Your guide to the CMMC 2.0 levels

Your guide to the CMMC 2.0 levels

Avatar photo
Hwei Oh
8 min read
Share this article:

To safeguard national security information, the Department of Defense (DoD) established CMMC, a comprehensive framework that ensures all DoD contractors have the appropriate security controls in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the millions of cyberattacks that are coming in daily. In December, the DoD published proposed rules for the next iteration of the security model, CMMC 2.0.

Starting in 2026, all DoD contractors and their subcontractors who want to bid on DoD contracts will need to meet these requirements, a process that could require a significant lift depending on which level they fall into. Though the final iteration of the rules has not yet been officially published, the basic framework is expected to remain the same. Given how comprehensive the process is, it’s wise to get started sooner rather than later to ensure you meet the requirements by the 2026 deadline.

The first step in meeting CMMC 2.0 requirements is to determine which level your business falls under. This will help you understand which requirements apply to you; and, equally important, it will provide insights into how much time and effort will be needed to meet these requirements. Below, we’ve assembled a guide to the CMMC 2.0 levels and how businesses can become compliant. 

What are the CMMC 2.0 levels?

In CMMC 1.0, the DoD established five maturity levels that correspond to the types of data a contractor handles. CMMC 2.0 was created to simplify some of the complexities of CMMC 1.0; and, to that end, condenses the five levels down to three. The levels also now align with widely accepted NIST cybersecurity standards. The requirements laid out in each level are unique and vary quite drastically, so it’s vital that businesses know where they fall before getting started.

CMMC Level 1

As in CMMC 1.0, Level 1 is the lowest maturity level and only requires businesses to implement basic cybersecurity practices. It applies to DoD contractors that handle FCI but not CUI, which the DoD estimates is roughly 60% of its contractor base. The foundational level hasn’t changed drastically from CMMC 1.0. Level 1 states that companies must implement the 17 basic cybersecurity practices laid out in FAR 17. These practices broadly fall into six domains:

  • access control
  • identification and authentication
  • media protection
  • physical protection
  • system and communications protection
  • system and information integrity

These securities can be performed ad-hoc without documentation.

Because documentation isn’t required and Level 1 contractors aren’t handling sensitive government information, they can conduct annual self-assessments to prove they are compliant with CMMC. Companies will need to use the Supplier Performance Risk System to conduct self-assessments and submit their scores to the DoD. Additionally, they will need to provide affirmation from a senior official stating that the company meets the FAR 17 requirements.

Though Level 1 contractors only need to apply 17 controls, implementing even the most basic cybersecurity practices could be a heavy lift for businesses that don’t already have them in place. So it’s wise to begin the work early and enlist the help of security experts if your business lacks the expertise in-house.

CMMC Level 2

Though a majority of contractors will fall into Level 1, a significant portion of contractors will fall into the Level 2 pool. Level 2 applies to all contractors that handle CUI, whether the information is critical or non-critical to national security. Many manufacturers that make parts or provide services for weapons will fall into Level 2.

Level 2 requirements are significantly more advanced — and robust — than Level 1 requirements. Level 2 contractors will need to meet 110 cybersecurity controls. Fortunately, these controls are the same as those laid out in NIST 800-171, which simplifies things for contractors following the NIST framework.  Level 2 controls fall within 14 buckets, which are as follows:

  1. Access control: This domain contains 22 controls that relate to isolating key systems, controlling authorized privileges, and securing remote connections.
  2. Audit and accountability: With 9 controls, this domain tasks contractors with tracking users and activity within their digital ecosystems to ensure they understand what’s happening in their digital tools and can accurately report on that.
  3. Awareness and training: There are only 3 controls within this domain that relate to educating staff about cybersecurity best practices and understanding the risks associated with their roles and positions.
  4. Configuration management: The 9 configuration management controls call for contractors to establish and maintain systems; including hardware, software, firmware, and documentation to ensure they remain secure. It also asks contractors to set up processes to track system changes to ensure they follow security best practices.
  5. Identification and authentication: These 11 controls relate to password management to ensure all users and systems utilize authentication best practices.
  6. Incident response: The 3 controls within the incident response domain relate to creating an incident response strategy that allows businesses to quickly and effectively detect, analyze, report, and respond to suspected security breaches.
  7. Maintenance: These 6 controls ensure that system maintenance is performed regularly and in a way that protects sensitive data.
  8. Media protection: The 9 controls in this domain ensure that paper and digital media are properly protected and disposed of to safeguard CUI.
  9. Personnel security: With just 2 controls, this domain deals with protecting CUI when employees are terminated or transferred. 
  10. Physical protection: Much like it sounds, the 6 controls within this domain are designed to ensure that the facilities that house company hardware, devices, servers, and audit logs are monitored and protected from physical damage and bad actors.
  11. Risk assessment: These 3 controls ask businesses to conduct regular risk assessments, regularly scan systems for vulnerabilities, and remedy any vulnerabilities in a timely manner. 
  12. Security assessment: According to the 4 controls within this domain, contractors need to define a clear security strategy, regularly evaluate their security capabilities, and create a plan of action for spotting and fixing vulnerabilities.
  13. System and communications protection: With 16 controls, this makes up the second largest domain. It involves controlling and protecting communication and information transfers across your network devices.
  14. System and information integrity: Finally, the 7 controls in this domain are meant to prevent data theft and spying through real-time monitoring of your networks and a plan for promptly responding to security alerts.

