The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 1 vs Level 2: Which One Does Your Contract Require?

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The CMMC level you need isn't a choice. It's set by the data your systems touch and the clause buried in your contract. If your systems only handle Federal Contract Information (FCI) — basic, non-public contract information — you need CMMC Level 1: 15 safeguards from Federal Acquisition Regulation (FAR) clause 52.204-21, a self-assessment you renew every year, no outside auditor. If your systems handle Controlled Unclassified Information (CUI) — sensitive information the government requires you to protect — you need CMMC Level 2: all 110 requirements in NIST SP 800-171 Revision 2, verified every three years either by your own self-assessment or by a Certified Third-Party Assessment Organization (C3PAO). Your solicitation tells you which.

Here's the catch most pages miss: there are really three answersin front of you, not two — Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO). Pick the wrong one and you either lose a contract you were qualified for or spend six figures you didn't have to.

What we actually verified for this guide. We read the controlling rule text in the electronic Code of Federal Regulations — 32 CFR Part 170, sections 170.14 through 170.24. We confirmed the phase dates against the DoD Chief Information Officer's official CMMC program page. We pulled the cost figures from DoD's Regulatory Impact Analysis in the Federal Register. We checked the assessor ecosystem against the Cyber AB's March 2026 Town Hall data. Where a number was widely repeated but wrong — like “Level 1 has 17 practices” — we traced it back to the rule and corrected it. Full source list at the bottom, with verification dates.

Last reviewed June 2026

In short: CMMC Level 1 and Level 2 cover different information types and carry different assessment obligations, so the level you need is set by your contract — specifically whether you handle FCI or CUI — not by choice. Which level and provider category fit your situation depends on those details; use Find My CMMC Path to confirm before requesting quotes.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

CMMC Level 1 vs Level 2 at a Glance

Quick answer: CMMC Level 1 protects FCI with 15 self-assessed safeguards renewed annually and no outside auditor. CMMC Level 2 protects CUI with the 110 requirements in NIST SP 800-171 Revision 2, verified every three years by either a self-assessment or a C3PAO depending on the contract. The decisive differences are the type of data, the requirement count (15 versus 110), who performs the assessment, and whether you can defer a gap with a plan of action (Level 1 cannot; Level 2 can, under strict limits).

FactorCMMC Level 1 (Foundational)CMMC Level 2 (Advanced)
What triggers itYou process, store, or transmit FCI onlyYou process, store, or transmit CUI
Requirement count15 safeguards (FAR 52.204-21(b)(1))110 requirements (NIST SP 800-171 Rev. 2), across 14 families
Assessment objectives59 (NIST SP 800-171A)~320 (NIST SP 800-171A)
Who assesses youYou do (self-assessment)You do or a C3PAO — set by the contract
How oftenEvery yearFull assessment every 3 years + an annual affirmation
POA&M permitted?Not allowed — all 15 must be metAllowed for some requirements only; 180-day closeout
Conditional status?No — pass or failYes — Conditional, then Final within 180 days
System of recordSPRSSPRS (self) / eMASS → SPRS (C3PAO)
Cloud handling CUINo FedRAMP requirementFedRAMP Moderate (or equivalent) for any cloud touching CUI
Best forFCI-only DoD work — roughly 63% of the defense industrial baseAny contract or flow-down involving CUI
Contract clauseFAR 52.204-21; DFARS 252.204-7019/7020DFARS 252.204-7021; 32 CFR Part 170
First moveConfirm you have no CUI in scopeConfirm CUI scope, then confirm Self vs C3PAO

Sources: 32 CFR §§170.14–170.18; DoD CIO, “About CMMC”; Federal Register, Oct. 15, 2024.

Two abbreviations to lock in now. SPRS is the Supplier Performance Risk System — DoD's official database where your CMMC status and affirmation live, and the system a contracting officer checks before award. A C3PAO is a Certified Third-Party Assessment Organization — a company authorized by the Cyber AB to perform official Level 2 assessments.

