
CMMC Level 1 vs Level 2 vs Level 3: which one applies to your contract?

The level is set by the data your contract handles and what the contracting officer flows down — not by your company size or industry.

The Defense Compliance Report Editorial Team. Independent CMMC and DIB compliance research.
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The CMMC level for a given contract is determined by the information types the contract requires you to handle and by the contract-specific CMMC level designated by the contracting officer. There is no "company-wide CMMC level." The same contractor may hold Level 1 status for some contracts and Level 2 for others.

Level 1 — Basic safeguarding of FCI

Level 1 applies to contractors handling Federal Contract Information (FCI) but no CUI. Level 1 maps to the 15 basic safeguarding requirements at FAR 52.204-21. The assessment is an annual self-assessment with a senior official affirmation in SPRS — no third party involved.

Level 2 — Protection of CUI

Level 2 applies to contractors handling CUI on the contract. Level 2 implements the 110 NIST SP 800-171 Rev. 3 security requirements. The assessment is either an authorized C3PAO assessment (most CUI contracts) or a self-assessment plus senior official affirmation (a narrower set, contract-defined). Most small defense contractors who handle CUI fall here.

Level 3 — CUI on high-priority programs

Level 3 applies to contractors handling CUI in support of programs DoD identifies as high priority and high risk. Level 3 implements the 110 NIST SP 800-171 Rev. 3 controls plus a defined subset of NIST SP 800-172's enhanced security requirements. Assessment is performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.

32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program

The CMMC Final Rule. Defines the three levels, the assessment types per level, the affirmation requirements, and the conditional / final certification mechanics.

View at ecfr.gov

Quick-reference table

| Dimension | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Data | FCI only | CUI | CUI on high-priority programs |
| Controls | 15 (FAR 52.204-21) | 110 (NIST 800-171 r3) | 110 + subset of 800-172 |
| Assessor | Self | C3PAO (most) / self | DIBCAC |
| Cadence | Annual self + affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Posted in SPRS | Yes | Yes | Yes |

Where to go next

If your contract handles CUI, the next questions are what Level 2 will cost and who to hire first.