
CMMC Levels Breakdown: What Each Level Means for Your Organization

CMMC outlines three cybersecurity tiers: Level 1 (Foundational) protecting FCI, Level 2 (Advanced) safeguarding CUI, and Level 3 (Expert) securing priority programs.

Today's defense contractors have a clear mandate: achieve CMMC compliance or lose access to DoD contracts. The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard from the Department of Defense designed to protect sensitive information across the Defense Industrial Base through three progressive levels of security maturity.

The framework replaced voluntary self-attestation with verified compliance, and contracts now explicitly require certification at Level 1, 2, or 3 depending on the data you handle. This guide breaks down what each level requires, how to determine which applies to your organization, and how to achieve certification without drowning in manual compliance work.

What Is the Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard from the Department of Defense (DoD) designed to protect sensitive information across the Defense Industrial Base. The framework has three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert), with each level corresponding to different requirements for protecting sensitive data.

If you work with the DoD as a contractor or subcontractor, CMMC compliance is becoming a contractual requirement. The framework addresses a real vulnerability: thousands of defense contractors handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) without consistent security standards. Previous regulations relied on self-attestation, which left gaps. CMMC changes that by requiring third-party assessments and embedding compliance directly into contract awards.

How Many CMMC Levels Exist in Version 2.0?

CMMC 2.0 streamlines the original five-level model down to three distinct levels. After extensive industry feedback about complexity and cost, the DoD simplified the framework while maintaining security rigor.

Each level builds on the previous one, with requirements tied to the sensitivity of data you handle. Most contractors will fall into Level 1 or Level 2, while Level 3 applies only to high-priority programs involving advanced persistent threats.

Federal Contract Information vs Controlled Unclassified Information

Federal Contract Information includes basic details like contract performance data, financial information, and proprietary business information provided by or generated for the government. Think of FCI as information that isn't public but doesn't require stringent protection.

Controlled Unclassified Information represents a higher tier of sensitivity. CUI includes technical data, export-controlled information, procurement details, and other information that could harm national security if disclosed. The government marks CUI explicitly, and mishandling it carries significant legal and contractual consequences.

Required Assessment Type for Each Level

Level 1 allows annual self-assessments where you affirm compliance with basic safeguards. This approach keeps costs manageable for smaller contractors handling only FCI.

Level 2 offers two paths. For non-prioritized contracts, you can perform annual self-assessments with senior leadership affirmation. Prioritized acquisitions require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years. The DoD determines prioritization based on national security criticality.

Level 3 involves direct government assessment for the most sensitive programs.

Level 1 Foundational Security Requirements

Level 1 establishes basic cyber hygiene practices that every organization handling FCI implements. The 17 practices align with Federal Acquisition Regulation (FAR) clause 52.204-21 and focus on fundamental security controls.

The requirements cover essential safeguards like limiting system access to authorized users, verifying user identities before granting access, protecting media containing FCI, securing physical access to systems, and maintaining system integrity through updates and monitoring.

17 Practices Overview

The foundational practices span six control families:

  • Access Control: Limit system access to authorized users and devices
  • Identification and Authentication: Verify user identities before granting access
  • Media Protection: Sanitize or destroy media containing FCI before disposal
  • Physical Protection: Control physical access to systems and facilities
  • System and Communications Protection: Monitor and control communications at system boundaries
  • System and Information Integrity: Identify and manage information system flaws, provide malware protection, and update malicious code protection mechanisms

Common Gaps in Level 1 Assessments

Even though Level 1 represents basic cyber hygiene, many organizations struggle with consistent implementation. The most frequent gaps include incomplete documentation of security practices, lack of formalized policies and procedures, inconsistent access reviews and user provisioning, missing or outdated asset inventories, and inadequate patch management processes.

Organizations often have informal practices in place but lack the documentation that assessments require. Closing gaps typically involves formalizing existing processes rather than implementing entirely new controls.

Level 2 Advanced Security for Controlled Unclassified Information

Level 2 represents the most common CMMC requirement for defense contractors. It aligns with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which establishes 110 security requirements across 14 control families.

If you handle CUI, Level 2 compliance becomes your baseline. The requirements go well beyond basic cyber hygiene, demanding mature security practices, documented policies, and consistent implementation across your entire environment.

NIST 800-171 Practice Families

The 14 control families in NIST SP 800-171 cover comprehensive security domains. Access Control limits information system access and enforces least privilege. Audit and Accountability creates, protects, and retains audit records. Configuration Management establishes and maintains baseline configurations.

Identification and Authentication identifies users and authenticates their identities. Incident Response establishes operational incident-handling capability. Maintenance performs and logs maintenance on systems. Media Protection protects and controls information system media.

Personnel Security screens individuals prior to authorizing access. Physical Protection limits physical access to systems and equipment. Risk Assessment periodically assesses risk to organizational operations. Security Assessment develops and implements plans to assess security controls.

Awareness and Training ensures personnel understand security responsibilities. System and Communications Protection monitors, controls, and protects communications. System and Information Integrity identifies, reports, and corrects system flaws.

Self-Assessment vs Third-Party Assessment

Level 2 offers two assessment paths depending on your contract designation. For non-prioritized contracts, you can conduct annual self-assessments where senior leadership affirms your compliance.

Prioritized acquisitions require third-party assessment by a certified C3PAO every three years. Between assessments, you'll still conduct annual self-assessments to maintain compliance. The DoD determines prioritization based on factors like information sensitivity, criticality to warfighting capabilities, and threat environment.

Level 3 Expert Security for High-Value Programs

Level 3 applies to a small subset of defense contractors working on the most sensitive programs. Contracts at this level involve CUI that requires protection against advanced persistent threats, which are sophisticated, well-resourced adversaries who target defense supply chains.

Level 3 builds on Level 2 requirements by incorporating enhanced security practices from NIST SP 800-172. The advanced controls focus on detecting and responding to sophisticated attacks that basic security measures can't prevent.

Integration of NIST 800-172 Controls

NIST SP 800-172 introduces enhanced security requirements designed specifically for high-value assets. The controls emphasize advanced threat detection and response capabilities, cyber resiliency to maintain operations under attack, enhanced monitoring and analytics to identify anomalous behavior, and rigorous incident handling with forensic capabilities.

The enhanced security controls assume adversaries will attempt to breach your systems. They focus on limiting damage, maintaining critical functions, and rapidly detecting intrusions.

Expected Government-Led Assessments

Unlike Levels 1 and 2, Level 3 assessments come directly from DoD assessment teams. The government conducts evaluations because of the national security implications and the sophisticated threat environment.

Assessments involve extensive planning, comprehensive evidence reviews, technical validation of controls, and ongoing oversight throughout the contract lifecycle. Organizations pursuing Level 3 contracts work closely with DoD cybersecurity officials from the earliest planning stages.

How to Determine Your Required CMMC Level

Your required CMMC level comes directly from your contract clauses. The DoD embeds specific Defense Federal Acquisition Regulation Supplement (DFARS) clauses in solicitations and contracts that specify which level you need.

The determination follows a logical progression based on what you handle. If you only process FCI with no CUI involved, you'll typically need Level 1. If your contract involves CUI, you'll need Level 2. For high-priority programs involving critical CUI and advanced threats, the DoD will specify Level 3.

Contract Clauses and Flow-Down Requirements

Several DFARS clauses trigger CMMC requirements. DFARS 252.204-7012 addresses safeguarding covered defense information and cyber incident reporting. DFARS 252.204-7019 requires NIST SP 800-171 assessment methodology. The forthcoming DFARS 252.204-7021 will explicitly require CMMC certification.

Prime contractors carry responsibility for flowing down requirements to subcontractors. If you're a subcontractor, your prime will specify your CMMC obligations based on what information you'll access or process.

Data Types You Handle

Federal Contract Information includes basic contract details, pricing information, and general business data related to government contracts. This information requires protection from public disclosure but doesn't involve national security concerns.

Controlled Unclassified Information encompasses a broader range of sensitive data, including technical specifications, export-controlled technical data, procurement sensitive information, critical infrastructure information, and law enforcement sensitive information. The government explicitly marks CUI, and handling it triggers Level 2 requirements at minimum.

Steps to Earn CMMC Compliance Certification

Achieving CMMC certification follows a structured process that typically takes six to twelve months for Level 2, depending on your starting point. Organizations with mature security programs move faster, while those building from scratch need more time.

1. Gap Analysis

Start by assessing your current security posture against required CMMC controls. This gap analysis identifies which practices you've already implemented, which need enhancement, and which you're missing entirely.

A thorough gap analysis examines technical controls, policies and procedures, documentation and evidence, and organizational processes.

2. Remediation Plan

Once you've identified gaps, develop a prioritized remediation plan. This roadmap outlines what you'll implement, when, and who's responsible.

Focus first on high-risk gaps that could lead to assessment failures or security incidents. Quick wins build momentum.

3. Evidence Collection

CMMC assessments rely on documented evidence proving you've implemented required controls. Evidence includes security policies and procedures, system configurations and screenshots, access control records and logs, training completion records, incident response documentation, and vendor management records.

Organizations that collect evidence continuously rather than scrambling before assessments maintain better security and experience less audit stress.

4. Formal Assessment

When you're ready, you'll undergo the assessment type your level and contract designation require. For Level 1, you'll complete a self-assessment affirming your compliance. Level 2 non-prioritized contracts allow self-assessment with senior leadership attestation, while prioritized contracts require a C3PAO assessment.

Third-party assessments typically involve document review, personnel interviews, technical testing, and sampling of evidence across all control families.

5. Certification Maintenance

CMMC certification isn't a one-time achievement. You'll conduct annual self-assessments regardless of your level, maintain documentation for environmental changes, address findings promptly when controls drift, and prepare for reassessment at the required intervals.

Continuous Monitoring and Maintaining CMMC Security Compliance

Manual monitoring creates gaps. Systems change daily, users come and go, configurations drift, and vulnerabilities emerge. An annual assessment captures only a snapshot, so you remain exposed between reviews; continuous compliance closes that window by validating controls on an ongoing basis.

Automating Control Monitoring

Automated control monitoring integrates with your existing security tools to provide continuous validation. Rather than manually checking configurations, reviewing access logs, or collecting screenshots, automation continuously tests controls and alerts you to drift.

Real-time visibility means you catch issues immediately rather than discovering them during assessments. Faster remediation reduces risk exposure, and continuous evidence collection eliminates pre-audit scrambles.
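The following is an added illustration of what "continuously testing controls and alerting on drift" can look like in code. It is not Drata's code and not part of the original article. It evaluates a constructed baseline and a constructed snapshot of an environment (the kind of data an integration with an identity provider, patching tool, or firewall might return) against checks mapped to the Level 1 control families named above. The check names, snapshot fields, and thresholds are assumptions chosen for the example; Physical Protection is deliberately absent because it needs evidence a configuration snapshot cannot supply.

```python
"""Continuous control-drift checks over a constructed environment snapshot.

Added example, not Drata code. Control family names come from the article;
check names, snapshot fields and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class Finding:
    family: str   # CMMC Level 1 control family (from the article)
    check: str    # assumed check name
    detail: str   # what drifted from the baseline


# Constructed baseline: the approved state (assumption for the example).
BASELINE = {
    "approved_users": {"alice", "bob", "svc-backup"},
    "max_patch_age_days": 30,
    "max_signature_age_days": 7,
}

# Constructed snapshot of the current environment, as an integration might return it.
SNAPSHOT = {
    "as_of": date(2026, 2, 26),
    "local_users": {"alice", "bob", "svc-backup", "contractor-temp"},
    "mfa_enforced_for": {"alice", "bob"},
    "last_patch_date": date(2026, 1, 10),
    "av_signature_date": date(2026, 2, 24),
    "boundary_firewall_default_deny": False,
    "media_encrypted": True,
}


def check_access_control(base: dict, snap: dict) -> list[Finding]:
    """Access Control: every account on the system must be on the approved list."""
    extra = snap["local_users"] - base["approved_users"]
    if not extra:
        return []
    return [Finding("Access Control", "unapproved-accounts",
                    f"accounts not in approved list: {sorted(extra)}")]


def check_identification(base: dict, snap: dict) -> list[Finding]:
    """Identification and Authentication: human users must have MFA enforced.
    Accounts prefixed 'svc-' are treated as service accounts (assumption)."""
    humans = {u for u in snap["local_users"] if not u.startswith("svc-")}
    missing = humans - snap["mfa_enforced_for"]
    if not missing:
        return []
    return [Finding("Identification and Authentication", "mfa-not-enforced",
                    f"users without MFA: {sorted(missing)}")]


def check_integrity(base: dict, snap: dict) -> list[Finding]:
    """System and Information Integrity: patches and malware signatures must be current."""
    findings = []
    patch_age = (snap["as_of"] - snap["last_patch_date"]).days
    if patch_age > base["max_patch_age_days"]:
        findings.append(Finding("System and Information Integrity", "patch-age",
                                f"last patch {patch_age} days ago"))
    sig_age = (snap["as_of"] - snap["av_signature_date"]).days
    if sig_age > base["max_signature_age_days"]:
        findings.append(Finding("System and Information Integrity", "signature-age",
                                f"malware signatures {sig_age} days old"))
    return findings


def check_boundary(base: dict, snap: dict) -> list[Finding]:
    """System and Communications Protection: boundary must deny by default."""
    if snap["boundary_firewall_default_deny"]:
        return []
    return [Finding("System and Communications Protection", "boundary-default-allow",
                    "boundary firewall is not default-deny")]


def check_media(base: dict, snap: dict) -> list[Finding]:
    """Media Protection: media holding FCI must be encrypted (assumed proxy control)."""
    if snap["media_encrypted"]:
        return []
    return [Finding("Media Protection", "media-unencrypted", "FCI media not encrypted")]


CHECKS: list[Callable[[dict, dict], list[Finding]]] = [
    check_access_control, check_identification, check_integrity, check_boundary, check_media,
]


def run_checks(base: dict = BASELINE, snap: dict = SNAPSHOT) -> list[Finding]:
    """Run every check; an empty list means no drift from the baseline."""
    findings: list[Finding] = []
    for check in CHECKS:
        findings.extend(check(base, snap))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control family, the shape an alert or dashboard would use."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.family] = counts.get(f.family, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.family}] {f.check}: {f.detail}")
    print(summarize(run_checks()))
```

Run on a schedule, each non-empty result is an alert and each run (including the empty ones) is a timestamped evidence record that the control was tested, which is the continuous evidence collection the section describes. Against the constructed snapshot the script reports four findings: an unapproved account, a user without MFA, patches older than the 30-day threshold, and a boundary that is not default-deny.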

Annual Self-Assessments and Documentation Updates

Even with automation, you'll complete formal annual assessments. These structured reviews validate your compliance posture and provide leadership attestation where required.

Annual assessments also drive documentation updates. As your environment evolves, your documentation evolves with it. This includes system security plans describing your environment and controls, policies and procedures reflecting current practices, and Plans of Action and Milestones (POA&Ms) tracking any temporary deficiencies.

Automating CMMC Maturity Levels With Drata

Drata transforms CMMC compliance from a manual documentation exercise into an automated, continuous process through compliance automation. The platform integrates with your existing security tools to monitor controls in real time, collect evidence automatically, and maintain audit readiness across all CMMC levels.

For organizations pursuing multiple frameworks like SOC 2, ISO 27001, or HIPAA alongside CMMC, Drata maps controls across frameworks. A single control implementation can satisfy requirements across multiple standards, and evidence collected once serves multiple audits.

See Continuous Compliance in Action

Manual CMMC compliance consumes resources that could drive your business forward. Book a demo to see how Drata automates evidence collection, control monitoring, and compliance reporting.

FAQs About CMMC 2.0 Levels

Do organizations need to progress through each CMMC level sequentially?

No, you only achieve the specific level your contracts require. If your work involves CUI and your contract specifies Level 2, you'll implement Level 2 controls directly without first certifying at Level 1.

How long does CMMC certification remain valid?

CMMC certification lasts three years, though you'll conduct annual self-assessments to maintain compliance during that period. Changes to your environment, significant security incidents, or contract modifications may trigger earlier reassessment.

Can existing SOC 2 or ISO 27001 controls satisfy CMMC requirements?

Many existing cybersecurity controls support CMMC compliance, but direct mapping remains essential. SOC 2 and ISO 27001 overlap significantly with CMMC requirements, particularly at Level 2, but CMMC has specific evidence requirements and control specifications. You'll likely find substantial alignment but will need additional controls or enhanced documentation to achieve full CMMC certification.


FEBRUARY 26, 2026
CMMC Collection
Navigate CMMC With Confidence
Get a Demo
