
What CMMC Level Do I Need? Decision Tree

Posted: December 31, 1969 to Compliance.

If you hold a Department of Defense contract, or you are chasing one, the first compliance question is almost always the same: which CMMC level do I actually need? The answer drives your budget, your timeline, and whether you can keep the contract once the Cybersecurity Maturity Model Certification clauses appear in your awards. This guide from Petronella Technology Group walks you through a plain-English decision tree built around the two things the Department of Defense actually cares about: the type of information you handle and the clauses written into your contract.

There is a lot of noise around CMMC, much of it designed to scare small contractors into buying things they do not need. Our goal here is the opposite. By the end of this article you should be able to point to a single level, understand why it applies to you, and know what your next concrete step is. If you would rather skip straight to a definitive overview of the program, our CMMC compliance pillar covers the full framework, timelines, and how a certified Registered Provider Organization supports each phase.

Start here: what kind of data touches your business?

Every CMMC determination starts with one question: what type of federal information flows through your systems? The program sorts contractors into levels based on the sensitivity of the data they store, process, or transmit. You only need to understand two categories.

  • Federal Contract Information (FCI) is information provided by or generated for the government under a contract and not intended for public release. Think contract line items, delivery schedules, statements of work, and basic specifications. Almost every Department of Defense contractor handles FCI.
  • Controlled Unclassified Information (CUI) is information the government owns or controls that requires safeguarding under law, regulation, or government-wide policy. Think technical drawings, engineering data, security plans, controlled technical information, and certain research data. CUI is the dividing line that pushes you from a self-assessment into a third-party assessment.

If your business only ever handles FCI, you are looking at Level 1. If you store, process, or transmit CUI, you are looking at Level 2 or higher. If you support the most sensitive national-security programs and the contract specifically calls for it, Level 3 enters the picture. The rest of this guide turns that high-level rule into a step-by-step tree.

The three CMMC levels at a glance

Before the decision tree, here is the lay of the land. CMMC 2.0 has three levels, each mapped to an established security standard and an assessment method. Petronella Technology Group consults across all three levels, so the comparison below reflects what each tier actually demands rather than a sales pitch for the most expensive option.

Level 1 (Foundational) covers basic safeguarding of Federal Contract Information. It maps to the 15 basic safeguarding requirements in FAR 52.204-21 and allows an annual self-assessment with an executive affirmation in the Supplier Performance Risk System (SPRS). There is no outside assessor at this level, but the affirmation is a legal attestation, so accuracy matters.

Level 2 (Advanced) covers protection of Controlled Unclassified Information. It maps to the 110 security requirements in NIST SP 800-171. For most contracts that involve CUI, Level 2 requires a certification assessment performed by a Certified Third-Party Assessment Organization (C3PAO) on a recurring cycle, with annual affirmations between assessments. A narrow set of programs may permit a self-assessment at Level 2, but the safe planning assumption for any CUI contractor is a third-party assessment.

Level 3 (Expert) covers the most sensitive programs and the highest-priority assets. It builds on the full Level 2 baseline and adds a selected subset of enhanced requirements from NIST SP 800-172. Level 3 assessments are conducted by the government rather than a commercial C3PAO. Relatively few contractors land here, and you will generally know because the requirement is written explicitly into the contract.

The decision tree: walk it step by step

Work through these questions in order. Stop at the first one that clearly describes your situation, then read the matching path below.

Question 1: Do you have, or are you pursuing, any DoD contract or subcontract?

If the answer is no and you have no plans to bid on defense work, CMMC does not currently apply to you. That said, the underlying controls (NIST SP 800-171) are increasingly showing up in commercial supply chains, aerospace, and critical-infrastructure work, so the maturity you build now rarely goes to waste. If the answer is yes, continue.

Question 2: Does any contract, or any flowdown from a prime, mention CUI or DFARS 252.204-7012?

This is the single most important question. DFARS clause 252.204-7012 obligates a contractor to safeguard covered defense information (a form of CUI) and to follow NIST SP 800-171. If that clause appears in your contract, or a prime contractor flows it down to you as a subcontractor, you are handling CUI in the eyes of the Department of Defense. That puts you on the Level 2 path, regardless of how small the contract is.

  • No CUI, no 7012 flowdown, FCI only: go to the Level 1 path.
  • CUI present, or 7012 in your contract or flowdown: go to the Level 2 path.

Question 3: Does the contract explicitly require Level 3, or name a highly sensitive program or advanced persistent threat protection?

Level 3 is not something you opt into. It is invoked by the government for specific, high-priority programs. If your solicitation or contract calls out Level 3, enhanced NIST SP 800-172 requirements, or protection against advanced persistent threats, follow the Level 3 path. If it does not, you do not need Level 3, even if you handle a lot of CUI.
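The three questions above are a small, ordered classifier, and encoding them makes the precedence explicit: no DoD work means no requirement, CUI or the 7012 clause means at least Level 2, and Level 3 only when the contract names it. The code below is an added example written for this article, not a tool from Petronella Technology Group or the CMMC program; the field names, the scenario inputs, and the treatment of a contract that names Level 3 without any recorded CUI indicator (flagged for rescoping rather than silently downgraded) are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Outcome of walking the three questions in the article."""
    NOT_APPLICABLE = "CMMC does not currently apply"
    LEVEL_1 = "Level 1 (Foundational): FCI only, annual self-assessment in SPRS"
    LEVEL_2 = "Level 2 (Advanced): CUI, NIST SP 800-171, C3PAO assessment for most contracts"
    LEVEL_3 = "Level 3 (Expert): Level 2 plus selected NIST SP 800-172 requirements, government assessment"


@dataclass(frozen=True)
class ContractProfile:
    """Answers to Questions 1-3. Field names are this example's own, not program terms."""
    has_dod_contract: bool            # Q1: any DoD contract or subcontract, held or pursued
    handles_cui: bool                 # Q2: CUI (e.g. controlled technical information) in scope
    dfars_7012_flowdown: bool         # Q2: DFARS 252.204-7012 in the contract or flowed down by a prime
    level_3_named_in_contract: bool   # Q3: Level 3, 800-172, or APT protection called out explicitly


def determine_level(p: ContractProfile) -> tuple[Level, list[str]]:
    """Walk the questions in order; return the level and the reasoning trail."""
    reasons: list[str] = []

    # Question 1: no defense work at all means no CMMC requirement today.
    if not p.has_dod_contract:
        reasons.append("Q1: no DoD contract or pursuit, CMMC does not apply today")
        return Level.NOT_APPLICABLE, reasons
    reasons.append("Q1: DoD contract or subcontract in play")

    # Question 2: CUI itself or the 7012 clause puts you on the CUI path,
    # regardless of contract size or whether you are a prime or a sub.
    on_cui_path = p.handles_cui or p.dfars_7012_flowdown
    if on_cui_path:
        reasons.append("Q2: CUI present or DFARS 252.204-7012 in contract/flowdown, CUI path")
    else:
        reasons.append("Q2: no CUI and no 7012 flowdown, FCI only")

    # Question 3: Level 3 is invoked by the government, never chosen by the contractor.
    if p.level_3_named_in_contract:
        reasons.append("Q3: contract explicitly names Level 3 / 800-172 / APT protection, Path C")
        if not on_cui_path:
            # Assumption of this example: the contract language wins, but the
            # missing CUI indicator is a scoping error worth revisiting.
            reasons.append("WARNING: Level 3 named but no CUI indicator recorded; rescope before planning")
        return Level.LEVEL_3, reasons

    if not on_cui_path:
        reasons.append("Path A: Level 1")
        return Level.LEVEL_1, reasons
    reasons.append("Q3: Level 3 not named, Path B (volume of CUI does not change this)")
    return Level.LEVEL_2, reasons


# Constructed inputs modelled on the article's "common scenarios"; not real clients.
SCENARIOS = {
    "machine shop making parts to DoD drawings": ContractProfile(True, True, False, False),
    "distributor handling contract details only": ContractProfile(True, False, False, False),
    "IT MSP administering a client's CUI systems": ContractProfile(True, True, True, False),
    "prime on a flagship program naming Level 3": ContractProfile(True, True, True, True),
    "commercial-only vendor with no defense work": ContractProfile(False, False, False, False),
}


def classify_scenarios() -> dict[str, Level]:
    """Run every constructed scenario through the tree."""
    return {name: determine_level(profile)[0] for name, profile in SCENARIOS.items()}


if __name__ == "__main__":
    for name, profile in SCENARIOS.items():
        level, trail = determine_level(profile)
        print(f"{name}: {level.value}")
        for step in trail:
            print(f"    {step}")
```

The reasoning trail is the useful part in practice: when a prime asks why you self-assessed at Level 1, the answer should be the recorded absence of CUI and of the 7012 clause, not a guess.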

Path A: You handle FCI only (Level 1)

This is the most common starting point for small businesses, distributors, and service providers who touch contract logistics but never see sensitive technical data. Your obligations are real but manageable.

  • Standard: the 15 basic safeguarding requirements of FAR 52.204-21.
  • Assessment: annual self-assessment, with an executive who affirms compliance in SPRS.
  • Typical effort: access control basics, account management, malware protection, physical access limits, and limiting system access to authorized users. Most organizations can reach Level 1 readiness in weeks rather than months when they already run a maintained IT environment.

The trap at Level 1 is overconfidence. Because there is no outside assessor, contractors sometimes affirm compliance they cannot actually demonstrate. The affirmation is a legal statement, and False Claims Act exposure is a far more expensive problem than the controls themselves. Document your 15 requirements, keep evidence, and treat the self-assessment with the seriousness of an audit.

Path B: You handle CUI (Level 2)

If DFARS 252.204-7012 is in your contract or flowed down to you, this is your path. Level 2 is where most of the budget, the timeline, and the anxiety live, because it requires real implementation of all 110 NIST SP 800-171 requirements and, for most CUI contracts, a third-party assessment.

  • Standard: all 110 security requirements in NIST SP 800-171, across 14 families ranging from access control and audit logging to incident response and system integrity.
  • Assessment: a certification assessment by a C3PAO on a recurring cycle for most contracts, plus annual affirmations.
  • SPRS score: you must compute and post a current self-assessment score using the DoD Assessment Methodology before you can rely on a C3PAO certification. Our SPRS score calculator guide walks through how the scoring works and why a negative starting score is normal.

The realistic Level 2 timeline is months, not weeks, especially if you need to deploy multifactor authentication, encryption for CUI at rest and in transit, audit logging, and a documented incident response capability. Two artifacts do most of the heavy lifting: a System Security Plan (SSP) that describes how each of the 110 requirements is met, and a Plan of Action and Milestones (POA&M) for any requirement not yet fully satisfied. Note that certain high-weighted requirements cannot be left open on a POA&M at assessment time, so plan to close those first.
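The SPRS score and the POA&M interact in a way that is easy to get wrong when planning: the DoD Assessment Methodology starts every contractor at 110 points and subtracts each unimplemented requirement's weight, so a new environment is expected to start negative, and closing the heavily weighted items first moves the score fastest. The code below is an added example written for this article, not a tool from Petronella Technology Group or the DoD; the requirement IDs and weights are constructed placeholders rather than the real 3.x.y mapping, and the rule that only 1-point gaps may stay on the POA&M is a planning assumption of this example that mirrors the article's guidance and should be confirmed against the current assessment rule before you rely on it.

```python
from __future__ import annotations

from dataclasses import dataclass

FULL_CREDIT = 110  # the DoD Assessment Methodology starts every contractor at 110 points


@dataclass(frozen=True)
class Gap:
    """One NIST SP 800-171 requirement that is not yet fully implemented."""
    req_id: str   # placeholder IDs below; real requirements are numbered 3.x.y
    weight: int   # 5, 3 or 1 points, as assigned by the DoD Assessment Methodology


def sprs_score(gaps: list[Gap]) -> int:
    """Subtract each open requirement's weight from 110; negative results are normal early on."""
    return FULL_CREDIT - sum(g.weight for g in gaps)


def close_first(gaps: list[Gap], max_poam_weight: int = 1) -> list[Gap]:
    """Gaps this example treats as 'must be closed before the assessment'.

    Assumption: anything weighted above max_poam_weight cannot ride on the POA&M.
    """
    return [g for g in gaps if g.weight > max_poam_weight]


def poam_eligible(gaps: list[Gap], max_poam_weight: int = 1) -> list[Gap]:
    """Gaps this example allows to remain open on the POA&M at assessment time."""
    return [g for g in gaps if g.weight <= max_poam_weight]


def remediation_plan(gaps: list[Gap]) -> dict:
    """Summarise where the score is now and where it lands once close-first items are done."""
    priority = close_first(gaps)
    deferrable = poam_eligible(gaps)
    return {
        "current_score": sprs_score(gaps),
        "close_first": [g.req_id for g in priority],
        "poam_eligible": [g.req_id for g in deferrable],
        # Score after the close-first work, with only POA&M-eligible gaps still open.
        "score_after_close_first": sprs_score(deferrable),
    }


# Constructed gap lists (not real assessments). The "greenfield" shop starts from a
# basic office network; the "mature" shop already did serious 800-171 work for 7012.
GREENFIELD_GAPS = (
    [Gap(f"R-{i:02d}", 5) for i in range(1, 25)]      # 24 five-point gaps
    + [Gap(f"R-{i:02d}", 3) for i in range(25, 31)]   # 6 three-point gaps
    + [Gap(f"R-{i:02d}", 1) for i in range(31, 41)]   # 10 one-point gaps
)
MATURE_GAPS = [Gap("R-07", 1), Gap("R-12", 3)]


if __name__ == "__main__":
    for label, gaps in (("greenfield", GREENFIELD_GAPS), ("mature", MATURE_GAPS)):
        plan = remediation_plan(gaps)
        print(f"{label}: score {plan['current_score']}, "
              f"{len(plan['close_first'])} close-first, "
              f"{len(plan['poam_eligible'])} POA&M-eligible, "
              f"score after close-first work {plan['score_after_close_first']}")
```

The point the numbers make is the one the article makes: the greenfield shop is deep in negative territory not because it is careless but because the weighting front-loads the expensive controls, and the same weighting means closing those controls first recovers most of the score before the POA&M is even discussed.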

Many subcontractors are surprised to learn they fall here. If you are a machine shop, an engineering firm, or an IT provider that receives drawings or technical data from a prime, you are almost certainly handling CUI. If you are unsure whether a given data type counts, our breakdown of CUI vs FCI helps you classify what is actually moving through your environment before you scope an assessment.

Path C: The contract requires Level 3

Level 3 is reserved for the highest-priority programs and the most sensitive CUI. You do not choose it; the government invokes it. If you are on this path, you already meet the full Level 2 baseline and you are adding a selected set of enhanced requirements drawn from NIST SP 800-172, focused on defending against advanced, persistent adversaries.

  • Standard: all of Level 2 (NIST SP 800-171) plus a government-selected subset of NIST SP 800-172 enhanced requirements.
  • Assessment: conducted by the government, not a commercial C3PAO.
  • Typical posture: threat-informed architecture, advanced monitoring, and the ability to detect and respond to a determined adversary, not just to satisfy a checklist.

If your contract names Level 3, the practical move is to treat Level 2 certification as the foundation and build the additional 800-172 protections deliberately on top. This is the tier where a private AI security stack and around-the-clock threat analysis stop being nice-to-haves and start being expectations.

Common scenarios: where real businesses land

The decision tree is cleaner in theory than in practice, so here is how it tends to resolve for the businesses we work with most often.

  • Small machine shop making parts to DoD drawings: those drawings are almost always controlled technical information, which is CUI. Expect Level 2, even on modest contract values.
  • IT managed service provider supporting a defense contractor: if you administer systems that store or process CUI, the requirements flow to you. You are typically Level 2, and your scoping has to account for the client data you can reach.
  • Distributor or logistics vendor handling contract details only: if you never see technical data and only handle FCI, Level 1 is the likely answer. Confirm there is no 7012 flowdown before you settle on Level 1.
  • Engineering or research firm under a prime: design data, test results, and specifications usually qualify as CUI. Expect Level 2, and expect the prime to ask for your SPRS score.
  • Prime on a flagship national-security program: if the contract calls for it, you may be Level 3. Build the Level 2 baseline first, then layer the enhanced controls.

A useful rule of thumb: if a prime contractor flows a clause down to you, you generally inherit the same safeguarding obligation for the data you receive. Do not assume you are exempt because you are a small subcontractor. The data classification, not your company size, sets your level.

How NIST SP 800-171 fits into all of this

Because Level 2 is built directly on NIST SP 800-171, contractors often ask whether CMMC and 800-171 are the same thing. They are closely related but not identical. NIST SP 800-171 is the underlying control set. CMMC is the certification program that verifies you actually implemented those controls, through a self-assessment at Level 1 or a third-party assessment at Level 2. If you have already done serious 800-171 work to meet DFARS 252.204-7012, you are well ahead on your CMMC journey. For a side-by-side breakdown, see our explainer on the key differences between CMMC and NIST SP 800-171.

Frequently asked questions

Do I need CMMC certification if I am only a subcontractor?

Often yes. CMMC obligations flow down through the supply chain. If a prime contractor passes you data that includes CUI, or flows down DFARS 252.204-7012, you inherit a safeguarding obligation for that data. Your required level depends on what you handle, not on whether you are a prime or a sub.

What is the difference between a self-assessment and a C3PAO assessment?

At Level 1, you assess your own compliance annually and an executive affirms it in SPRS. At Level 2, most CUI contracts require a Certified Third-Party Assessment Organization (C3PAO) to perform the certification assessment, with annual affirmations in between. The third-party requirement is the biggest practical jump between Level 1 and Level 2.

How many controls are there at each level?

Level 1 maps to the 15 basic safeguarding requirements in FAR 52.204-21. Level 2 maps to all 110 requirements in NIST SP 800-171. Level 3 adds a government-selected subset of enhanced requirements from NIST SP 800-172 on top of the full Level 2 baseline.

Can I get certified before I have implemented everything?

You can post a self-assessment score in SPRS that reflects gaps, and you can use a Plan of Action and Milestones (POA&M) to track remaining work. However, certain high-weighted requirements generally cannot remain open on a POA&M at the time of a Level 2 assessment, so a realistic plan closes those first. Do not assume an open POA&M will carry you through certification for the highest-value controls.

How long does it take to reach Level 2?

It depends heavily on your starting point. An organization with mature IT and existing 800-171 work may need a few months to close gaps and document evidence. An organization starting from a basic office network can take considerably longer, especially when multifactor authentication, encryption, logging, and incident response all need to be stood up. Scope your environment first, because the size of your CUI boundary drives most of the cost and time.

Your next step

If you have walked the tree and you are still unsure whether a particular data type tips you into Level 2, that uncertainty is exactly where most contractors waste money, either by over-engineering for a level they do not need or by under-protecting CUI and risking the contract. The fix is a proper scoping conversation before you spend a dollar on tooling.

Petronella Technology Group is a CMMC Registered Provider Organization (RPO #1449) with a full team of Registered Practitioners, and we consult across all three CMMC levels. We can help you classify your data, confirm your required level, compute a realistic SPRS score, and build the System Security Plan and remediation roadmap that an assessor will actually accept. Pricing depends on the size of your CUI boundary and your current posture, so engagements are scoped before they are quoted. To start, request a free CMMC scoping consultation through our contact page, or call our team at (919) 348-4912. For the complete framework, deadlines, and how the assessment process works end to end, return to our CMMC compliance hub.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
