CMMC 2.0 compliance and assessment requirements vary based on your organization’s relationship with the DoD and the type of information you handle.

So one of the first steps in the CMMC compliance process is determining your CMMC level. Below we’ll provide an overview of each level and tips for how you can determine the one that’s right for you. 

CMMC certification levels

The CMMC 2.0 model simplifies the original framework into three certification levels. These three levels provide a clear, tiered approach to cybersecurity, ensuring that the required practices align with the type and sensitivity of the information being protected.

Here’s an overview of the three CMMC 2.0 certification levels:

description of cmmc 2.0 levels

CMMC Level 1 Certification: Foundational

Level 1 focuses on implementing basic cybersecurity practices to protect FCI. These are fundamental security practices, such as safeguarding access, authentication, media protection, physical security, communications protection, and system integrity.

Here’s an overview of this level:

  • Focus: Basic cyber hygiene
  • Practices: 17 cybersecurity practices based on FAR 52.204-21 (Federal Acquisition Regulation)
  • Assessment Requirements: Annual self-assessments with annual affirmations by a senior company official.
  • Who needs it? This level is intended for organizations that handle Federal Contract Information (FCI), which is information provided by or generated for the government under contract but not intended for public release.

CMMC Level 2 Certification: Advanced

CMMC 2.0 Level 2 aims to ensure that organizations implement good cybersecurity practices to protect CUI from both external and internal threats.

Here’s an overview of this level: 

  • Focus: Advanced cyber hygiene
  • Practices: 110 practices aligned with the NIST SP 800-171 Rev. 2 framework, which covers the protection of Controlled Unclassified Information (CUI).
  • Assessment Requirements: Triennial assessments performed by a C3PAO for information critical to national security, or annual self-assessments for non-critical information, with results submitted through the Supplier Performance Risk System (SPRS).
  • Who needs it? Organizations that handle CUI and are involved in contracts that contain information critical to national security. 

CMMC Level 3 Certification: Expert

CMMC 2.0 Level 3 is the highest level, designed for companies that need to implement the most rigorous cybersecurity measures to protect against advanced persistent threats (APTs). It includes comprehensive practices and processes to secure critical CUI against sophisticated cyber threats.

Here’s an overview of this level: 

  • Focus: Expert cyber hygiene
  • Practices: Over 110 practices aligned with NIST 800-171 and additional requirements from a subset of NIST SP 800-172 controls
  • Assessment Requirements: Government-led assessments conducted by government officials every three years
  • Who needs it? This level is targeted at organizations that handle the most sensitive government information and are part of the DoD’s highest-priority contracts.

What CMMC level do I need?

Following the steps below can help you determine the CMMC certification level that’s right for you in the short and long term.

How to Determine your CMMC Certification Level

1. Review your contract requirements

Review the DoD contracts you’re bidding on or currently involved with. Any solicitation, requests for information (RFIs), or contracts should specify the required CMMC level.

If the CMMC level is not explicitly stated in your contract, consult with your contracting officer or legal team to clarify the security requirements based on the information handled.

If you are a subcontractor, communicate with your prime contractors to understand any applicable CMMC requirements flowing down from the main contract. Prime contractors should be able to provide guidance on the required CMMC level for their subcontractors.

2. Identify the type of information you handle

The type of information you’re handling can help determine the level of certification you need. Here’s a general rule of thumb:

  • If you handle FCI: Most organizations that deal only with FCI will need Level 1 certification. This level covers basic cybersecurity practices to protect government information.
  • If you handle CUI: If your organization deals with CUI, you will likely need a higher level of certification—typically Level 2 or higher. These levels include more stringent security controls designed to protect sensitive information. However, if you are a subcontractor and your prime contractor handles CUI but only flows down select information, a lower CMMC level may apply to you as the subcontractor.

3. Assess your role in the DoD supply chain

Next, consider your role in the DoD supply chain. 

For example, a prime contractor working directly with the DoD may be required to achieve a higher CMMC level than a subcontractor, depending on the type of contracts it handles.

Whether the data you process is critical to national security may also affect your certification level or assessment requirements.

As mentioned above, if you process CUI, you will likely need Level 2 or 3. The exact level and/or assessment requirement varies depending on the sensitivity of that data. For example, if your organization manages CUI that is critical to national security, you are Level 2 and must pass a third-party assessment by a C3PAO every three years. If your organization manages CUI that is not critical to national security, you are also Level 2 but may conduct an annual self-assessment instead of a third-party one.

Level 3 is reserved for the highest priority, most critical defense programs. If your organization plays a critical role in national security and handles highly sensitive information, you may belong to this level and must pass government-led assessments every three years. 

4. Consider your long-term goals

When deciding on a CMMC level, try to think beyond your immediate needs. If your organization plans to grow, take on more sensitive projects, or expand its DoD contracts, aiming for a higher CMMC level might be a strategic move to future-proof your business.

For example, while your current contracts may only require CMMC Level 1, pursuing Level 2 non-critical certification could position your organization to handle more complex and lucrative contracts in the future that involve CUI.

5. Consult with a CMMC expert

Completing the steps above can be difficult, especially if your organization is new to CMMC or if you handle a mix of FCI and CUI. 

If you’re unsure which level is required, consulting with a CMMC consultant or cybersecurity expert can be invaluable. These experts can assess your operations, the type of information you handle, and what security measures you currently have in place and provide guidance on the appropriate level of certification.

Secureframe compliance managers, for example, have CMMC, FedRAMP, and FISMA assessment and readiness experience and can help you navigate your CMMC compliance requirements and readiness efforts. 

In addition to referring to the CMMC Accreditation Body (CMMC-AB) website and the Department of Defense CMMC page for official guidance and resources on CMMC requirements and levels, you can use the high-level decision tree below to determine what level is right for you.

decision tree guiding user to determine what cmmc level they need through series of questions

FAQs

Who determines CMMC level?

The CMMC level required for your organization is typically determined by the Department of Defense (DoD) based on the type of information you handle. Contractors and subcontractors working with the DoD must comply with a specific CMMC level depending on the sensitivity of the information they access or manage, such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The contracting officer or the DoD agency usually specifies the required CMMC level in the contract or request for information (RFI).

What is the difference between CMMC Level 1 and Level 2?

Below is an overview of the key differences between CMMC Level 1 and 2:

  • CMMC Level 1 focuses on basic cybersecurity hygiene and safeguarding Federal Contract Information (FCI). It includes 17 basic security practices derived from FAR 52.204-21, such as using antivirus software and limiting information access.
  • CMMC Level 2 is a more rigorous requirement, designed to protect Controlled Unclassified Information (CUI). It incorporates 110 security controls, aligning with the practices outlined in NIST SP 800-171. CMMC Level 2 is intended for organizations handling more sensitive DoD data and requires a higher degree of cybersecurity maturity.

What CMMC 2.0 level do I need?

The CMMC 2.0 level you need depends on the type and sensitivity of information your organization handles:

  • CMMC Level 1 is sufficient if you only handle Federal Contract Information (FCI).
  • CMMC Level 2 is required if your organization works with Controlled Unclassified Information (CUI) and is involved in contracts that contain information critical to national security. 
  • CMMC Level 3 (to be finalized later) will be necessary for organizations that handle the most sensitive government information and are part of the DoD’s highest-priority contracts.

You should review your contract requirements or consult with your contracting officer to determine the exact level needed.