CMMC Levels Guide
This page presents an in-depth guide to the three levels of CMMC 2.0, including their key features, their requirements and practices, their assessment processes, and how to know which level your company falls into.
From CMMC 1.0 to CMMC 2.0
For years, defense contractors have been required to comply with cybersecurity requirements under DFARS clause 252.204-7012, which mandates implementation of NIST SP 800-171. However, compliance was largely self-attested, and the U.S. Department of Defense (DoD, now also styled the Department of War) determined that inconsistent implementation left controlled unclassified information (CUI) exposed. The Cybersecurity Maturity Model Certification (CMMC) program, introduced in 2019, was designed to create a unified verification framework tied directly to contract awards, so that companies bidding on DoD contracts demonstrate a measurable cybersecurity posture before handling sensitive data.
The original CMMC 1.0 model, released in January 2020, established a five-level maturity system ranging from basic cyber hygiene to advanced, proactive security practices. Each level built on the previous one and introduced increasing process maturity and institutionalization requirements.
However, after industry feedback highlighted cost, complexity, and implementation challenges—particularly for small and mid-sized defense contractors—the DoD announced CMMC 2.0 on November 4, 2021. The updated framework streamlined the structure from five levels down to three, eliminated certain maturity process requirements, and aligned more closely with existing NIST standards.
Under CMMC 2.0, there are three levels:
- Level 1 (Foundational) - Basic safeguarding of Federal Contract Information (FCI) through the 15 requirements of FAR 52.204-21, verified by an annual self-assessment and affirmation.
- Level 2 (Advanced) - Protection of CUI through the 110 requirements of NIST SP 800-171, in most cases verified by a third-party (C3PAO) certification assessment every three years.
- Level 3 (Expert) - Protection of CUI on high-priority programs through Level 2 plus 24 enhanced requirements from NIST SP 800-172, verified by a government (DIBCAC) assessment.
These three levels were codified in the CMMC Program Rule, 32 CFR Part 170, published in the Federal Register on October 15, 2024 and effective December 16, 2024. The companion acquisition rule in 48 CFR (DFARS), published on September 10, 2025 and effective November 10, 2025, embeds the requirement in contract language through a four-phase rollout: the required CMMC status and affirmation become a condition of award.
CMMC Level 1 (Foundational)
Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification (CMMC). It ensures that contractors meet basic cybersecurity standards necessary to protect Federal Contract Information (FCI). Unlike higher levels, it’s geared toward simple practices that establish cybersecurity hygiene rather than advanced measures.
Key Features:
- Protects Federal Contract Information (FCI) but does not involve Controlled Unclassified Information (CUI).
- Requires implementation of the 15 basic safeguarding requirements in FAR 52.204-21 (Federal Acquisition Regulation clause).
- Allows for self-assessment rather than requiring third-party audits, making it less resource-intensive than higher levels.
Who Needs CMMC Level 1 Certification?
CMMC Level 1 is for DoD contractors—both prime and subcontractors—who handle FCI but not CUI. If you don’t handle CUI but are contractually obligated to be able to, you would fall under Level 2, not Level 1.
When CMMC Level 1 Appears in Contracts
Since November 10, 2025 (Phase 1 of the rollout), CMMC Level 1 self-assessment requirements, along with Level 2 self-assessment requirements for some contracts, have begun appearing in applicable solicitations and contracts as a condition of award. Contractors must have the required CMMC status and a current affirmation recorded in SPRS (Supplier Performance Risk System) before award.
CMMC Level 1 Requirements and Practices
CMMC Level 1 covers basic safeguarding practices across 6 domains with 15 distinct security requirements. These requirements are straightforward and set a minimum standard of cyber hygiene for any system that processes, stores, or transmits FCI.
- Access Control (AC)
- Identification and Authentication (IA)
- Media Protection (MP)
- Physical Protection (PE)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
The Level 1 Assessment Process
CMMC Level 1 requires an annual self-assessment and an annual affirmation by a senior official. It is the only level at which every contractor self-assesses rather than relying on third-party or government evaluation, which reduces the financial and administrative burden for smaller contractors while maintaining a baseline of cybersecurity. Note that Level 1 is pass/fail: all 15 requirements must be MET, and Plans of Action and Milestones (POA&Ms) are not permitted for unmet requirements.