The Real Difference: FCI vs CUI (and Why So Many Contractors Guess Wrong)

Quick answer: The single fact that decides whether you need CMMC Level 1 or Level 2 is the type of government information your systems handle. FCI is non-public information provided by or generated for the government under a contract; CUI is information that laws, regulations, or government-wide policy require you to safeguard. FCI-only work points to Level 1. The presence of CUI points to Level 2.

Most people anchor on the wrong thing. They look at company size, contract dollar value, or how “important” they feel in the supply chain. None of that sets your level. The data does.

FCIis the floor. Per FAR 52.204-21, it's information not intended for public release that the government provides to you, or that you generate for the government, under a contract to deliver a product or service. Think non-public purchase order details, internal contract correspondence, delivery schedules that aren't published. If that's all you touch, Level 1 is your world.

CUIis the line that changes everything. It's a defined category of sensitive — but unclassified — information that the government requires you to protect under law, regulation, or government-wide policy. In defense work it shows up as CUI-marked technical drawings, controlled technical information, engineering specifications, export-controlled technical data, and certain security or operational information. If CUI lands in your environment, Level 1 is not enough, full stop.

At Level 1, only the information systems that store, process, or transmit FCI are in scope. Level 2 scoping is broader and more formal, which is part of why the jump from one level to the other is bigger than the requirement count alone suggests.

The trap that costs the most money

Assuming you have “no CUI” when you actually do. CUI is not always neatly labeled, and a prime may flow it to you inside drawings or specs without a flashing sign. When it's ambiguous, you ask the contracting officer or your prime, in writing, and you keep the answer. We give you the exact email to send in the next section.

Which CMMC Level Do You Need — Level 1 or Level 2?

Quick answer:You likely need Level 1 if your DoD work involves FCI and no CUI. You likely need Level 2 if your contract, subcontract, technical data, or a prime's flow-down involves CUI — but the solicitation or flow-down determines whether that Level 2 is self-assessed or C3PAO-assessed.

Run this in order. It's the same logic a good readiness advisor walks you through on day one.

  1. Does the solicitation or subcontract already name a CMMC status? If it says Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO), that's your answer — you're done guessing.
  2. Do you process, store, or transmit FCI? Almost certainly yes if you do any DoD work.
  3. Do you process, store, or transmit CUI?This is the swing question. If yes, you're in Level 2 territory.
  4. Is a prime flowing down CUI or a required CMMC status to you? If a prime sends you CUI, the obligation follows the data to you.
  5. If Level 2, does the clause say Self or C3PAO? Don't assume “Level 2” means “third party.” It often doesn't — yet.

When the answer is unclear, send this

“Please confirm whether this solicitation/subcontract requires CMMC Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) for the systems we will use, and confirm whether any information we will receive or generate under this effort is designated as CUI. We want to scope our compliance correctly before we incur cost.”

That one email can prevent five-figure mistakes. It moves the ambiguity onto the record and protects you if anyone later claims you should have known.

If you only handle FCI and your contract names Level 1, hear this plainly: you do not need a six-figure Level 2 program, you do not need a C3PAO, and you should not let anyone sell you one. Your path is a Level 1 self-assessment you can largely run in-house. Read the Level 1 requirements section below, grab the readiness checklist, and you're most of the way there.

Still mapping your situation?

Tell us your data type, contract clause, level, scope, and timeline and we'll match you with source-checked CMMC provider options — readiness, secure-cloud/enclave, software, or assessment — that fit where you actually are. No pressure, no obligation.

Find My CMMC Path →

Provider-category routing only — please don't enter CUI, drawings, or sensitive contract details.

CMMC Level 2 Self vs C3PAO: Which Level 2 Path Applies?

