
What CMMC Level Do I Need? (A 5-Step Guide to CMMC Maturity)

October 26th, 2025 | 5 min. read

By Claudine Santiago


Disclaimer: This article was originally published on March 9, 2023 and has since been updated for comprehensiveness and accuracy.

Defense contractors must meet specific CMMC levels to protect sensitive government data. The right level depends on the type of information your business handles. 

The Cybersecurity Maturity Model Certification (CMMC) framework helps the Department of Defense (DoD) protect information shared with contractors. It sets standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These standards help keep critical defense data safe from cyber threats. 

Intelligent Technical Solutions (ITS) is a Managed Security Service Provider (MSSP) with over 20 years of experience. We help defense contractors understand and meet CMMC requirements. Our team includes certified CMMC professionals who guide businesses through every step of certification. 

In this guide, you will find answers to questions like what the CMMC levels are, how to determine which level you need, and which common mistakes to avoid. 

By the end of your reading, you will understand the three CMMC levels and identify which level suits your business needs. 

What are the CMMC Levels? 

The CMMC program has three levels. Each level has different security requirements. Your contracts determine which level you need. 

Level 1: Basic Safeguarding of FCI 

Level 1 applies to businesses that handle Federal Contract Information. FCI includes basic contract details that the government shares with you. This level requires 17 security controls that come from FAR 52.204-21. 

Basic practices include: 

  • using antivirus software 
  • creating strong passwords 
  • updating software regularly 
  • controlling who accesses your systems 

You can self-assess for Level 1. A senior official in your company verifies compliance. Note that this level requires you to complete this assessment every year. 

Read More: Can You Perform a CMMC Self-Assessment? 

Level 2: Broad Protection of CUI 

Level 2 protects Controlled Unclassified Information. CUI is sensitive data that needs special handling. This includes technical specifications, personnel information, and export-controlled data. 

Level 2 requires 110 security controls that come from NIST SP 800-171, plus the 17 Level 1 controls. You must document your security practices and ensure your processes are repeatable and consistent. 

Most Level 2 contractors need a third-party assessment. A certified CMMC Third-Party Assessment Organization (C3PAO) evaluates your security. Some contractors with less sensitive CUI can self-assess. The DoD decides which option applies to your contract. 

Sean Harris, Chief Security Risk Officer at ITS, explains the scope of CMMC: "Any organization that wants to do work with the Department of Defense or any vendor that's doing work for the Department of Defense is going to be subject to CMMC." 

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats 

Level 3 provides the highest security. It protects against Advanced Persistent Threats (APTs). Only contracts with the most critical programs require this level. 

Level 3 includes all Level 2 requirements plus additional controls that come from NIST SP 800-172. The DoD conducts all Level 3 assessments. You cannot self-assess at this level. 

Before seeking Level 3, you must first achieve Level 2 certification. The assessment process is thorough and can take 18 to 24 months.

How Do You Determine Your CMMC Level? 

The following steps help you identify your required level. 

Step 1: Identify Your Information Type 

Start by understanding what data you handle. Ask yourself these questions: 

  • Do I work with basic contract information?
  • Do I handle sensitive government data? 
  • Does my contract specify security requirements? 

Level 1 involves basic contract-related information from the DoD, known as Federal Contract Information (FCI). It helps you bid on or perform contracts. CUI, by contrast, requires special protection under federal regulations: 

  • Level 2 CUI: This is the standard CUI on your company’s systems. It needs protection using 110 security requirements from NIST SP 800-171 (Revision 2). Level 2 is the baseline when you handle CUI, though some contracts may require Level 3.  
  • Level 3 CUI: This is for select, high-priority DoD programs with especially sensitive CUI. It needs stronger protection using 24 selected requirements from NIST SP 800-172 to defend against advanced persistent threats (APTs). 

The DoD decides which level you need in the contract solicitation. The choice is not based on CUI categories; instead, it depends on how critical the program is to national security. 

Step 2: Review Your Contract Requirements 

Your DoD contract states your required CMMC level. 

Look for security clauses in your solicitation. The contract officer or program office sets these requirements.  

New contracts will specify CMMC levels clearly, while existing contracts may need updates as the program rolls out. 

