basic cybersecurity practices to protect government information.
  • If you handle CUI: If your organization deals with CUI, you will likely need a higher level of certification—typically Level 2 or higher. These levels include more stringent security controls designed to protect sensitive information. However, if you are a subcontractor and your prime contractor handles CUI but only flows down select information, a lower CMMC level may apply to you as the subcontractor.

3. Assess your role in the defense supply chain

Next, consider your role in the DoD supply chain.

If you’re a prime contractor working directly with the DoD, for example, you may be required to achieve a higher CMMC level than a subcontractor, depending on the type of contracts you handle.

Whether the data you process is critical to national security may also affect your certification level or assessment requirements.

As mentioned above, if you process CUI, you likely fall under Level 2 or 3. The exact level and/or assessment requirement varies depending on the sensitivity of that data.

For example, if your organization manages CUI that is critical to national security, then you are Level 2 and must pass a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years. If your organization manages CUI that is not critical to national security, you are also Level 2, but an annual self-assessment may be sufficient.

Level 3 is reserved for the highest-priority, most critical defense programs. If your organization plays a critical role in national security and handles highly sensitive information, you may belong to this level and must pass government-led assessments every three years.

4. Consider your long-term goals

When deciding on a CMMC level, try to think beyond your immediate needs. If your organization plans to grow, take on more sensitive projects, or expand its DoD contracts, aiming for a higher CMMC level might be a strategic move to future-proof your business.

For example, while your current contracts may only require CMMC Level 1, pursuing Level 2 certification for non-critical CUI could position your organization to handle more complex and lucrative contracts in the future that involve CUI.

5. Consult with a CMMC or DFARS expert

Completing the steps above can be difficult, especially if your organization is new to CMMC or handles a mix of FCI and CUI.

If you’re unsure which level is required, consulting with a CMMC consultant or cybersecurity expert can be invaluable. These experts can assess your operations, the type of information you handle, and what security measures you currently have in place and provide guidance on the appropriate level of certification.

Secureframe compliance managers, for example, have CMMC, FedRAMP, and FISMA assessment and readiness experience and can help you navigate your CMMC compliance requirements and readiness efforts.

In addition to referring to the CMMC Accreditation Body (CMMC-AB) website and the Department of Defense CMMC page for official guidance and resources on CMMC requirements and levels, you can use the high-level decision tree below to determine what level is right for you.

FAQs

Who determines CMMC level?

The CMMC level required for your organization is typically determined by the Department of Defense (DoD) based on the type of information you handle. Contractors and subcontractors working with the DoD must comply with a specific CMMC level depending on the sensitivity of the information they access or manage, such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The contracting officer or the DoD agency usually specifies the required CMMC level in the contract or request for information (RFI).

What is the difference between CMMC Level 1 and Level 2?

Below is an overview of the key differences between CMMC Level 1 and 2:

  • CMMC Level 1 focuses on basic cybersecurity hygiene and safeguarding Federal Contract Information (FCI). It includes 15 basic security practices derived from FAR 52.204-21, such as using antivirus software and limiting information access.
  • CMMC Level 2 certification is more rigorous, designed to protect Controlled Unclassified Information (CUI). It incorporates 110 security controls, aligning with the practices outlined in NIST SP 800-171. CMMC Level 2 is intended for organizations handling more sensitive DoD data and requires a higher degree of cybersecurity maturity.

What CMMC 2.0 level do I need?

The CMMC 2.0 level you need depends on the type and sensitivity of information your organization handles:

  • CMMC Level 1 is sufficient if you only handle Federal Contract Information (FCI).
  • CMMC Level 2 is required if your organization works with Controlled Unclassified Information (CUI) and is involved in contracts that contain information critical to national security. 
  • CMMC Level 3 (to be finalized later) will be necessary for organizations that handle the most sensitive government information and are part of the DoD’s highest-priority contracts.

You should review your contract requirements or consult with your contracting officer to determine the exact level needed.

Does every contractor in the Defense Industrial Base need CMMC?

Yes. Every organization in the DIB, including subcontractors, must meet at least Level 1 under the CMMC program's phased rollout now that the Final Rule has been published under 32 CFR and 48 CFR.

What documents do I need for a CMMC assessment?

Depending on the level, you may need:

  • A complete system security plan (SSP)
  • A current POA&M
  • Policies and procedures for access control, configuration management, and incident response
  • Evidence demonstrating control implementation
  • Logs, screenshots, and test results supporting your cybersecurity posture

These materials help C3PAO assessors validate your implementation during the certification process.

How does CMMC relate to DFARS 252.204-7012?

DFARS 7012 requires safeguarding CUI and reporting cyber incidents. CMMC Level 2 builds on these requirements and provides the independent verification mechanism the DoD uses to confirm compliance.
