Navigating the defense supply chain begins with answering one critical question: “Which level of CMMC applies to our business?” The stakes are high, and guessing wrong can mean losing contract eligibility.
Here is a quick breakdown.
CMMC 2.0 streamlines requirements into three distinct levels. The required level isn't based on your company's size, but rather on the specific data your organization handles.
Level 1
Who it’s for: Federal and Department of War (DoW) contractors that handle Federal Contract Information (FCI).
The Requirements: Implementing 15 basic cybersecurity practices outlined in FAR 52.204-21.
Verification: Requires an annual self-assessment (no third-party audit needed).
Bottom Line: If your business only manages basic contract details and no sensitive defense data, this is likely your tier.
Level 2
Who it’s for: Companies that handle Controlled Unclassified Information (CUI).
The Requirements: Full compliance with the 110 security controls of NIST SP 800-171.
Verification: This depends on the sensitivity of your contract:
Self-Assessment: Permitted for select, non-critical contracts.
C3PAO Assessment: Required for most contractors handling CUI, conducted by an accredited third-party organization.
The "Flow-Down" Rule: Even if you aren't working directly with the DoW, a Prime contractor will pass Level 2 requirements through their chain. Achieving a C3PAO-certified Level 2 status is often a smart business move that unlocks significantly more revenue opportunities.
Level 3
Who it’s for: Organizations supporting the military's most sensitive, high-priority national security programs.
The Requirements: Builds upon Level 2 by adding advanced security controls from NIST SP 800-172.
Verification: Strictly audited by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Bottom Line: This level currently applies to a very small percentage of the defense industrial base.
As we stated above, your required CMMC level is dictated entirely by the data you handle. To find your baseline, ask these three questions:
Do we only handle FCI? → You likely need Level 1 (Self-Assessment).
Do we handle CUI? → You likely need Level 2 (Self-Assessment or C3PAO).
Are we tied to critical national security priorities? → You may need Level 3 (DIBCAC Audit).
Ultimately, your specific contract language and your Prime contractor will dictate your exact requirements.
Still have questions? Reach out to our experts today to get clarity on which level of CMMC your business needs.