Key Steps in Level 1 Self-Assessment
- Review the 15 requirements and the DoD's CMMC Level 1 Scoping Guide and Assessment Guide
- Identify the in-scope assets (anything that processes, stores, or transmits FCI) and implement the necessary controls on them
- Assess each requirement as MET or NOT MET against the assessment objectives in the Level 1 Assessment Guide; all 15 must be MET
- Record the self-assessment result and the affirmation in SPRS (Supplier Performance Risk System)
- Maintain compliance and repeat the self-assessment and affirmation every year
CMMC Level 2 (Advanced)
The vast majority of DoD contractors will fall under CMMC Level 2. It is designed to ensure that CUI is protected from unauthorized access and advanced threats. Level 2 requires full implementation of the 110 security requirements across 14 domains in NIST SP 800-171 (Revision 2, the version the CMMC rule incorporates).
Key Features:
- Level 2 is designed to protect CUI and applies to all companies handling CUI or contractually required to be able to handle CUI.
- Unlike Level 1, Level 2 generally requires a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), recorded as Level 2 (C3PAO); a limited set of contracts instead allow a Level 2 self-assessment, recorded as Level 2 (Self). Either way the assessment is repeated every three years, with an affirmation every year.
- Contractors must maintain robust documentation, including a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), to demonstrate compliance and address gaps. A POA&M is permitted only for a limited set of lower-weight requirements; the resulting Conditional status becomes Final only if the POA&M items are closed within 180 days.
Who Needs Level 2 Certification?
CMMC Level 2 certification is required for DoD contractors and subcontractors that handle CUI, which includes sensitive but unclassified data such as technical specifications and procurement details. This certification applies to all companies within the DIB working on or bidding on contracts that specify CUI protection requirements.
When CMMC Level 2 Appears in Contracts
Beginning November 10, 2026 (Phase 2 of the rollout), CMMC Level 2 third-party certification by a C3PAO will be required for most contracts involving CUI. Certification must be completed prior to award. Prime contractors may flow down Level 2 requirements to their subcontractors before that date, requiring proof of certification ahead of mandatory inclusion in DoD contracts.
CMMC Level 2 Requirements and Practices
CMMC Level 2 is aligned with NIST SP 800-171. It requires contractors to implement and maintain 110 security requirements across 14 domains, assessed against the 320 assessment objectives defined in NIST SP 800-171A.
The 14 domains are:
- Access Control (AC): Limit access to systems, resources, and data to authorized users only.
- Awareness and Training (AT): Train employees to recognize and respond to cybersecurity threats.
- Audit and Accountability (AU): Create, protect, and retain system audit logs so that user actions can be traced to individuals and reviewed.
- Configuration Management (CM): Standardize and monitor configurations for security settings.
- Identification and Authentication (IA): Verify the identity of users and devices accessing systems.
- Incident Response (IR): Plan for detecting, responding to, and recovering from cybersecurity events.
- Maintenance (MA): Protect maintenance activities and personnel access to systems.
- Media Protection (MP): Secure sensitive data on removable and electronic media.
- Personnel Security (PS): Screen and secure personnel with access to sensitive systems.
- Physical Protection (PE): Limit physical access to IT infrastructure.
- Risk Assessment (RA): Regularly assess and manage risks to systems and data.
- Security Assessment (CA): Periodically evaluate the effectiveness of security measures.
- System and Communications Protection (SC): Secure data in transit and within systems.
- System and Information Integrity (SI): Detect and protect against malware and unauthorized changes.
For a fuller account of all 14 domains of NIST 800-171’s security controls included in CMMC Level 2, see this post.
