Understanding the CMMC 2.0 Levels
A breakdown of the three CMMC 2.0 levels (Foundational, Advanced, Expert) and what they mean for your organization.
Published: October 20th, 2023 | By: Compliance Team | Last updated: June 24th, 2025
CMMC Levels, Cybersecurity Maturity, Compliance
CMMC 2.0 simplified the original model into three levels, each with specific requirements and assessment needs. For further details, visit the CMMC Program page.
Level 1: Foundational
Corresponds to basic cyber hygiene practices (FAR 52.204-21).
- Practices: 17 practices.
- Assessment: Annual self-assessment.
Level 2: Advanced
Aligned with NIST SP 800-171. This level is for organizations handling Controlled Unclassified Information (CUI).
- Practices: 110 practices.
- Assessment: Triennial third-party assessments for critical national security information; annual self-assessment for others.
Level 3: Expert
Based on NIST SP 800-172. For organizations handling CUI associated with the highest priority programs.
- Practices: 110+ practices (subset of NIST SP 800-172).
- Assessment: Triennial government-led assessments.
Understanding which level applies to your contracts is the first step in your CMMC journey.