CMMC has three maturity levels. Each level requires more controls, costs more, and requires deeper expertise. This guide breaks down each level in detail: what's required, who needs it, what it costs, and how long it takes.
Quick Overview: The Three CMMC Levels
Think of CMMC levels as security maturity checkpoints:
- Level 1 (Foundational): Basic security hygiene. 17 practices. Self-assessed.
- Level 2 (Intermediate): Documented processes and controls. 110 practices. Third-party assessed by C3PAO.
- Level 3 (Advanced): Automated security controls and continuous monitoring. 171 practices. Third-party assessed by C3PAO.
Each level builds on the previous one. You don't "jump" levels—you start at the foundation and move up as requirements increase.
CMMC Level 1: Foundational Cybersecurity Hygiene
What Is Level 1?
Level 1 is basic cybersecurity blocking and tackling. It covers password management, antivirus, backups, and access controls. Think of it as "security 101 for small organizations with minimal CUI."
The 17 Level 1 Practices
Level 1 practices are grouped into these categories:
- Access Control (3 practices): User account management, login credentials, access restrictions
- Asset Management (2 practices): Inventory of hardware and software
- Awareness & Training (1 practice): Basic security training for all employees
- Data Protection (2 practices): Safeguard CUI, manage removable media
- Defense (2 practices): Antivirus, firewall, malware detection
- Incident Response (2 practices): Respond to and report security incidents
- Recovery (1 practice): Backups and recovery procedures
- Risks (2 practices): Identify and manage security risks
Example Level 1 practices:
- Enforce strong passwords (minimum 12 characters, complexity requirements)
- Enable multi-factor authentication (MFA) for critical accounts
- Keep systems patched with the latest security updates
- Install and maintain antivirus software on all computers
- Conduct annual security awareness training
- Maintain regular backups of critical data
- Document and respond to security incidents
How Level 1 Is Assessed
Self-assessment. No third-party auditor. You document your controls and submit them to the DoD CISO. This keeps costs low.
Who Needs Level 1
- Contractors handling minimal or no CUI
- Contractors with specific contracts requiring only Level 1
- Contractors using Level 1 as a first step before moving to Level 2 (rare; most go straight to Level 2)
Reality: Most defense contractors skip Level 1 and go straight to Level 2 if they handle meaningful CUI. Level 1 is too minimal for serious defense work.
Level 1 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Implementation | 4–8 weeks |
| Total Cost | $4,000–$6,000 (mostly internal labor) |
| Assessment Cost | $0 (self-assessed) |
| Ongoing Annual Cost | $2,000–$5,000 (tools + labor) |
Level 1 Pros & Cons
Pros:
- Low cost to implement
- Self-assessed (no C3PAO required)
- Good baseline for minimal CUI environments
Cons:
- Insufficient for most defense contractors
- No documented processes or risk management
- Doesn't meet prime contractor requirements
- Limited security controls
CMMC Level 2: Intermediate (Most Common)
What Is Level 2?
Level 2 is the "workhorse" level. It requires documented security processes, risk assessments, incident response procedures, and third-party assessment by a C3PAO. This is the level most defense contractors (80%+) need.
The 110 Level 2 Practices
Level 2 includes all 17 Level 1 practices plus 93 additional practices across these 17 domains:
- Access Control: Fine-grained access controls, privileged access management
- Asset Management: Detailed inventory of hardware, software, and configurations
- Awareness & Training: Role-specific security training programs
- Configuration Management: System baselines and change management
- Data Protection: Encryption, data classification, DLP
- Defense: EDR, SIEM, vulnerability scanning, network monitoring
- Identification & Authentication: Strong MFA, account management
- Incident Response: Detailed IR procedures, testing, forensics
- Recovery: Backup/restore testing, disaster recovery planning
- Risk Management: Risk assessments, POA&M, vendor risk management
- Security Planning & Policy: System Security Plan, policies, procedures
- System Development & Maintenance: Software development security, code review
- System/Information Integrity: Patch management, malware detection
- And more...
Example Level 2 practices beyond Level 1:
- Implement multi-factor authentication (MFA) for all users accessing CUI
- Conduct monthly vulnerability scanning and remediation
- Encrypt CUI both at rest (on disk) and in transit (over networks)
- Implement network segmentation to isolate CUI systems
- Deploy EDR (endpoint detection & response) on all computers
- Implement SIEM for centralized logging and threat detection
- Conduct annual risk assessments and create remediation plans
- Document all security policies and procedures
- Conduct incident response drills and testing
- Implement privileged access management (PAM) for sensitive accounts
How Level 2 Is Assessed
Third-party C3PAO assessment. A Certified CMMC Professional Organization audits your controls, reviews documentation, interviews staff, and tests systems. The assessment takes 3–5 days on-site for a mid-size company. If you pass, you get a 3-year certificate.
Who Needs Level 2
- Most defense contractors handling CUI
- Subcontractors working for prime contractors
- Companies with DoD contracts requiring CMMC
Most of you need Level 2. Ask your prime contractor: "What CMMC level does our contract require?" In 85% of cases, the answer is Level 2.
Level 2 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Gap Analysis | 2–4 weeks, $10K–$30K |
| Technical Implementation | 3–6 months, $30K–$150K |
| Documentation & SSP | 2–4 weeks, $3K–$15K |
| C3PAO Assessment | 3–5 months wait + 3–5 days on-site, $105K–$118K |
| Total Year 1 Cost | $150K–$300K (depending on company size) |
| Total Timeline | 6–12 months from start to certification |
| Ongoing Annual Cost | $10K–$50K/year |
Level 2 Pros & Cons
Pros:
- Meets requirements for most defense contracts
- Documented processes reduce security risk
- Third-party validation (C3PAO) adds credibility
- Comprehensive but achievable for mid-size contractors
Cons:
- Significant cost ($150K–$300K first year)
- 6–12 month implementation timeline
- Requires skilled IT and compliance staff
- Ongoing compliance obligations
CMMC Level 3: Advanced
What Is Level 3?
Level 3 is for organizations handling highly sensitive defense information or working on critical infrastructure programs. It requires automated monitoring, advanced threat detection, and continuous security controls. Only large primes and specialized contractors typically need Level 3.
The 171 Level 3 Practices
Level 3 includes all 110 Level 2 practices plus 61 additional advanced practices:
- Continuous monitoring: Real-time automated threat detection
- Advanced incident response: Forensics, threat hunting, APT response
- Threat modeling: Identify and mitigate advanced threats
- Supply chain risk: Vendor security assessment and management
- Advanced access control: Zero-trust network access, behavioral analytics
- Security architecture: Advanced system design and isolation
Example Level 3 practices beyond Level 2:
- Implement continuous automated monitoring with behavioral analytics
- Conduct threat modeling for high-value systems
- Implement advanced incident response capabilities including forensics
- Perform supply chain risk assessments of all critical vendors
- Implement zero-trust network access model
- Conduct security architecture reviews for all new systems
How Level 3 Is Assessed
Third-party C3PAO assessment (same as Level 2, but with more depth). The assessor evaluates more complex systems and advanced controls.
Who Needs Level 3
- Large prime contractors (>500 employees, significant DoD work)
- Defense contractors handling classified or near-classified information
- Contractors on critical infrastructure projects (power grid, water systems, etc.)
- Companies with advanced persistent threat (APT) risk profile
Reality: Less than 5% of defense contractors need Level 3. If you're unsure, you probably don't need it. Ask your prime contractor or the DoD contracting officer directly.
Level 3 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Gap Analysis | 4–6 weeks, $30K–$50K |
| Technical Implementation | 6–12 months, $150K–$400K+ |
| Documentation & SSP | 4–8 weeks, $10K–$30K |
| C3PAO Assessment | 3–5 months wait + 5–7 days on-site, $105K–$118K |
| Total Year 1 Cost | $300K–$600K+ (can exceed $1M for very large orgs) |
| Total Timeline | 12–18 months from start to certification |
| Ongoing Annual Cost | $50K–$150K/year |
Level 3 Pros & Cons
Pros:
- Meets requirements for critical defense work
- Continuous monitoring and automation reduce incident response time
- Advanced controls reduce risk from sophisticated threats
- Demonstrates leadership in security maturity
Cons:
- Very high cost ($300K–$600K+ first year)
- 12–18 month implementation timeline
- Requires specialized security expertise
- Complex tool integration and management
- Continuous compliance burden and costs
Level 1 vs. Level 2 vs. Level 3: Side-by-Side Comparison
| Attribute | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Practices Required | 17 | 110 | 171 |
| Assessment Type | Self-assessed | C3PAO audit | C3PAO audit (deeper) |
| Who Needs It | Minimal CUI, rare | Most contractors | Large primes only |
| Year 1 Cost | $4K–$6K | $150K–$300K | $300K–$600K+ |
| Timeline | 4–8 weeks | 6–12 months | 12–18 months |
| Annual Ongoing | $2K–$5K | $10K–$50K | $50K–$150K |
| Certificate Duration | 1 year (self-assessed) | 3 years | 3 years |
| Key Processes | None documented | SSP, policies, risk mgmt | All L2 + advanced monitoring |
| Tools Required | Basic (antivirus) | EDR, SIEM, scanning, MFA | All L2 + advanced SIEM, threat modeling |
Which Level Do I Need? Decision Framework
Ask these questions in order:
1. Do I have any DoD contracts that mention CMMC?
   - No: You don't need CMMC (yet). Stop here.
   - Yes: Go to question 2.
2. Does my contract explicitly state a CMMC level requirement?
   - Yes, Level 1: You need Level 1 (rare). Stop here.
   - Yes, Level 2: You need Level 2. Stop here.
   - Yes, Level 3: You need Level 3. Stop here.
   - No, or unclear: Go to question 3.
3. How much CUI do I handle?
   - Minimal (a few documents): Level 1 is technically sufficient, but Level 2 is safer.
   - Regular (CUI is part of normal operations): You definitely need Level 2.
   - Strategic (CUI is central to your business): Go to question 4.
4. Am I a prime contractor or handling critical/classified information?
   - No: You need Level 2.
   - Yes: You probably need Level 3. Consult the DoD contracting officer.
TL;DR: If you're unsure, assume Level 2. Most of you need Level 2. Less than 5% need Level 3. Almost nobody needs Level 1.
How CMMC Relates to NIST 800-171 and DFARS
NIST SP 800-171 is the Department of Commerce security standard. CMMC is based on NIST 800-171 but adds maturity levels and assessment rigor.
DFARS (Defense Federal Acquisition Regulation Supplement) is the contracting requirement that mandates CMMC compliance for certain contracts.
The relationship: DFARS says "you must be CMMC compliant" → CMMC says "implement NIST 800-171 controls at your level" → You implement NIST 800-171 practices grouped by CMMC maturity level.
FAQ: CMMC Levels
Can I downgrade from Level 2 to Level 1?
Technically yes, but it's a bad idea. If you've already achieved Level 2, the DoD and your prime contractor expect you to maintain it. Downgrading signals weakness in your security posture.
If I achieve Level 2, do I ever need to upgrade to Level 3?
Only if your contracts change or the DoD increases requirements. If your business stays the same (handling CUI but not critical information), Level 2 is sufficient long-term.
How often do I need to recertify?
- Level 1: Annually (self-assessed)
- Level 2 & 3: Every 3 years with a C3PAO
Can I combine Level 2 and Level 3 requirements?
No. You pursue one level. You can't "partially" do Level 3. If your contract requires Level 3, you must meet all 171 practices. If it requires Level 2, you must meet 110 practices (and can't be audited on Level 3 practices).
What if my contract changes mid-implementation?
If you're 6 months into a Level 2 implementation and your contract suddenly requires Level 3, you'll need to extend your implementation and assessment timelines. This is rare but possible. Stay in close communication with your prime contractor.