CMMC 2.0 Levels Explained (1, 2, and 3): A Complete Guide

NIST 800-171/CMMC

TABLE OF CONTENT

Understanding the Three CMMC 2.0 Levels

CMMC 2.0 consists of three levels—Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert)—each with increasing security requirements. Understanding these levels is essential for companies that work with the DoD, as compliance determines eligibility for federal contracts.

This guide breaks down CMMC 2.0 Levels 1, 2, and 3, explaining who needs them, what security measures are required, and how businesses can prepare for certification. Whether you're a small subcontractor handling basic government information or a prime contractor working on national security projects, this article will help you navigate CMMC 2.0 and ensure compliance with federal cybersecurity standards.

CMMC 2.0 Level 1: Foundational Cybersecurity

CMMC 2.0 Level 1, also known as Foundational Cybersecurity, serves as the entry-level tier for organizations that work with the Department of Defense (DoD) but do not handle Controlled Unclassified Information (CUI). This level is designed to ensure that businesses implement basic cybersecurity hygiene practices to protect Federal Contract Information (FCI) from unauthorized access.

Who Needs CMMC Level 1 Compliance?

CMMC Level 1 compliance is required for companies that:

  • Handle Federal Contract Information (FCI) but do not store, process, or transmit Controlled Unclassified Information (CUI).
  • Provide services to the Department of Defense (DoD) as a prime contractor or subcontractor on federal contracts.
  • Support DoD projects in ways that do not involve highly sensitive or classified information.

This level is most relevant to small and medium-sized businesses that serve as subcontractors in the defense supply chain and perform essential but non-sensitive work for the government.

Security Requirements for CMMC Level 1

CMMC Level 1 is based on 17 security controls from the Federal Acquisition Regulation (FAR) 52.204-21, which outlines Basic Safeguarding of Covered Contractor Information Systems. These controls focus on essential cybersecurity practices that help prevent unauthorized access and data breaches.

Category Security Requirements
Access Control Limit access to FCI to authorized users only.
Identification and Authentication Use unique user identification to track access.
Media Protection Properly dispose of sensitive information to prevent leaks.
Physical Protection Restrict physical access to IT systems and FCI.
System and Communications Protection Protect data during transmission over public networks.
System and Information Integrity Update and patch systems regularly to prevent vulnerabilities.

Self-Assessment vs. Third-Party Assessment

One of the biggest changes in CMMC 2.0 Level 1 is that organizations can now conduct self-assessments rather than requiring an independent third-party audit. This makes compliance more accessible, especially for small businesses, as it:

  • Reduces compliance costs by eliminating the need for external assessors.
  • Simplifies the process by allowing businesses to evaluate and report their own security practices.
  • Requires an annual affirmation by a senior company official that their cybersecurity measures meet the required standards.

Although self-assessments make compliance easier, organizations should still prepare thoroughly to ensure they meet the necessary cybersecurity requirements before submitting their assessment.

Key Challenges in Achieving Level 1 Compliance

Even though CMMC Level 1 is considered the entry-level certification, many businesses still struggle with:

  1. Understanding security requirements – Small businesses often lack dedicated IT teams to interpret and implement cybersecurity controls.
  2. Implementing access controls – Ensuring only authorized users can access FCI is challenging without proper identity management solutions.
  3. Training employees on cybersecurity best practices – Many security breaches result from human error, such as weak passwords or phishing attacks.
  4. Maintaining compliance over time – Since CMMC requires an annual self-assessment, businesses must continuously monitor and improve their cybersecurity posture.

Best Practices for Achieving CMMC Level 1 Certification

To successfully meet CMMC Level 1 requirements, organizations should:

  • Develop a cybersecurity policy that outlines how the company protects FCI.
  • Use multi-factor authentication (MFA) to enhance user security.
  • Train employees on password management, phishing awareness, and safe internet usage.
  • Regularly update software to prevent security vulnerabilities.
  • Limit physical and digital access to sensitive systems and information.

