CMMC levels explained: Complete guide to levels 1, 2 and 3 (CMMC 2.0)
The Department of Defense (DoD) officially began phasing CMMC requirements into solicitations and contracts on November 10, 2025. For defense contractors and subcontractors, understanding which certification level applies to your organization directly impacts your ability to win and maintain DoD contracts.
CMMC 2.0 establishes three distinct CMMC maturity levels, each designed to protect different types of sensitive information. The streamlined framework replaces the original five-level structure with a more practical approach. This guide explains what the CMMC levels are, what each level requires, who needs it and how to achieve certification.
Editor's note: As of April 2026, ISACA is the new CMMC Assessor & Instructor Certification Organization (CAICO). Learn how this affects your compliance journey in our webinar with ISACA.
CMMC levels: Then vs. now
Understanding how many CMMC levels exist today requires looking at the evolution from CMMC 1.0 to CMMC 2.0. The original framework had five levels, but CMMC 2.0 simplified this into three levels aligned with existing NIST standards. The change reduced complexity while maintaining security protections.
CMMC 1.0 had five levels (1-5) with 17 to 171 practices. The multiple tiers created confusion and imposed significant costs on small businesses.
CMMC 2.0 consolidated to three levels:
- Level 1: 15 security requirements from FAR 52.204-21, annual self-assessment
- Level 2: 110 security requirements from NIST SP 800-171 Rev 2, triennial assessment (self or C3PAO, depending on requirements)
- Level 3: 110 + 24 enhanced requirements from NIST SP 800-172, triennial government assessment
The mapping is straightforward: CMMC 1.0 Level 1 became Level 1 (with refined requirements). Levels 2-3 consolidated into Level 2. Levels 4-5 became Level 3. Organizations handling Federal Contract Information (FCI) need Level 1. Those with Controlled Unclassified Information (CUI) need Level 2. Critical national security programs require Level 3.
Level 1: Foundational
Level 1 establishes basic cybersecurity hygiene for organizations that handle Federal Contract Information. Understanding CMMC Level 1 requirements is essential for the majority of defense contractors, as DoD estimates approximately 63% of the defense industrial base falls into this category.
Who needs Level 1
Level 1 applies to contractors who handle only Federal Contract Information, not Controlled Unclassified Information. This typically includes commercial off-the-shelf product suppliers, lower-tier subcontractors performing basic services and administrative service providers.
FCI includes information like proposal content, purchase orders, delivery schedules and contractor performance data that shouldn't be publicly released without authorization but doesn't require CUI-level protection.
CMMC Level 1 requirements
Level 1 consists of 15 security requirements across six families derived from FAR 52.204-21.
Note: These 15 requirements map to 17 practices in NIST SP 800-171 because NIST split one FAR requirement into three separate practices. Both numbers are correct depending on which framework you're referencing.
The six practice families cover:
- Access Control (4 requirements): Limiting system access to authorized users
- Identification and Authentication (2 requirements): Verifying user identities
- Media Protection (1 requirement): Sanitizing or destroying media containing FCI
- Physical Protection (2 requirements): Controlling physical access to systems
- System and Communications Protection (2 requirements): Monitoring and protecting data in transit
- System and Information Integrity (4 requirements): Malware protection and system security
Complete practice details are available in the DoD CMMC Level 1 Assessment Guide.
Assessment and implementation
Level 1 uses annual self-assessments. Organizations evaluate their implementation of the 15 requirements, and an affirming official completes and maintains the annual affirmation of continuous compliance in the Supplier Performance Risk System (SPRS). No third-party assessor is required, significantly reducing costs. Level 1 doesn't allow Plans of Action and Milestones — all requirements must be fully implemented.
Most organizations achieve Level 1 compliance within 3 to 12 months, depending on size and current security posture. Small businesses with basic IT infrastructure typically complete implementation in 3 to 6 months. Many can handle implementation with existing IT staff, possibly supplemented by consulting support from RPO services.
Total implementation costs typically range from $10,000 to $50,000, with no assessment fees since it's self-assessed. Main costs include technology investments ($2,000–$15,000), professional services if engaging an RPO ($5,000–$25,000) and internal labor ($3,000–$10,000).
