CMMC Levels 1, 2, and 3 — Which One Applies to You
CMMC has three levels. Picking the right one is a contract-reading exercise, not a maturity aspiration. You implement the level your work requires — no more.
Level 1 — Foundational
For contractors handling only FCI. It covers 15 basic safeguarding practices and allows annual self-assessment. If you never touch CUI, this is your ceiling.
Level 2 — Advanced
For contractors handling CUI. It comprises all 110 requirements of NIST 800-171. Most Level 2 contracts will require a third-party assessment by a C3PAO every three years; a limited subset may permit self-assessment.
Level 3 — Expert
For the highest-priority programs and the most sensitive CUI. It includes Level 2 plus a subset of NIST 800-172 enhanced requirements, assessed by the government (DIBCAC).
How to choose
- No CUI anywhere → Level 1.
- CUI present → Level 2 (assume third-party assessment).
- Named on a critical program with 800-172 requirements → Level 3.
- When in doubt, read the solicitation and ask the contracting officer — do not guess upward.
The Verdict Forum publishes educational guidance, not legal or compliance advice. Confirm requirements against the authoritative sources and your assessor before acting.