Final Thoughts on CMMC Level 1

While CMMC 2.0 Level 1 is the most basic level of compliance, it plays a critical role in strengthening cybersecurity across the defense industrial base. By implementing these foundational cybersecurity controls, businesses can protect sensitive government data and position themselves for future DoD contract opportunities.

CMMC 2.0 Level 2: Advanced Cybersecurity

CMMC 2.0 Level 2, also known as Advanced Cybersecurity, is a significant step up from Level 1. This level is designed for organizations that handle Controlled Unclassified Information (CUI) and require stronger security measures to protect sensitive government data. It aligns closely with the NIST Special Publication (SP) 800-171 framework, which defines best practices for protecting CUI.

Who Needs CMMC Level 2 Compliance?

CMMC Level 2 is required for companies that:

  • Handle, process, or store Controlled Unclassified Information (CUI) in support of DoD contracts.
  • Work with sensitive but not classified government information, such as technical specifications, research data, and financial records.
  • Provide services or products to the DoD as a prime contractor or subcontractor where the security of CUI is critical.

Companies that fail to achieve Level 2 compliance may lose contract opportunities where CUI protection is a requirement.

Security Requirements for CMMC Level 2

CMMC Level 2 is based on the 110 security controls outlined in NIST SP 800-171. These controls focus on protecting CUI from cyber threats and ensuring that only authorized users can access sensitive data.

Key Security Domains in CMMC Level 2

Category Security Requirements
Access Control (AC) Restrict system access to authorized users only.
Audit and Accountability (AU) Implement logging to track and monitor security events.
Incident Response (IR) Develop a response plan for cybersecurity incidents.
Risk Assessment (RA) Identify and mitigate security risks proactively.
Security Assessment (CA) Conduct periodic security evaluations and improvements.
System and Communications Protection (SC) Encrypt sensitive data and secure network communications.
Identification and Authentication (IA) Use strong authentication methods, including MFA.

Unlike CMMC Level 1, where security measures focus on basic protections, Level 2 requires businesses to adopt proactive and preventive cybersecurity strategies.

Third-Party vs. Self-Assessments for Level 2

A major change in CMMC 2.0 Level 2 is the split between self-assessments and third-party audits based on contract sensitivity.

  • Companies handling non-prioritized CUI: Allowed to perform annual self-assessments (similar to Level 1).
  • Companies working with prioritized CUI: Required to undergo a third-party certification assessment (C3PAO) every three years.

A C3PAO (Certified Third-Party Assessor Organization) is an independent, accredited entity that verifies a company’s cybersecurity readiness. Organizations handling higher-risk CUI must work with a C3PAO to validate compliance before they can secure DoD contracts.

Why CMMC Level 2 Matters

Achieving CMMC Level 2 is critical for businesses that want to:

  1. Qualify for high-value DoD contracts that involve handling sensitive government data.
  2. Demonstrate strong cybersecurity to reduce risks of data breaches and cyber threats.
  3. Build trust with government agencies and partners by proving compliance with federal security standards.

Challenges in Achieving Level 2 Compliance

Companies seeking CMMC Level 2 certification often face the following challenges:

  • Implementing all 110 NIST SP 800-171 controls – This requires significant investment in security measures, documentation, and audits.
  • Understanding CUI requirements – Many businesses struggle to classify and protect CUI properly.
  • Managing assessment costs – Third-party audits can be expensive, making compliance a financial burden for small businesses.
  • Keeping up with evolving threats – Cybersecurity is not a one-time effort; continuous monitoring, patching, and updating is required.

Best Practices for Achieving CMMC Level 2 Certification

To prepare for CMMC 2.0 Level 2, organizations should:

  • Conduct a gap analysis to assess their current security posture against NIST SP 800-171.
  • Develop and enforce cybersecurity policies that align with DoD requirements.
  • Train employees on cybersecurity best practices, including phishing awareness and secure data handling.
  • Use encryption and access controls to limit unauthorized access to CUI.
  • Partner with a C3PAO early if a third-party audit is required.

Final Thoughts on CMMC Level 2

CMMC Level 2 is a major milestone for companies working in the defense sector. It ensures that businesses have the necessary security controls to safeguard sensitive government data. While achieving Level 2 compliance can be complex, the investment positions businesses for long-term success in government contracting.

