CMMC Levels Explained: Requirements for Levels 1, 2, and 3

CMMC Levels Explained: Requirements for Levels 1, 2, and 3

Every solicitation that carries a Cybersecurity Maturity Model Certification (CMMC) requirement names a level: 1, 2, or 3.

That single digit is easy to skim past, but it quietly decides your next year: how many controls you implement, who assesses your work, what it costs, and how long before you're eligible for the award.

The three CMMC levels look like a simple ladder from the outside. In practice, the gaps between the rungs are enormous.

Level 1 is a structured self-check. Level 2 is a full security program with an outside assessor. Level 3 is reserved for work where nation-state hackers are the assumed adversary.

This guide walks through each level in detail: the requirements, the assessment mechanics, the statuses you can earn, and how to tell which level your contracts will demand.

TL;DR

  • CMMC 2.0 has three levels matched to data sensitivity. Level 1 covers FCI with 15 basic safeguarding requirements, Level 2 covers CUI with all 110 NIST 800-171 controls, and Level 3 adds 24 more from NIST 800-172 for the most sensitive programs.
  • Verification escalates with the level. You self-assess annually at Level 1, face a C3PAO assessment every three years at Level 2, and undergo a government-led DIBCAC assessment at Level 3.
  • Assessments produce a status, not a pass or fail. A Final CMMC status means every requirement was MET, while a Conditional status starts a 180-day clock to close POA&M items and pass a closeout assessment.
  • Your data decides your level. FCI alone indicates Level 1, any CUI indicates Level 2, and each solicitation specifies the required status as a condition of contract award.
  • MotherBear gives contractors and consultants one place to build and store everything each level demands, from control status and evidence to the SSP and annual affirmations.

What Is Cybersecurity Maturity Model Certification?

CMMC is the Department of Defense’s (DoD) program for verifying that contractors protect sensitive information across the defense supply chain. That contractor network is known as the Defense Industrial Base (DIB).

It covers two data types: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Both involve sensitive information the government creates or contractors handle on its behalf, and neither is meant for public release. CUI carries additional safeguarding and dissemination controls under federal policy.

The verification part is the point. Contractors were already obligated to meet cybersecurity requirements under existing regulations, but compliance was self-reported and unevenly real.

The CMMC program adds the checking, giving the DoD a formal way to verify DIB implementation of its cybersecurity standards.

Depending on the level, organizations either formally self-assess or undergo an outside evaluation to demonstrate compliance before they can qualify for contracts involving FCI or CUI.

Enforcement began in November 2025, with new DoD contracts incorporating security requirements in phases through 2028, reaching every organization in the supply chain that handles FCI or CUI.

How the CMMC 2.0 Levels Work

The current framework, CMMC 2.0, organizes its requirements into three progressively advanced levels, consolidated from the five levels of the original 2020 model after industry feedback about cost and complexity.

Which of the three certification levels applies has nothing to do with company size or contract value. It tracks the sensitivity of the information involved.

All three levels draw from the same underlying structure of security domains, familiar territory like:

  • Access control
  • Incident response
  • Configuration management
  • Personnel security
  • Physical protection
  • Media protection
  • Communications protection

What changes as the levels climb is how many requirements apply, how they're verified, and who verifies them. The levels are also cumulative, so each one contains everything below it.

Your required level arrives in the solicitation: DoD requests for proposals include a clause naming the CMMC status a contractor and its subcontractors must hold as a condition of contract award. Here's what earning each one involves.

CMMC Level 1: Basic Safeguarding of FCI

Level 1 applies to contractors whose work involves FCI but never touches CUI. The requirements come from the Federal Acquisition Regulation (FAR) clause 52.204-21, and there are 15 of them.

These are basic cyber hygiene fundamentals meant to protect FCI, such as limiting system access to authorized users, controlling physical access to equipment, sanitizing media before disposal, and keeping malicious code protection current.

