CMMC Certification Levels & Requirements

Key Takeaways
The CMMC framework is now streamlined into three levels, each with tailored cybersecurity requirements and assessment types.
Contractors handling Controlled Unclassified Information (CUI) must comply with NIST SP 800-171 Rev. 2, undergoing either self-assessments or third-party/government evaluations depending on the level.
Maintaining compliance demands annual affirmations via the SPRS system, strict 180-day completion of remediation efforts, and up-to-date documentation throughout the contract lifecycle.
Introduction
The Cybersecurity Maturity Model Certification (CMMC) program is a critical safeguard for protecting sensitive information within the Defense Industrial Base (DIB). With the Department of Defense (DoD) finalizing its rules (32 CFR and 48 CFR/DFARS) that mandate CMMC compliance as a criterion for contract awards starting November 10, 2025, understanding what lies ahead is essential for contractors and subcontractors.
In this article, we'll unpack the new three-tiered CMMC structure, clarify the assessment methods, and outline the important steps to maintain compliance as these requirements phase in over the next three years. If you need an introductory overview of CMMC before diving deeper, feel free to check out our CMMC overview.
Understanding the Three CMMC Levels and Their Requirements
The latest CMMC framework consolidates previous iterations into three distinct levels, each designed to address varying degrees of cybersecurity risk related to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Level 1: Foundational - Basic Protection Through Self-Assessment
Level 1 focuses on safeguarding FCI using fundamental cybersecurity practices. Contractors must implement 15 security practices aligned with the Federal Acquisition Regulation (FAR 52.204-21).
Assessments are performed internally via annual self-assessments.
Results must be recorded in the Supplier Performance Risk System (SPRS).
Plan of Action and Milestones (POA&M) are not allowed at this level.
Annual affirmations in SPRS confirm ongoing compliance.
Level 2: Advanced - Protecting CUI with Flexible Assessment Options
At Level 2, contractors handle Controlled Unclassified Information and must meet the full set of 110 security requirements outlined in NIST SP 800-171 Rev. 2. This level has two assessment pathways depending on the solicitation:
Self-Assessment: Conducted every three years with yearly affirmations; results are entered in SPRS.
Third-Party Assessment: Performed by an accredited CMMC Third-Party Assessment Organization (C3PAO), also every three years with annual affirmations. Results flow from the CMMC instance of eMASS into SPRS.
POA&M allowance: Contractors can submit remediation plans but must close all gaps within 180 days. Some controls are non-negotiable and cannot be deferred. Contractors scoring at least 80% can receive a Conditional CMMC Status, pending full remediation.
You may find our guide on avoiding Level 2 assessment pitfalls useful for understanding documentation best practices and common errors at this level.
Level 3: Expert - Defending High-Priority Programs Against APTs
Level 3 is reserved for contractors protecting critical DoD assets vulnerable to advanced persistent threats. It includes all Level 2 controls plus 24 supplemental requirements from NIST SP 800-172.
Assessments are carried out by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.
POA&M processes are similar to Level 2, with the same 180-day closeout window.
Annual affirmations remain mandatory.
Contractors must maintain Level 2 status through a C3PAO assessment to remain compliant at Level 3.
Visit our article about CMMC impacts on defense contracts and the supply chain to understand how compliance flow-down affects subcontractors at various levels.
"CMMC compliance is no longer optional; it is a prerequisite for accessing DoD business. Prepare now to avoid delays and secure contract eligibility."
Assessment Types Explained
How you get assessed depends on your contractual obligations and the level required:
Self-Assessments: Internal review suitable for Level 1 and Level 2 self-assessment options. Delivered annually at Level 1, and every three years with annual affirmations at Level 2. Entry of results happens directly in SPRS.
Third-Party Assessments: Accredited C3PAOs evaluate Level 2 contractors handling CUI when required by the solicitation. Results flow through eMASS then into SPRS.
Government Assessments: DIBCAC administers rigorous evaluations for Level 3 contractors, including enhanced NIST SP 800-172 controls.
For more details on government-led assessment impacts, visit our blog on government assessments.
