
Understanding the Levels of CMMC Certification: A Comprehensive Guide

Kevin Hancock

These days, cybersecurity is more important than ever, and that is a trend that will not change anytime soon, if ever. This is why the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) framework. The original framework (CMMC 1.0) was released in 2020, but going forward any business in the Defense Industrial Base (DIB) will need to comply with CMMC 2.0 to win and keep contracts that may be vital to its business.

It’s important to know, however, that the final CMMC program rule (32 CFR Part 170) was published in October 2024 and took effect in December 2024, with CMMC requirements being added to DoD contracts through a phased rollout that begins in 2025. Contractors should act now to prepare for the requirements their upcoming contracts will carry.

The original CMMC framework had five levels, but CMMC 2.0 simplifies things by reducing it to three. While it may seem complex at first, the goal is to make compliance easier and more affordable. Let’s break down the three levels and help you figure out which one your organization needs.

What is CMMC?

If you’re in the DIB world, you probably already know that CMMC was created to increase the security around Controlled Unclassified Information (CUI) and ensure that it stays safe from bad actors. Controlled Unclassified Information (CUI) refers to sensitive information that the government creates or possesses—or that a contractor handles or creates on the government’s behalf—that must be protected according to laws, regulations, or government-wide policies. While it’s not classified, CUI still requires specific safeguarding and limited sharing. For a full list of CUI categories and subcategories, visit the DoD CUI Registry.

The CMMC 2.0 framework is designed to ensure your business has the security and policies in place to protect Federal Contract Information (FCI) and CUI.

The CMMC 2.0 framework builds on the existing DFARS 252.204-7012 requirement to safeguard CUI by implementing NIST SP 800-171. The most important difference is verification: where the previous regime relied on contractor self-attestation, CMMC requires a documented assessment, and for most CUI contracts that assessment is performed by a third party. Everyone doing DoD business, from prime contractors to subcontractors that handle FCI or CUI, has to meet these requirements.

Overview of CMMC 2.0 Framework

The 3 levels of CMMC are:

  • Level 1 – 15 requirements aligned with FAR 52.204-21
  • Level 2 – 110 requirements aligned with NIST 800-171 r2
  • Level 3 – 134 requirements (110 from NIST 800-171 r2 and 24 from NIST SP 800-172).

Most DIB businesses handling CUI will need an outside assessor to certify their compliance: a Certified Third-Party Assessment Organization (C3PAO) for Level 2, and the government’s own DIBCAC for Level 3. A certification is valid for three years, but an annual affirmation of continued compliance is required to maintain it. CMMC is coming soon, so don’t hesitate to start getting ready.

CMMC 2.0 Levels: What They Mean and How to Choose

Under CMMC 2.0, organizations seeking certification—referred to as Organizations Seeking Assessment (OSAs)—can pursue one of four CMMC Statuses (Level 1 Self-Assessment, Level 2 Self-Assessment, Level 2 C3PAO, or Level 3 DIBCAC), depending on the type of information they handle and the contract requirements.

When the CMMC program is fully implemented, DoD solicitations will specify the minimum CMMC level required to be eligible for contract award. Here’s a breakdown of each level:

Level 1 (Self-Assessment) – For handling FCI

  • Applies to contractors that process, store, or transmit Federal Contract Information (FCI).
  • Requires compliance with 15 practices from FAR 52.204-21.
  • Self-assessment is required annually, and all 15 controls must be met with no exceptions.

Level 2 (Self-Assessment) – For non-prioritized CUI contracts

  • For contracts involving Controlled Unclassified Information (CUI) but not deemed high-priority by the DoD.
  • Requires compliance with all 110 controls from NIST SP 800-171 Rev. 2. Unlike Level 1, a limited Plan of Action and Milestones (POA&M) is permitted for certain requirements, but open items must be closed within 180 days.
  • The self-assessment is valid for three years, and OSAs must affirm their continued compliance annually.

Level 2 (C3PAO Assessment) – For prioritized CUI contracts

  • Also requires full implementation of the 110 NIST SP 800-171 controls, with the same limited POA&M allowance and 180-day closure window as the self-assessment status.
  • Instead of self-assessing, the organization must undergo a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO).
  • C3PAOs can be selected from the Cyber AB (formerly CMMC-AB) Marketplace.

Level 3 (DIBCAC Assessment) – For high-value CUI and critical national security systems

  • Requires organizations to first achieve Level 2 (C3PAO) certification.
  • Adds 24 additional controls from NIST SP 800-172 (Feb 2021) focused on advanced cyber threats.
  • Certification is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under DCMA.

By understanding these levels, organizations can better align their cybersecurity efforts with government requirements and ensure compliance for future contract opportunities.

How to Determine the Right Level for Your Organization

Determining the appropriate CMMC level is one of the most important first steps in your compliance journey. Start by assessing the type of information your organization handles. If you’re only working with Federal Contract Information (FCI), Level 1 may be sufficient. However, if you process Controlled Unclassified Information (CUI), you’ll likely need Level 2 or Level 3 certification.

The required CMMC level will be specified in your DoD contract. These details often include the sensitivity of the information you’ll manage and the associated security expectations. Taking the time to understand your data environment and contract requirements early on will set the foundation for a smoother path to CMMC 2.0 compliance.

Benefits of Achieving CMMC Certification

At a glance, the biggest benefit of CMMC 2.0 certification is clear: eligibility to bid on and maintain DoD contracts. If your business already works with the DoD—or hopes to—CMMC compliance is essential for keeping existing contracts and pursuing new ones.

But the value goes beyond compliance.

Achieving CMMC certification strengthens your organization’s internal cybersecurity posture. By implementing the required standards, you’re not just checking a box—you’re actively protecting your data, securing your supply chain, and reducing the risk of cyberattacks.

CMMC certification also sets your company apart. You can publicly demonstrate your commitment to security and regulatory excellence, which builds trust with customers, partners, and stakeholders. For defense contractors, this credibility is especially powerful, proving you’re not only capable but dependable when it comes to safeguarding sensitive information.

It’s Time to Get Started on CMMC 2.0

If you haven’t already begun your CMMC 2.0 journey, now is the time to act. And if you’ve already started but run into roadblocks, you’re not alone—and there’s help available.

Trusted partners like Exostar offer purpose-built software and expert guidance to help streamline your path to compliance, reduce complexity, and improve efficiency across the board.

Want to learn how Exostar’s CMMC Ready Suite can support your organization? Visit us to book a personalized demo with one of our specialists. We’ll walk you through the platform, answer your questions, and explore how our solution can help your business achieve and maintain compliance with confidence.