Cybersecurity Maturity Model Certification (CMMC) 2.0 condensed the available certification levels from five to three. This new streamlined framework ensures that each level applies to a specific category of contractors and subcontractors, depending on their role in the Department of Defense (DoD) supply chain and the criticality of the information they handle.

‍

Still, many organizations are navigating uncertainties around the CMMC level they should pursue and the corresponding requirements. This article answers all the related questions by covering:

‍

• The three CMMC 2.0 levels on a granular level
• Requirements and applicability criteria of each level
• Tips for determining the level you need
• Actionable advice for achieving compliance with the applicable level

‍

CMMC compliance levels at a glance

All CMMC 2.0 levels are built around 14 control domains:

‍

1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Assessment (RA)
12. Security Assessment (CA)
13. System and Communications Protection (SC)
14. System and Information Integrity (SI)

‍

The requirements within each domain are aligned with NIST SP 800-171 R2 and NIST SP 800-172 to ensure the implementation of effective security practices aimed at protecting government data.

‍

Not every CMMC level includes the same requirements, though—they vary according to the DoD’s expectations for different contractors and subcontractors. This means that each level requires different security and compliance workflows aligned with the data your organization collects, stores, and shares.

‍

To ensure adherence to DoD contract requirements, you must determine the CMMC level applicable to your organization before starting any compliance activities.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

A breakdown of the 3 CMMC levels 

As mentioned earlier, CMMC 2.0 has three levels:

‍

1. Level 1: Foundational
2. Level 2: Advanced
3. Level 3: Expert

‍

Below, we’ll outline each level alongside its key features.

‍

‍

CMMC Level 1: Foundational

CMMC Level 1 is the entry-level certification tier aimed at organizations that handle Federal Contract Information (FCI). Some examples of FCI include:

‍

• Technical project specifications
• Contract performance reports
• Process documentation

‍

As this information is sensitive but not critical, Level 1 only encompasses six out of 14 CMMC control domains. The following table lists those domains alongside example practices:

‍

‍

To obtain a Level 1 certificate, you need to perform a self-assessment against the in-scope CMMC requirements and implement all practices. Since no gaps are allowed, your organization must fulfill all scoped practices to achieve compliance.

‍

After completing the self-assessment and remediating any gaps, you need to enter the results into the Supplier Performance Risk System (SPRS). Your certificate will be valid for one year, and you must maintain certification through annual reassessments and compliance affirmations.

‍

{{cta_withimage22="/cta-blocks"}}  | The audit ready checklist

‍

CMMC Level 2: Advanced

CMMC Level 2 is a more comprehensive certification tier targeting DoD contractors and subcontractors with access to FCI and Controlled Unclassified Information (CUI), such as:

‍

• Sensitive personally identifiable information (SPII)
• Confidential business information (CBI)
• Unclassified controlled technical information (UCTI)

‍

CUI requires strict protection, so CMMC Level 2 encompasses 110 practices across all 14 control domains based on NIST SP 800-171 R2. The following table offers some examples of control domains and specific requirements:

‍

‍

In some cases, you may be able to choose between a Level 2 self-assessment and a CMMC Third-Party Assessor Organization (C3PAO) assessment, though the latter will be mandatory in most cases.

‍

The main reason for this is the additional security assurance both your organization and the DoD get as a result of a third-party audit. 

‍

“

The Cyber AB (the entity that accredits and certifies the authorized CMMC assessors) has stated that the DoD is unlikely to grant many self-assessments for CMMC Level 2 (less than 5 percent). Organizations should prepare for a full CMMC assessment at Level 2 by a Cyber AB-authorized CMMC Third Party Assessment Organization (C3PAO).”

Crystal Jackson

GRC Product SME, Vanta

|

LinkedIn

‍

Because of the many controls and the need for a third-party assessment, Level 2 is often the most challenging for organizations. It’s obligatory for all DoD contractors and subcontractors that handle CUI, so they must understand and implement all the requirements related to its protection.