The Level 2 Assessment Process
To achieve Level 2 certification, most companies will have to undergo an assessment by a C3PAO authorized by the Cyber AB, the CMMC accreditation body. An assessment team of at least two CMMC Certified Assessors (CCAs), led by a Lead CCA, reviews your SSP and supporting documentation, interviews key personnel about implementation and procedures, and tests your systems and controls directly to determine whether each of the 110 requirements is MET against the NIST SP 800-171A assessment objectives.
Key Steps in Preparing for Level 2 Assessment
- Establish a System Security Plan (SSP): An SSP describes the system boundary, the CUI it handles, and how each security requirement is implemented. Develop your SSP to formally document your organization's cybersecurity practices, policies, and procedures, with enough detail that an assessor can trace each CMMC practice to the people, processes, and technology that satisfy it.
- Conduct a NIST SP 800-171A Self-Assessment to Identify Gaps: Perform a self-assessment against the assessment objectives in NIST SP 800-171A, which defines the examine, interview, and test procedures used to evaluate each requirement.
- Build a Plan of Action and Milestones (POA&M): Create a POA&M for any gaps identified during your self-assessment. It should list each unmet requirement, the remediation steps, the responsible owner, and the target completion date.
- Implement Improvements and Set a Timeline for Full Compliance: Work through the POA&M and establish a realistic timeline for certification, considering the complexity of the required controls, resource availability, and contractual deadlines. A Registered Provider Organization (RPO) can provide consulting and implementation help, but an RPO cannot perform the certification assessment itself.
- Conduct a Full CMMC Readiness Assessment: Perform a mock assessment that mirrors the official process to verify that your organization meets every Level 2 requirement and to surface any remaining weaknesses before the C3PAO arrives. Preparing this way reduces the risk of a failed or Conditional result.
- Choose a C3PAO: Select an authorized C3PAO for your official assessment. The C3PAO evaluates your organization's compliance with Level 2 requirements and, if all requirements are MET (or the POA&M limits are satisfied), the result is recorded in the CMMC instantiation of eMASS and reflected in SPRS. Choosing an experienced C3PAO with available capacity is important given current scheduling lead times.
See this post for more in-depth information about the Level 2 audit process.
CMMC Level 3 (Expert)
Level 3 represents the most advanced tier of CMMC. It’s designed for DoD contractors and subcontractors handling highly sensitive CUI that could impact national security if compromised. Level 3 requires advanced, comprehensive cybersecurity measures to protect against Advanced Persistent Threats (APTs).
Key Features:
- Encompasses 134 requirements: all 110 requirements from NIST SP 800-171 plus 24 enhanced requirements selected from NIST SP 800-172.
- Focuses on advanced threat detection, response, and resilience against APT actors.
- Requires a Final Level 2 (C3PAO) certification as a prerequisite, then a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment every three years, along with an annual affirmation.
Who Needs Level 3 Certification?
Of the over 80,000 contractors in the DIB, only around 1% are expected to require Level 3 certification. This group encompasses companies working with unclassified data critical to classified operations; companies that produce weapons systems, aerospace technologies, or intelligence-related projects; and companies working on research and development, advanced manufacturing, or supply chain management for mission-critical technologies.
When CMMC Level 3 Appears in Contracts
Beginning November 10, 2027 (Phase 3 of the rollout), Level 3 certification, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), becomes a condition of award for the contracts that require it.
CMMC Level 3 Requirements and Practices
Level 3 includes the 110 requirements of NIST SP 800-171 and adds 24 enhanced requirements from NIST SP 800-172. Below are selected domains with examples of the enhanced practices they introduce:
- Access Control (AC): Restrict access to systems to organization-owned, provisioned, or issued resources, and control information flows between security domains with secure transfer solutions.
- Awareness and Training (AT): Provide training focused on recognizing and responding to social engineering, APT tactics, and insider threats, updated at least annually and reinforced with practical exercises.
- Configuration Management (CM): Maintain an authoritative repository of approved configurations, and use automated mechanisms to detect and quarantine misconfigured or unauthorized components and to keep the asset inventory current.
- Incident Response (IR): Maintain a security operations center capability that operates around the clock and a cyber incident response team that can be deployed within 24 hours.