Quick answer:CMMC Level 2 has two assessment paths — Level 2 (Self), a self-assessment posted to SPRS, and Level 2 (C3PAO), an assessment performed by a Certified Third-Party Assessment Organization and recorded in eMASS. Both verify the same 110 NIST SP 800-171 Revision 2 requirements; the difference is who verifies and where it's recorded. The DoD program office or requiring activity decides which path a contract requires, and the solicitation specifies it (DFARS 252.204-7025). You do not get to pick the easier path.

Level 2 (Self) is your organization assessing itself against all 110 requirements, calculating a score, posting it to SPRS, and having a senior official affirm compliance. Full self-assessment every three years, affirmation every year.

Level 2 (C3PAO) is the same 110 requirements, but a Cyber AB-authorized C3PAO performs the assessment, issues a Certificate of CMMC Status, and the results flow through the CMMC instance of eMASS into SPRS. Reassessment every three years, affirmation every year.

During Phase 1(November 10, 2025 through November 9, 2026), DoD's own implementation focuses primarily on Level 1 and Level 2 self-assessments. Phase 2, beginning November 10, 2026, is when mandatory Level 2 C3PAO certification becomes standard for applicable contracts. But the actual clause in your contract always controls — and DoD can require a C3PAO for a sensitive Level 2 contract even during Phase 1.

Level 2 (Self)Level 2 (C3PAO)
Who performs itYour organizationAuthorized C3PAO
Requirements assessed110 (NIST SP 800-171 Rev. 2)110 (NIST SP 800-171 Rev. 2)
Recorded inSPRSeMASS → SPRS, plus a Certificate of CMMC Status
FrequencyEvery 3 years + annual affirmationEvery 3 years + annual affirmation
Evidence handlingYou hash and retain artifacts (6 yrs)You hash and retain artifacts (6 yrs); C3PAO uploads hashes to eMASS
When it dominatesPhase 1; non-prioritized Level 2 workPhase 2 onward; prioritized/sensitive CUI

Sources: 32 CFR §§170.16–170.17; DFARS 252.204-7025; DoD CIO, “About CMMC.”

One rule that protects you and surprises people: your readiness help and your formal assessment should stay separate. The CMMC ecosystem has strict conflict-of-interest rules about a firm both advising you on compliance and then assessing you for the same scope. Confirm independence and conflict-of-interest handling before you sign either engagement.

Know CUI is in scope but not assessment-ready?

Compare readiness provider categories — RPOs, CMMC-focused MSPs/MSSPs, and enclave specialists who get you ready — before you schedule a C3PAO. Getting assessment-ready first is what keeps a C3PAO engagement from turning into an expensive failed audit.

Self-Assessment vs C3PAO: the full decision guide →

What Are the CMMC Level 1 Requirements?

Quick answer:CMMC Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv). It is an annual self-assessment with an annual affirmation in SPRS, no POA&M is permitted, and the result is binary — every requirement must be fully met. The 15 requirements span six areas: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

CMMC Level 1 doesn't invent new security rules. It points to the 15 safeguards every federal contractor handling FCI has technically owed since FAR 52.204-21 took effect. Here they are in plain English.

FAR 52.204-21(b)(1) safeguardWhat it means in practiceEvidence you'd show
(i) Limit system access to authorized usersOnly approved people, processes, and devices reach FCI systemsUser list, access policy
(ii) Limit access to permitted functionsUsers can only do what their role allowsRole/permission settings
(iii) Verify and control external connectionsManage and validate connections to outside systemsFirewall/VPN config, diagrams
(iv) Control publicly posted informationKeep FCI off public-facing systemsPublic-release/review process
(v) Identify usersEvery user and device is uniquely identifiedAccount inventory
(vi) Authenticate usersVerify identities before granting access (passwords, MFA)Identity/authentication policy
(vii) Sanitize or destroy mediaWipe or destroy media with FCI before reuse/disposalDisposal/sanitization records
(viii) Limit physical accessControl who physically reaches systemsBadge/visitor logs
(ix) Escort visitors, keep physical audit logs, manage access devicesVisitors are escorted and logged; keys/badges are controlledVisitor log, key/badge inventory
(x) Monitor and protect communications at boundariesWatch and defend the network's edgesBoundary monitoring configs
(xi) Separate public systemsIsolate publicly accessible components from internal networksNetwork diagram showing segmentation
(xii) Identify and fix flawsPatch known vulnerabilities promptlyPatch reports
(xiii) Protect against malicious codeRun anti-malware where it countsEDR/AV console
(xiv) Update malware protectionKeep those protections currentUpdate logs
(xv) Scan files and the systemScan downloads in real time and the system periodicallySecurity tool logs

