CMMC Simplified: Understanding Levels 1-3

CMMC Simplified: Understanding Levels 1-3

CMMC Simplified: Understanding Levels 1-3​


The Cybersecurity Maturity Model Certification (CMMC) is a critical framework in the realm of cybersecurity, especially for businesses working with the United States Department of Defense (DoD). Understanding CMMC is essential for ensuring compliance and securing sensitive government contracts. This article delves into the details of Levels 1-3 of CMMC, providing a simplified guide to help organizations navigate these standards effectively. In this article any references to CMMC is to CMMC 2.o, which is the current version.

What is CMMC?


The CMMC 2.0 framework is an evolution of its predecessor, CMMC 1.0, designed to protect sensitive federal information and ensure a robust cybersecurity posture among defense contractors. It presents a tiered model of cybersecurity practices and processes that organizations must implement to qualify for DoD contracts.

Key Changes from CMMC 1.0 to 2.0

CMMC 2.0 brought significant changes, including reducing the number of levels from five to three, streamlining the certification process, and offering more clarity on requirements. These changes aim to make compliance more accessible and manageable for small and medium-sized businesses.

Understanding CMMC 2.0 Levels

Level 1: Foundational Cybersecurity

  • Objective: To safeguard Federal Contract Information (FCI).
  • Requirements: Organizations must implement 17 basic cybersecurity practices, primarily focusing on safeguarding FCI from unauthorized access and disclosure.
  • Assessment: Self-assessment is permitted, making it more approachable for smaller contractors.

Level 2: Advanced Cybersecurity

  • Objective: To protect Controlled Unclassified Information (CUI).
  • Requirements: This level aligns with the NIST SP 800-171 standards and requires the implementation of 110 cybersecurity practices. These practices are more rigorous and are designed to protect CUI.
  • Assessment: Requires a third-party assessment, ensuring a more thorough and standardized evaluation.

Level 3: Expert Cybersecurity

  • Objective: To safeguard CUI and reduce the risk of Advanced Persistent Threats (APTs).
  • Requirements: Involves a subset of practices from NIST SP 800-172 along with additional requirements from the DoD. It’s tailored for organizations handling highly sensitive information and facing sophisticated cyber threats.
  • Assessment: Requires a government-led assessment, reflecting the high stakes involved in protecting critical defense information.


Q: Who needs to comply with CMMC?

A: Any organization seeking to work on contracts with the DoD that involve handling FCI or CUI needs to comply with CMMC 2.0.

Q: How often is CMMC certification required?

A: The certification is valid for three years, but organizations are encouraged to maintain continuous compliance.

Q: Can a business self-certify for Level 2?

A: No, Level 2 requires a third-party assessment.

Q: Will companies be required to comply with CMMC 1.0 now that CMMC 2.0 is published?

A: No, the interim DFARS rule established a five-year phase-in period for CMMC compliance, only required in select pilot contracts. Once CMMC 2.0 is codified through rulemaking, companies will need to adhere to the revised CMMC framework​​.

Q: How will an organization know the required CMMC level for a contract?

A: The DoD will specify the required CMMC level in contract solicitations once CMMC is implemented​​.

Q: What is the relationship between NIST SP 800-171 and CMMC?

A: CMMC requirements lead to a contractor self-assessment or a third-party assessment to determine compliance with the applicable NIST standard. For CMMC Level 2 assessments align with NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172 requirements​​.

Q: Will prime contractors and subcontractors need to maintain the same CMMC level?

A: If they are handling the same type of FCI and CUI, then the same CMMC level will apply. A lower level may apply to subcontractors if the prime contractor only flows down select information​​.


CMMC 2.0 is an essential framework for organizations aiming to work with the DoD. Understanding and implementing the requirements of Levels 1-3 is crucial for compliance and securing government contracts. As cybersecurity threats evolve, staying aligned with CMMC 2.0 standards not only fulfills contractual obligations but also strengthens an organization’s overall cybersecurity posture.

Learn about CMMC and more with Shadowbear

To learn more about how Shadowbear can help you get CMMC compliant, contact us for a consultation today.