CMMC Level 1 vs. Level 2 vs. Level 3: Which Certification Does Your Business Need?
Introduction: Why Understanding CMMC Levels Matters for Your Business
If you're a government contractor or supplier working with the U.S. Department of Defense (DoD), achieving the right CMMC certification level is critical for both contract eligibility and long-term success. But which level does your business need: CMMC Level 1, Level 2, or Level 3?
Choosing incorrectly can either disqualify you from bids or waste time and money on unnecessary requirements. In this blog, we'll help you understand each level and how to determine the right one for your organisation.
What is CMMC? A Brief Overview of the Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is a security framework developed by the DoD to ensure that all contractors and subcontractors handling sensitive government data have appropriate cybersecurity practices in place.
It's broken down into three maturity levels, each designed to protect different types of information:
- Level 1: Basic Federal Contract Information (FCI)
- Level 2: Controlled Unclassified Information (CUI)
- Level 3: High-priority CUI and high-risk environments
CMMC Level 1: Basic Cyber Hygiene Requirements and Applicability
CMMC Level 1 is considered the entry point. It focuses on 17 foundational cybersecurity practices, such as:
- Access control
- Device and software updates
- Password protection
Who needs it?
Businesses that handle only Federal Contract Information (FCI): data not intended for public release, but not classified either. These companies generally don't process CUI or sensitive defence data.
Goal: Demonstrate basic cyber hygiene with annual self-assessments.
CMMC Level 2: Intermediate Cybersecurity Practices for Handling CUI
CMMC Level 2 is the sweet spot for most mid-sized defence contractors. It requires compliance with NIST SP 800-171, including 110 security controls.
Key practices include:
- Multi-factor authentication
- Incident response planning
- Controlled use of administrative privilege
Who needs it?
Organisations that create, store, or transmit Controlled Unclassified Information (CUI). Level 2 is divided into two subsets:
- Prioritised acquisitions: Require third-party assessment by a C3PAO
- Non-prioritised acquisitions: Require annual self-assessment
Goal: Protect CUI in non-federal systems and networks.
CMMC Level 3: Advanced Security Requirements for High-Risk Defence Contractors
CMMC Level 3 is designed for companies working with high-value assets or national security-critical information.
It includes:
- All Level 2 practices
- Additional controls based on NIST SP 800-172
- Continuous monitoring and proactive threat response
Who needs it?
Organisations that support critical DoD programs or manage highly sensitive CUI in high-risk environments.
Goal: Maintain the highest standards of cyber resilience with government-led assessments.
Key Differences between CMMC Level 1, Level 2, and Level 3
| Feature | Level 1 | Level 2 | Level 3 |
| --- | --- | --- | --- |
| Info Type | FCI | CUI | High-Value CUI |
| Controls Required | 17 | 110 (NIST 800-171) | 110+ (NIST 800-171 + 172) |
| Assessment Type | Self-assessment | Self/Third-party (C3PAO) | Government-led |
| Use Case | Entry-level contractors | Mid-sized defence suppliers | High-security DoD contracts |
How to Determine Which CMMC Level is Right for Your Organisation
Ask yourself:
- Do we handle CUI or FCI?
- Are we a prime contractor or subcontractor?
- What are the DFARS compliance clauses in our contracts?
- Has the DoD specified a CMMC requirement in our RFPs or RFIs?
If you handle CUI but not high-value assets, CMMC Level 2 is likely your best fit. For basic engagements, Level 1 may suffice. For critical DoD work, you'll need to aim for Level 3.
The Importance of Aligning Your Certification Level with DoD Contract Requirements
Compliance isn't optional; it's a contractual requirement. Misalignment between your certification level and contract needs can result in:
- Lost bidding opportunities
- Delayed onboarding
- Audit failures
- Reputational damage in the defence space
Ensure you're aligned with your DoD customer's expectations before beginning the assessment process.
Common Mistakes Businesses Make When Choosing a CMMC Level
- Underestimating data sensitivity: Mistaking CUI for FCI
- Over-investing in Level 3 when Level 2 is sufficient
- Ignoring third-party vendor risks
- Failing to consult a CMMC advisor or compliance expert
Conclusion: Preparing for the Right CMMC Level to Ensure Compliance and Contract Eligibility
Choosing the wrong level not only drains resources but can also hinder growth in the defence contract ecosystem.
Understanding the differences between CMMC Level 1, Level 2, and Level 3 is key to staying competitive, compliant, and secure in the defence industry. Start with a gap analysis, align with your contract requirements, and work with a trusted advisor to guide your certification journey.