Source: FAR 52.204-21(b)(1); mapped in 32 CFR §170.15.

Notice safeguard (ix) does three jobs in one line — escorting visitors, keeping physical audit logs, and managing access devices. That explains the “15 vs 17” confusion we settle in the next section.

How you prove Level 1: you self-assess against all 15 requirements (measured across 59 assessment objectives in NIST SP 800-171A), achieve MET on every one, post the result to SPRS, and have a senior official affirm 100% compliance — then repeat annually (32 CFR §170.15, §170.22). What Level 1 does not require: no C3PAO, no 110-requirement program, no NIST 800-171 score, no POA&M.

And don't underestimate it. A senior official's affirmation is a formal attestation to the government. The Department of Justice's Civil Cyber-Fraud Initiative, launched in 2021, has used the False Claims Act against contractors that misrepresented their cybersecurity compliance. A careless “MET” you can't back up with evidence is real legal exposure. Keep your evidence — the rule expects you to retain assessment artifacts for six years.

What Are the CMMC Level 2 Requirements?

Quick answer: CMMC Level 2 requires full implementation of all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and measured across roughly 320 assessment objectives in NIST SP 800-171A. It demands a defined CUI scope, a System Security Plan, an evidence set, a calculated score, and either a self-assessment or a C3PAO assessment depending on the required CMMC status.

Level 2 is a different animal. Not 110 versus 15 as a number — 110 versus 15 as a program. You're documenting and proving an institutionalized security posture, not checking off basic hygiene.

NIST SP 800-171 Rev. 2 familyRequirementsWhat it governs
Access Control (AC)22Who can reach CUI systems and what they can do
Awareness and Training (AT)3Security training for people who handle CUI
Audit and Accountability (AU)9Logging, monitoring, and audit trails
Configuration Management (CM)9Secure baseline configs and change control
Identification and Authentication (IA)11Identity, authentication, and MFA
Incident Response (IR)3Preparing for, reporting, and handling incidents
Maintenance (MA)6Controlled system maintenance
Media Protection (MP)9Protecting and sanitizing media holding CUI
Personnel Security (PS)2Screening and personnel actions
Physical Protection (PE)6Physical access controls
Risk Assessment (RA)3Vulnerability scanning and risk processes
Security Assessment (CA)4SSP, assessment, POA&M, continuous monitoring
System and Communications Protection (SC)16Boundary defense, encryption, comms protection
System and Information Integrity (SI)7Flaw remediation, malware defense, alerts
Total110

Source: NIST SP 800-171 Revision 2, incorporated by reference at 32 CFR §170.2; family counts confirmed against the publication.

Three things to know before you scope a Level 2 program:

Does CMMC Level 2 Include Level 1? (And the “15 vs 17” Myth, Settled)

Quick answer:Yes — for the same CMMC Assessment Scope, achieving Level 2 (Self) or Level 2 (C3PAO) satisfies the Level 1 (Self) requirements (32 CFR §170.16). The important qualifier is “same scope”: a Level 2 enclave does not automatically cover FCI systems outside that assessed boundary. Separately, CMMC Level 1 has 15 requirements, not 17— the “17” is a count of the NIST requirements those 15 map to.

