By now, most businesses in the defense industrial base (DIB) are aware that the Cybersecurity Maturity Model Certification (CMMC) is a reality and is being implemented rapidly. What many still don’t know is which CMMC level they’ll be required to meet… or how big the gap is between where they are now and where they need to be.
If you’re supporting DoD contracts in any capacity, as a prime or a sub, this post is for you. Understanding the CMMC 2.0 levels is essential to ensuring your business meets the evolving cybersecurity standards set by the Department of Defense.
Let’s break down the CMMC 2.0 levels, what each level requires, and how to know which one applies to your business.
The CMMC 2.0 Model: A Simplified, Tiered System
The CMMC 2.0 cybersecurity framework was designed to ensure contractors maintain strong cybersecurity hygiene aligned with the sensitivity of data they handle.
Originally released with five levels in 2020, the DoD streamlined the framework in 2021 into what is now known as CMMC 2.0, consisting of three certification levels:
- Level 1: Foundational
- Level 2: Advanced
- Level 3: Expert
Each level aligns with a combination of information sensitivity and security rigor. The higher the level, the more critical the data you handle, and the more security controls you’ll need to implement.
“CMMC 2.0 isn’t just about checking a compliance box. It’s about matching your cybersecurity maturity to the sensitivity of the data you’re trusted with.”
— Grant Eckstrom, vCISO – Succurri

CMMC 2.0 Levels Explained
Level 1: Foundational
What It Covers
Level 1 applies to companies that only handle FCI (Federal Contract Information) — information provided by the government that’s not intended for public release but isn’t considered sensitive enough to be classified as CUI.
Key Requirements
- Implement 15 basic cybersecurity practices
- Follow FAR 52.204-21 (Basic Safeguarding of FCI)
- Annual self-assessment
- Annual affirmation by a senior official
- No third-party audit required
Examples of Level 1 Contractors
- Janitorial companies working on base
- Office supply vendors for military branches
- IT support companies with no access to sensitive project data
Why It Still Matters
Even though it’s “basic,” CMMC 2.0 Level 1 includes essential practices like password protection, access control, and antivirus. These are the frontline defenses that protect you from phishing, malware, and accidental data leaks.
Level 2: Advanced – Key CMMC 2.0 Requirements
What It Covers
CMMC 2.0 Level 2 is the most common requirement and applies to companies that handle CUI (Controlled Unclassified Information) — which includes technical data, designs, schematics, and other sensitive-but-unclassified DoD information.
Key Requirements
- Implement all 110 controls from NIST SP 800-171
- Submit a System Security Plan (SSP)
- Perform a third-party audit by a C3PAO (for most contracts)
- Upload score to SPRS database
- Recertification every 3 years
- Annual self-affirmation is also required
Examples of Level 2 Contractors
- A software company developing applications for military systems
- A manufacturer creating aircraft parts using controlled technical information
- An MSP managing systems that store DoD data
If you manage CUI and fall into this category, you’ll most likely fall under the scope of CMMC 2.0 Level 2.
The Big Shift
Level 2 is where CMMC 2.0 compliance becomes more rigorous, requiring companies to demonstrate they can securely manage CUI through third-party audits and controls. This level builds on what many contractors should already be doing under DFARS 252.204-7012 — but adds teeth with enforcement and audits. No more self-reporting with no consequences.
Level 3: Expert
What It Covers
CMMC 2.0 Level 3 is for companies that support high-priority national security programs and face Advanced Persistent Threats (APTs) from nation-state actors.
Key Requirements
- Implement the full NIST SP 800-171 (110 controls)
- Add 24 additional practices from NIST SP 800-172
- Undergo a government-led audit (by DIBCAC)
- Recertification every 3 years
- Must demonstrate a highly mature, risk-based cybersecurity program
Examples of Level 3 Contractors
- Prime contractors developing weapons systems
- Research firms working on classified or emerging tech
- Aerospace or satellite defense companies
Important Note
Most companies will not need Level 3 unless the DoD explicitly requires it based on contract sensitivity. If you don’t know, assume you need Level 2 unless confirmed otherwise.
How to Determine Your Required Level
Ask yourself these questions:
| Question | If Yes… |
|---|---|
| Do we store, transmit, or process Controlled Unclassified Information (CUI)? | You need Level 2 |
| Are we a prime contractor supporting critical national defense programs? | You might need Level 3 |
| Do we only handle basic government contract info like delivery schedules or pricing? | You likely only need Level 1 |
| Does our contract mention DFARS 252.204-7012 or NIST SP 800-171? | You’re already on the hook for Level 2 compliance |
| Are we a subcontractor receiving CUI from a prime? | You need to match the prime’s required level |
When in doubt, check the contract language, talk to your DoD contracting officer, or consult with your prime contractor.
Why You Should Prepare Now
Obtaining your CMMC 2.0 certification can take 6 to 12 months, so preparation and early planning are critical to avoiding delays. While the full CMMC 2.0 timeline is still unfolding, most businesses should expect enforcement to begin in late 2025.
And with the flood of contractors all trying to get certified at once, demand for auditors and consultants is skyrocketing. Don’t wait until it’s too late.
Here’s what proactive companies are doing now:
- Determining their required level
- Conducting readiness gap assessments
- Building a remediation plan
- Updating their documentation and controls
- Training staff on cyber hygiene and CUI handling
“Whether you’re aiming for Level 1 or Level 3, understanding your CMMC requirements now gives you a strategic advantage. Don’t wait for the mandate — lead with security.”
— Andrew Eckstrom, vCIO – Succurri
Visit our IT Security services page to find out more about how we can help you with CMMC 2.0 compliance.

Take Action Toward CMMC 2.0 Compliance
Whether you’re aiming for foundational security or preparing for advanced audits, understanding the CMMC 2.0 levels and how they apply to your organization is essential. The CMMC 2.0 certification process isn’t just another compliance requirement; it’s a business necessity that protects your contracts, data, and reputation.
As the CMMC 2.0 timeline moves forward and enforcement becomes a reality, now is the time to act. Conduct a gap assessment, align with the appropriate CMMC 2.0 level, and prepare your team to meet every CMMC 2.0 requirement. Whether you’re pursuing Level 1 self-assessment or a Level 2 audit, building a mature, risk-aware cybersecurity program will set your business apart.
Need help navigating the CMMC 2.0 cybersecurity framework? Succurri’s experts are here to guide you through every step, from initial assessments to full CMMC 2.0 compliance readiness. Let’s secure your path forward.
Schedule your CMMC Readiness Review with Succurri today.
