Most contractors who land on this site already know they need CMMC Level 2. But if you’re not sure, or if your prime just said “you need CMMC” without specifying which level, this page will sort it out in about three minutes.

The short version

CMMC has three levels. Each one protects a different category of information and requires a different type of assessment.

Level 1
  Protects: Federal Contract Information (FCI)
  Practices: 17
  Assessment: Annual self-assessment
  Assessed by: You (entered into SPRS)
  Cost: Minimal (documentation effort)

Level 2 (most contractors)
  Protects: Controlled Unclassified Information (CUI)
  Practices: 110 (NIST SP 800-171)
  Assessment: Third-party C3PAO audit
  Assessed by: Certified assessors you hire
  Cost: $50K-$150K+ total (prep + assessment)

Level 3
  Protects: Highest-sensitivity CUI programs
  Practices: 110 + NIST SP 800-172 extras
  Assessment: Government-led assessment
  Assessed by: DCMA (the government comes to you)
  Cost: Significantly more than Level 2

If you’re reading this site, you almost certainly need Level 2. But let’s make sure.

How to figure out which level applies to you

Look at your contract (or the solicitation). The CMMC level is specified in DFARS clause 252.204-7021. If you don’t see it yet, ask your contracting officer or your prime.

The deciding factor is what type of information you handle:

If you only handle FCI (information provided by or generated for the government that isn’t public, but isn’t sensitive enough to be marked CUI), you need Level 1.

If you handle CUI (technical drawings, engineering data, test results, export-controlled information, or anything marked with a CUI banner), you need Level 2.

If you handle CUI on a critical national security program and the contract specifically calls for it, you need Level 3. You’ll know if this applies to you because the government will tell you directly.

If you’re not sure whether what you handle is FCI or CUI, that’s a scoping conversation worth having before you invest months in assessment prep. Start by looking at what your prime sends you and how it’s marked.

Level 1: Basic safeguarding

Who needs it: Contractors who handle FCI but no CUI.

What it requires: 17 basic cybersecurity practices. Things like using antivirus, limiting physical access to systems, and requiring passwords. If you’re running a reasonably managed IT environment, you probably meet most of these already.

How you prove it: Annual self-assessment. You score yourself against the 17 practices, enter your score into SPRS (the Supplier Performance Risk System), and affirm it annually. No assessor visits. No C3PAO.

What it costs: Minimal. The main effort is documenting that you do what you say you do and entering the score.

The catch with self-assessment

Self-assessment means you’re certifying your own compliance. If an audit reveals you overclaimed, that’s a False Claims Act risk. Be honest about your score.

Level 2: The big one

Who needs it: Any contractor who handles CUI. This is the majority of the defense industrial base that touches sensitive-but-unclassified information.

What it requires: All 110 security practices from NIST SP 800-171 Revision 2, organized into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

How you prove it: A C3PAO (Certified Third-Party Assessment Organization) sends assessors to evaluate your organization. They review your System Security Plan (SSP), examine evidence, interview your team, and verify that you meet each practice. You choose your C3PAO, schedule the assessment, and pay for it.

Timeline: Phase 1 (self-assessments for some contracts) is already underway. Phase 2 (mandatory C3PAO assessments for Level 2) begins November 10, 2026. Typical preparation takes 6 to 18 months depending on how much you already have in place.

What it costs: The C3PAO assessment itself runs anywhere from $30,000 to $100,000+ depending on the size and complexity of your environment. Preparation costs (gap analysis, remediation, documentation, MSSP support) vary widely. For a small contractor with 10-50 people and a decent MSP, expect $50,000-$150,000 total including the assessment.

The real challenge at Level 2

Level 2 isn’t primarily a technology problem. Most contractors already have the tools. It’s a documentation and articulation problem. You need to define how each practice works in your environment, document it in your SSP, and be able to explain it to someone who has never seen your network. That’s what this site is built to help with.

Level 3: Government-assessed

Who needs it: A small number of contractors working on the most sensitive defense programs. The contract will explicitly require Level 3.

What it requires: Everything in Level 2, plus a subset of enhanced practices from NIST SP 800-172. These go beyond standard CUI protection into things like threat hunting, advanced incident response, and security operations center capabilities.

How you prove it: The government conducts the assessment directly through DCMA (Defense Contract Management Agency). This isn’t a third-party audit you schedule yourself. The government comes to you.

What it costs: Significantly more than Level 2, both in preparation and in the operational security capabilities required. Most Level 3 contractors have dedicated security teams or deeply integrated MSSP partnerships.

Who this isn’t for: If nobody has explicitly told you that you need Level 3, you don’t need Level 3. It’s not something you accidentally stumble into.

Common confusion

“My prime says I need CMMC but didn’t specify a level.” Ask. The level should be in the contract language. If your prime can’t tell you, ask the contracting officer. Don’t guess and don’t assume Level 1 just because it’s easier.

“I handle some CUI but not much.” Volume doesn’t matter. If any CUI touches your systems, you need Level 2 for those systems. The question isn’t how much CUI you handle, it’s whether you handle any at all.

“Can I just get Level 1 and deal with Level 2 later?” Only if your current contracts genuinely don’t involve CUI. If they do and you self-assess at Level 1, you’re miscertifying. When the contract requires Level 2 and you don’t have it, you lose the contract.

“Do subcontractors need CMMC too?” If CUI flows down to them, yes. The requirement follows the data, not the contract tier.

“What about Level 2 self-assessment?” Some contracts allow Level 2 self-assessment instead of C3PAO assessment, but this is limited to contracts where the CUI risk is lower. The DoD specifies which option applies in the contract. Don’t count on self-assessment being available for your situation.

Not sure where to start with Level 2 preparation? The Start Here guide walks through the first steps, and the practice pages cover the hardest controls in detail. If you keep running into unfamiliar terms, the glossary has every acronym in plain English.