CMMC Primer
CMMC 2.0 Levels Explained
CMMC 2.0 ends years of pure self-attestation for the Defense Industrial Base. The program rule (32 CFR Part 170) took effect December 16, 2024, and the contract clause that puts it into solicitations (DFARS 252.204-7021) phases in over three years. Here is how the three levels map to your contracts, what assessment each requires, and how to scope your environment for certification.
Why CMMC exists
DFARS 252.204-7012 has required NIST SP 800-171 since the end of 2017, but compliance was entirely self-attested. DCMA DIBCAC assessments repeatedly found contractors whose self-reported SPRS scores of 110 collapsed under independent review, with only a fraction of the required controls actually implemented. CMMC adds an independent verification layer so the DoD can trust that the 200,000+ companies in its supply chain are doing what they say they do.
Level 1 — Foundational
Applies to: Contractors that only handle Federal Contract Information (FCI) — pricing data, delivery schedules, basic project status. No CUI.
Requirements: The 15 basic safeguarding requirements of FAR 52.204-21 (the 17 "practices" of CMMC 1.0 were consolidated to match the FAR clause one-for-one): authorized access, identity verification, media sanitization, physical access controls, boundary protection, and malware protection. The absolute floor of cyber hygiene.
Assessment: Annual self-assessment posted to SPRS, plus an annual affirmation from a senior company official.
Level 2 — Advanced
Applies to: The vast majority of contractors that handle Controlled Unclassified Information (CUI) — technical drawings, engineering specs, export-controlled data, federal PII.
Requirements: All 110 security requirements in NIST SP 800-171 Rev. 2, organized across 14 families. Implementation must be documented in a System Security Plan (SSP) with a Plan of Action and Milestones (POA&M) for any gaps.
Assessment — two tracks:
- Self-Assessment: For less critical CUI, where the solicitation allows it. Triennial self-assessment posted to SPRS plus an annual senior-official affirmation. The same 110 requirements and the same scoring rules apply; only the assessor changes.
- C3PAO Certification: For most Level 2 contracts. A triennial independent assessment by a CMMC Third-Party Assessment Organization (C3PAO), accredited by the Cyber AB. Certification is valid three years; annual affirmation still required.
Level 3 — Expert
Applies to: A small subset of contractors supporting the DoD's most critical programs, where CUI is at high risk from Advanced Persistent Threats.
Requirements: All 110 NIST SP 800-171 controls plus 24 enhanced requirements selected from NIST SP 800-172, including penetration testing, threat hunting and advanced monitoring, and an APT-grade incident response capability.
Assessment: Triennial government assessment conducted by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Level 2 C3PAO certification is a prerequisite.
How to determine your required level
- Level 1 — You only receive basic contract information (pricing, schedules). No technical data, no CUI markings.
- Level 2 — DFARS 252.204-7012 is already in your contracts, or you receive technical drawings, engineering specs, ITAR/EAR data, or anything marked CUI from the DoD or a prime.
- Level 3 — You work on the DoD's most sensitive programs (advanced weapons, nuclear-adjacent, critical national security). You will be told explicitly.
Do not assume your level based on company size. A three-person engineering firm supporting a critical program may need Level 3 (classified information is governed separately under the NISPOM; CMMC covers FCI and CUI). Confirm with your Contracting Officer.
Scoping: the highest-leverage decision you make
Scope defines what gets assessed. Too broad and you waste money applying rigorous controls to systems that don't need them. Too narrow and CUI shows up on unprotected assets and you fail the assessment.
For Level 2, 32 CFR 170.19 sorts assets into five categories, four of them in scope:
- CUI Assets — Process, store, or transmit CUI. Assessed against all 110 requirements.
- Security Protection Assets (SPA) — Provide security functions to the CUI environment (firewalls, EDR, MFA, identity providers, SIEM, backup). In scope, assessed against the requirements that apply to the function they provide.
- Contractor Risk Managed Assets (CRMA) — Capable of touching CUI but not intended to, by policy and practice. Must be inventoried and documented in the SSP with the risk-based controls that keep CUI off them; the assessor does not test them against the 110 requirements unless that documentation is insufficient, in which case a limited spot check follows.
- Specialized Assets — IoT, OT, GFE, restricted information systems, test equipment. Inventoried and documented in the SSP with a risk-management justification; not assessed against the other requirements at Level 2.
- Out-of-Scope Assets — Physically or logically separated from the CUI environment and unable to provide it security. Not assessed, but you must be able to show the separation.
The enclave approach
Most contractors should not put their entire company in scope. The enclave model creates a segmented, hardened environment — dedicated laptops, a separate Microsoft 365 GCC or GCC High tenant, an isolated network — for the small subset of users who actually touch CUI. A 500-person manufacturer with 30 engineers on DoD work can assess 30 users instead of 500, cutting cost and complexity dramatically. The caveat is that the boundary has to hold: any shared service the enclave depends on (the corporate identity provider, DNS, backup, a help desk with admin rights) becomes a Security Protection Asset and comes into scope with it, and CUI that leaks to a personal mailbox or a corporate file share pulls that asset into scope as a CUI Asset. Diagram the CUI data flows first, then draw the enclave around them.
What a C3PAO assessment looks like
- Pre-assessment review of your SSP and supporting documentation.
- Kickoff meeting to align on scope, schedule, and logistics.
- On-site or virtual assessment — interviews, configuration review, control tests.
- Scoring against the 110 requirements using the DoD Assessment Methodology: you start at 110 and lose 1, 3, or 5 points per unmet requirement, so a handful of missed 5-point items (MFA, FIPS-validated encryption, malware protection, boundary protection) can sink an otherwise solid implementation. A conditional pass needs at least 88 points, and every open item must be a 1-point requirement (32 CFR 170.21 also names a few 1-point requirements that can never be deferred, and allows CUI encryption, 3.13.11, to remain open at its 3-point partial-credit value).
- Conditional certification (180 days to close POA&M items) or Final certification if all 110 are met.
- Results submitted to CMMC eMASS; status reflected in SPRS.
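The scoring and POA&M rules above are easy to misapply, so here is an added example that encodes them as a small checker. It is not DoD, Cyber AB, or C3PAO tooling. The per-requirement weights, the partial-credit rules, the set of requirements barred from a POA&M, and the assessment results are constructed sample data labelled as such in the code; take the authoritative weights and exclusions from the DoD Assessment Methodology and 32 CFR 170.21 before relying on any number it produces.

```python
"""CMMC Level 2 score and POA&M eligibility checker (added example, not DoD tooling).

Rules encoded, as this example understands them:
  * score = 110 minus the weight (1, 3 or 5) of every open requirement;
  * a conditional certification needs score >= 88 and nothing open worth
    more than 1 point, except 3.13.11 at its 3-point partial value;
  * a few 1-point requirements may never be deferred to a POA&M;
  * nothing open at all is a final certification.
"""
from dataclasses import dataclass, field
from enum import Enum

MAX_SCORE = 110
PASS_SCORE = 88  # 80% of 110, rounded up


class Status(Enum):
    MET = "met"
    NOT_MET = "not met"
    PARTIAL = "partial"  # only valid for requirements with a partial-credit rule


# Constructed sample of per-requirement weights (illustrative, not the full
# DoD table, which covers all 110 requirements).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.3": 1, "3.3.4": 1,
    "3.5.3": 5, "3.5.7": 1, "3.5.8": 1,
    "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
# Assumed partial-credit rule: MFA deployed only for remote/privileged users,
# or encryption in place but not FIPS-validated, costs 3 points instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# Assumed sample of 1-point requirements that 170.21 keeps off any POA&M.
NO_POAM = {"3.1.20", "3.1.22"}
# The one requirement allowed on a POA&M at 3 points.
POAM_AT_THREE = "3.13.11"


@dataclass
class Outcome:
    score: int
    result: str  # "final", "conditional" or "fail"
    poam: list = field(default_factory=list)
    blockers: list = field(default_factory=list)


def deduction(rid: str, status: Status) -> int:
    """Points lost for one requirement under the given status."""
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL:
        if rid not in PARTIAL_CREDIT:
            raise ValueError(f"{rid} has no partial-credit rule")
        return PARTIAL_CREDIT[rid]
    return WEIGHTS[rid]


def score(results: dict) -> int:
    """110 minus every open item's weight; requirements not listed count as MET."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in results.items())


def evaluate(results: dict) -> Outcome:
    """Classify an assessment as final, conditional, or fail, explaining blockers."""
    total = score(results)
    open_items = [r for r, st in results.items() if st is not Status.MET]
    if not open_items:
        return Outcome(total, "final")
    blockers = []
    for rid in open_items:
        lost = deduction(rid, results[rid])
        if rid in NO_POAM:
            blockers.append(f"{rid}: may not be placed on a POA&M")
        elif lost > 1 and not (rid == POAM_AT_THREE and lost == 3):
            blockers.append(f"{rid}: {lost}-point items cannot be deferred")
    if total < PASS_SCORE:
        blockers.append(f"score {total} is below {PASS_SCORE}")
    if blockers:
        return Outcome(total, "fail", open_items, blockers)
    return Outcome(total, "conditional", open_items)


# Constructed sample results. The first is conditionally certifiable; the
# second scores higher than 88 but still fails on POA&M rules alone.
SAMPLE_CONDITIONAL = {
    "3.13.11": Status.PARTIAL,  # TLS everywhere, modules not FIPS-validated
    "3.5.7": Status.NOT_MET,    # password complexity not enforced
    "3.3.4": Status.NOT_MET,    # no alert on audit logging failure
}
SAMPLE_FAIL = {
    "3.5.3": Status.NOT_MET,    # no MFA at all: a 5-point item
    "3.1.22": Status.NOT_MET,   # barred from POA&M regardless of weight
}

if __name__ == "__main__":
    for name, sample in (("conditional", SAMPLE_CONDITIONAL), ("fail", SAMPLE_FAIL)):
        print(name, evaluate(sample))
```

The second sample is the point worth remembering: a score in the triple digits is not a pass. One missing 5-point control, or one open item from the barred list, forces a full reassessment rather than a conditional certificate with 180 days to remediate.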
The phased rollout
- Phase 1 (Nov 10, 2025 – Nov 2026): Begins when the DFARS 252.204-7021 clause takes effect. Level 1 and Level 2 self-assessment requirements appear in new solicitations; the DoD may require Level 2 C3PAO certification on individual contracts at its discretion.
- Phase 2 (Nov 2026): Level 2 C3PAO certification requirements come online.
- Phase 3 (Nov 2027): Level 3 certification kicks in; C3PAO requirements broaden.
- Phase 4 (Nov 2028): Full implementation across all applicable contracts.
C3PAO capacity is limited. Contractors who start now will have a meaningful edge once wait times spike.
Need help getting CMMC-ready?
Desra Secure runs CMMC scoping workshops, gap assessments, SSP and POA&M builds, and pre-assessment readiness aligned to Level 2 and Level 3.
This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle.
