CMMC levels: Definition, requirements, and assessment types

The Cybersecurity Maturity Model Certification (CMMC) has fundamentally reshaped how the Department of Defense (DoD) evaluates the cyber readiness of its industrial base. It’s no longer enough to claim compliance; organizations must now demonstrate verifiable security maturity commensurate with the sensitivity of the information they handle.
This guide provides a detailed breakdown of the CMMC 2.0 framework, focusing on the three essential maturity levels, their distinct requirements, and the assessment paths needed to secure a DoD contract.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard established by the DoD to safeguard sensitive national security information shared with defense contractors and their supply chain partners.
Origin and intended use: CMMC was created to address the pervasive intellectual property theft and unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the Defense Industrial Base (DIB). It standardizes cybersecurity requirements across the entire DIB sector.
Who needs it and which contracts: Any organization within the DIB, including prime contractors, vendors, and subcontractors, that seeks to bid on or work on a DoD contract must meet the CMMC requirement explicitly stated in the solicitation. The required level dictates eligibility.
Main changes from CMMC 1.0 to 2.0:
What are the 3 Levels of CMMC?

The CMMC 2.0 framework is streamlined into three tiers, each designed to protect specific types of information.
Level 1 (Foundational)
- Data Scope: Federal Contract Information (FCI) only.
- Requirements: 17 practices (basic cyber hygiene) aligned with the FAR Clause 52.204-21 ([Source: Acquisition.gov]).
- Purpose: To protect the basic integrity of information systems where non-critical contract data resides.
- Assessment Type: Annual Self-Assessment performed by the company, with an annual affirmation of compliance by a senior company official submitted to the DoD's Supplier Performance Risk System (SPRS).
Level 2 (Advanced)
- Data Scope: Controlled Unclassified Information (CUI).
- Requirements: 110 practices (intermediate cyber hygiene) aligned directly with NIST SP 800-171 ([Source: NIST CSRC]).
- Purpose: To protect sensitive CUI from common cyber threats. This is the level most DIB companies handling CUI will be required to meet.
- Assessment Type (Split Path):
  - Prioritized/Critical CUI: Triennial (every 3 years) Third-Party Assessment by a C3PAO (or C3PAO-equivalent).
  - Non-Prioritized CUI: Triennial (every 3 years) Self-Assessment, with annual affirmations submitted in SPRS. Organizations may also have conditional statuses (e.g., 180-day POA&M closeout windows) as defined by the DoD.
Level 3 (Expert)
- Data Scope: CUI for high-priority programs and protection against Advanced Persistent Threats (APTs).
- Requirements: 110 NIST SP 800-171 practices plus a subset of 24 advanced controls drawn from NIST SP 800-172 ([Source: NIST CSRC]), totaling 134 controls.
- Purpose: To establish a mature, robust cybersecurity program capable of defending against the most sophisticated nation-state actors.
- Assessment Type: Triennial (every 3 years) Government-Led Assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Do you need to complete all 3 levels for CMMC compliance?
No, you are only required to meet the specific CMMC Level listed in the contract solicitation. The framework is tiered, meaning Level 2 builds on Level 1, and Level 3 builds on Level 2. Therefore:
- If your contract requires Level 1, you only need to complete Level 1.
- If your contract requires Level 2, you must demonstrate compliance with all Level 2 practices (which encompass the foundational requirements of Level 1).
- If your contract requires Level 3, you must satisfy all Level 3 requirements (which include the 110 practices of Level 2).
How do I know which CMMC level my company requires?
The required CMMC Level is determined entirely by the type and sensitivity of the information you will process, store, or transmit for a given DoD contract:
- FCI Only: If the contract involves only Federal Contract Information (FCI), you will likely be required to meet CMMC Level 1.
- CUI Included: If the contract involves Controlled Unclassified Information (CUI), you will be required to meet at least CMMC Level 2.
- CUI with APT Risk: If the contract involves CUI for the DoD's most critical and highest-priority programs, you will be required to meet CMMC Level 3.
Pro Tip: Look for the specific DFARS clauses in the solicitation. The contract itself is the final authority on the required CMMC level. For more on this, refer to our guide on Who Needs CMMC Certification.
How many domains are covered by CMMC 2.0 Compliance?
The CMMC 2.0 framework is structured around 14 cybersecurity domains, which are directly adopted from the control families defined in NIST SP 800-171. These domains categorize the practices required across Level 2 and Level 3.
What does a CMMC compliance timeline look like?
The time it takes to achieve CMMC compliance depends on your current cybersecurity maturity and the certification level you’re targeting. For most organizations, the full process, from gap assessment to certification, takes 6 to 12 months. Businesses that are already aligned with NIST SP 800-171 requirements may complete readiness in as little as 3 to 6 months, while those starting from minimal compliance maturity may require up to 18 months. The timeline typically includes a readiness assessment, remediation and control implementation, documentation and evidence collection, and a formal third-party assessment (for Level 2 and above).
What are typical costs for CMMC compliance?
The cost of achieving and maintaining CMMC certification varies widely based on organization size, network complexity, and existing cybersecurity maturity.
- Level 1 (Foundational): Organizations can expect total costs between $10,000 and $30,000, which covers internal labor, policy development, and basic security tooling for self-assessment.
- Level 2 (Advanced): Certification costs typically range from $50,000 to $150,000+, including third-party assessment fees, remediation activities, consulting or MSSP support, and cybersecurity software investments.
- Level 3 (Expert): Estimated costs are higher and will depend on DoD-led assessment requirements once finalized.
Automation and continuous monitoring tools can help lower recurring compliance costs and simplify annual affirmations in SPRS (Supplier Performance Risk System).
The Scrut Automation advantage: Achieve audit readiness, faster
Scrut Automation offers a comprehensive platform specifically engineered to conquer the complexities of CMMC 2.0. We understand the hardest part isn't reading the standards, it's proving you meet them.
Our solution helps you accurately scope your CUI environment and provides automated mapping for the stringent controls of NIST SP 800-171. By integrating directly with your infrastructure, Scrut continuously collects evidence across all 14 domains, eliminating manual log-pulling and document chasing. This capability drastically reduces remediation time and ensures you maintain an audit-ready status for your C3PAO assessment, making your path to securing DoD contracts faster and more reliable.