For organizations considering CMMC training to build internal expertise, Infosec Institute offers CCP training to help teams understand requirements and implementation approaches.
Level 2: Advanced
Level 2 represents the most significant certification requirement for the Defense Industrial Base. Understanding CMMC Level 2 requirements is critical, as DoD estimates that 37% of contractors will need Level 2, representing approximately 30,000 to 40,000 organizations.
Who needs Level 2
Level 2 applies to any contractor or subcontractor who handles Controlled Unclassified Information in performance of a DoD contract. This includes most prime contractors, critical subcontractors who receive technical data, engineering and design firms, IT service providers and supply chain partners who access procurement-sensitive information.
If your contracts include DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting"), you almost certainly need Level 2. That clause requires implementing NIST SP 800-171 controls, which form the basis of Level 2.
CMMC Level 2 requirements
Level 2 implements all 110 security requirements from NIST SP 800-171 Revision 2, organized across 14 families:
Access Control (22 practices), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16) and System and Information Integrity (7).
Each family addresses specific security aspects. Access Control limits who can access systems and what they can do. Identification and Authentication includes multifactor authentication requirements. Incident Response covers detecting and reporting security incidents to DoD. The complete requirements are available in NIST SP 800-171 Revision 2 and the CMMC Level 2 Assessment Guide.
Assessment process
Level 2 requires triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO). However, select programs allow a Level 2 self-assessment. As of April 2026, ISACA has been authorized as the CMMC Assessor & Instructor Certification Organization (CAICO), which administers professional certifications, including the CMMC Certified Assessor (CCA). The Cyber AB remains the accreditation body for C3PAOs themselves.
The assessment typically spans 4 to 8 weeks and includes a pre-assessment document review, on-site assessment with interviews and technical testing (3–10 days, depending on size), evidence review and scoring. Each requirement receives points based on whether it's Met, Not Met or Not Applicable, with a perfect score being 110.
Organizations scoring at least 88 points (80%) and meeting all essential requirements receive conditional certification, requiring a Plan of Action and Milestones (POA&M) to remediate gaps within 180 days. Between assessments, annual affirmations of continuous compliance are required.
For guidance on how to find service providers, refer to our comprehensive resources. To understand more about C3PAO qualifications and selection, see our C3PAO guide.
Implementation and costs
Level 2 implementation typically takes 12 to 24 months. Companies with mature security programs move faster, while those starting with minimal controls need more time. Most organizations benefit significantly from working with an RPO for gap assessment, planning and implementation support.
Total costs typically range from $100,000 to $1 million or more over the three-year certification period. Implementation costs ($50,000–$500,000) include technology investments such as encryption software, multifactor authentication, SIEM tools and hardware upgrades, as well as RPO or consulting fees. C3PAO assessment fees range from $15,000 to $80,000, depending on size and scope complexity. Ongoing compliance costs ($10,000–$50,000 per year) cover security tool licenses, training and control maintenance.
Level 2 requires capabilities beyond basic cyber hygiene: security monitoring and logging systems, incident response capabilities, formal risk management processes, configuration management and security assessment capabilities. While you don't need a large security team, you need personnel skilled in operating security tools and taking appropriate action.
Organizations building CMMC expertise can pursue CCA training to understand assessment methodology and improve preparation effectiveness. For those considering CMMC as a career path, explore our guide on CMMC career paths.
Level 3: Expert
Level 3 represents the highest tier of CMMC certification for contractors supporting the most critical DoD programs facing advanced persistent threats (APTs) from nation-state adversaries. Understanding CMMC Level 3 requirements is essential for contractors on critical programs, though Level 3 is uncommon — DoD estimates fewer than 1% of defense contractors will need this certification.
Who needs Level 3
Level 3 applies to contractors supporting "critical programs and high-value assets" where CUI faces APTs. This typically includes nuclear weapons systems, strategic missile defense, advanced fighter aircraft development, breakthrough technologies that provide significant military advantage, critical infrastructure systems and space-based assets.
