
A Guide to the Levels of CMMC

MNS Group, Feb 17, 2026 9:05:19 AM, 2 min read
CMMC Requirements Guide

If your business works anywhere within the Defense supply chain, you’re likely aware of CMMC (Cybersecurity Maturity Model Certification). However, there's still confusion around what the actual CMMC requirements are and which level applies to a given organization.

The good news: we've got a quick guide to help you understand.

Even better, you can reach out to our team anytime if you want to talk it through.

CMMC 2.0 Guide - Levels and Requirements

There has been an assumption that the CMMC level is determined by company size or revenue. Ultimately, it comes down to the type of data involved in your contract, and in a growing number of cases, the flowdown requirements of the Prime.

CMMC 2.0 consists of three levels, and the level you must meet mostly depends on the type of information your organization handles in support of a Defense contract.

Level 1 - Foundational

Level 1 is the foundational tier. It applies to all federal and Defense contractors and requires them to implement 15 basic cyber hygiene practices, derived from FAR 52.204-21, to protect Federal Contract Information (FCI).

Contractors must also complete an annual self-assessment and affirm their ongoing compliance. For businesses managing only basic contract data, Level 1 establishes the minimum cybersecurity baseline.

Level 2 - Advanced

Level 2 is required for organizations that handle Controlled Unclassified Information (CUI). This level aligns with the 110 security requirements found in NIST SP 800-171. Depending on the sensitivity of the contract, companies at Level 2 may be permitted to perform a self-assessment or may be required to undergo a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). In most cases where CUI is involved, a C3PAO assessment should be expected.

Flowdown Caveat

A prime contractor is responsible for flowing down CMMC requirements to its subcontractors, which means that even if you do not hold a direct contract with the DoW, you will still be required to meet Level 2 requirements. We've noticed a trend in which major primes are requiring Level 2 compliance throughout their entire supplier network.

Level 3 - Expert

Level 3 applies to a smaller subset of contractors supporting high-priority or sensitive programs. This level builds upon Level 2 and incorporates additional requirements from NIST SP 800-172. Assessments at this level are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Next Steps

Understanding your obligations early is critical, as misidentifying your required level can delay contract awards and introduce compliance risk.

If you know you will need a C3PAO assessment in the future, get on the calendar ASAP, as spaces are filling up.

If you’re unsure which CMMC level applies to your organization, reach out to one of our experts today.