The Final Rule states that achieving Level 2 for a given scope also satisfies Level 1 for that same CMMC Assessment Scope (32 CFR §170.16). The catch is in those last four words. If your Level 2 effort covers a CUI enclave but you still run FCI on systems outside it, those outside systems aren't automatically handled.

Now the myth. You've probably seen pages say CMMC Level 1 has “17 practices.” It's wrong, and here's the precise truth:

So “17” isn't fiction — it's just answering a different question. Level 1 itself is 15 requirements. The “17” is how those 15 land on the NIST framework. If a source says “Level 1 has 17 practices” without that explanation, it's repeating a CMMC 1.0-era number it never updated.

POA&M, Conditional Status, SPRS, and Affirmations: What's Different Between Level 1 and Level 2

Quick answer:Level 1 permits no POA&M — every requirement must be fully met or you fail, and there is no conditional status. Level 2 allows a limited Plan of Action and Milestones: you can reach Conditional status with a score of at least 88 out of 110 (the 0.8 threshold), but only 47 of the 110 requirements are eligible to sit on a POA&M, and you have 180 days to close it and reach Final status. Both levels require an SPRS submission and an annual affirmation from a senior Affirming Official.

Level 1: no safety net.A POA&M — a documented plan to fix open gaps — is not permitted at Level 1, ever (32 CFR §170.21(a)(1)). If a requirement isn't met, you don't get to defer it, and you should not affirm Final Level 1 status. Pass or fail.

Level 2: a narrow safety net, with hard limits. Level 2 lets you reach Conditional status with some gaps still open — but the rule (32 CFR §170.21(a)(2)) fences it tightly:

The number to plan around: 63 of the 110 requirements must be fully met on assessment day — only 47 are even eligible for a POA&M. Multifactor authentication is on the must-be-met list (it's a 5-point control). So is a complete SSP. Don't walk into an assessment assuming you can defer your way to a pass.

Then the clock starts: you have 180 daysfrom the Conditional status date to close every POA&M item and complete a closeout assessment that converts you to Final(32 CFR §170.21(b)). Miss the 180 days and your Conditional status expires — and if that happens during a contract's period of performance, standard contractual remedies can follow.

SPRS and affirmations — what actually goes in:

Subcontractors and Flow-Down: What Level Do You (or Your Subs) Need?

Quick answer: CMMC applies through the supply chain wherever a subcontractor processes, stores, or transmits FCI or CUI. A subcontractor handling FCI only can be required to meet Level 1; a subcontractor handling CUI must meet at least Level 2 (Self), and if the prime contract requires Level 2 (C3PAO), the subcontractor needs Level 2 (C3PAO) too; a prime with a Level 3 obligation must require its CUI-handling subcontractors to hold Level 2 (C3PAO). The obligation follows the data (32 CFR §170.23).

If you're a small sub, this is probably why you're here — a prime sent a note that said some version of “be CMMC Level 2 by [date].”Here's how the flow-down logic actually works.

If the situation is…The subcontractor must be at least…
Sub will handle FCI onlyLevel 1 (Self)
Sub will handle CUI, and the prime requirement is Level 2 (Self)Level 2 (Self) — minimum
Sub will handle CUI, and the prime requirement is Level 2 (C3PAO)Level 2 (C3PAO)
Prime has a Level 3 obligation and the sub handles CUILevel 2 (C3PAO)

Source: 32 CFR §170.23.

The principle to remember: if you touch the data, the obligation can follow the data. A prime can require Level 1 of a sub that only handles FCI; the moment CUI flows to you, you're looking at Level 2 — and the assessment type matches the prime's obligation.

Before you spend a dollar reacting to a flow-down, get the specifics in writing. Send this to your prime:

“Please confirm the CMMC status required for our subcontract, whether CUI will be flowed down to us, whether the required status is Level 2 (Self) or Level 2 (C3PAO), and which systems or work packages are expected to process, store, or transmit that information.”

