CMMC Levels Explained

A complete guide to the three CMMC 2.0 maturity levels — Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert) — with practice counts, assessment types, and scoping guidance.
Overview of CMMC 2.0 levels

CMMC 2.0 replaced the original five-level model with three streamlined levels. Each level builds on the one below it, adding more practices and more rigorous assessment requirements. The level your organization needs is determined by the type of information you handle under your DoD contract.

Level 1 — Foundational

Level 1 applies to organizations that handle Federal Contract Information (FCI) — information provided by or generated for the government under contract that is not intended for public release.

Requirements

  • 17 practices drawn from FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems"
  • Practices cover fundamental cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity

Assessment type

  • Annual self-assessment performed by the organization
  • Results entered into the Supplier Performance Risk System (SPRS)
  • A senior official must affirm compliance annually
  • No third-party assessment required

What Level 1 covers

Level 1 practices are baseline security measures that most organizations should already have in place:

  • Limit system access to authorized users
  • Limit system access to the types of transactions and functions that authorized users are permitted to execute
  • Verify and control connections to external systems
  • Control information posted on publicly accessible systems
  • Identify and authenticate users before granting access
  • Sanitize or destroy media before disposal or reuse
  • Limit physical access to systems and equipment
  • Escort visitors and monitor visitor activity
  • Monitor and control communications at system boundaries
  • Implement subnetworks for publicly accessible system components
  • Identify, report, and correct information system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations
  • Update malicious code protection mechanisms as new releases are available
  • Perform periodic scans and real-time scans of files from external sources

Level 2 — Advanced

Level 2 applies to organizations that handle Controlled Unclassified Information (CUI) — information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy.

Requirements

  • 110 security requirements aligned to all 14 control families in NIST SP 800-171 Rev 2
  • Covers access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity

Assessment type

Level 2 has two assessment paths depending on the sensitivity of the CUI:

  • Self-assessment — for contracts involving less sensitive CUI. The organization conducts its own assessment, scores it using the DoD Assessment Methodology, and submits the score to SPRS. A senior official must affirm compliance annually.
  • C3PAO assessment — for contracts involving more sensitive CUI or critical programs. A CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment. Certification is valid for three years, with annual affirmation of continued compliance required.

Scoring methodology

The DoD Assessment Methodology assigns a score out of 110 based on the number of objectives met. Organizations that do not meet all 110 requirements may receive a conditional certification if they:

  • Score at least 80% (88 out of 110)
  • Document unmet requirements in a Plan of Action and Milestones (POA&M)
  • Close all POA&M items within 180 days of the conditional certification

Failure to close POA&M items within 180 days revokes the conditional certification.

Level 3 — Expert

Level 3 applies to organizations working on the most sensitive DoD programs where advanced persistent threats (APTs) are a concern.

Requirements

  • All 110 NIST SP 800-171 Rev 2 requirements from Level 2, plus
  • 24 additional requirements selected from NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information"
  • Enhanced requirements focus on penetration-resistant architecture, damage-limiting operations, and designing for cyber resiliency

Assessment type

  • Government-led assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Requires a valid Level 2 C3PAO certification as a prerequisite
  • Certification is valid for three years with annual affirmation

Level 3 enhanced focus areas

The 24 additional requirements from NIST SP 800-172 emphasize:

  • Dual authorization for critical actions
  • Advanced threat hunting and monitoring
  • Automated response to security events
  • Network segmentation and micro-segmentation
  • Supply chain risk management
  • Penetration testing and red team exercises
  • System resilience and recovery capabilities

How to determine your required level

Your required CMMC level is specified in the solicitation or contract. As a general guide:

Information type                             Typical CMMC level    Assessment type
FCI only                                     Level 1               Self-assessment
CUI (less sensitive)                         Level 2               Self-assessment
CUI (more sensitive or critical programs)    Level 2               C3PAO
CUI on highest-priority programs             Level 3               DIBCAC

If you are unsure which level applies, review your contract's DFARS clause 252.204-7021 or consult your contracting officer.

How episki helps

episki provides pre-mapped practice sets for all three CMMC levels. During onboarding, select your target level and the platform generates a tailored workspace with the right controls, narratives, and evidence requirements. As you close gaps, your SPRS score updates in real time. If you hold multiple contracts at different levels, episki maintains separate scoping views while reusing shared controls — so Level 1 work automatically counts toward Level 2 readiness. Start a free trial to see your current readiness posture.