Back To Resource Center

Published: March 1, 2023

What CMMC Levels Do You Need?

By Annie articles

Discover the different levels of CMMC compliance

The Cybersecurity Maturity Model Certification (CMMC) of the US Department of Defense (DoD) is an assessment standard meant to guarantee that defense contractors comply with current security criteria for securing sensitive defense information.

To prepare, there are three key objectives defined by CMMC Compliance assessors:

  • Safeguard sensitive defense data from cyberattacks and nation-state actors.
  • Develop common cybersecurity requirements for defense contractors.
  • Ensure responsibility for defense contractors in charge of securing federal data.

In 2021, the Department of Defense announced CMMC 2.0, a much-streamlined version of the initial CMMC framework. The redesigned program reflects two main DoD goals: first, cost reduction, particularly for small and medium-sized companies (SMBs), and second, clarification and alignment of cybersecurity standards with other government requirements.

CMMC 2.0 rulemaking will be finalized by  May 2023, after which CMMC requirements will begin appearing in contracts, although the exact date is still unknown. Organizations must achieve CMMC compliance whether they handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

The DoD has introduced cybersecurity controls at the contractor and subcontractor levels via CMMC. Most defense contractors working for the DoD, except those managing Commercial Off The Shelf (COTS), must gain CMMC certification by 2026

Your DoD contract will specify the CMMC level you must attain and maintain and the data that must be secured.

You can find a more advanced CMMC 2.0 preparedness guide here.

Understanding the CMMC Levels

The most recent CMMC 2.0 model is divided into three tiers (replacing the five-tier system in CMMC 1.02). 

The three CMMC levels announced in 2021 are Level 1 (Foundational), Level 2 (Advanced), and Level 3. (Expert). The CMMC assessment requirements differ depending on the level of certification required.

The three levels of CMMC compliance analyze and measure cybersecurity techniques and processes, certifying a DoD contractor’s capacity to safeguard the CUI and FCI inside the supply chain system.

Each CMMC level builds on the preceding one, incorporating technical and non-technical criteria. While self-assessment and successful third-party assessments are essential elements in the compliance process, the ultimate purpose of CMMC is to enable enterprises to tackle new risks as they emerge, ensuring that organizations never let their guard down.

CMMC Level 1: Foundational

Level 1 requires firms to implement basic cyber hygiene measures. They may, however, be able to implement these activities ad hoc without depending on paperwork and may achieve certification through an annual self-assessment.

As a result, Third Party Assessment Organizations (C3PAO) do not measure level 1 process maturity. Because activities at this level are primarily concerned with the protection of FCI, level 1 only contains practices that fulfill the fundamental safeguarding requirements outlined in 48 CFR 52.204-21.

Who needs Level 1 Compliance?

DoD contractors and subcontractors that handle Federal Contract Information (FCI) will need to be certified at the CMMC level 1. FCI is content that is not meant for public dissemination. Typically, the designation is contained in document markings or specified in the contract.

However, FCI does not include the essential accounting and transaction data necessary for invoicing and receiving payments.

CMMC Level 2: Advanced

Level 2 requires businesses to describe their processes to steer their efforts toward CMMC Level 2 maturity. This documentation must also make it possible for users to replicate these processes.

To acquire this degree of maturity, organizations must follow their specified processes.

Level 2 procedures are defined as advanced cyber hygiene practices (sometimes known as intermediate cyber hygiene) and are a step up from level 1.

According to the National Institute of Standards and Technology Special Publication (NIST SP) 800-171, CMMC 2.0 Level 2 is identical to CMMC 1.02 Level 3. Therefore, it keeps all 14 domains and 110 security controls from CMMC 1.02 but removes all 20 Level 3 practices and procedures unique to CMMC 1.02.

Level 2 compliance assessment standards vary depending on whether the CUI data handled is critical to national security.

For example, organizations with prioritized acquisitions that take significant national security data must undergo a higher-level third-party assessment with the CMMC accreditation body every three years to ensure they continue to develop their maturity level.

In contrast, non-prioritized acquisitions that handle non-critical national security data can complete an annual self-assessment.

Who needs Level 2 Compliance?