And know when to push back. If a prime generically demands “Level 2” without flowing any CUI and without a specified CMMC status in the contract, you're entitled to ask for clarification before you build a program you may not need. Calm, professional, in writing. See also: CMMC flow-down requirements explained.

How Much Does CMMC Level 1 vs Level 2 Cost?

Quick answer:A CMMC Level 1 self-assessment is inexpensive — DoD's Regulatory Impact Analysis models it at roughly $5,977 per year for a small entity, and industry-reported all-in costs typically run $5,000 to $20,000. Level 2 is far larger: DoD models the assessment-and-affirmation portion at about $37,196 over three years for a self-assessment and about $104,670 over three years for a C3PAO assessment — but those figures exclude the cost of actually implementing the controls. Industry-reported first-year Level 2 spend commonly runs $75,000 to over $300,000, with the assessment fee itself only 20–30% of the total.

Cost viewLevel 1Level 2 (Self)Level 2 (C3PAO)
DoD modeled cost (assessment + affirmation only)~$5,977/yr (small entity); ~$4,000 + ~$584 affirmation (other-than-small)~$37,196 over 3 years (small entity)~$104,670 (small) / ~$117,690 (other) over 3 years
What it does NOT includeRemediation if basic safeguards are missingImplementing the 110 NIST controlsImplementation, tooling, enclave, managed services, scheduling delay
Industry-reported all-in~$5,000–$20,000Folded into program cost below~$75,000–$300,000+ first year
Main cost driverExisting IT hygieneCUI scope + evidence maturityCUI scope + evidence maturity + assessment readiness

Sources: DoD Regulatory Impact Analysis (Federal Register, Oct. 15, 2024); industry cost analyses, 2025–2026 (ranges are industry-reported, not DoD figures). See CMMC Level 2 Cost Guide for the full breakdown.

Here's the part the official numbers don't shout: DoD's RIA deliberately excludes the cost of implementing the Level 1 and Level 2 security requirements. Why? Because the rule assumes you've already been required to meet NIST SP 800-171 since December 31, 2017, under DFARS clause 252.204-7012. So if you've genuinely been compliant since 2017, the modeled figures are close to your reality. If you haven't — and most of the defense industrial base hasn't fully — then your true Level 2 cost is the remediation, and that's where the bigger numbers live. On a C3PAO engagement, the assessment fee is typically only 20–30% of what you actually spend.

There is no honest single price for CMMC Level 2 until your scope is defined. Any provider who quotes you a serious Level 2 number before they've confirmed your CUI boundary, your assessment type, your cloud and external-provider dependencies, and your current evidence maturity is asking you to buy before anyone has defined the actual problem. A defined enclave that isolates CUI to a small boundary can cut scope — and cost — dramatically.

Quote-sanity checklist — require all of these before you sign anything

Want quotes that actually match your scope?

Tell us your level, assessment path, CUI boundary, and timeline, and we'll help you line up scoped quotes from matched provider categories — so you're comparing apples to apples before you commit.

Get Matched →

Routing only — please don't send sensitive contract details.

Which Provider Type Should You Talk to First?

Quick answer:If you're Level 1, you may only need an internal owner plus, optionally, a Registered Practitioner Organization (RPO) or an MSP familiar with FAR 52.204-21. If you're Level 2 but not assessment-ready, start with readiness, scoping, MSP/MSSP, enclave, or GRC software help before engaging a C3PAO for formal assessment. Readiness/remediation and formal assessment should remain separate engagements under CMMC conflict-of-interest rules.