‍

Regardless of the assessment type, you must meet at least 80 percent of the requirements to ensure compliance. If there are gaps, you can obtain a Conditional Certificate by submitting a Plan of Action and Milestones (POA&M), outlining how you’ll remediate the gaps. You’ll have 180 days to ensure full compliance and get a Final Certificate.

‍

You’ll enter your Level 2 results into the SPRS if you perform a self-assessment, while the results of a C3PAO assessment are entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) by the assessor.

‍

Both Level 2 assessment types provide a certificate valid for three years, but you must still submit annual affirmations. 

‍

CMMC Level 3: Expert

CMMC Level 3 is the most stringent certification program aimed at organizations that process, store, or share FCI and critical CUI. The DoD hasn’t specified what qualifies as “critical” as of this writing, so this will most likely be determined on a case-by-case basis.

‍

Level 3 builds on Level 2, so you must first obtain a Level 2 certificate by passing a C3PAO assessment if you want to pursue it. Once you do, you’ll need to meet an additional 24 requirements derived from NIST SP 800-172 and assessed by the government. You can see some of the requirements in this table:

‍

‍

Level 3 assessments are government-led and conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This means you can not select and use your own C3PAO assessment auditor.

‍

Besides the auditing body, there aren’t many differences between Level 2 and Level 3 certification—results are entered into the CMMC eMASS, and you can get a Conditional Certificate under the same conditions as for Level 2.

‍

Your Level 3 certificate will also be valid for three years, and you must submit annual compliance affirmations for both Level 2 and Level 3.

‍

How to know which CMMC level you need

To understand which CMMC certificate you need, pay attention to the DoD's Request for Proposals (RFP) because it will outline the expected CMMC Level. If no RFP is available, start by completing Level 1 certification and build your CMMC maturity from there. Before doing so, conduct a gap analysis to identify the potential resources you might need to achieve Level 2.

‍

If you’re still unsure of the applicable level, you can do the following:

‍

• Review the specific data you process to check for FCI and CUI
• Reach out to your DoD contracting officer (or prime contractor if you’re a subcontractor) for information
• Consider your long-term goals and potential future DoD engagements

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

How to ensure compliance with your chosen CMMC level

After determining the CMMC level you need, take the following steps to achieve compliance:

‍

1. Perform a gap analysis: Review your IT infrastructure against the in-scope CMMC practices to outline the requirements and create a roadmap
2. Implement the missing practices: Develop and execute a gap remediation plan that gradually introduces the missing practices to help you meet all the requirements (or at least 80 percent if you plan on submitting a POA&M)
3. Undergo the appropriate certification assessment: Perform a self-assessment or undergo a C3PAO/DIBCAC according to your selected level
4. Maintain your certificate: Once you obtain a certificate, perform annual or triennial recertifications and submit annual compliance affirmations to stay compliant

‍

Completing these steps effectively can be challenging without proper guidance, especially for SMBs with limited resources and/or in-house expertise and over-reliance on manual workflows. This applies to initial certification and CMMC maintenance, which require continuous monitoring and efficient documentation procedures.

‍

To set up all the necessary processes and streamline CMMC certification, you can benefit from leveraging a dedicated compliance solution like Vanta.

‍

Achieve CMMC compliance confidently with Vanta

Vanta is a comprehensive trust management platform that offers step-by-step guidance for obtaining CMMC certification. It levels the playing field for budget- or time-constrained organizations working with the DoD, helping them ensure CMMC compliance more efficiently.

‍

With Vanta’s dedicated CMMC solution, you can automate up to 50 percent of the certification process through various features, including:

‍

• Out-of-the-box support and prescriptive guidance for all certification levels
• Automated evidence collection supported by 375+ integrations
• Centralized dashboard with real-time updates and automated gap assessments
• Continuous monitoring of CMMC controls using automated hourly tests
• Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172

‍

If you need a reputable C3PAO to complete Level 2 assessments, you can find them through Vanta’s extensive partner network. Finding the right organization helps you obtain a Level 2 certificate while minimizing friction, which you can use as a stepping stone for Level 3.

‍

For a more hands-on look at Vanta’s CMMC solution, schedule a custom demo.

‍

{{cta_simple33="/cta-blocks"}} | CMMC product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. 

‍