Understanding CMMC Levels 1, 2, and 3

Comprehensive guide to CMMC certification levels and requirements

About CMMC Levels

The Cybersecurity Maturity Model Certification (CMMC) framework, as codified in 32 CFR Part 170 (CMMC 2.0), consists of three levels, each building on the previous one to provide increasing cybersecurity maturity. The original CMMC 1.0 model had five levels; this guide uses the current three-level structure that defense contractors are required to meet, and notes where older "cyber hygiene" names are still in use.

Key Points:

  • CMMC levels are cumulative - each level includes all requirements of the levels below it
  • Level 1 is required for contractors that store, process, or transmit Federal Contract Information (FCI)
  • Level 2 is required for contractors that handle Controlled Unclassified Information (CUI)
  • Level 3 is required for a small set of contracts where CUI is exposed to the highest risk from advanced persistent threats

CMMC Level 1: Foundational (Basic Cyber Hygiene)

Level 1 covers basic safeguarding practices and is required for organizations that handle Federal Contract Information (FCI). Its requirements are the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in earlier versions of the model), and all of them must be fully implemented; a Plan of Action and Milestones (POA&M) is not permitted at Level 1.

Key Requirements:

  • 15 FAR 52.204-21 requirements (17 practices in older versions of the model) across 6 domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity
  • Annual self-assessment, with results entered in the Supplier Performance Risk System (SPRS)
  • Annual affirmation of continued compliance by a senior company official
  • No System Security Plan is mandated, but you must be able to show evidence that each requirement is implemented on the in-scope systems

Common Practices:

  • Limiting system access to authorized users, processes, and devices, and controlling connections to external systems
  • Identifying and authenticating users before granting access
  • Sanitizing or destroying media containing FCI before disposal or reuse
  • Physical access controls, visitor escorting, and physical access logs
  • Boundary protection, and separating publicly accessible systems from internal networks
  • Malicious code protection, timely flaw remediation, and scanning of files from external sources

Implementation Tips:

  • Inventory the systems and accounts that store, process, or transmit FCI; only those are in scope
  • Enforce unique user accounts, remove shared credentials, and disable accounts when staff leave
  • Keep antivirus and patching current on every in-scope system
  • Put basic physical access controls in place (locked areas, visitor logs, escorts)
  • Record the evidence for each requirement so the annual self-assessment and SPRS entry can be repeated

Timeline:

  • 3-6 months typical implementation
  • Self-assessment is repeated annually, with the score and affirmation submitted in SPRS
  • No third-party assessment required

CMMC Level 2: Advanced (Intermediate Cyber Hygiene)

Level 2 builds on Level 1 and is required for organizations that handle Controlled Unclassified Information (CUI). It consists of the 110 security requirements of NIST SP 800-171 Rev. 2 and requires formal documentation, including a System Security Plan (SSP).

Key Requirements:

  • 110 requirements across 14 domains, mapped one-to-one to the 14 requirement families of NIST SP 800-171 Rev. 2
  • Assessment by a Certified Third-Party Assessment Organization (C3PAO) for most contracts; some contracts allow a Level 2 self-assessment instead, as specified in the solicitation
  • Formal documentation required: a System Security Plan and, where requirements are not yet met, a POA&M
  • Annual affirmation of continued compliance in SPRS

Additional Practices:

  • Stronger access controls, including multifactor authentication for network and privileged access
  • FIPS-validated cryptography to protect the confidentiality of CUI in transit and at rest
  • Network security controls: boundary protection, session protection, and configuration management
  • Audit logging and review, incident response, risk assessment, and periodic security assessment

Implementation Tips:

  • Define the CUI boundary first (an enclave is common) so the 110 requirements apply to as small a system as possible
  • Write the System Security Plan and keep it current; it is the primary artifact assessors review
  • Implement technical controls such as MFA, encryption, hardening, and vulnerability management
  • Establish centralized logging, log review, and alerting, and run regular internal assessments against NIST SP 800-171A

Timeline:

  • 6-12 months typical implementation
  • C3PAO assessment (or self-assessment where the contract allows it) every 3 years
  • Certification valid for 3 years with an annual affirmation; a conditional certification with open POA&M items must be closed out within 180 days

CMMC Level 3: Expert (Good Cyber Hygiene)

Level 3 builds on Level 2 and is required for a small set of contracts where CUI is at heightened risk from advanced persistent threats. It adds 24 selected enhanced security requirements from NIST SP 800-172 on top of the 110 Level 2 requirements, and a final Level 2 C3PAO certification for the in-scope systems is a prerequisite.

Key Requirements:

  • 24 enhanced requirements from NIST SP 800-172 in addition to the 110 Level 2 requirements
  • Government assessment by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO
  • Advanced security controls aimed at advanced persistent threats
  • Continuous monitoring and annual affirmation of continued compliance

Additional Practices:

  • Threat awareness and threat hunting informed by current adversary tactics
  • Security operations center capability with continuous monitoring and alerting
  • Cyber incident response team able to respond around the clock
  • Periodic penetration testing and assessment of the effectiveness of the security controls

Implementation Tips:

  • Obtain and maintain Level 2 certification for the in-scope systems before pursuing Level 3
  • Establish continuous monitoring and a threat-hunting capability
  • Build or contract an incident response team and exercise it
  • Conduct regular penetration tests and security assessments against NIST SP 800-172

Timeline:

  • 12-18 months typical implementation
  • DIBCAC assessment required
  • Certification valid for 3 years with an annual affirmation

CMMC Level Comparison

Feature                  Level 1                    Level 2                         Level 3
Number of requirements   15 (FAR 52.204-21)         110 (NIST SP 800-171)           110 + 24 (NIST SP 800-172)
Assessment type          Self-assessment            C3PAO (self-assessment for      DIBCAC (government)
                                                    some contracts)
Documentation            Evidence per requirement   SSP and POA&M                   Comprehensive
Information type         FCI                        CUI                             CUI at highest risk
Implementation time      3-6 months                 6-12 months                     12-18 months
Assessment validity      Annual                     3 years, annual affirmation     3 years, annual affirmation

Choosing the Right CMMC Level

Level 1 - FCI

  • Contracts that involve FCI only
  • No CUI handling
  • Simple IT environments
  • Limited security requirements

Level 2 - CUI

  • CUI handling required
  • The majority of defense contracts that involve CUI
  • Moderate security requirements
  • C3PAO assessment for most contracts

Level 3 - High-Value CUI

  • CUI at the highest risk from advanced persistent threats
  • Critical programs and systems
  • Advanced security requirements
  • Continuous monitoring

CMMC Implementation Roadmap

1. Assess Current State

Define which systems store, process, or transmit FCI or CUI, then assess your current cybersecurity posture against the requirements for the target level and identify gaps.

2. Determine Required Level

Based on your contract requirements and the information you handle (FCI only, CUI, or CUI at the highest risk), determine which CMMC level you need.

3. Develop Implementation Plan

Create a detailed plan for implementing the required practices and controls, with owners and dates for each gap.

4. Implement Controls

Execute your implementation plan and implement all required security controls on the in-scope systems.

5. Prepare for Assessment

Document each implemented requirement (the System Security Plan at Level 2 and above), collect the evidence an assessor will ask for, and schedule the self-assessment, C3PAO assessment, or DIBCAC assessment your level requires.

6. Maintain Compliance

Establish ongoing monitoring and maintenance so the annual affirmation can be made truthfully and the next assessment is routine.

Need Help Determining Your CMMC Level?

Get expert guidance on determining which CMMC level you need and how to achieve it.
