The first question every defense contractor asks about CMMC is: which level applies to me?
The answer does not depend on your company size, your revenue, or how long you have been in the defense industry. It comes down to one thing: the type of data in your Department of Defense (DoD; redesignated the Department of War by executive order in September 2025) contracts. Get this determination right and you know exactly what you are building toward. Get it wrong and you either waste money over-engineering for requirements you do not have, or you under-prepare and fail an assessment.
This article breaks down all three CMMC levels, what each one requires, how compliance is verified, and how to determine which applies to your organization.
Level 1 applies to organizations that handle Federal Contract Information (FCI) but do not handle Controlled Unclassified Information (CUI).
FCI is information provided by or generated for the government under a contract to develop or deliver a product or service. If your company manufactures a component under a DoD contract, provides administrative support services, or delivers professional services where you receive contract-specific government-generated data that has not been approved for public release, that is FCI.
If your work involves only FCI and no CUI, Level 1 is your target.
Level 1 has 15 security practices, all drawn directly from FAR Clause 52.204-21. These practices are distributed across six security domains:
Access Control (4 practices)
Identification and Authentication (2 practices)
Media Protection (1 practice)
Physical Protection (2 practices)
System and Communications Protection (2 practices)
System and Information Integrity (4 practices)
Level 1 compliance is verified through an annual self-assessment. Your organization scores each of the 15 practices as Met or Not Met, submits the result to the Supplier Performance Risk System (SPRS), and a senior official affirms the accuracy of the submission. All 15 practices must be Met: Level 1 has no POA&M, so a single Not Met means no Level 1 status. Both the self-assessment and the affirmation must be renewed annually.
There is no third-party assessment requirement for Level 1. The organization assesses itself, but the senior official's affirmation creates False Claims Act exposure for misrepresentation. This is why organizations hire third parties such as NR Labs to help with Level 1 preparation and submission; the penalties for a false affirmation are just as costly at Level 1.
For most organizations, Level 1 represents a baseline of operational IT hygiene. If you have Active Directory with managed user accounts, antivirus software, a firewall, and documented procedures for removing access when employees leave, you are likely close to Level 1 compliance. The gaps are frequently in documentation, media disposal procedures, and formal visitor logging rather than major technical deficiencies.
Level 2 applies to organizations that handle Controlled Unclassified Information (CUI). CUI is a broad category established by Executive Order 13556 covering government-created or possessed information that requires safeguarding under law, regulation, or government-wide policy but does not rise to the level of classified information.
If your contract includes DFARS 252.204-7012, assume your work involves CUI until your data tracing (Step 2 below) shows otherwise. Common examples include technical specifications for defense systems, export-controlled data (ITAR/EAR), acquisition-sensitive information, proprietary drawings or designs provided by the government, and certain personnel information.
Level 2 applies to the majority of defense contractors currently subject to DFARS 252.204-7012, which is most of the defense industrial base.
Level 2 requires full implementation of NIST SP 800-171 Revision 2, which contains 110 security requirements across 14 security families. This is a substantially more demanding standard than Level 1.
Where Level 1 covers basic access control and hygiene, Level 2 adds eight further security families:
Audit and Accountability
Awareness and Training
Configuration Management
Incident Response
Maintenance
Personnel Security
Risk Assessment
Security Assessment
It also deepens the six Level 1 families, for example with least privilege, session locking, and encryption of CUI in transit and at rest. The full scope of NIST SP 800-171 Rev 2 represents a professional-grade enterprise security program, not just IT hygiene.
Level 2 verification depends on the sensitivity of the specific program:
Self-assessment: Some Level 2 contracts allow the organization to self-assess against all 110 requirements, calculate a weighted score out of 110 points, submit to SPRS, and have a senior official affirm. During Phase 1 of CMMC implementation (November 2025 through November 2026), self-assessment is the primary mode for most Level 2 contracts.
C3PAO third-party assessment: For contracts where the contracting officer requires third-party assessment, a Cyber AB-accredited C3PAO conducts an independent assessment. The C3PAO documents findings in eMASS, and the result is either a Final Level 2 certification (all requirements Met) or a Conditional Level 2 certification (some items open on a POA&M, with 180 days to close). C3PAO certifications are valid for three years, but a senior official must still affirm continuing compliance annually during that period.
The weighted scoring system for Level 2 is defined in 32 CFR § 170.24. Every requirement is weighted 5, 3, or 1 points according to the exposure its absence creates, and each Not Met requirement has its weight subtracted from a starting score of 110. Two requirements earn partial credit: IA.L2-3.5.3 (MFA) loses 3 points rather than 5 if MFA covers remote and privileged access but not general users, and SC.L2-3.13.11 (CUI encryption) loses 3 rather than 5 if encryption is in place but is not FIPS-validated.
The maximum score is 110 points. To be eligible for Conditional certification an organization needs a score of at least 88 (80%), and the POA&M may contain only 1-point requirements (plus SC.L2-3.13.11 under the partial-credit condition above). A score below 88, a 3- or 5-point requirement on the POA&M, or any of the six requirements the rule bars from a POA&M entirely (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) means no CMMC Status is achieved.
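A small calculator for the scoring and Conditional-status rules, added here as an example; it is not NR Labs code or an official DoD tool. The 1/3/5 weighting and the two partial-credit cases follow the CMMC Scoring Methodology in 32 CFR 170.24 and the Conditional rules follow 32 CFR 170.21; the two findings lists are constructed for illustration, with weights entered as an assessor would record them.

```python
"""Level 2 SPRS score and CMMC Status check (added example, not NR Labs code).

Weighting and partial credit: 32 CFR 170.24.  Conditional rules: 32 CFR 170.21.
The scenario lists at the bottom are constructed inputs, not real assessments.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_SCORE = 110
CONDITIONAL_MIN = 88  # 80% of 110

# Requirements that may never appear on a POA&M, whatever their weight.
POAM_PROHIBITED = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}

# Only these two requirements earn partial credit (deduct 3 instead of 5):
# MFA covering remote/privileged but not general users, or encryption that
# is in use but not FIPS-validated.
PARTIAL_CREDIT = {"IA.L2-3.5.3", "SC.L2-3.13.11"}


@dataclass(frozen=True)
class Finding:
    """One Not Met requirement as an assessor would record it."""
    req_id: str
    weight: int            # 1, 3 or 5 from the scoring methodology
    partial: bool = False  # the partial-credit condition above is satisfied


def deduction(f: Finding) -> int:
    """Points subtracted for this finding; partial credit only applies to the two listed IDs."""
    if f.partial and f.req_id in PARTIAL_CREDIT:
        return 3
    return f.weight


def sprs_score(findings: Iterable[Finding]) -> int:
    """110 minus the deductions for every Not Met requirement."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def cmmc_status(findings: List[Finding]) -> Tuple[str, List[str]]:
    """Return the status these findings support and, if Conditional fails, every reason why."""
    if not findings:
        return "Final Level 2", []
    reasons: List[str] = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN}")
    for f in findings:
        if f.req_id in POAM_PROHIBITED:
            reasons.append(f"{f.req_id} may not be placed on a POA&M")
        elif f.weight > 1 and not (f.req_id == "SC.L2-3.13.11" and f.partial):
            reasons.append(f"{f.req_id} is a {f.weight}-point requirement; only 1-point "
                           "items (and partial-credit SC.L2-3.13.11) may be on a POA&M")
    return ("Conditional Level 2" if not reasons else "No CMMC Status"), reasons


# Constructed scenario A: non-FIPS encryption in use plus two 1-point gaps.
SCENARIO_A = [
    Finding("SC.L2-3.13.11", 5, partial=True),
    Finding("IR.L2-3.6.3", 1),
    Finding("CM.L2-3.4.9", 1),
]

# Constructed scenario B: a score well above 88 that still yields no status.
SCENARIO_B = [
    Finding("AU.L2-3.3.1", 5),
    Finding("IA.L2-3.5.3", 5, partial=True),
    Finding("AC.L2-3.1.20", 1),
]

if __name__ == "__main__":
    for name, findings in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        status, why = cmmc_status(findings)
        print(f"Scenario {name}: score {sprs_score(findings)} -> {status}")
        for reason in why:
            print("  -", reason)
```

Scenario B is the case that surprises people: a 101 is a respectable score, but a 5-point audit-logging gap, a 5-point MFA gap (partial credit reduces the deduction, not the weight), and an external-connections finding that is barred from any POA&M each independently block Conditional status.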
Level 2 is a multi-year program for most organizations. A company with a mature IT environment and an existing NIST 800-171 implementation might need 12 months to achieve C3PAO readiness. A company starting from scratch typically needs 18 to 24 months.
The most common gaps found in Level 2 gap assessments are: incomplete or absent System Security Plan (SSP), missing audit logging with review procedures, lack of FIPS-validated encryption, absent or informal incident response procedures, and inadequate configuration management baselines.
Level 3 applies to organizations working on the most sensitive DoD programs, where CUI has been specifically designated as high-value target data requiring the highest level of protection. These programs are typically identified at the program office level. The contracting officer and program manager will specify Level 3 if it applies.
If you are not certain whether Level 3 applies to your contract, it almost certainly does not. Level 3 is a relatively small portion of the total contract base.
Level 3 requires all 110 Level 2 requirements plus 24 additional requirements selected from NIST SP 800-172, for a total of 134. The additional requirements represent enhanced protections specifically designed to defend against Advanced Persistent Threat (APT) actors.
The 24 additional requirements span areas including enhanced access control (such as just-in-time privileged access), advanced configuration management, penetration testing, threat hunting, supply chain risk management for security-critical components, and enhanced audit analysis capabilities.
Level 3 assessments are conducted exclusively by DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center, a government assessment team. No C3PAO can conduct a Level 3 assessment.
Before pursuing Level 3, an organization must hold a Final (not Conditional) Level 2 certification from a C3PAO covering the systems in the Level 3 assessment scope. DIBCAC then conducts its own assessment of the 24 additional Level 3 requirements. Level 3 certifications are valid for three years.
The determination is contract-driven. Follow this logic:
Step 1: Review your contract clauses. FAR 52.204-21 on its own points to Level 1. DFARS 252.204-7012 signals CUI and therefore Level 2. Where the CMMC clause, DFARS 252.204-7021, is included, it states the required level directly, and a Level 3 requirement will also be called out by the contracting officer.
Step 2: Trace the data. Look at what government information your organization actually receives, processes, stores, or transmits. Talk to your program managers and contracts team. If CUI flows to your systems, Level 2 applies regardless of whether the contract clause is present.
Step 3: When in doubt, default to Level 2. If you are genuinely uncertain whether your data is FCI or CUI, operate as if it is CUI. The cost of under-preparing for Level 2 is far higher than the cost of over-preparing.
A company can have contracts at multiple levels simultaneously. A prime contractor might hold one contract requiring Level 1 (FCI, no CUI) and another requiring Level 2 (CUI involved). In that case, the organization needs Level 2 certification, which also satisfies Level 1. Level 2 is a superset of Level 1.
The CMMC Assessment Scope is defined per assessment, not per company: it covers the systems that process, store, or transmit FCI or CUI, and one certification can be cited for every contract whose data stays inside that scope. Ideally, your entire IT environment is brought to Level 2 rather than trying to create separate environments for Level 1 and Level 2 contracts. Maintaining a segmented environment to reduce assessment scope can be cost-effective for large organizations, but for small and mid-sized contractors, a single Level 2-compliant environment is simpler to manage.
For a complete overview of the CMMC program, see CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.
Not sure which level applies to your contracts? NR Labs can review your contract clauses, trace your data flows, and give you a definitive answer along with a gap assessment scoped to your actual requirements. Contact us to get started.