Most contractors will not need Level 3. If you're unsure whether it applies to your program, consult your DoD program manager or contracting officer. Don't pursue Level 3 proactively unless your contracts explicitly require it.
CMMC Level 3 requirements
Level 3 builds on Level 2's foundation by adding 24 enhanced security requirements from NIST SP 800-172. These requirements focus on penetration-resistant architecture, damage-limiting operations and cyber resiliency. Seven requirements are prohibited from POA&Ms and must be fully implemented: Security Operations Center (24/7 capability), Cyber Incident Response Team (deploy within 24 hours), Threat-Informed Risk Assessment, Supply Chain Risk Response, Supply Chain Risk Plan, Security Solution Rationale and Specialized Asset Security.
Level 3 assessments are conducted exclusively by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). You must first achieve CMMC Level 2 Final certification with a perfect score of 110 points before pursuing Level 3. Contact DIBCAC through the DCMA to request an assessment.
Scoring gives equal weight to each requirement (1 point each). You need at least 20 out of 24 requirements met (80%) to achieve certification. You maintain both Level 2 and Level 3 certifications independently, each requiring triennial assessment and annual affirmations.
Implementation and costs
Level 3 implementation typically requires 18 to 36 months or more after achieving Level 2 certification. Key challenges include establishing a 24/7 Security Operations Center capability (often through managed security service providers), implementing advanced monitoring and detection for APT activities, integrating threat intelligence, enhancing supply chain security and building specialized security infrastructure.
Total costs can range from $500,000 to $3 million or more, with ongoing annual costs of $100,000 to $500,000. Implementation costs ($300,000–$2 million) include substantial technology investments, with a 24/7 SOC alone costing $200,000–$500,000 annually. Assessment costs range from $20,000 to $50,000. Personnel costs increase significantly, as Level 3 often requires hiring specialists in threat hunting, incident response and APT defense.
Organizations pursuing Level 3 typically need specialized consultants and RPOs with experience with NIST SP 800-172. Few organizations can meet these requirements using only internal resources.
CMMC level determination: Understanding CMMC level differences
The required CMMC level for any contract will be specified in the solicitation or contract. DoD contracting officers must include DFARS 252.204-7021, which specifies the required level. Understanding CMMC level differences helps contractors prepare appropriately for their specific requirements.
Look for the notice provision (DFARS 252.204-7025) in solicitations or paragraph (d)(1) in the contract clause. Prime contractors must flow down appropriate CMMC requirements to subcontractors based on the information being shared.
The level determination is straightforward:
- FCI only → Level 1
- CUI → Level 2
- Critical program CUI facing APTs → Level 3
When comparing CMMC Level 1 vs. 2 vs. 3, the key differentiator is information sensitivity and threat level. Level 1 protects basic contract information, Level 2 protects sensitive unclassified data and Level 3 defends against nation-state threats targeting critical systems.
If unsure, consult your contracting officer. Review DFARS 252.204-7012. If this clause is in your contract, you're handling CUI and need Level 2 minimum. When uncertain, err on the side of caution and plan for Level 2 rather than discovering later you need a higher level.
Flow-down requirements: If the prime has Level 2 (C3PAO) or Level 3 certification and flows CUI to you, you generally need at least Level 2 (C3PAO) as well, unless higher-level guidance is given. If the prime only shares FCI (not CUI) with you, you may only need Level 1 even if the prime requires Level 2.
Level comparison table
| Aspect | Level 1 | Level 2 | Level 3 |
| --- | --- | --- | --- |
| Information Protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI (Critical Programs) |
| Security Requirements | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110 + 24 (NIST SP 800-172) |
| Assessment Type | Annual self-assessment | Triennial C3PAO or self-assessment | Triennial government assessment (DIBCAC) |
| POA&M Allowed | No | Yes (with a minimum passing score of 80%) | Yes (up to 20%, 7 prohibited) |
| Typical Timeline | 3-12 months | 12-24 months | 18-36+ months (after Level 2) |
| Implementation Cost | $10K-$50K | $50K-$500K | $300K-$2M+ |
| Assessment Cost | $0 (self-assessment) | $15K-$80K | $20K-$50K |
| Professional Help | Optional | Typically needed | Essential |
| Who Needs It | FCI-only contracts (~63% DIB) | Most CUI contracts (~37% DIB) | Critical programs (~1% DIB) |
Common misconceptions about levels
- "Level 1 is easy": Level 1 requires discipline and documentation. Self-assessment doesn't mean no documentation or skipping requirements. Organizations sometimes assume it's a formality, then fail when they discover implementation gaps.
- "Everyone needs Level 2": Only contractors handling CUI need Level 2. Many lower-tier subcontractors work exclusively with FCI and need only Level 1.
- "POA&M means we don't have to fix gaps": POA&Ms are temporary, allowing conditional certification while you remediate gaps within 180 days. They only cover limited requirements, with some critical requirements prohibited.
- "We can implement Level 2 in a few months": Most organizations need 12-24 months. Rushing implementation typically results in unsuccessful C3PAO assessments.
- "Level 3 is like a security clearance": CMMC Level 3 focuses on technical cybersecurity controls. Security clearances verify individual trustworthiness for classified information. They're different requirements.
Training and workforce development
Building internal CMMC knowledge accelerates compliance and reduces ongoing costs. Organizations pursuing Level 2 or 3 should consider training key personnel to achieve CMMC Certified Professional (CCP) certification, now administered by ISACA as of April 2026.
CCP-trained staff implement controls more effectively because they understand what assessors look for. Internal expertise reduces dependence on consultants and enables faster issue resolution. For organizations preparing for assessment, CMMC Certified Assessor (CCA) training provides deeper insight into the assessment process, even if you're not becoming an assessor.
Infosec Institute, an Approved Training Provider, offers both CCP Boot Camp and CCA Boot Camp programs to help build internal capabilities. For comprehensive information on DoD cybersecurity programs and training solutions, explore our government solutions.
Next steps
Understanding CMMC levels is the beginning. Taking action determines whether you'll be ready when contracts require certification.
Review your current contracts and upcoming solicitations to determine which level you need. Conduct a gap assessment that compares your security posture against requirements. For Level 2 or 3, engage professionals for this assessment. Download relevant guides from DoD and NIST — the Assessment Guides, NIST SP 800-171 and NIST SP 800-172 contain definitive requirements.
Based on your gap assessment, develop an implementation plan with realistic milestones, resource requirements and budget. For Level 2 or 3, professional support significantly improves success chances. The sooner you begin, the more flexibility you'll have to address challenges.
Organizations that take action now position themselves for success in the defense market. Those who delay risk losing contract opportunities to competitors who've already achieved certification.
For comprehensive guidance on how to get certified, see our organization certification process guide.
Ready to build your team's CMMC expertise? Watch our webinar with ISACA, the new CMMC Assessor & Instructor Certification Organization (CAICO), or explore our CMMC training programs designed by experienced practitioners to help organizations build CMMC knowledge and prepare more efficiently.
Frequently asked questions (FAQ)
Which CMMC level do I need?
Your required level depends on the information type: FCI only needs Level 1, CUI needs Level 2 and critical programs facing APTs need Level 3. The contract or DFARS 252.204-7021 clause specifies your requirement.
Can I choose my level?
No. DoD determines your required level based on information sensitivity. Choosing a higher level voluntarily is permitted but not required.
How long does certification last?
Level 1 requires annual self-assessment. Level 2 and 3 certifications are valid for three years, with annual affirmations required between assessments.
What if I fail my Level 2 assessment?
You must remediate gaps and schedule a new assessment. Failures are costly due to assessment fees and delayed contract terms. Working with RPOs and conducting mock assessments significantly reduce the risk of failure.
Can I use POA&M for all gaps?
No. Level 1 allows no POA&Ms. Level 2 requires a minimum 88-point score with certain requirements prohibited. Level 3 needs a minimum of 20 of 24 points with seven prohibited requirements. All POA&M items must be remediated within 180 days.
Is there still a Level 4 or 5?
No. CMMC 2.0 has only three levels. References to Levels 4 or 5 refer to the outdated CMMC 1.0 framework.