The CMMC level you need depends on the type of information you handle under your DoD contract. If your contract involves only Federal Contract Information (FCI), you need Level 1. If it involves Controlled Unclassified Information (CUI), you need Level 2. If your contract supports a high-priority program where CUI faces elevated threat levels, the DoD may require Level 3.
The distinction comes down to what’s in your contract and what data flows through your systems. Here’s how to figure out where you fall and what each level actually requires.
Understanding FCI vs. CUI
Federal Contract Information is the baseline category. It covers information that isn’t intended for public release but is provided by or generated for the government under a contract. Think of routine project communications, delivery schedules, or performance data that the government hasn’t made public. If that’s all you touch, Level 1 is your requirement.
Controlled Unclassified Information is more sensitive. CUI includes technical data, engineering drawings, test results, and other information that the government has specifically marked or identified as requiring safeguarding. It’s not classified, but it carries restrictions on how it can be stored, shared, and transmitted. If your contract includes CUI, or if CUI flows down to you from a prime contractor, you need Level 2 at minimum.
The key contract clause to look for is DFARS 252.204-7012. If this clause appears in your contract or subcontract, you’re handling CUI and should plan for Level 2 compliance. When contract-specific questions come up, your contracting officer representative can clarify exactly what information categories apply.
What Level 1 Requires
Level 1 covers 17 basic cybersecurity practices drawn from FAR 52.204-21. These are fundamental protections: limiting system access to authorized users, using antivirus software, updating systems regularly, and similar baseline controls. Most small businesses working on routine DoD contracts already meet many of these requirements without realizing it.
Level 1 requires only a self-assessment. You evaluate your own compliance, affirm the results, and enter your score into the Supplier Performance Risk System (SPRS). No third-party auditor is involved.
What Level 2 Requires
Level 2 maps to the 110 security controls in NIST SP 800-171. These go well beyond the basics, covering areas like encryption, audit logging, incident response planning, access control policies, and media protection. Meeting all 110 controls typically requires dedicated IT security resources and, for many companies, significant investment in tools and processes.
The assessment method for Level 2 splits into two tracks. Some contracts allow a self-assessment, where you score yourself against the 110 controls and submit the results. Other contracts require a certification assessment conducted by a Certified Third-Party Assessment Organization, known as a C3PAO. Which track applies to you is specified in your contract. The certification assessment provides the DoD with higher assurance that you can protect CUI, and it’s generally required when the information is more sensitive or the adversarial risk is greater.
If you fall short on some controls during an assessment, you may be able to submit a Plan of Action and Milestones (POA&M) documenting the gaps and your timeline for closing them. However, certain controls cannot be deferred this way, and open POA&M items can limit your eligibility for contracts and for advancing to Level 3.
When Level 3 Applies
Level 3 is reserved for contractors supporting the DoD’s most sensitive unclassified programs, where CUI faces advanced persistent threats. This level adds 24 enhanced security controls from NIST SP 800-172 on top of the full Level 2 requirement. It does not cover classified information, which falls under separate security frameworks.
Before you can even begin a Level 3 assessment, you must hold a final Level 2 certification assessment status from a C3PAO, with all POA&M items closed. The Level 3 assessment itself is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a private C3PAO.
The Level 3 assessment scope is broad. It covers every asset that processes, stores, or transmits CUI, plus security protection assets like firewalls and intrusion detection systems, and specialized assets such as IoT devices, operational technology, and government-furnished equipment. Specialized assets that can’t be fully secured may qualify for an enduring exception, but only if they’re physically or logically isolated from other networks with no internet connection. Otherwise, they’re assessed against all CMMC requirements.
Most contractors will never need Level 3. If your contracting officer hasn’t specifically told you Level 3 is required, it almost certainly isn’t.
How to Identify Your Required Level
Your required CMMC level will be stated in the solicitation or contract. Starting with Phase 1 of implementation, which began November 10, 2025, the DoD is including CMMC requirements in new contracts. During this first year, the focus is primarily on Level 1 and Level 2 self-assessments. The full rollout follows a four-phase plan spanning three years, with each phase adding requirements incrementally until all program requirements are in effect.
If you’re a subcontractor, look at the flow-down clauses from your prime contractor. Primes are responsible for ensuring their subcontractors and suppliers meet applicable security requirements, per DFARS 252.204-7012. If CUI flows down to you, the Level 2 requirement flows down with it, even if you’re a small supplier several tiers removed from the DoD.
For existing contracts that predate CMMC implementation, check whether your contract already includes DFARS 252.204-7012. If it does, you’ve been expected to comply with NIST 800-171 all along, and the transition to a formal CMMC Level 2 assessment formalizes what was already required.
Choosing the Right Scope
One decision that directly affects your cost and complexity is how you define your CMMC assessment scope. Every system, device, and network segment that touches FCI or CUI falls within scope. The more systems in scope, the more controls you need to implement and maintain across your environment.
Many contractors reduce their compliance burden by creating a dedicated enclave, a separate network segment where all CUI is processed and stored, isolated from the rest of the business. This lets you apply the full set of NIST 800-171 controls to a smaller footprint rather than your entire corporate network. The tradeoff is the upfront cost of segmentation and the operational discipline to keep CUI out of systems that aren’t in scope.
If you’re early in the process, map out exactly where CUI enters your organization, where it’s stored, who accesses it, and how it leaves. That data flow map is the foundation for defining your scope and choosing which systems need to meet CMMC requirements.
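As an added illustration of the scoping points above (the data flow map, the dedicated enclave, and the asset categories described for Level 3), here is a small Python script that is not part of this article or of any CMMC tooling. It models a data flow inventory as a list of assets with hypothetical names and network segments, derives which assets fall inside the assessment boundary, and flags CUI found on a connected system outside the enclave, which is the operational discipline failure the article warns about. The asset kinds, the isolation and no-internet test for specialized assets, and the FCI/CUI categories follow the article's description; the inventory itself is constructed sample data and every name in it is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Data categories that pull an asset into the CMMC assessment boundary.
PROTECTED = frozenset({"FCI", "CUI"})


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str                 # network segment the asset lives in
    data: FrozenSet[str]         # categories it processes, stores or transmits
    kind: str = "standard"       # "standard", "security_protection" or "specialized"
    isolated: bool = False       # physically or logically isolated from other networks
    internet: bool = True        # assume connected unless the inventory says otherwise


def classify(asset: Asset) -> str:
    """Place one asset relative to the assessment scope.

    Returns "in_scope", "exception_candidate" or "out_of_scope".
    """
    touches_protected = bool(asset.data & PROTECTED)
    if asset.kind == "specialized" and touches_protected:
        # Specialized assets (IoT, OT, GFE) may qualify for an enduring exception
        # only when isolated from other networks with no internet connection;
        # otherwise they are assessed against all requirements.
        if asset.isolated and not asset.internet:
            return "exception_candidate"
        return "in_scope"
    if asset.kind == "security_protection":
        # Firewalls, IDS and similar assets that protect in-scope systems.
        return "in_scope"
    if touches_protected:
        return "in_scope"
    return "out_of_scope"


def enclave_violations(assets: List[Asset], enclave: str) -> List[str]:
    """Names of connected assets holding CUI outside the dedicated enclave.

    Each hit is CUI that has leaked onto a system the enclave design meant to
    keep out of scope, so the enclave no longer bounds the assessment.
    Isolated exception candidates are not counted as leak paths.
    """
    return sorted(
        a.name for a in assets
        if "CUI" in a.data
        and a.segment != enclave
        and classify(a) != "exception_candidate"
    )


def scope_report(assets: List[Asset], enclave: str) -> Dict[str, List[str]]:
    """Group the inventory by scope decision and append enclave findings."""
    report: Dict[str, List[str]] = {
        "in_scope": [], "exception_candidate": [], "out_of_scope": []
    }
    for a in sorted(assets, key=lambda x: x.name):
        report[classify(a)].append(a.name)
    report["enclave_violations"] = enclave_violations(assets, enclave)
    return report


# Constructed sample inventory (hypothetical names and segments).
INVENTORY = [
    Asset("cui-fileserver", "cui-enclave", frozenset({"CUI"})),
    Asset("enclave-firewall", "cui-enclave", frozenset(), kind="security_protection"),
    Asset("proposal-share", "corp", frozenset({"FCI"})),
    Asset("hr-laptop", "corp", frozenset({"public"})),
    # CUI on a corporate workstation: the enclave boundary has been breached.
    Asset("eng-workstation", "corp", frozenset({"CUI"})),
    # Shop-floor OT with CUI that is still networked: fully in scope.
    Asset("cnc-machine", "shop", frozenset({"CUI"}), kind="specialized"),
    # Air-gapped test rig: candidate for an enduring exception.
    Asset("test-bench-plc", "isolated-lab", frozenset({"CUI"}),
          kind="specialized", isolated=True, internet=False),
]

if __name__ == "__main__":
    for key, names in scope_report(INVENTORY, "cui-enclave").items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The report is the starting point for the data flow map the article recommends: anything listed under in_scope needs the full control set, anything under enclave_violations is either a scoping error or CUI that must be moved back inside the enclave before an assessment.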