The bar is deliberately low in scope but not in rigor. Verification happens through an annual self-assessment against all 15 requirements, with the results posted to the Supplier Performance Risk System (SPRS) and a senior company official submitting an annual affirmation of compliance.

That affirmation carries legal weight, since a false one is the kind of misrepresentation that has already produced False Claims Act settlements.

One rule surprises many Level 1 contractors: there's no partial credit. Every requirement must score as MET, and Plans of Action and Milestones (POA&Ms) aren't permitted at this level. If a control isn't fully implemented, the honest move is fixing it before self-assessing, not affirming around it.

CMMC Level 2: Broad Protection of CUI

Level 2 is where most of the DIB handling CUI lands, and where the workload multiplies. The requirements are the 110 security requirements of NIST 800-171, spanning all of the security domains, from access control and incident response through risk assessment and system integrity.

When an organization implements them, real infrastructure follows: multi-factor authentication, encryption, audit logging, an incident response plan, and a System Security Plan (SSP) documenting how each requirement is met.

The security assessment happens every three years, with annual affirmations in between, and it follows one of these two paths:

  • Level 2 self-assessment. Permitted only when the contract's CUI falls outside the defense-related categories, with results entered into SPRS by the organization itself. Expect this path to be rare: the Cyber AB, the program's accreditation body, has indicated fewer than 5% of Level 2 organizations will qualify.
  • Level 2 certification assessment. The default for CUI in defense work: a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO), whose assessors examine documentation, test controls, and interview staff before a status is issued. This is the certification path most contractors mean when they talk about “getting CMMC certified.”

Unlike Level 1, Level 2 permits POA&Ms for select requirements, provided the assessment reaches a minimum score. That mechanism creates the Conditional and Final status distinction, and it's the safety valve that lets organizations certify while closing their last gaps on a deadline.

CMMC Level 3: Defending Against Advanced Persistent Threats

Level 3 exists for the small slice of contractors supporting the DoD's most sensitive national security programs, where the assumed adversary is an Advanced Persistent Threat (APT) with nation-state resources, the kind that targets third party vendors to reach the primes above them.

The requirements build directly on Level 2: organizations must first hold a Final Level 2 certification covering the same CMMC assessment scope, then implement 24 additional requirements selected from NIST 800-172, bringing the total to 134.

The assessment changes hands, too. Rather than a C3PAO, Level 3 evaluations are conducted by the government itself, through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), on the same three-year cycle with annual affirmations.

For most readers, Level 3 is context rather than a to-do list. The DoD applies it to a narrow set of programs, and contractors who need it will find it named explicitly in their solicitations, with their contracting officers well aware of what it entails.

CMMC Levels Compared

Here's the full picture side by side, comparing the key features and CMMC assessment requirements of each level:

Level 1

Level 2

Level 3

Data protected

FCI

CUI

CUI on the most sensitive programs

Requirements

15

110

134 (110 + 24)

Source standard

FAR 52.204-21

NIST 800-171

NIST 800-171 + NIST 800-172

Assessment type

Self-assessment

C3PAO certification for most; self-assessment for a small minority

Government-led (DIBCAC)

Frequency

Annually

Every three years

Every three years

Annual affirmation

Yes

Yes

Yes

POA&Ms allowed

No

Yes, for select requirements with a qualifying score

Yes, for select requirements with a qualifying score

The pattern in the table is worth naming: as data sensitivity rises, verification moves further from your own hands. You check yourself at Level 1, an accredited third party checks you at Level 2, and the government itself checks you at Level 3.

Conditional vs Final CMMC Status: How the Scoring Works

Passing a CMMC assessment doesn't produce a simple pass or fail. It produces a CMMC status, and the status comes in two forms that behave very differently.