Step 3: Assess Your Current Security Posture 

Evaluate where you stand today. Review your existing security practices and compare them to CMMC requirements. 

Harris warns about the dangers of skipping proper assessment: "It's unrealistic to expect your internal IT team to be experts in every aspect of compliance and security. Preparing for a CMMC audit requires a deep understanding of the framework and having a third party evaluate your systems beforehand can make all the difference." 

Many businesses overestimate their readiness. A professional gap analysis reveals your true compliance level and saves you time and money before the official assessment. 

Step 4: Calculate Your Timeline 

Different levels need different timeframes. Consider your deadline for the contract award. 

  • Level 1 can take 30 days to several months. The timeline depends on your current security practices. 
  • Level 2 typically requires 6 to 12 months. You need time to implement controls and document processes. 
  • Level 3 takes 18 to 24 months or longer. The government-led assessment is thorough. You must already have Level 2 certification. 

Read More: CMMC Certification: How Long Does It Take to Get Certified? 

Step 5: Work with a CMMC Consultant 

A consultant helps you navigate the certification process. They assess your gaps and create a roadmap. They also guide you through implementation and preparation.

Harris emphasizes the value of expert guidance: "Without this external review, you risk walking into an audit unprepared, which not only jeopardizes your certification but can also result in wasted money and resources." 

On that note, consultants help you: 

  • identify missing security controls 
  • develop policies and procedures 
  • train your team 
  • prepare for assessment 

They save you time by preventing costly mistakes and ensuring you meet requirements the first time. 

What Are Common Mistakes to Avoid? 

Many contractors make these errors when choosing their CMMC level.

1. Assuming You Need Level 3

Most contractors need Level 1 or Level 2. Level 3 applies only to critical programs. Check your contract before assuming you need the highest level.

2. Delaying Your Start

CMMC certification takes time. Starting early prevents rushed implementation. It gives you time to fix gaps properly. 

The program is rolling out in phases. Early preparation positions you for future contracts.

3. Relying Only on Internal Assessment

Internal teams often miss compliance issues. They lack objectivity and specialized knowledge. External experts provide a fresh perspective and deep expertise. 

Third-party assessment catches problems before the official audit. This protects your certification investment. 

Making the Right CMMC Choice 

Selecting your CMMC level is critical for defense contracting. The right level protects government data and maintains contract eligibility. Conversely, wrong choices lead to failed assessments and lost opportunities. 

Most contractors need Level 1 or Level 2 certification. Your contract type and information sensitivity determine your requirements. 

Working with experienced professionals simplifies the certification process. They provide objective assessment and help you implement controls efficiently. This preparation increases your success rate. 

ITS specializes in helping defense contractors achieve CMMC certification. Our certified professionals understand the framework deeply. We provide gap analysis, implementation support, and audit preparation to help you plan improvements. 

Ready to determine your CMMC level? Schedule a meeting with ITS compliance experts today. Get a free cybersecurity assessment today to understand your current position. 

Frequently Asked Questions 

Q: What is the difference between FCI and CUI? 

A: FCI is basic contract information from the DoD used for bidding or performing work. CUI is sensitive information requiring special protection under federal regulations. 

Q: Can I self-assess for all CMMC levels? 

A: You can self-assess for Level 1 and some Level 2 contracts. Most Level 2 contracts require a third-party assessment. Level 3 always requires a DoD assessment. 

Q: How often do I need CMMC recertification? 

A: Level 1 requires annual self-assessment. Level 2 and Level 3 certifications last three years before reassessment is required. 

Q: What happens if I fail a CMMC assessment? 

A: Failing means you cannot bid on contracts requiring that level. You must fix identified gaps and undergo reassessment, which costs additional time and money. 

Claudine Santiago

Claudine has 5+ years of experience in SEO and content writing, with expertise in technical and B2B content. She expresses herself through fashion and maintains balance through an active lifestyle at the gym. With a background in Psychology, Claudine is naturally curious about people and their stories. She channels this curiosity into crafting narratives that connect brands with audiences. Her passions and profession align, fueling her drive to create with imagination, curiosity, and heart.