CMMC 2.0 Level 3: Expert Cybersecurity

CMMC 2.0 Level 3, also known as Expert Cybersecurity, represents the highest tier of cybersecurity compliance within the CMMC framework. This level is intended for organizations handling Controlled Unclassified Information (CUI) related to national security and requires the most stringent cybersecurity measures. Companies that achieve Level 3 certification must demonstrate a mature, proactive cybersecurity posture that effectively defends against advanced persistent threats (APTs)—state-sponsored or highly sophisticated cyber threats.

Who Needs CMMC Level 3 Compliance?

CMMC Level 3 is required for:

  • Organizations handling high-priority CUI where the data is critical to national security.
  • Prime contractors and subcontractors working on DoD projects with classified or sensitive research.
  • Companies involved in the Defense Industrial Base (DIB) that work on weapons systems, aerospace technology, and other high-risk national security projects.

Unlike Level 1 and Level 2, which apply to a broad range of defense contractors, CMMC Level 3 is reserved for a smaller subset of companies that deal with top-tier security concerns.

Security Requirements for CMMC Level 3

CMMC Level 3 is based on:

  • All 110 security controls from NIST SP 800-171 (same as Level 2).
  • A subset of enhanced controls from NIST SP 800-172, designed to protect against sophisticated cyber threats.

Key Security Domains in CMMC Level 3

Category Security Enhancements
Advanced Threat Detection Deploy proactive monitoring tools for detecting APTs.
Zero-Trust Architecture Require multi-factor authentication and least-privilege access.
Incident Response Implement advanced threat intelligence and automated response.
Data Encryption Encrypt all CUI at rest and in transit using government-approved cryptographic methods.
Supply Chain Security Enforce strict cybersecurity controls for all subcontractors and third-party vendors.
Continuous Monitoring Maintain real-time network surveillance and automated threat reporting.

CMMC Level 3 demands a much higher level of security maturity, including automated protections, extensive monitoring, and proactive threat response mechanisms.

Government-Led Assessments for Level 3

Unlike CMMC Level 1 and Level 2, where some organizations can perform self-assessments or third-party audits, Level 3 requires:

  • A government-led assessment every three years conducted by the DoD or a designated federal agency.
  • Strict oversight and compliance validation to ensure organizations meet national security standards.

The government assessment process is rigorous, and businesses must be fully prepared before engaging in a Level 3 audit.

Why CMMC Level 3 Matters

Companies that achieve CMMC Level 3 certification:

  1. Gain access to the most sensitive DoD contracts, securing high-value defense projects.
  2. Enhance national security by protecting critical data from state-sponsored attacks.
  3. Demonstrate cybersecurity leadership, improving trust with government agencies.
  4. Reduce the risk of data breaches, ensuring compliance with the highest federal security standards.

Challenges in Achieving Level 3 Compliance

Meeting CMMC Level 3 requirements is an extensive and resource-heavy process. Common challenges include:

  • High implementation costs – The need for advanced security infrastructure, continuous monitoring, and cybersecurity expertise increases costs significantly.
  • Stringent requirements for contractors and subcontractors – Organizations must enforce strict cybersecurity policies across their entire supply chain.
  • Constant security monitoring – Unlike Level 1 and 2, which allow periodic security checks, Level 3 requires continuous monitoring and rapid response to threats.
  • Limited C3PAO availability – Since Level 3 audits are government-led, companies have less control over assessment timelines and processes.

Best Practices for Achieving CMMC Level 3 Certification

Organizations preparing for CMMC Level 3 should:

  • Invest in advanced cybersecurity tools, including SIEM (Security Information and Event Management) systems and endpoint detection solutions.
  • Implement Zero-Trust security principles, ensuring strict user access controls and continuous authentication.
  • Harden IT infrastructure by removing outdated software, enforcing strict patch management, and securing cloud environments.
  • Train personnel on advanced cybersecurity threats, including nation-state attacks and social engineering tactics.
  • Establish a Cybersecurity Operations Center (SOC) for real-time threat detection and incident response.
  • Regularly conduct penetration testing and red team exercises to simulate and defend against cyberattacks.