Provider categoryBest forNot forWhat to verify before hiring
RP / RPO (Registered Practitioner / Organization)Readiness planning, gap interpretation, light validationIssuing any certificationCyber AB listing, scope of advice, independence limits
MSP / MSSP (Managed / Managed Security Service Provider)Implementing controls, running your security stackPerforming a formal C3PAO assessmentCUI experience, shared-responsibility split, who owns the tools
CUI enclave providerShrinking scope by isolating CUI workflowsEnterprise-wide compliance by defaultBoundary design, FedRAMP/CSP/ESP responsibilities, evidence exports
GRC / evidence softwareSSP/POA&M workflow, evidence, ongoing compliance opsReplacing actual security controlsData handling, templates, evidence traceability
C3PAOThe formal Level 2 (C3PAO) assessmentReadiness or remediation for that same engagementCurrent Cyber AB authorization, assessor team, conflict-of-interest handling

A note on software: no software, by itself, satisfies CMMC. GRC and evidence platforms are a genuine help for managing the work — but they're a supporting layer, not the whole solution. You still have to implement and prove the controls.

If your Level 2 path requires a C3PAO, verify their status yourself

In January 2025, the DoD Office of Inspector General published an audit (Report No. DODIG-2025-056) finding that DoD had not effectively implemented the process for authorizing C3PAOs to perform Level 2 assessments. Reviewing 11 of the 48 C3PAOs authorized as of September 2023, the OIG found two authorized without a signed C3PAO Agreement and Code of Professional Conduct, four without verified quality-control-lead credentials, and all 11 without sufficient confirmation that a certified assessor and certified quality control lead were on the team.

We're not raising this to scare you, and the process has continued to mature since that audit. The practical takeaway is simple: when a C3PAO is required, confirm their current authorization directly in the Cyber AB Marketplace and ask about assessor credentials and conflict-of-interest handling before you rely on the engagement.

See our guide: Which CMMC provider type should you hire first? and Best C3PAOs for CMMC Level 2.

When Does CMMC Actually Hit Your Contracts? The Phase-In Timeline and the Readiness Reality

Quick answer: CMMC is phasing into contracts over four phases. Phase 1 runs November 10, 2025 through November 9, 2026, putting Level 1 and Level 2 self-assessments into applicable solicitations. Phase 2 begins November 10, 2026, making Level 2 C3PAO certification standard for applicable contracts. Phase 3 begins November 10, 2027 and introduces Level 3 (DIBCAC-assessed). Phase 4, full implementation, begins November 10, 2028.

Source: DoD CIO, “About CMMC”; 32 CFR §170.3.

Here's the state of the assessor ecosystem — a snapshot from the Cyber AB's March 2026 Town Hall, which we re-verify quarterly:

Do the math, and the urgency isn't a sales tactic — it's arithmetic. Level 2 readiness typically takes 6 to 18 months. Phase 2 lands November 10, 2026. And only about 1% of the companies that will need Level 2 have it. Our editorial read: the binding constraint for most contractors is no longer assessor supply — it's their own readiness. If a contract you intend to bid or renew will require Level 2, the realistic question isn't “when is the deadline” — it's “do I have enough runway.” Often the answer is: start scoping now.

What to Do Next: Your First 72 Hours, 30 Days, and 90 Days

Quick answer:If a contract or prime points you toward Level 2, don't start by buying software or booking an assessment. Start by confirming the required CMMC status, identifying your CUI boundary, documenting your systems and external providers, checking your current NIST SP 800-171 posture, and only then deciding whether you need readiness help, an enclave strategy, or a C3PAO.

First 72 hours

  1. Save the exact solicitation or flow-down language.
  2. Identify the required CMMC status (Level 1, Level 2 Self, or Level 2 C3PAO).
  3. Confirm whether CUI is in scope.
  4. If it's ambiguous, send the written clarification email to your contracting officer or prime (templates above).
  5. List the systems that process, store, or transmit FCI/CUI.
  6. List your cloud and external-service-provider dependencies.
  7. Pull your current SPRS/NIST 800-171 score, if you have one.
  8. Assign one internal owner. One.

First 30 days

Define your CUI boundary, draft your SSP, build an evidence inventory, produce a gap list, develop a realistic cost range, and shortlist provider categories — not providers, categories. Use the CMMC readiness checklist to structure this work.

