Understanding CMMC 2.0 Levels

February 1, 2023

Understanding the Cybersecurity Maturity Model Certifications 2.0 Levels (CMMC 2.0)

For those that have not heard of CMMC 2.0, This is the Department of Defense’s (DoD) methodology for holding its supply chain accountable to the implementation of the FAR 52.204-21 and DFARS 252.204-7012. The goal of the CMMC 2.0 Model is to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.

CMMC 2.0 consists of 3 different levels that a DoD Contractor will fall within.

CMMC Level 1: Foundational

The CMMC Level 1 requires the implementation of basic cybersecurity hygiene practices such as performing backups regularly and remediating vulnerabilities on your organization’s information system. This level was intended for Organizations that process Federal-Contract Information (FCI) but not Controlled Unclassified Information (CUI). Organizations are expected to implement “Basic Safeguarding of Covered Contractors Infromation Systems” from Federal Acquisition Regulations. According to FAR 52.204-21, All Federal Contractors are required to implement these basic safeguards, which focus specific controls (e.g., Physical Protections, Access control). While this is the lowest level of CMMC 2.0, Implementing these controls is not a process that should be expected to be done overnight. For this reason, contractors should be mindful of giving themselves an ample amount of time to implement these controls.

CMMC Level 2: Advanced

The CMMC Level 2 encompasses CMMC Level 1 and requires additional security measures to be implemented within the organizations that derive from NIST SP 800-171 Cybersecurity Framework. An organization that is in the manufacturing sector, and/or provides parts or services for weapons defense. It is likely that the organizations will fall under CMMC Level 2 certification. Contractors under this level must comply with the 110 Practices that contain 320 Objectives associated with the NIST SP 800-171.

CMMC Level 3: Expert

The CMMC Level 3 is the highest level obtainable within the CMMC.  Organizations that will fall within CMMC Level 3 are large prime contractors and organizations that work on super-critical national security programs that are significant targets of nation-state adversaries and Advanced Persistent Threat (APT).  Level 3 Requirements are based on the 110 controls from NIST SP 800-171 in addition to the additional advanced controls associated with the NIST SP 800-172. The DoD has provided with this information thus far as CMMC Level 3 has not been officially released to the public and will be subject to change.

It is important to understand what level your organization falls within the CMMC 2.0. The CMMC is daunting for organizations that are not familiar with Cybersecurity measures as before CMMC was introduced organizations were self-assessing. With the introduction of  CMMC, a Certified Third-Party Organizations (C3PAO) has to now assess the DoD contractor to ensure they are in compliance  with DoD or risk not being able to bid on future contracts which can be vital for on going operations of the organizations.


Written By: Chris Gonzalez, RP

By Thomas Nohs