- Risk Assessment (RA): Conduct cyber threat hunting, assess the effectiveness of controls against current threats, and manage supply chain risk for system components and services.
- System and Communications Protection (SC): Employ physical or logical isolation techniques to segment critical systems and limit the spread of an attack.
- System and Information Integrity (SI): Verify the integrity of security-critical software (for example, by using cryptographic signatures and a root of trust), and use threat indicator information from external organizations to drive mitigations.
The Level 3 Assessment Process
The Level 3 assessment process is significantly more rigorous than Level 2. Only an organization that already holds a Final Level 2 (C3PAO) certification can seek Level 3, and it must demonstrate not just the presence of the 24 enhanced requirements but their effectiveness against realistic attack scenarios. Additional documentation, such as supply chain risk management plans, continuous monitoring reports, and an SSP that covers the 800-172 requirements, is required, and the evaluation examines the Organization Seeking Assessment's (OSA's) ability to detect and respond to attacks in near real time, including through automated systems. The assessment is performed by DIBCAC, a government assessment body, rather than by a C3PAO of the organization's choosing.
FAQs
When Will CMMC 2.0 Appear in Contracts?
CMMC 2.0 requirements are already appearing in contracts. Level 1 and Level 2 self-assessment requirements took effect on November 10, 2025, CMMC Level 2 third-party certification will be required from November 10, 2026 for most contracts involving CUI, and Level 3 requirements follow from November 10, 2027.
How Do I Find a C3PAO for a Level 2 CMMC Assessment?
CMMC 3rd-Party Assessment Organizations (C3PAOs) are essential to the Level 2 certification process. Here’s a list of some of the C3PAO assessors we recommend.
Plan early. C3PAO lead times are currently 9 to 12 months and growing, and as the 48 CFR requirements flow into more contracts, scheduling windows are tightening quickly.
How Does ISI Compare to Other MSPs for CMMC Readiness Services?
We’re known for:
- End-to-end support: ISI combines managed IT, cybersecurity, and NIST 800-171 compliance to close gaps, maintain SSPs/POA&Ms, and support the audit process.
- Purpose-built DIB service model: ISI was designed for multi-hatted small contractors that need responsive, relationship-driven support—not a one-size-fits-all technical deployment.
- Security Control platform: ISI offers a dedicated compliance management system for mapping controls, tracking evidence, and scoring readiness.
- Partner-style engagement: ISI emphasizes proactive communication, responsiveness, and personalized guidance.
Can ISI Help Us Build and Maintain Our System Security Plan (SSP) and POA&Ms?
Yes. ISI not only builds your SSP and POA&Ms, we also keep them accurate and audit-ready year-round. Unlike general MSPs that provide templates or one-time checklists, ISI uses a purpose-built DIB compliance platform to map every NIST 800-171 control, assign owners, track evidence, and automate updates as your environment changes. Our compliance experts maintain the documentation, our engineers close technical gaps, and our platform ensures your SSP and POA&Ms always reflect your true security posture, making CMMC Level 2 certification far easier and more dependable.
Which Services Help with Ongoing Compliance Maintenance Post-Certification?
ISI provides continuous compliance services that keep defense contractors aligned with NIST 800-171 and CMMC Level 2 long after certification. Our managed IT, cybersecurity, and compliance teams work together to maintain controls through 24/7 monitoring, patching, vulnerability remediation, access reviews, log management, and secure configuration updates.
Through our Security Control platform, we also track SSP/POA&M changes, update evidence, automate reminders, and re-score controls so compliance never falls behind. Unlike general MSPs, ISI delivers a fully integrated, DIB-specific program built to sustain compliance every day, not just at audit time.
Master Your CMMC Level with ISI
Whichever CMMC certification level your organization needs to achieve, ISI has the industry expertise you need to set your organization up for success. As the DoD rolls out requirements in new contracts, being ahead of the game at CMMC compliance gives your organization a competitive edge and demonstrates your commitment to advanced, thorough cybersecurity. Schedule a discovery call to find out how ISI can become your trusted partner in the process.