The DoD contractor must get at least CMMC Level 2 certification if the job requires sharing and processing CUI data. This level necessitates adherence to all 110 practices from Levels 1 and 2.

CUI is an FCI that includes additional instructions for particular safeguarding or handling restrictions. Therefore, the DoD contract should explicitly identify and describe CUI. In addition, NIST 800-171 contains instructions for recognizing and dealing with CUI.

CMMC Level 3: Expert

The level 3 CMMC model decreases a system’s exposure to Advanced Persistent Threats (APTs) by forcing an organization to design, maintain, and resource a strategy to manage the actions required to implement its cyber security practices.

This plan may include information on various subjects, such as objectives, missions, projects, resourcing, training, and the participation of organizational stakeholders.

This level’s cybersecurity practices are good cyber hygiene procedures that focus on protecting CUI. However, they include the security requirements specified in NIST SP 800-171 and the additional 20 practices for CMMC level 2.

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 remains in effect, imposing additional duties beyond NIST SP 800-171, such as reporting security incidents.

The DoD is presently establishing its security criteria; it is akin to CMMC 1.02 Level 5. However, it has already been stated that the Level 3 standards would be based on NIST SP 800-171’s 110 controls and a subset of NIST SP 800-172 controls.

Who needs Level 3 Compliance?

Companies that manage CUI for DoD programs with the highest priority are subject to CMMC 2.0 Level 3. It should be noted that the CMMC sets standards for Level 3, but the evaluation guide has not yet been published.

Take Your CMMC Prep to The Next Level With TalPoint

Preparing for and obtaining a CMMC certification requires additional specialized work, which can strain your IT and compliance teams tremendously.

This is why many firms use outside specialists to assist them in preparing for and completing their CMMC self assessment or audit, and TalPoint is here to help you get it done.

You can find CMMC experts at TalPoint to help you with every stage, from early scoping to completion and beyond as you continue to develop your CMMC program and adapt for emerging cyber threats.

How Can TalPoint Help Me Prepare for CMMC Certification?

Here’s an example of CMMC audit duties that might be delegated to a subject-matter expert with TalPoint.

Conduct a Gap Analysis: A gap analysis is essential for reviewing a current cybersecurity program and finding gaps that must be filled for your company to be audit-ready. An Expert can guide your organization in creating a Plan of Action and Milestones (POAM) for Level 1 CMMC compliance.

Acquire and apply technical controls: if there is a gap, specialists can help firms implement the rules needed to boost security and ensure compliance.

Adjust policies and processes: As previously stated, policies and procedures are expected to be audit-ready after efforts are made to make them accordingly.

Create content: the information created will be essential documentation for a CMMC audit. Policies, procedures, and reports are all things that may be developed and executed.

Handle the audit project: They can manage the entire audit project, such as the recent DFARS Interim Rule for NIST 800-171 assessment results, using the Supplier Performance Risk System (SPRS). Without the necessary know-how, this procedure can be time-consuming, and an expert can make you greatly decrease the time spent on it.

Conduct vendor evaluations: vendor management is a critical component of any CMMC compliance program. If a company does not already do this, it may be advantageous to outsource the task to an expert.

Conduct an “External Internal Audit”: Internal audits are critical for CMMC compliance since level 1 companies require a thorough self-assessment. For level 2 companies, they can ensure your business has completed all necessary steps before the auditor comes. Because some firms lack an internal audit function, having an “Internal Auditor on Demand” who is familiar with the standards and can keep the organization accountable is advantageous.

Choose an Auditor: An expert will know what makes a great CMMC auditor and may relieve you of the stress of auditor choosing.

Ready to work with us? Schedule a discovery call with us here.

Our large and diverse network of experts is here to help...

Charles M.


Charlies is a 14 year cyber security expert. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he's well-versed in tool deployment and administration.

Ellen K.

GRC Expert

Ellen bring a decade of GRC expertise to the TalPoint community. She's knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She's available for needs assessments, gap assessments, internal audits, and for certain frameworks running independent 3rd party audits.

Zachary C.

Founder and CRO

Zachary bring a 20+ year career in risk management to the TalPoint community. He's worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk as well as a common sense approach to risk management.