Understanding the CMMC Levels: A Guide for Defense Contractors
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the Department of Defense (DoD) to ensure that contractors working with Controlled Unclassified Information (CUI) implement appropriate cybersecurity practices. Whether you’re a small subcontractor or a prime contractor handling sensitive government data, understanding the CMMC framework and your CMMC level is essential for maintaining compliance and protecting national security.
If you’re asking yourself, “What exactly are the CMMC levels, and how do I know which compliance level my organization needs to meet?”, here’s a breakdown of the three main CMMC levels, their requirements, and how they apply to organizations within the Defense Industrial Base (DIB).
CMMC Level 1: Foundational
Focus: Protection of Federal Contract Information (FCI)
Number of Security Practice Requirements: 15
Assessment Type: Annual self-assessment
Standards: Based on FAR 52.204-21
Examples of requirements:
- Use of antivirus software
- Regular password updates
- Physical access control to devices
Who needs this? Contractors who don’t handle sensitive government data (CUI) but still work with the DoD.
As stated in Federal Register’s 32 CFR, “Level 1 is a self-assessment to secure FCI processed, stored, or transmitted in the course of fulfilling the contract. The Organization Seeking Assessment (OSA) must comply with the 15 security requirements set by FAR clause 52.204–21. All 15 requirements must be met in full—no exceptions are allowed” (83095).
CMMC Level 2: Advanced
Focus: Stronger protection for CUI
Number of Security Practice Requirements: 110 (aligned with NIST SP 800-171)
Assessment Type:
- Annual self-attestation for non-prioritized contracts
- Third-party assessment for prioritized contracts
Examples of requirements:
- Detailed System Security Plan (SSP)
- Secure data storage
- Access control policies
- Change control processes
Who needs this? Contractors (and subcontractors) handling CUI, such as engineering drawings, blueprints, or other sensitive project data.
Regarding CMMC Level 2 certification, 32 CFR states, “Defense contracts involving the development or transfer of CUI to a non-government organization require applicable requirements of DFARS clause 252.204–7012.14. This clause paves the way for the rollout of CMMC and requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800–171” (83094).
CMMC Level 3: Advanced
Focus: Advanced cybersecurity to protect against Advanced Persistent Threats (APTs)
Number of Security Practice Requirements: 110 from NIST 800-171 and 24 additional controls based on a subset of NIST SP 800-172
Assessment Type: Government-led assessment (DIBCAC)
- Still under development by the DoD
Examples of requirements:
- Continuous monitoring
- Incident response
- Recovery planning
Who needs this? Larger defense contractors working on highly sensitive or mission-critical contracts.
32 CFR states, “CMMC Level 3 is a government assessment of 24 additional requirements derived from NIST SP 800–172. The OSA must ensure that they have already achieved a CMMC Status of Final Level 2 before seeking CMMC Status of Final Level 3” (83095).
Why CMMC Compliance Matters
CMMC is not just about passing an audit; it’s about protecting the entire defense supply chain from cyber threats. Non-compliance can result in loss of contracts, reputational damage, and increased exposure to cyberattacks.
As of the most recent CMMC updates, the DoD has streamlined the certification to reduce the burden on small businesses while maintaining strong national defense protections. If you have any questions, reach out to us or check out our Climbing Mount CMMC podcast.