Welcome to ITS! Learn more about our strategic partnership with Digital Seattle!

Kharmela Mindanao

By: Kharmela Mindanao on March 9th, 2023

Print/Save as PDF

What CMMC 2.0 Level Do I Need? (+ A Step-by-step Guide for Choosing)


If you are a business owner working with the Department of Defense (DoD), you may have heard about the Cybersecurity Maturity Model Certification (CMMC) framework.  

CMMC is a set of guidelines created by the DoD to protect the confidentiality, integrity, and availability of information exchanged between the DoD and its contractors. CMMC version 2.0 was recently released, which has raised some questions for business owners.  

Intelligent Technical Solutions (ITS), an MSSP (Managed Security Service Provider), has multiple clients who need specialized advice regarding CMMC. So in this article, we will explore: 

  •  the step-by-step process of identifying the CMMC 2.0 level you need, 
  • what CMMC 2.0 is,  
  • and how you can get CMMC 2.0 for your business.  

By the end of this article, you’ll have a clear idea of the CMMC 2.0 level your company needs to have.  

What is CMMC 2.0? 

CMMC 2.0 is an updated version of the CMMC framework that aims to improve cybersecurity measures for companies working with the DoD. The CMMC 2.0 framework tackles security practices dealing with access control, incident response, and risk management.  

The framework also introduces new concepts, such as micro-enterprise and basic cyber hygiene practices. 

Under the CMMC 2.0 framework, companies must be certified at a certain level to bid on DoD contracts. The certification process is carried out by third-party assessors who evaluate a company's cybersecurity posture based on the requirements of the CMMC framework. 

How to Choose Your CMMC 2.0 Level 

Choosing the appropriate level of certification for your business can seem daunting. However, by following these steps, you can determine the appropriate level of certification for your business with confidence. 

Step 1: Determine the Type of Information Your Business Handles 

type of informationThe first step in choosing the appropriate level of certification for your business is to determine the type of information your business handles. There are two types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

FCI is information provided by the Department of Defense (DoD) to a contractor for the purpose of bidding on a contract. On the other hand, CUI is information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies. 

Step 2: Assess the Risk Your Business Poses to the DoD 

assessment of riskOnce you have determined the type of information your business handles, you need to assess the risk your business poses to the DoD.  

Companies that handle CUI are automatically at a higher risk than those that handle FCI.  

However, other factors such as the size of your business, the sensitivity of the information you handle, and the level of cyber threats in your industry can also impact your risk level. 

To assess your risk level, you should conduct a risk assessment of your business. A risk assessment helps you identify potential risks to your business, assess their likelihood and potential impact, and develop strategies to mitigate them. You can use a cybersecurity risk assessment tool or work with a CMMC consultant to help you conduct a risk assessment. 

Step 3: Review the CMMC Framework 

review the frameworkThe next step is to review the CMMC 2.0 framework. The CMMC framework has three levels of certification, each building upon the previous level. To determine which level is appropriate for your business, you should review the requirements for each level and assess your ability to meet them. 



Step 4: Choose the Appropriate Level of Certification 

level of certificationBased on the type of information your business handles, the risk it poses to the DoD, and your ability to meet the requirements of each level, you can choose the appropriate level of certification. 

The updated CMMC program structure narrows down the number of levels from five to three by doing away with the transition levels 2 & 4. The aim is to simplify the program both for the contractors and the DoD and focus more on the things vital to National Defense. Below are the new levels in CMMC 2.0:  

Level 1 (Foundational)   

This level is the same as the original Level 1 and only applies to companies that focus on FCI protection. It follows the most basic cybersecurity practices based on the 17 controls found in FAR 52.204-21 or the Basic Safeguarding of Covered Contractor Information.  

These controls protect covered contractor information systems and limit access to authorized users.  

Level 2 (Advanced)   

Compliance with Level 2 is applicable to companies working with CUI. It is comparable to the old CMMC Level 3, with requirements that mirror NIST SP 800-171.   

This eliminates all practices and maturity processes unique to CMMC 1.0 and aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.   

Level 3 (Expert)   

The highest level of the CMMC 2.0 Model focuses on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs and can be compared to the old CMMC Level 5.   

While there is still no final list, DoD said that the requirements for this level would be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.  

Step 5: Work with a CMMC Consultant 

CMMC consultantLastly, get in-touch with a CMMC consultant. They can help you understand the requirements of each level and assess your business's ability to meet them. A consultant can also help you develop a roadmap to certification and guide you through the certification process. 

Aside from guiding you through the CMMC process, they’ll help identify gaps in your cybersecurity practices and develop a plan to address them. They can help you implement the necessary security controls and ensure that your business is compliant with the CMMC framework. 

In the long run, working with a CMMC consultant can save you time and money by ensuring that your business is certified at the appropriate level and that you are fully prepared for the certification process. 

Are you ready to get your CMMC 2.0 certification? 

Choosing the appropriate level of certification for your business under the CMMC 2.0 framework can be a complex process. However, by following the previous steps, you can determine the appropriate level of certification for your business with confidence. 

Remember, it's important to assess the type of information your business handles, the risk it poses to the DoD, and your ability to meet the requirements of each level.  

By choosing the appropriate level of certification, you can demonstrate your commitment to cybersecurity and ensure that your business is ready to participate in DoD contracts. 

Once you have chosen the appropriate level of certification and have developed a roadmap to certification with the help of a CMMC consultant, you can begin the certification process. And the best way to start your certification is with a thorough cybersecurity audit of your network. 

As a cybersecurity specialist, ITS provides free cybersecurity resources for businesses. 

Get a free cybersecurity scan, with our expert opinions, and take home more resources about CMMC with our eBook: “Everything You Need to Know About CMMC 2.0 in 2023 

Free Cybersecurity Scan