Because the Level 2 controls require documentation and the creation of repeatable security processes, the assessment rules are different from those established in Level 1. Within Level 2, there are two subcategories of contractors — those that handle non-critical national security information and those that handle critical national security information. Level 2 contractors that handle non-critical information (roughly half of all Level 2 contractors) are still able to conduct annual self-assessments. Contractors handling critical national security information, however, need to hire a third-party assessment organization (C3PAO) to review their implementation of the security controls. The C3PAO assessments need to be repeated every three years for a business to remain compliant.

CMMC Level 3

The most advanced security requirements will apply to large prime contractors, contractors that handle top-secret information, or those working on critical national security programs that could be targeted by nation-states or other Advanced Persistent Threats. The DoD estimates that fewer than 1,000 contractors will fall into Level 3.

Much like Level 2 contractors, Level 3 contractors need to meet the 110 controls established in NIST 800-171. However, Level 3 contractors must also meet the 35 advanced controls detailed in NIST 800-172. Unlike Levels 1 and 2, the advanced controls in Level 3 call for contractors to have a more active role in the management of the controls and measure their effectiveness over time.

The control families of NIST 800-172 match those in NIST 800-171 exactly. All families listed in Level 2 have additional Level 3 advanced controls except for audit and accountability, maintenance, media protection, and physical protection. These advanced controls are meant to protect sensitive information from Advanced Persistent Threats. To do that, businesses need to develop a cybersecurity strategy that contains the following three elements:

  • Penetration-resistant architecture
  • Damage-limiting operations
  • Cyber resiliency survivability

Due to the sensitive nature of the information Level 3 contractors handle, their assessments cannot be conducted in-house or by a C3PAO. Every three years, a government team will be tasked with reviewing the implementation of Level 3 controls.

It should be noted that regardless of which level a business falls into, the business must meet the requirements in both practice and process to achieve the certification. If a contractor fails to meet the requirements in one of those two areas, they will be bumped down to the level where they meet both criteria. For instance, if a contractor achieves Level 3 practices but only Level 2 processes, that contractor will be certified at CMMC Level 2. That will, of course, impact the work it is capable of doing as part of its partnership with the DoD.

How to prepare for CMMC certification

Becoming CMMC compliant is a lengthy process that requires significant time, effort, and knowledge of security best practices. Depending on your designated level, you will need to implement multi-factor authentication, host cybersecurity training for employees, develop an incident response plan, invest in a cybersecurity tech stack, regularly patch software, maintain audit logs, and put cybersecurity tools and processes in place to ensure you are consistently meeting the CMMC requirements.

Not only is it important to have the right processes and controls in place, but there should also be an established infrastructure that allows you to document and effectively demonstrate those efforts in order to become CMMC certified. This process is extremely comprehensive and hinges on specific elements being in place — even a minor misstep can delay the process or entirely prevent you from getting certified.

Without a dedicated security team or a team that can commit its full resources to the certification efforts, businesses may struggle to hit the 2026 deadline and maintain their certification in the years following. But a managed security services provider can help.

With a managed security services provider, you can fully outsource your security efforts. They can help you determine which CMMC level you fall under as well as assist you to acquire the tools and establish the processes needed to ensure your company is compliant with CMMC 2.0. With an in-house team, the process of becoming compliant could take years.

SolCyber is here to make achieving CMMC 2.0 compliance a breeze. SolCyber’s Foundational Coverage GOV Edition services come with the tools and infrastructure you need right now and in the future.

Ready to become CMMC 2.0 compliant? Reach out to the experts at SolCyber today.

Update: In May 2024, NIST released a new update to its NIST SP 800-171 and NIST SP 800-171A frameworks, which are tied to CMMC certification requirements. This new revision, titled Revision 3 (or r3 for short), makes some tangible changes to previous versions. However, at the time of this writing, CMMC certification is still reliant on NIST SP 800-171r2, so the below article is still applicable. If that changes, we’ll have a new post detailing how the new revision affects CMMC.

Avatar photo
Hwei Oh
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

The world doesn’t need another traditional MSSP or MDR or XDR.
What it requires is practicality and reason.

And security that won’t let you down. It's time to put an end to the cyber insanity once and for all.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!


Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

SolCyber. All rights reserved
Made with
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo