CMMC (the current 2.0 model, codified at 32 CFR Part 170) comes in three levels of increasing maturity. Each one piles on more controls, more cost, and frankly more complexity. I'll break down what you actually need to do, what's going to hit your budget, and how long this will take.
Quick Overview: The Three CMMC Levels
Picture these as security maturity checkpoints, each one building on the last:
- Level 1 (Foundational): Basic safeguarding of Federal Contract Information (FCI). 15 practices, taken straight from FAR 52.204-21. Annual self-assessment.
- Level 2 (Advanced): The 110 requirements of NIST SP 800-171 Rev 2, for anyone who handles CUI. Third-party C3PAO certification every three years for most contracts; the DoD designates a minority of contracts as Level 2 self-assessment.
- Level 3 (Expert): Level 2 plus 24 selected requirements from NIST SP 800-172, 134 in total. Assessed by the government (DCMA DIBCAC), and only after you hold a Level 2 C3PAO certification.
Each level builds on the previous one. You don't "jump" levels: the Level 1 practices are a subset of Level 2, and a Level 3 assessment cannot even be scheduled until the Level 2 certification is in hand.
CMMC Level 1: Foundational Cybersecurity Hygiene
What Is Level 1?
Level 1 is the bare minimum: limit system access to authorized users, identify and authenticate them, control physical access, protect the network boundary, patch known flaws, and run up-to-date malware protection. It applies to contractors that handle Federal Contract Information (FCI) but no CUI; the moment CUI is in scope, you are at Level 2. But here's the reality: most defense contractors skip this entirely.
The 15 Level 1 Practices
Level 1 practices are the 15 basic safeguarding requirements of FAR 52.204-21, grouped by NIST SP 800-171 family:
- Access Control (4 practices): Limit system access to authorized users, limit users to the transactions and functions they are permitted, control external connections, control information posted on publicly accessible systems
- Identification & Authentication (2 practices): Identify users, processes and devices; authenticate them before granting access
- Media Protection (1 practice): Sanitize or destroy media containing FCI before disposal or reuse
- Physical Protection (2 practices): Limit physical access to systems and equipment; escort visitors and keep physical access logs
- System & Communications Protection (2 practices): Monitor and control communications at the system boundary; separate publicly accessible components from the internal network
- System & Information Integrity (4 practices): Identify and correct flaws promptly, run malicious code protection, keep it updated, and scan systems and incoming files
Example Level 1 practices:
- Restrict system access to authorized users, and restrict each user to the transactions and functions they need
- Give every user a unique identifier and authenticate them before granting access
- Keep systems patched: identify, report and correct flaws in a timely manner
- Install malicious code protection on all systems and keep its signatures current
- Scan systems periodically and scan files from external sources as they arrive
- Put a firewall or equivalent boundary control between your network and the internet, and keep public-facing services segregated from internal systems
- Control and log physical access to the systems that hold FCI
Note what is not on the list: MFA, backups, security awareness training and incident response are all Level 2 requirements. If a "Level 1 checklist" contains them, it is a Level 2 list.
How Level 1 Is Assessed
You assess yourself against all 15 practices every year. There is no partial credit and no POA&M at Level 1: every practice must be MET. You record the result in SPRS (the Supplier Performance Risk System), and a senior company official signs an annual affirmation that it is accurate. Cheap, but that comes with a catch: the affirmation is a legal attestation, and the DoD can investigate your evidence at any time.
Who Needs Level 1
- Contractors that handle FCI but no CUI
- Contractors with specific contracts requiring only Level 1
- First step before moving to Level 2 (rare; most go straight to Level 2)
Here's what I usually tell contractors: if you're handling real CUI, skip Level 1 entirely. Go straight to Level 2. Level 1 is fine if you handle no CUI at all, but how many of you can honestly say that?
Level 1 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Implementation | 4–8 weeks |
| Total Cost | $4,000–$6,000 (mostly internal labor) |
| Assessment Cost | $0 (self-assessed) |
| Ongoing Annual Cost | $2,000–$5,000 (tools + labor) |
Level 1 Pros & Cons
Pros:
- Low cost to implement
- Self-assessed (no C3PAO required)
- Good baseline for minimal CUI environments
Cons:
- Insufficient for most defense contractors
- No documented processes or risk management
- Doesn't meet prime contractor requirements
- Limited security controls
CMMC Level 2: Advanced (Most Common)
What Is Level 2?
Level 2 is where most of you live. You need documented processes, a third-party assessor digging through your systems (unless the DoD has designated your contract for self-assessment, which is the minority), and, yes, it costs real money. But about 80% of contractors dealing with meaningful CUI end up here.
The 110 Level 2 Practices
Level 2 is exactly NIST SP 800-171 Rev 2: 110 requirements across 14 families (the 15 Level 1 practices are a subset, so you are adding 95):
- Access Control: Least privilege, separation of duties, privileged account control, remote access, wireless and mobile device controls
- Awareness & Training: Security awareness for everyone, role-based training, insider threat awareness
- Audit & Accountability: Generate, protect, retain and review audit logs; this is where a SIEM earns its keep
- Configuration Management: Baselines, change control, least functionality, application allow-listing
- Identification & Authentication: MFA, password and replay-resistance requirements, identifier management
- Incident Response: An incident handling capability covering detection, analysis, containment and recovery, tracked incidents, and tested plans
- Maintenance: Controlled system maintenance, sanitized equipment before it leaves the site, MFA for remote maintenance sessions
- Media Protection: Marking, access control, sanitization and encryption of media holding CUI, including backups
- Personnel Security: Screening before access, and CUI protection during terminations and transfers
- Physical Protection: Physical access control, visitor escort, physical access logs, alternate work sites
- Risk Assessment: Periodic risk assessments, vulnerability scanning and remediation
- Security Assessment: Assess controls, maintain a POA&M, monitor controls, and maintain the System Security Plan (SSP)
- System & Communications Protection: Boundary protection, FIPS-validated cryptography, session protection, CUI encryption in transit and at rest
- System & Information Integrity: Flaw remediation, malicious code protection, alerts and advisories, system monitoring
Example Level 2 practices beyond Level 1:
- Enforce MFA for every privileged account (local and network) and for every network login by non-privileged users (3.5.3)
- Scan for vulnerabilities periodically and whenever new ones affecting your systems are identified, and remediate what you find (3.11.2, 3.11.3)
- Protect the confidentiality of CUI in transit and at rest, using FIPS-validated cryptography wherever cryptography is the mechanism (3.13.8, 3.13.11, 3.13.16)
- Segment the network so that CUI systems sit behind controlled boundaries and public-facing components are isolated (3.13.1, 3.13.5)
- Run malicious code protection and monitor systems for attacks and indicators (3.14.2, 3.14.6); EDR is how most shops meet this
- Generate, protect and review audit logs, with synchronized clocks; a SIEM is the usual way (3.3.1 through 3.3.9)
- Assess risk periodically and track remediation in a POA&M (3.11.1, 3.12.2)
- Write and maintain the System Security Plan that describes how every requirement is met (3.12.4)
- Test the incident response capability, not just document it (3.6.3)
- Enforce least privilege and keep privileged functions out of ordinary user accounts; a PAM tool fits here (3.1.5 through 3.1.7)
How Level 2 Is Assessed
For most contracts, an accredited third-party firm (a C3PAO, accredited by the Cyber AB) reviews your SSP and evidence, interviews your staff, and tests your systems. The assessment is scoped: it covers the assets that store, process or transmit CUI and the security protection assets that defend them, so a well-drawn CUI enclave is the single biggest lever on both cost and assessment time. Figure on 3–5 days on-site if you're mid-sized. Every requirement is scored MET or NOT MET. A POA&M is tolerated only for a limited set of 1-point requirements, with a minimum score of 88 of 110 and a 180-day deadline to close it, after which a conditional certification lapses. Pass and you're certified for 3 years, with a senior official affirming continued compliance in SPRS every year. A minority of contracts are designated Level 2 self-assessment, which follows the same 110 requirements on the same three-year cycle, just without the C3PAO.
Who Needs Level 2
- Most defense contractors handling CUI
- Subcontractors working for prime contractors
- Companies with DoD contracts requiring CMMC
Call your prime contractor right now and ask: "What CMMC level does our contract require?" Ninety times out of a hundred, they'll say Level 2.
Level 2 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Gap Analysis | 2–4 weeks, $10K–$30K |
| Technical Implementation | 3–6 months, $30K–$150K |
| Documentation & SSP | 2–4 weeks, $3K–$15K |
| C3PAO Assessment | 3–5 months wait + 3–5 days on-site, $105K–$118K |
| Total Year 1 Cost | $150K–$300K (depending on company size) |
| Total Timeline | 6–12 months from start to certification |
| Ongoing Annual Cost | $10K–$50K/year |
Level 2 Pros & Cons
Pros:
- Meets requirements for most defense contracts
- Documented processes reduce security risk
- Third-party validation (C3PAO) adds credibility
- Comprehensive but achievable for mid-size contractors
Cons:
- Significant cost ($150K–$300K first year)
- 6–12 month implementation timeline
- Requires skilled IT and compliance staff
- Ongoing compliance obligations
CMMC Level 3: Expert
What Is Level 3?
Level 3 is the elite tier: the 110 Level 2 requirements plus a selected subset of NIST SP 800-172's enhanced requirements, built for programs whose CUI is a target for advanced persistent threats. You typically only need this if you're handling the crown jewels or working on critical defense programs. Honestly? Less than 5% of contractors actually need this.
The 134 Level 3 Practices
Level 3 includes all 110 Level 2 practices plus 24 enhanced requirements selected from NIST SP 800-172:
- Threat awareness and threat hunting: Use current threat intelligence to inform defenses and actively hunt for intrusions rather than waiting for alerts
- Security operations: A security operations capability staffed for round-the-clock response and an incident response team that can be deployed
- Penetration testing: Regular testing by people who think like the adversary, not just vulnerability scanning
- Supply chain risk: Assess and manage the risk that vendors and components introduce, with authoritative sources for software and firmware
- Advanced access control: Dual authorization for critical operations, restricting access to organization-owned and validated devices, bidirectional authentication between systems
- Security architecture: Isolation of critical systems, automated discovery and configuration checking of assets, integrity verification of security-critical software
Example Level 3 practices beyond Level 2:
- Run a threat hunting program, driven by current threat intelligence, to find adversary activity that automated detection missed
- Staff a security operations capability that can respond at any hour and an incident response team that can be activated on demand
- Conduct periodic penetration tests, from outside and inside, and feed the findings back into the architecture
- Assess supply chain risk for critical vendors and components and maintain a plan for managing it
- Require dual authorization for critical operations such as changes to the security architecture
- Isolate critical systems and verify the integrity of security-critical software before and during operation
How Level 3 Is Assessed
Not by a C3PAO. Level 3 is assessed by the government, specifically the Defense Contract Management Agency's DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), and you must already hold a final Level 2 C3PAO certification covering the same scope. The DIBCAC team evaluates the 24 enhanced requirements on the assumption that the Level 2 baseline underneath them is already solid.
Who Needs Level 3
- Large prime contractors (>500 employees, significant DoD work) whose contracts specify it
- Contractors on programs whose CUI is explicitly at elevated risk from advanced persistent threats (classified information is outside CMMC entirely; that is NISPOM territory)
- Contractors on critical infrastructure projects (power grid, water systems, etc.)
- Companies with an advanced persistent threat (APT) risk profile
Real talk: if you're unsure whether you need Level 3, you don't. Call your prime contractor and ask them straight up. They'll know.
Level 3 Costs & Timeline
| Metric | Cost / Timeline |
|---|---|
| Gap Analysis | 4–6 weeks, $30K–$50K |
| Technical Implementation | 6–12 months, $150K–$400K+ |
| Documentation & SSP | 4–8 weeks, $10K–$30K |
| Assessment (Level 2 C3PAO certification first, then DCMA DIBCAC for Level 3) | 3–5 months wait + 5–7 days on-site, $105K–$118K |
| Total Year 1 Cost | $300K–$600K+ (can exceed $1M for very large orgs) |
| Total Timeline | 12–18 months from start to certification |
| Ongoing Annual Cost | $50K–$150K/year |
Level 3 Pros & Cons
Pros:
- Meets requirements for critical defense work
- Continuous monitoring and automation reduce incident response time
- Advanced controls reduce risk from sophisticated threats
- Demonstrates leadership in security maturity
Cons:
- Very high cost ($300K–$600K+ first year)
- 12–18 month implementation timeline
- Requires specialized security expertise
- Complex tool integration and management
- Continuous compliance burden and costs
Level 1 vs. Level 2 vs. Level 3: Side-by-Side Comparison
| Attribute | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Practices Required | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 134 (110 + 24 from NIST SP 800-172) |
| Assessment Type | Annual self-assessment | C3PAO certification (self-assessment for designated contracts) | DCMA DIBCAC, after Level 2 C3PAO certification |
| Who Needs It | FCI only, no CUI | Anyone handling CUI | Programs at elevated APT risk |
| Year 1 Cost | $4K–$6K | $150K–$300K | $300K–$600K+ |
| Timeline | 4–8 weeks | 6–12 months | 12–18 months |
| Annual Ongoing | $2K–$5K | $10K–$50K | $50K–$150K |
| Certificate Duration | 1 year (self-assessed, annual affirmation) | 3 years, annual affirmation | 3 years, annual affirmation |
| Key Processes | None documented | SSP, POA&M, policies, risk mgmt | All L2 + threat hunting, pen testing, SCRM |
| Tools Required | Basic (antivirus, firewall) | EDR, SIEM, scanning, MFA | All L2 + SOC tooling, threat intel |
Which Level Do I Need? Decision Framework
Stop guessing. Walk through these questions in order and you'll know:
- Do I have any DoD contracts that mention CMMC?
- No: You don't need CMMC (yet). Stop here.
- Yes: Go to question 2.
- Does my contract explicitly state a CMMC level requirement?
- Yes, Level 1: You need Level 1 (rare). Stop here.
- Yes, Level 2: You need Level 2. Stop here.
- Yes, Level 3: You need Level 3. Stop here.
- No, or unclear: Go to question 3.
- How much CUI do I handle?
- Any CUI at all, even a few documents: Level 2. Level 1 covers FCI only, so there is no "minimal CUI" exemption.
- Regular (CUI is part of normal operations): You definitely need Level 2.
- Strategic (CUI is central to your business): Go to question 4.
- Am I a prime contractor or on a program flagged for elevated APT risk?
- No: You need Level 2.
- Yes: You probably need Level 3. Confirm with the DoD contracting officer; the level is set by the contract, not by your own judgment.
Bottom line: if you're on the fence, assume Level 2. That covers the vast majority of you. Level 3 is for the outliers. Level 1? Honestly, almost nobody needs it.
How CMMC Relates to NIST 800-171 and DFARS
NIST SP 800-171 is NIST's standard for protecting CUI in nonfederal systems (NIST sits under the Department of Commerce, which is why you sometimes hear it described that way). CMMC does not rewrite those controls; it adds levels, an assessment regime and an affirmation requirement on top of them.
DFARS (Defense Federal Acquisition Regulation Supplement) is the contract vehicle. Clause 252.204-7012 has required NIST SP 800-171 and 72-hour cyber incident reporting since 2017; 252.204-7019 and 7020 require a NIST SP 800-171 self-assessment score in SPRS; 252.204-7021 is the clause that imposes CMMC itself.
The relationship: DFARS says "you must hold the CMMC level named in this contract" → CMMC says "implement NIST 800-171 (and, at Level 3, selected NIST 800-172 requirements) and get assessed at that level" → you implement the NIST requirements grouped by CMMC level.
FAQ: CMMC Levels
Can I downgrade from Level 2 to Level 1?
Technically yes, but it's a bad idea. If you've already achieved Level 2, the DoD and your prime contractor expect you to maintain it. Downgrading signals weakness in your security posture.
If I achieve Level 2, do I ever need to upgrade to Level 3?
Only if your contracts change or the DoD increases requirements. If your business stays the same (handling CUI but not critical information), Level 2 is sufficient long-term.
How often do I need to recertify?
Level 1: Annual self-assessment, with an annual affirmation in SPRS
Level 2 & 3: Every 3 years (C3PAO for Level 2, DCMA DIBCAC for Level 3), plus an annual affirmation of continued compliance in between
Can I combine Level 2 and Level 3 requirements?
No. You pursue one level. You can't "partially" do Level 3. If your contract requires Level 3, you must meet all 134 practices (and hold a Level 2 certification first). If it requires Level 2, you must meet the 110 practices and can't be assessed on the 24 enhanced ones.
What if my contract changes mid-implementation?
If you're 6 months into a Level 2 implementation and your contract suddenly requires Level 3, you don't lose the work: Level 3 requires the Level 2 certification anyway, so finish it, then extend your timeline for the 24 enhanced requirements and the DIBCAC assessment. This is rare but possible. Stay in close communication with your prime contractor.