Final Thoughts on CMMC Level 3

CMMC Level 3 is the gold standard for cybersecurity in the defense sector. While only a small percentage of companies need to meet these requirements, those that do gain access to the most sensitive government contracts.

Achieving Level 3 certification requires significant investment, strict compliance efforts, and a proactive security mindset. However, for organizations handling highly sensitive national security information, the effort is necessary to protect against cyber threats and maintain national defense integrity.

Conclusion

CMMC 2.0 is a crucial framework for ensuring the cybersecurity of defense contractors and protecting sensitive government data. With three distinct levels—Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert)—organizations must implement security practices that match the sensitivity of the information they handle.

Achieving compliance with CMMC 2.0 is not just about meeting regulatory requirements; it’s about safeguarding national security, strengthening cyber resilience, and maintaining a competitive edge in the defense sector. Whether your organization is preparing for a self-assessment at Level 1 or a government-led audit at Level 3, taking proactive steps toward compliance will help secure DoD contracts and protect critical data from cyber threats.

By understanding CMMC 2.0 levels and taking the necessary measures to comply, businesses can ensure they are prepared for future security challenges while maintaining eligibility for government contracts.

Learn More From an  Expert

Get In Touch

Kyle Schrader

Compliance Professional

Related Articles

Understanding the Role of C3PAOs in CMMC 2.0 Certification
March 1, 2023
CMMC 2.0 Explained: Key Changes, Benefits, and Impact on Cybersecurity for DoD Contractors
March 1, 2023
CMMC vs Other Security Frameworks
March 1, 2023
Compliance to System and Information Integrity Controls for CMMC 2.0
March 1, 2023
Ultimate Guide: System and Communications Protection Controls for CMMC 2.0
March 1, 2023
Compliance to Risk Management Controls for CMMC 2.0
March 1, 2023
CMMC 2.0 Physical Protection Controls Compliance Guide
March 1, 2023
Compliance to Personnel Security Controls for CMMC 2.0: A Complete Guide
March 1, 2023
Compliance to Media Protection Controls for CMMC 2.0
March 1, 2023
Compliance to Maintenance Controls for CMMC 2.0: A Complete Guide
March 1, 2023
Compliance to Incident Response Controls for CMMC 2.0
March 1, 2023
Identification and Authentication Compliance for CMMC 2.0
March 1, 2023
Overview of Configuration Management Controls for CMMC 2.0 Compliance
March 1, 2023
Compliance to Security Assessment for Controls CMMC 2.0
March 1, 2023
Mastering CMMC 2.0 Audit and Accountability Controls
March 1, 2023
Mastering CMMC 2.0 Awareness & Training Controls
March 1, 2023
Mastering CMMC 2.0 Access Control: The Ultimate Guide
March 1, 2023
How a Consultant Can Guide Your CMMC Compliance Journey
March 1, 2023
Ultimate Guide: Who Is Responsible for Protecting CUI?
March 1, 2023
CMMC Compliance Checklist: Everything You Need to Know
March 1, 2023
What is a POAM? [Comprehensive Guide]
March 1, 2023
Understanding Controlled Unclassified Information (CUI): A Complete Guide for Secure Handling and Compliance
March 1, 2023
The Ultimate NIST 800-171 Compliance Checklist [Guide]
March 1, 2023
Self-Assessment Guide for DoD Suppliers Under NIST 800-171
March 1, 2023
How To Implement NIST 800-171 Physical Security Controls
March 1, 2023
What Is NIST 800-171 Compliance? Here's A Complete Overview
March 1, 2023
NIST 800-171 vs 800-53: Why They're Different [Comparison]
March 1, 2023
5 Steps To Build a NIST 800-171 System Security Plan (SSP)
March 1, 2023
An Overview of NIST 800-171 Controls Implementation
March 1, 2023
Company
Quality
CUI Data Protection
Standards
Copyright 2025 Encompass Consultants. All rights reserved.
Privacy Policy