  1. Final CMMC status: Means full implementation. every in-scope requirement scored as MET. This is the clean outcome, with the status holding for its full term and only annual affirmations needed to ensure compliance stays on record.
  2. Conditional CMMC status: The assessment revealed gaps, but small enough ones to certify around, temporarily. At Level 2, an organization qualifies if it reaches a minimum score of 88 out of 110, with the shortfalls limited to requirements eligible for a POA&M.

From the conditional CMMC status date, a 180-day countdown starts: the organization must close every POA&M item and pass a closeout assessment verifying the fixes.

Clear the closeout, reach full compliance, and the status converts to Final. Miss the window and the status, along with the contract eligibility that depends on it, is at risk.

Two practical notes complete the picture. First, not every requirement can be deferred to a POA&M; the highest-weighted ones must be MET on assessment day, so a Conditional status can't be engineered by postponing the hard parts.

Second, for organizations seeking assessment at Level 2, the same logic applies on both paths: a self-assessing organization enters its initial self-assessment results and affirmation into SPRS, closing any POA&M items through a closeout self-assessment, while C3PAO results flow into the DoD's systems through the assessor.

Either way, the 88-point threshold and 180-day window govern, and the resulting SPRS CMMC status is what contracting officers check at award time.

Treat a Conditional status as temporary eligibility, not a finished certification. It restores eligibility, but the six-month clock it starts is the least forgiving one in the program.

Which CMMC Level Do You Need?

The short version: among the CMMC levels, your data decides, and your contracts confirm.

Work that involves only FCI points to Level 1. The moment CUI enters your systems, Level 2 applies, and for the overwhelming majority of CUI-handling DoD contractors, that means the C3PAO certification path. Level 3 only enters the picture when the DoD names it, which it reserves for its most sensitive programs.

You don't have to guess, though. Each solicitation states its required level, and each prime contractor passes the requirement down to subcontractors along with the data.

The harder question is usually anticipating the level before the solicitation arrives, since a Level 2 certification takes months of preparation, and waiting for the contract to confirm what your data already told you is how bids get missed.

Manage CMMC Compliance at Every Level With MotherBear

Whatever level your contracts demand, the daily work looks the same: requirements to implement, evidence to collect, continuous monitoring to keep documentation current, and affirmations to file on time.

The difference between levels is volume, and volume is exactly what breaks scattered tracking.

MotherBear is CMMC compliance software that gives defense contractors and consultants a central place to build and store everything: control status, evidence, the SSP, and annual affirmations, organized by the level and scope each contract requires.

Book a demo and see how MotherBear keeps every requirement, at every level, tied to the evidence you need to prove it.

FAQs About CMMC Levels

What are the tiers of CMMC?

CMMC 2.0 has three tiers. Level 1 covers contractors handling only FCI, with 15 requirements verified by annual self-assessment. Level 2 covers CUI, with all 110 NIST 800-171 requirements and, for most organizations, a C3PAO assessment every three years. Level 3 adds 24 requirements from NIST 800-172 for the most sensitive programs, assessed by the government.

Is there a CMMC level 3?

Yes. Level 3 is the framework's highest tier, designed to defend against advanced persistent threats. It requires a Final Level 2 certification first, adds 24 requirements from NIST 800-172, and is assessed by the DoD's DIBCAC rather than a commercial assessor. Only a small fraction of the DIB needs it.

Is there a CMMC level 4?

Not anymore. The original CMMC 1.0 model from 2020 had five levels, but CMMC 2.0 consolidated the framework to three in response to industry feedback about cost and complexity. Anything you read about Levels 4 or 5 describes the retired model.

What happens to CMMC Level 2 in November 2026?

Level 2 requirements are already appearing in contracts, some since November 2025. What changes on November 10, 2026 is Phase 2 of the rollout, when C3PAO certification requirements expand to applicable Level 2 solicitations rather than self-assessment alone. Our CMMC implementation timeline guide covers each phase and what it changes.

Need CMMC Level 1, 2 or 3?

Schedule a demo of MotherBear to see how we streamline compliance