CMMC Levels Explained: Complete Guide to CMMC 2.0 Certification Levels

What it protects: Federal Contract Information (FCI) — non-public information provided by or generated for the government under contract.

Requirements: 17 basic cybersecurity practices derived from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These 17 practices represent fundamental cyber hygiene including using antivirus software, applying security patches, controlling physical access, using authentication to control system access, sanitizing media before disposal, and limiting information system access to authorized users. These are practices that every organization should already have in place as a baseline security posture.

Assessment type: Annual self-assessment. Organizations evaluate their own compliance and submit the results. No third-party assessment is required. A senior company official must affirm the assessment results, attesting that the organization meets all 17 practices.

Who needs it: All DoD contractors that handle FCI but do not process, store, or transmit CUI. This includes subcontractors and suppliers whose contracts involve only FCI. If any of your DoD contracts involve CUI, you need Level 2 instead.

Cost and timeline: Level 1 is the least expensive and fastest to achieve. Most organizations with basic IT infrastructure can satisfy these 17 practices within 1-3 months with minimal investment, often under $10,000 for assessment and any necessary remediation. Organizations that already follow basic cybersecurity hygiene may already be compliant.

Key considerations: Level 1 is a starting point, not a destination. Many contractors initially assume their contracts require only Level 1 but discover upon closer examination that CUI is flowing through their environment, requiring Level 2. Petronella Technology Group, Inc. can help you analyze your contracts and data flows to determine whether Level 1 truly satisfies your requirements or whether Level 2 preparation should begin.

What it protects: Controlled Unclassified Information (CUI) — sensitive but unclassified information requiring safeguarding per executive orders, federal regulations, and government-wide policies. CUI categories include export-controlled technical data, International Traffic in Arms Regulations (ITAR) data, Critical Infrastructure Security Information, and many other categories defined in the CUI Registry.

Requirements: All 110 security requirements from NIST Special Publication 800-171 Revision 2, organized across 14 control families: Access Control (22 requirements), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7). The jump from Level 1's 17 practices to Level 2's 110 requirements is substantial and demands comprehensive security infrastructure, formal policies and procedures, trained personnel, and documented evidence of effective operation.

Assessment type: Two pathways exist. For contracts involving critical national security information, a triennial (every three years) third-party assessment by a C3PAO authorized by the Cyber AB is required. For some Level 2 programs involving less critical CUI, annual self-assessment may be permitted. The contract solicitation will specify which assessment type applies. C3PAO assessments involve certified assessors who evaluate your environment over 3-5 days on-site, reviewing documentation, inspecting configurations, testing controls, and interviewing personnel.

Who needs it: Any defense contractor that processes, stores, or transmits CUI under a DoD contract. This is the most common level for organizations in the defense supply chain because most DoD contracts involve some form of CUI. Prime contractors, engineering firms, IT service providers, manufacturers, and logistics companies supporting defense programs typically require Level 2.

Cost and timeline: Total cost for CMMC Level 2 certification including preparation and C3PAO assessment typically ranges from $100,000 to $500,000+ depending on organizational size, current security maturity, and assessment boundary scope. CUI enclave solutions can reduce cost by narrowing the scope. Preparation timelines range from 6-18 months depending on starting maturity. Organizations with existing NIST SP 800-171 programs can move faster; those starting from scratch need the full 12-18 months.

Key considerations: Level 2 requires both implementation and evidence. It is not enough to install security tools; you must document how each control operates in your SSP, maintain evidence that controls function effectively, and prepare personnel who can explain the controls to assessors. Many organizations underestimate the documentation and training requirements and focus only on technology. A professional gap assessment reveals your true readiness across all dimensions.

What it protects: CUI against Advanced Persistent Threats (APTs) — sophisticated, state-sponsored adversaries with significant resources, capabilities, and persistence. Level 3 targets the highest-priority defense programs where adversary compromise would cause the most severe national security impact.

Requirements: All 110 NIST SP 800-171 Rev 2 requirements from Level 2, plus additional requirements selected from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). NIST SP 800-172 defines enhanced security measures designed specifically to counter APTs, including penetration-resistant architectures, advanced threat hunting, security orchestration and automation, and supply chain risk management. The DoD has selected a subset of 800-172 requirements for Level 3, though the exact count and specific requirements are still being finalized in some areas.

Assessment type: Triennial government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Unlike Level 2 C3PAO assessments, Level 3 assessments are performed directly by government assessors with the highest level of scrutiny. Organizations must first achieve Level 2 C3PAO certification before pursuing Level 3.