First 90 days

Remediate the highest-risk gaps first, validate your evidence, and prepare either your self-assessment or your readiness plan for the C3PAO path. Build conservative POA&Ms where the rule allows them — and don't leave no-POA&M items or any requirement worth more than 1 point (multifactor authentication among them) for “later,” because those can block your Conditional status.

What We Actually Verified for This Guide

This guide separates three kinds of claims — regulatory facts cited to the controlling rule, current-state facts that are dated and re-verified on a schedule, and editorial judgments framed as our conclusions based on those facts.

Primary and authoritative sources we read:

We used practitioner forums and competitor pages only to understand how contractors describe this problem and what trips them up — never as authority for a regulatory, contractual, or assessment claim. Cost ranges labeled “industry-reported” are composites of public industry analyses, not DoD figures. Interpreting a specific contract can require federal-contracts counsel. Provider authorization status changes — verify it live. Our editorial standards, methodology, and corrections policy are published separately.

Frequently Asked Questions: CMMC Level 1 vs Level 2

Is CMMC Level 1 enough if we handle CUI?

No. Level 1 is the FCI/basic-safeguarding level. If CUI is in scope, Level 2 is the relevant level, with the assessment path (Self or C3PAO) set by the solicitation or flow-down.

How many requirements are in CMMC Level 1?

Fifteen. CMMC Level 1 uses the 15 safeguards in FAR 52.204-21(b)(1). Some sources say 17, which is the count of NIST SP 800-171 Rev. 2 requirements those 15 map to — not a count of Level 1 requirements.

How many requirements are in CMMC Level 2?

One hundred and ten, from NIST SP 800-171 Revision 2, across 14 control families.

Does every CMMC Level 2 contractor need a C3PAO?

No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO). The solicitation or flow-down determines which, and the DoD program office or requiring activity makes that call.

Does Level 2 satisfy Level 1?

Yes, for the same CMMC Assessment Scope (32 CFR §170.16). Confirm that the scope covers any FCI systems outside your Level 2 boundary.

Can we self-assess at Level 2?

Yes, when the required status is Level 2 (Self). No, when the solicitation or flow-down requires Level 2 (C3PAO).

Can we use a POA&M at Level 1?

No. A POA&M is not permitted at Level 1 — all 15 requirements must be met.

Can we use a POA&M at Level 2?

Yes, but only for some requirements. You need a score of at least 88 out of 110, only 1-point requirements are eligible (63 of the 110 must be fully met at assessment, including multifactor authentication and your SSP), six specific 1-point requirements are barred outright, and any POA&M must be closed within 180 days.

Is NIST SP 800-171 Rev. 3 required for CMMC Level 2?

Not under the current rule. CMMC Level 2 maps to NIST SP 800-171 Revision 2 unless DoD amends 32 CFR Part 170.

What if our prime demands Level 2 but we don't think we receive CUI?

Ask for written clarification of the required CMMC status, whether CUI is being flowed down, and which systems are in scope — before you spend.

Should we hire a C3PAO first?

Only if you're assessment-ready or specifically need the formal Level 2 (C3PAO) assessment. If you need scoping, remediation, evidence, or implementation, start with readiness/provider-category help — and remember the same firm generally shouldn't both remediate and assess you for the same scope. See: best CMMC providers for small business.

Is CMMC Level 1 going away?

No. Level 1 remains part of the program. Phase 2 expands C3PAO use for applicable Level 2 contracts; it does not eliminate Level 1.

Which provider category fits your situation

Related Guides

Need help deciding what type of CMMC provider you need?

If you now know your data type, your likely path, and what to verify in writing, you've done the hard part. Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.

Get Matched →

Do not submit CUI, export-controlled technical data, drawings, system diagrams, or sensitive contract details. Use this intake only for provider-category routing.

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →