CMMC Certification Levels: Understanding Level 1, Level 2, and Level 3

If you are researching CMMC certification levels, you are likely trying to answer one of these questions:

  • How many CMMC certification levels are there?

  • What is the difference between Level 1, Level 2, and Level 3?

  • Which level does my organization need?

  • What controls apply at each level?

  • How does certification differ from self-assessment?

Under CMMC 2.0, the U.S. Department of Defense reduced the framework from five levels to three certification levels, each aligned to the sensitivity of the information handled and to specific federal contract requirements.

This guide explains what each CMMC certification level requires, how assessments work, and how to determine your path to compliance.

What Are CMMC Certification Levels?

CMMC (Cybersecurity Maturity Model Certification) establishes cybersecurity requirements for contractors and subcontractors within the Defense Industrial Base (DIB).

Under CMMC 2.0, there are three levels:

  • Level 1 – Foundational

  • Level 2 – Advanced

  • Level 3 – Expert

Each level builds upon the previous one and corresponds to the sensitivity of federal information your organization handles.

Your required level is determined by contract language and data classification.

CMMC Level 1 – Foundational

CMMC Level 1 applies to organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).

Level 1 Core Characteristics

  • Based on the 15 basic safeguarding requirements of FAR 52.204-21 (the same requirements were counted as 17 practices under CMMC 1.0)

  • Focused on fundamental cyber hygiene

  • Requires an annual self-assessment and an annual affirmation by a senior company official

Level 1 Security Expectations

Organizations must implement safeguards such as:

  • Limiting system access to authorized users and to the transactions those users are permitted to perform

  • Basic identification and authentication controls

  • Controlling connections to external systems and monitoring communications at system boundaries

  • Physical security protections, including escorting visitors

  • Sanitizing media before disposal or reuse, and keeping malware protection updated

Level 1 is designed for contractors with limited exposure to sensitive data but still performing work for the DoD.

CMMC Level 2 – Advanced

CMMC Level 2 is the most common certification level and applies to organizations that process, store, or transmit Controlled Unclassified Information (CUI).

Level 2 Core Characteristics

  • Based on NIST SP 800-171 (110 security requirements)

  • Focused on protection of CUI

  • Requires either a self-assessment or a third-party assessment by a C3PAO; the DoD specifies which in the solicitation, based on the sensitivity of the CUI involved

Level 2 Control Domains

Level 2 requirements span multiple cybersecurity domains, including:

  • Access control

  • Incident response

  • Configuration management

  • Risk assessment

  • Media protection

  • System and communications protection

  • Audit and accountability

Level 2 requires a formal cybersecurity program supported by documented policies, procedures, and objective evidence. An assessment that does not meet every requirement can still result in a conditional status if the organization reaches the minimum score (88 of 110) and every open item is eligible for a Plan of Action and Milestones (POA&M); the highest-weighted requirements are not POA&M-eligible, and open items must be closed out within 180 days or the conditional status lapses.

CMMC Level 3 – Expert

CMMC Level 3 applies to organizations supporting high-priority national security programs facing advanced persistent threats.

Level 3 Core Characteristics

  • Builds upon all Level 2 requirements, and requires a final Level 2 certification from a C3PAO as a prerequisite

  • Adds 24 selected requirements from NIST SP 800-172

  • Requires a government-led assessment by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

  • Emphasizes advanced threat detection and response

Level 3 Advanced Expectations

Organizations pursuing Level 3 must demonstrate:

  • Proactive threat detection capabilities

  • Enhanced incident response maturity

  • Advanced monitoring and analytics

  • Strong governance and security architecture

Level 3 represents the highest maturity tier under CMMC 2.0.

How to Determine Which CMMC Certification Level You Need

Your required certification level depends on:

  • Contract requirements

  • Whether you handle FCI or CUI

  • Flowdown requirements from prime contractors

  • Program criticality

General Rule of Thumb

  • FCI only → Likely Level 1

  • CUI → Likely Level 2

  • High-priority national security programs → Potential Level 3

Prime contractors frequently flow CMMC level requirements down to subcontractors.

Assessment Pathways by CMMC Certification Level

Understanding the assessment structure is critical when evaluating CMMC certification levels.

Level 1 Assessment

  • Annual self-assessment

  • Senior official affirmation

  • Documentation and evidence required

Level 2 Assessment

Two possible pathways:

  1. Self-assessment every three years (only where the DoD designates the contract for Level 2 self-assessment), with an annual affirmation by a senior official

  2. Third-party assessment by an authorized C3PAO

Certification is valid for three years, and a senior official must affirm continued compliance annually.

Level 3 Assessment

  • Government-led assessment by DIBCAC

  • Evaluation of the NIST SP 800-172 requirements on top of a current Level 2 certification

  • Certification valid for three years, with an annual affirmation by a senior official

Preparation and structured evidence management are essential at every level.

CMMC Certification Levels vs ISO 27001

Many organizations compare CMMC to ISO 27001.

Key Differences

  • CMMC is mandatory for applicable DoD contracts

  • ISO 27001 is voluntary and internationally recognized

  • CMMC Level 2 aligns closely with NIST SP 800-171

  • ISO 27001 uses a risk-based Annex A control structure

ISO-certified organizations may have a strong foundation, but CMMC requires specific alignment with DoD-defined controls.

Common Mistakes When Navigating CMMC Certification Levels

Organizations often:

  • Underestimate documentation and evidence requirements

  • Assume ISO certification automatically satisfies CMMC

  • Ignore subcontractor flowdown obligations

  • Delay remediation until assessment time

  • Skip formal gap assessments

CMMC readiness requires disciplined implementation and structured compliance management.

Implementing CMMC Requirements Effectively

A structured implementation approach includes:

  1. Confirm required certification level

  2. Conduct a formal gap assessment

  3. Develop a remediation roadmap

  4. Implement policies and technical safeguards

  5. Collect and organize objective evidence

  6. Perform internal mock assessments

  7. Schedule formal certification assessment (if required)

Early planning significantly reduces certification risk and cost.

Why CMMC Certification Levels Matter

Understanding CMMC certification levels is critical because:

  • Certification is required for many DoD contract awards

  • It demonstrates cybersecurity maturity

  • It strengthens supply chain security

  • It reduces breach exposure

  • It improves competitive positioning within the Defense Industrial Base

Failure to meet required certification levels can directly impact eligibility for federal contracts.


If your organization needs clarity on which CMMC certification level applies and how to prepare efficiently, a structured gap assessment and implementation roadmap can significantly reduce audit disruption and compliance risk.

Contact us.

info@wintersmithadvisory.com
(801) 558-3928