Who needs it: A relatively small number of defense contractors working on the most sensitive, highest-priority defense programs. Level 3 is reserved for programs where CUI compromise by an APT would cause exceptionally grave damage to national security. The DoD will specify Level 3 in contract solicitations for these programs. Most defense contractors will not require Level 3.

Cost and timeline: Level 3 preparation represents the most significant investment in the CMMC framework. Beyond the costs associated with Level 2 compliance, organizations must implement enhanced security architectures, advanced threat detection and hunting capabilities, security automation and orchestration platforms, and supply chain security programs. Total investment can range from $500,000 to several million dollars. Preparation timelines extend beyond Level 2, with most organizations needing an additional 12-24 months after achieving Level 2 certification to implement the enhanced Level 3 requirements.

Key considerations: Level 3 is not something organizations should pursue unless their contracts specifically require it. The enhanced requirements from NIST SP 800-172 demand specialized security capabilities that go far beyond standard enterprise security programs. If your contract solicitation specifies Level 3, engage with Petronella Technology Group, Inc. early in the process — the preparation timeline and investment requirements are substantial, and starting late puts contract eligibility at risk.

Your required CMMC level is determined by the type of information your DoD contracts involve, not by organizational size or preference. Follow this decision framework:

Step 1: Review your current and anticipated DoD contracts. Look for DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021. Check solicitations for CMMC level requirements. If you are a subcontractor, ask your prime contractor what level they will require.

Step 2: Determine what type of information flows through your systems. If you only handle FCI (non-public contract information that is not CUI), Level 1 may suffice. If you handle CUI in any form — technical data, ITAR information, export-controlled data, or other CUI categories — you need Level 2 at minimum.

Step 3: Check whether your contracts are designated as critical national security programs requiring Level 3. This will be explicitly stated in the contract or solicitation.

Important caveat: Many contractors underestimate the amount of CUI in their environment. Technical drawings, engineering specifications, test data, logistics information, and even certain administrative data related to defense programs may qualify as CUI. If you are unsure whether your data includes CUI, a professional assessment by Petronella Technology Group, Inc. can review your contracts, data flows, and systems to determine the correct CMMC level and avoid the costly mistake of preparing for the wrong level.

CMMC 2.0 made several significant changes from the original 1.0 framework:

Level consolidation: Five levels reduced to three. The original Levels 2 and 4 (transitional levels) were eliminated. CMMC 1.0 Level 1 became CMMC 2.0 Level 1. CMMC 1.0 Level 3 became CMMC 2.0 Level 2. CMMC 1.0 Level 5 became CMMC 2.0 Level 3.

Elimination of CMMC-unique practices: CMMC 1.0 included practices and maturity processes that were unique to the CMMC framework, not derived from existing NIST standards. CMMC 2.0 eliminated these, aligning requirements directly with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3). This simplification allows organizations already working toward NIST compliance to leverage that effort directly toward CMMC certification.

Self-assessment allowance: CMMC 1.0 required third-party assessment for all levels above Level 1. CMMC 2.0 allows self-assessment for Level 1 and some Level 2 programs, reducing cost and burden for contractors handling less critical information.

POA&M flexibility: CMMC 2.0 allows limited use of Plans of Action and Milestones, giving organizations time to close specific gaps after conditional certification. CMMC 1.0 required all practices to be fully implemented before any certification could be issued. The POA&M window is 180 days, and not all requirements are POA&M-eligible.

Each CMMC level is built on specific NIST publications that define the security requirements:

Level 1 aligns with FAR clause 52.204-21, which derives its 17 basic safeguarding requirements from NIST SP 800-171's most fundamental controls. These represent the minimum cybersecurity practices expected of any government contractor.

Level 2 aligns directly with NIST Special Publication 800-171 Revision 2, implementing all 110 security requirements across 14 control families. Organizations that have already achieved NIST 800-171 compliance have done the majority of the work required for CMMC Level 2 certification. The CMMC assessment methodology validates that 800-171 requirements are implemented and operating effectively, adding the independent verification layer that self-attestation lacked.

Level 3 builds on Level 2 by adding selected requirements from NIST Special Publication 800-172 (Enhanced Security Requirements for Protecting CUI: A Supplement to NIST SP 800-171). These enhanced requirements target APT defense through advanced security architectures, threat intelligence integration, and proactive security operations. Organizations pursuing Level 3 must first achieve Level 2 certification, then implement the additional 800-172 requirements and pass a government-led DIBCAC assessment.