Practical Guidance for Contractors and Subcontractors
Compliance Timeline: Four Phases Over Three Years
Phase | Start Date | Focus Area
---|---|---
Phase 1 | November 10, 2025 | Incorporates Level 1 and Level 2 (Self) requirements in solicitations
Phase 2 | November 2026 | Introduction of Level 2 (C3PAO) assessments in solicitations
Phase 3 | November 2027 | Expanded adoption of Level 2 (C3PAO) and debut of Level 3
Phase 4 | November 2028 | Full enforcement of the entire CMMC program across the Defense Industrial Base
The previously circulated “complete by 2025” mandate is no longer accurate; the phased rollout reflects the current policy.
Understanding Flow-Down Requirements
Flow-down obligations ensure that subcontractors meet at least the minimum CMMC level for the information they process:
Prime Contractor Level | Required Subcontractor Level
---|---
Level 1 (Self) | Level 1 (Self)
Level 2 (Self) | Level 1 (Self) for FCI; Level 2 (Self) for CUI
Level 2 (C3PAO) | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI
Level 3 (DIBCAC) | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI
Note:
- Flow-down applies only if subcontractors handle FCI or CUI.
- Contracts dealing solely with Commercial Off-The-Shelf (COTS) products are exempt from CMMC requirements.
Learn how to handle CUI properly for subcontractors and maintain compliance in our guide on anonymizing CUI for subcontractors.
Maintaining Compliance: What It Entails
Maintain active CMMC status throughout the contract period aligned with your required level.
Submit annual affirmations in SPRS and provide updates after achieving Conditional or Final Status or closing POA&M items.
Failure to uphold status may result in exclusion from contract awards.
Preparing for Your Assessment
Develop a comprehensive System Security Plan (SSP) aligned with NIST SP 800-171 Rev. 2 standards.
Conduct gap analyses to identify deficiencies; create POA&Ms for temporary weaknesses.
Use NIST SP 800-171A (June 2018) as the framework of assessment objectives for Level 2 assessments.
For cloud environments, ensure services hosting CUI are FedRAMP Moderate authorized or equivalent per DFARS 252.204-7012.
Coordinate with a C3PAO when third-party certification is required.
Important: The DoD has not yet adopted NIST SP 800-171 Rev. 3; continue to use Rev. 2 until further notice.
Looking for an easier way to manage these controls? Sign up for updates on our upcoming compliance platform here to simplify your CMMC compliance management and meet requirements efficiently.
Conclusion
As the Defense Industrial Base prepares for CMMC rules kicking in from November 2025 through 2028, contractors must grasp the new three-level model, navigate assessment options wisely, and ensure subcontractor obligations are clear. Early alignment with NIST SP 800-171 Rev. 2 controls, rigorous documentation, and timely remediation efforts are the foundation for securing and maintaining eligibility for DoD contracts.
Don’t wait—start preparing your systems and policies today to confidently meet the evolving cybersecurity mandates. Ready to simplify your compliance journey? Explore the CMMC dashboard and get started now.
Frequently Asked Questions
When will CMMC compliance officially be required?
Requirements begin appearing in DoD solicitations November 10, 2025, with a phased rollout concluding in 2028.
What distinguishes Conditional from Final CMMC Status?
Conditional Status is granted when a contractor scores 80% or higher but has open POA&M items; these must be closed in 180 days to achieve Final Status.
Is a C3PAO assessment necessary for every contract involving CUI?
Not always. The solicitation specifies whether a self-assessment or C3PAO assessment applies. Most CUI contracts will eventually require C3PAO verification.
What CMMC level applies to subcontractors handling only FCI?
Generally Level 1 self-assessment suffices unless the subcontract involves CUI, which requires higher levels.
Are COTS-only contracts subject to CMMC requirements?
No, COTS contracts are exempt from CMMC compliance.
Has DoD adopted NIST SP 800-171 Revision 3?
No. Assessments continue to follow Revision 2 until new rulemaking is published.
Stay informed and ready by leveraging resources like the SPRS system and certified assessors. Cybersecurity maturity is no longer optional—it’s your gateway to DoD opportunities.