Which CMMC Level Is Right For You?

By Scott Dawson
August 31, 2021

CMMC Certification Levels Updated 2023

With the requirements of Cybersecurity Maturity Model Certification (CMMC) soon to be finalized, all Department of Defense contractors will require some level of cybersecurity. Even though cybersecurity has nominally existed in these contracts for years, many companies are only now considering cybersecurity practices.

CMMC is a maturity model. This means that CMMC isn’t a “one size fits all” certification like ISO 27001. Instead, different companies will require different levels of CMMC.

CMMC includes a progression of gradually building requirements across three levels. Level 2 contains the requirements of Level 1, Level 3 contains the requirements of Level 2, and so forth.

But how do you know which CMMC level is right for you?

The Basics

Let’s simplify things: even though CMMC contains three levels, you likely only need to worry about Level 1 and Level 2.

The previous version of CMMC (v1.0) included “transition levels,” but the latest version (CMMC v2.0) has removed these entirely. Level 3 now contains expert-level requirements for handling highly sensitive information, and few contractors will need this level of security.

The vast majority of contractors will require either Level 1 or Level 2.

But what makes these levels different, and how do you know which one will apply to your organization?

CMMC Level 1 and Level 2 – What’s the Difference?

CMMC addresses two types of government information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Although this information isn’t technically classified, it should still be protected; in the wrong hands, it could lead to tactical disadvantages or larger security breaches. We cover the difference between FCI and CUI more extensively in a previous article.

CMMC Level 1 exists to protect FCI.

This is the simplest level of CMMC. It contains the 17 cybersecurity practices that make up Foundational cybersecurity.

These practices come from the Federal Acquisition Regulation, or FAR, which applies to all government contracts. Technically, all government contracts already require this basic level of cybersecurity. Under CMMC 2.0, Level 1 companies will now require an annual self-assessment submitted to the Supplier Performance Risk System (SPRS) and affirmed by company leadership.

CMMC Level 2 exists to protect CUI.

This level contains the 110 cybersecurity practices that make up Advanced cybersecurity.

As you can tell from the number of practices, Level 2 is much more complex than Level 1. But if you handle CUI, you will need at least this level. In the future, CUI will be clearly labeled in federal contracts, but CMMC assessments will likely begin before this takes place.

When don’t you need CMMC?

There’s only one circumstance in which a DoD supplier doesn’t need CMMC, and that’s in the case of Commercial Off-The-Shelf (COTS) products. If you are only supplying the same standard, commercially available products you produce for other customers, you likely don’t need CMMC. But the moment you start making defense-specific modifications based on a contract, you’ll require at least CMMC Level 1.

The Right CMMC Level For You

So what CMMC level will your organization require?

It all depends on the information that flows down to your organization. If you’re receiving CUI, whether from another contractor or directly from the DoD, you will require Level 2. If not, you only handle FCI, and you will require Level 1.


CUI Flowdown


At the top level, the DoD provides information to a prime contractor. This information likely contains CUI and requires CMMC Level 2 or higher. These prime contractors work with subcontractors, such as manufacturers, to whom they hand down the necessary government information. Those suppliers hand down information to their suppliers, and so forth.

In this way, CUI flows down through contractors to subcontractors. If you are a subcontractor, and the prime contractor above you handles CUI, you might also handle CUI. In this case, you would require Level 2.

But it’s also possible that, even though the prime contractor handles CUI, they will only pass FCI down to your organization. In this case, you would only require Level 1.

It all depends on the actual information flowing down to your organization.

In the future, DoD contracts and sub-contracts will clearly state the required CMMC level. But it’s important to anticipate the requirements now to start preparing for future self-assessment or certification.

A Good Rule of Thumb

Want to know if you will actually require Level 2 certification? Look in your current contract for references to DFARS 252.204-7012. This DFARS regulation only applies to contracts that handle CUI. So if you see this in your contract, you can trust that you will require CMMC Level 2 in the near future.

It’s possible that one of your contracts will require CMMC Level 2, while another only requires CMMC Level 1. In such a case, you would still need to achieve the higher level.

But even if you don’t think your current contracts will require Level 2, plan strategically. Do you want to do more government contracting in the future? What contracts do you hope to win? CMMC will soon apply to all DoD contracts, and other government agencies are already considering CMMC as a contract requirement.

You might not need Level 2 now, but if you want to win more government contracts in the future, this level could tip the scale in your favor.

And remember that all DoD contracts will require at least Level 1, and the requirements for Level 1 are contained in every subsequent level. If you’re a DoD contractor—or if you hope to win future DoD contracts—you should start working toward CMMC Level 1 today.

How Core Can Help

At Core Business Solutions, we specialize in helping American small businesses achieve cybersecurity. As a Registered Provider Organization with the CMMC Accreditation Board (CMMC-AB), we’re trained to help businesses like yours achieve CMMC. We have several CMMC-AB Registered Practitioners on staff, ready to help you apply these requirements to your business. We also provide training, gap assessments, and technical security solutions to take the “guesswork” out of CMMC prep.

Here’s a look at how Core Business Solutions can help your business:

    • Our Registered Practitioner consultants help you learn the requirements of CMMC and apply them to your specific context.
    • We provide online training for your leadership, staff, and IT professionals.
    • We deliver the technical security solutions required for certification, such as vulnerability scanning and management. We’re in the process of rolling out even more solutions, including email security and penetration testing.
    • We assist your company in self-assessment and preparation for third-party certification audits.

You can learn even more at our CMMC page. We also host regular CMMC webinars to explain the practices and answer your questions.

Ready to start your CMMC journey? Want help figuring out which CMMC level applies to you?
