March 7, 2026

CMMC Levels Explained: Which One Do You Need?

If you're a defense contractor working with the Department of Defense (DOD), you've likely heard about CMMC—Cybersecurity Maturity Model Certification. But with three different levels, each with distinct requirements and assessment processes, determining which applies to your business can be confusing.

This guide breaks down each CMMC level, explains the differences, and helps you determine which one you need to pursue based on your contracts and the type of information you handle.

Understanding CMMC 2.0

CMMC 2.0, the current iteration of the framework, streamlines the original five-level model into three levels. Each level corresponds to the sensitivity of information you'll be handling and the cybersecurity controls required to protect it.

The three levels are:

  • Level 1 - Foundational: Basic cyber hygiene practices
  • Level 2 - Advanced: Comprehensive security controls for CUI
  • Level 3 - Expert: Enhanced protections for critical programs

CMMC Level 1: Foundational

Who Needs Level 1?

Level 1 applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI includes information provided by or generated for the government under a contract that's not intended for public release.

Requirements

Level 1 requires implementation of 17 basic safeguarding practices from FAR 52.204-21. These are fundamental cybersecurity controls that any business should have in place, including:

  • Limiting system access to authorized users
  • Using firewalls and antivirus software
  • Sanitizing or destroying information when no longer needed
  • Limiting physical access to systems
  • Conducting regular security updates and patches

Assessment Process

Level 1 requires an annual self-assessment rather than a third-party audit. You'll need to affirm compliance in the Supplier Performance Risk System (SPRS) and maintain evidence of your implementation.

Timeline and Cost

Most organizations can achieve Level 1 compliance in 30-60 days. Costs are minimal if basic security practices are already in place—typically $5,000-$15,000 for gap analysis and documentation assistance.

CMMC Level 2: Advanced

Who Needs Level 2?

Level 2 is required for contractors who handle CUI. This is the most common level, as most DOD contracts involve some form of CUI—technical data, procurement-sensitive information, export-controlled information, or other sensitive but unclassified data.

Requirements

Level 2 requires implementation of all 110 security controls from NIST SP 800-171, organized into 14 security domains:

  • Access Control (22 controls)
  • Awareness and Training (3 controls)
  • Audit and Accountability (9 controls)
  • Configuration Management (9 controls)
  • Identification and Authentication (11 controls)
  • Incident Response (4 controls)
  • Maintenance (6 controls)
  • Media Protection (9 controls)
  • Personnel Security (2 controls)
  • Physical Protection (6 controls)
  • Risk Assessment (3 controls)
  • Security Assessment (4 controls)
  • System and Communications Protection (16 controls)
  • System and Information Integrity (6 controls)

Assessment Process

Level 2 requires a triennial third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). The assessment validates that you've properly implemented all required controls and that you maintain appropriate documentation.

Timeline and Cost

Achieving Level 2 compliance typically takes 4-9 months, depending on your current security posture. Total costs range from $50,000-$250,000, including:

  • Gap assessment: $10,000-$25,000
  • Remediation and implementation: $30,000-$150,000
  • Documentation (SSP, POA&M): $10,000-$30,000
  • C3PAO assessment: $15,000-$45,000

CMMC Level 3: Expert

Who Needs Level 3?

Level 3 applies to contractors supporting the most critical national security programs, particularly those exposed to advanced persistent threats (APTs) or handling highly sensitive CUI. The DOD will explicitly specify in the contract when Level 3 is required.

Requirements

Level 3 builds on Level 2 by adding enhanced security controls from NIST SP 800-172. These controls focus on protecting against advanced threats and include measures like:

  • Advanced threat hunting capabilities
  • Enhanced incident detection and response
  • Supply chain risk management
  • Deception capabilities
  • Advanced monitoring and analytics

Assessment Process

Level 3 requires a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) or equivalent government entity. These assessments are more rigorous and include on-site evaluations.

Timeline and Cost

Level 3 compliance can take 12-18 months or longer. Costs vary widely but typically exceed $500,000, as enhanced controls often require significant infrastructure investment, dedicated security personnel, and ongoing advanced threat monitoring capabilities.

How to Determine Your Required Level

Your required CMMC level depends on two factors:

  1. Contract requirements: The DOD will specify the required CMMC level in the solicitation or contract.
  2. Information sensitivity: The type of data you'll access or generate determines the baseline level.

Here's a quick decision tree:

  • Only FCI, no CUI? → Level 1
  • Handling CUI? → Level 2 (minimum)
  • Critical national security program? → Level 3

When in doubt, review your contract language carefully. Look for phrases like "requires protection of CUI" or "CMMC Level X required." If you're still unsure, consult with a CMMC compliance expert before starting the certification process.


What If You're Pursuing Multiple Contracts?

If you're bidding on multiple contracts with different CMMC requirements, you'll need to achieve the highest level required across all your contracts. You can't have partial compliance—your entire organization must meet the same level.

However, you can scope your compliance boundary strategically. Some contractors choose to segment their operations, creating a separate environment for higher-level work while maintaining a lower-level environment for less sensitive contracts. This approach requires careful planning and documentation.

Common Misconceptions

Misconception #1: "Level 1 is good enough for most contractors"

Reality: Most defense contractors handle CUI and will need Level 2. Level 1 is relatively rare in practice.

Misconception #2: "I can self-certify for Level 2"

Reality: Level 2 requires third-party C3PAO assessment. Self-assessment is only allowed for Level 1.

Misconception #3: "CMMC levels are cumulative"

Reality: While Level 2 includes all Level 1 requirements, and Level 3 includes Level 2, you only pursue the level specified in your contract—not all three sequentially.

Next Steps

Once you've determined your required CMMC level:

  1. Conduct a gap assessment to identify where you currently stand versus requirements
  2. Develop a remediation plan with timelines and budget
  3. Implement required controls with proper documentation
  4. Prepare for assessment by conducting internal audits
  5. Schedule your formal assessment (for Levels 2-3)

Understanding your CMMC level is the first step toward compliance. With the right guidance and a structured approach, certification is an achievable goal that opens doors to DOD contracts and demonstrates your commitment to cybersecurity.