CMMC Level 1 vs Level 2 vs Level 3: What's Required

Are you trying to navigate the complex world of Cybersecurity Maturity Model Certification (CMMC)? You're not alone in feeling overwhelmed by the different requirements across CMMC levels.

April 18, 2025

Many defense contractors struggle to understand exactly what's required at each level and which one they need to achieve.

Today, I'll break down the key differences between CMMC Levels 1, 2, and 3 in plain language that won't make your head spin.

In this article, you'll learn:

  • What each CMMC level is designed to protect
  • The specific requirements for Levels 1, 2, and 3
  • How the assessment process differs across levels
  • Practical steps to determine which level your organization needs

Understanding the CMMC Framework Hierarchy

The CMMC framework consists of three levels that build upon each other.

Each level increases your organization's ability to protect sensitive information.

Think of it like building a house - Level 1 is your foundation, Level 2 adds walls and a roof, and Level 3 installs advanced security systems.

The key thing to remember is that CMMC levels are hierarchical.

To achieve a higher level, you must implement all requirements from that level AND all requirements from the levels below it.

CMMC Level 1: The Foundation

Level 1 is the entry point for contractors handling Federal Contract Information (FCI).

It consists of just 15 basic cybersecurity requirements derived from FAR 52.204-21, the Federal Acquisition Regulation clause on basic safeguarding of covered contractor information systems.

These requirements focus on fundamental cybersecurity hygiene practices that most organizations should already have in place.

The 15 Level 1 requirements can be grouped into four categories (the counts below overlap, since a single requirement can fall into more than one category, so they total more than 15):

  • 10 activities (documented tasks)
  • 1 physical control
  • 9 technical controls
  • 2 services and solutions

The good news?

Level 1 is achieved through an annual self-assessment, with the score and a senior official's affirmation entered in SPRS (the Supplier Performance Risk System), making it far more accessible for smaller organizations.

But here's something important to consider - even if you only need Level 1 certification now, you should plan strategically for Level 2 in the future.

CMMC Level 2: Building the Structure

Level 2 is where things get more serious.

It's required for any organization that handles Controlled Unclassified Information (CUI).

Level 2 expands to 110 total cybersecurity requirements: the 15 from Level 1 (each of which maps to a corresponding NIST SP 800-171 requirement) plus 95 additional requirements.

These requirements are the 110 security requirements of NIST SP 800-171 Rev 2. Note that the CMMC rule references Rev 2 specifically, even though NIST has since published Rev 3.

What makes Level 2 different?

It goes beyond basic cybersecurity hygiene to implement more robust protections specifically designed for CUI.

The assessment process also changes at Level 2.

Depending on what the contract calls for, Level 2 is either self-assessed ("Level 2 (Self)") or assessed by a C3PAO (CMMC Third Party Assessment Organization, "Level 2 (C3PAO)"). It is the DoD solicitation, not the contractor, that decides which applies. In both cases the assessment is repeated every three years, with an annual affirmation of continued compliance in between.

Level 2 requirements span all 14 security requirement families of NIST SP 800-171, including:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • And the remaining families, such as Media Protection, Physical Protection, Risk Assessment, Security Assessment, and System and Communications Protection

CMMC Level 3: Advanced Protection

Level 3 represents the highest tier of CMMC certification.

It's designed for organizations handling CUI that is exposed to additional risk from Advanced Persistent Threats (APTs).

Level 3 increases the requirements to 134 total, adding 24 more advanced controls on top of the 110 from Level 2.

These 24 additional requirements are a selected subset of NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.

What makes Level 3 unique?

The assessment is government-led rather than conducted by a C3PAO: it is performed by DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center within DCMA.

This means government assessors will directly evaluate your compliance, and you must already hold a final Level 2 (C3PAO) certification for the same scope before a Level 3 assessment can take place.

Level 3 also includes 16 requirements that contain Organization-Defined Parameters (ODPs). Under the CMMC rule, DoD has assigned the values for these parameters, so you implement the DoD-specified values rather than choosing your own.

Who needs Level 3?

Organizations processing CUI associated with the highest priority and most critical defense programs.

Determining Your Required CMMC Level

How do you know which level your organization needs?

It comes down to the type of information you handle:

  • If you only handle FCI (Federal Contract Information): Level 1
  • If you handle CUI (Controlled Unclassified Information): Level 2
  • If you handle CUI for critical defense programs with APT risks: Level 3

The DoD solicitation will specify which CMMC status is required: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC, the government assessment body).

Wrapping Up

Understanding the differences between CMMC Levels 1, 2, and 3 is crucial for any defense contractor.

Each level builds upon the previous one, creating a comprehensive cybersecurity framework that protects increasingly sensitive information.

Remember that the level you need depends on the type of information you handle and the specific requirements of your DoD contracts.

Even if you only need Level 1 today, consider planning for Level 2 or 3 compliance in the future.

The investment in stronger cybersecurity practices not only helps you win contracts but also protects your organization from increasingly sophisticated threats.