Define Your Required CMMC Level

    In this blog, we'll outline the first step in the journey to CMMC compliance for SMBs: Determine Your Required Level of CMMC 2.0.

    3 Minutes Read

    Define Your Required CMMC Level

    CMMC compliance is a critical part of doing business with The Department of Defense (DoD), yet it can be challenging to know where to start, especially if you are a small to medium-sized contractor. In this blog series, we’re going to define the 7 steps that Defense Industrial Base contractors should take when approaching their CMMC compliance journey. As contract requirements for the Spring of 2023 approach, aerospace and defense organizations should be considering how they are going to technically, as well as strategically, mitigate CMMC 2.0 requirements.  

    In this blog, we'll outline the first step in the process of your CMMC compliance journey: Determine Your Required Level of CMMC 2.0.

    The DoD introduced the Cybersecurity Maturity Model Certification (CMMC) to protect sensitive data such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC compliance is necessary for contract awards from the DOD, and in most cases will require a third-party assessment of your IT infrastructure. CMMC 2.0 affects organizations supporting the Department of Defense in handling the following types of data:

    • Federal Contract Information (FCI)
    • Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) / Controlled Technical Information (CTI)
    • ITAR or export-controlled data etc.



    How to find your CMMC 2.0 Level

    To start your CMMC compliance journey you must first identify which Level of CMMC your organization must adhere to. CMMC 2.0 is broken down into three levels:

    • Level 1 (Foundational)
    • Level 2 (Advanced)
    • Level 3 (Expert)

    The level you need is based on the type of data/information handled by your business. 

    Based on existing contract requirements, what CMMC Level will I have to be? 

    CMMC Level Graphic

    Level 1: Foundational 

    CMMC level 1 certification is necessary for those who want to bid on DoD contracts that handle only Federal Contract Information (FCI). For this reason, your organization must meet all 15 requirements found in the FAR 52.204-21 (17 CMMC Practices).   

    If the FAR 52.204-21 Requirement is in your current contracts, you are most likely in the CMMC Level 1 category.  

    CMMC 2.0 Level 1 is for those handling:  

    • Federal Contractor Information (FCI)  
    • Classified as "Basic" by the DoD  

    Level One consists of 17 basic cybersecurity practices. The requirement states that all contractors must implement these safeguard controls.  

    *As of the writing of this document, CMMC Level 1 will not require a third-party assessment, only self-attestation.   

    DoD CMMC 2.0 Level 1 Assessment Guide

    Level 2: Advanced 

    CMMC Level 2 compliance requires all 110 security controls from NIST 800-171. CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following: 

    • Controlled Unclassified Information (CUI) / Controlled Defense Information
    • Controlled Technical Information (CTI)
    • ITAR or export-controlled data

    If the DFARS 252.204-7012 requirement is in your current contracts, you are most likely in the Level 2 category.  

    The CMMC Level 2 certification process will be conducted by a Cyber-AB CMMC Third Party Assessment Organization (C3PAO). When ready, you will be responsible for scheduling your assessment with a C3PAO. An assessment will remain valid for 3 years from the assessment certification. For select programs, only an annual self-assessment is required.

    How do I know if I have CUI in my environment? 

    When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Certification (OSC) is dictated by the flow of CUI throughout the environment. Properly identifying all the locations where CUI resides within that environment is critical for OSCs who want to successfully pass upcoming CMMC assessments. Unfortunately, many OSCs fail to properly complete this task, leaving CUI with inadequate security and privacy controls, increasing the risk of unauthorized access and/or distribution.  

    Classifying CUI can define the scope of an organization’s assessment so it is critical that it is done properly. For each classification, the amount of CMMC requirements that are applicable to the asset varies, and the determining factor for asset classification is the way in which the asset interacts with sensitive data. 

    Find a certified C3PAO

    Level 3: Expert 

    Disclaimer: The DoD has not officially released guidance for CMMC 2.0 Level 3.

    CMMC Level 3 compliance will be required for organizations that handle the highest priority information on behalf of the DoD. CMMC Level 3 will require all 110 security controls from the CMMC Framework plus a subset of NIST 800-172 requirements which have not yet been determined. CMMC Level 3 certification could be necessary for those handling:

    • Controlled Unclassified Information (CUI) / Controlled Defense Information 
    • Critical CUI
    • Export Control Data (ITAR)
    • Actively working on Sensitive Weapon, Aerospace, and/or Military Systems 

    These requirements are the same as Level 2 However, it has been determined that if DFARS 252.204-7012 is in your current contracts AND you have had a DCMA / DIBCAC Assessment, you are most likely in the Level 3 category due to the sensitive nature of the projects you are working on.


    Because of the type(s) of information that these companies handle (CUI/CDI/CTI/ITAR) all Level 3 organizations will have to undergo a CMMC Level 2 assessment by a C3PAO and then have a follow-up CMMC Level 3 assessment with DIBCAC/DCMA. 



    DFARS 7021 is the existing clause determining that organizations in the DIB must be meeting CMMC requirements. This clause focuses on DFARS and CMMC overlap. 

    Should I pursue a higher CMMC Level than I will need? 

    Many companies might find it beneficial to proactively prepare for a level above their current requirement, based on competitive advantages in the market and other factors in play. This strategy benefits companies looking at larger contracts or more Sub-Prime contractor opportunities. It can also provide opportunities for your organization to appeal to larger contractors looking to move forward with mergers and acquisitions in the Defense Industrial Base. 

    blue halo DL image


    The next blog covers identifying and organizing assets for CMMC compliance as required by DoD scoping guidance. Subscribe to the blog in order to receive notifications of new posts in this blog series. Read the next blog by clicking the image below.



    Daniel Akridge