FAQs
What are the current CMMC levels?
The current CMMC 2.0 framework has three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
What determines which CMMC level I need?
The required level is determined by the specific DoD contract solicitation and the type of information involved: FCI requires Level 1, and CUI requires Level 2 or Level 3.
What happens if I fail an assessment?
If you fail a C3PAO assessment (Level 2 or 3), you will be issued a conditional certification status and may be allowed a Plan of Action and Milestones (POA&M) period (typically 180 days) to address the deficiencies, provided the failures are not related to critical security requirements defined by the DoD.
Are CMMC requirements different for subcontractors?
Yes and No. The level of CMMC compliance required (e.g., Level 2) is the same for the prime and all subcontractors who handle the CUI defined in the contract scope. However, the scope of the assessment for a small subcontractor will be much narrower than for the large prime contractor.
Can a Level 1 certified company handle CUI?
No, Level 1 certification is designed only for the protection of Federal Contract Information (FCI). Any organization handling Controlled Unclassified Information (CUI) must achieve at least CMMC Level 2 compliance.
How does CMMC 2.0 differ from older versions?
CMMC 2.0 streamlines the model from five to three levels, eliminates CMMC-unique practices, allows limited use of POA&Ms, and aligns directly with NIST standards (NIST SP 800-171 and 800-172).
What is the difference between CMMC Level 1 and Level 2?
The main difference is the data type and control complexity. Level 1 protects FCI with 17 basic safeguarding requirements derived from FAR 52.204-21, verified through an annual self-assessment. Level 2 protects CUI with 110 advanced controls from NIST SP 800-171, usually requiring a third-party assessment.