The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Trust guide

CMMC Level 1 vs Level 2 vs Level 3: which one applies to your contract?

The level is determined by the information types the contract requires you to handle and by the CMMC level identified in the solicitation, contract clause, or flow-down — not by your company size or industry.

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Last reviewed June 2026

In short: your CMMC level is set by the information your contract requires you to handle and by the level named in the solicitation, contract clause, or flow-down — not by your company size. Level 1 covers FCI, Level 2 covers CUI, and Level 3 covers CUI on high-priority programs.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →
Note: The CMMC level for a given contract is determined by the information types the contract requires you to handle and by the CMMC level identified in the solicitation, contract clause, or flow-down. DoD program offices or requiring activities determine the required CMMC level under DoD policy, and the contracting officer inserts and administers the requirement. There is no “company-wide CMMC level” that automatically applies to every contract.

Level 1 — Basic safeguarding of FCI

Level 1 applies to contractors handling Federal Contract Information (FCI) but no CUI. Level 1 maps to the 15 basic safeguarding requirements at FAR 52.204-21. The assessment is an annual self-assessment with a senior official affirmation in SPRS — no third party involved.

Level 2 — Protection of CUI

Level 2 applies to contractors handling CUI on the contract. Level 2 implements the 110 NIST SP 800-171 Revision 2 security requirements. The assessment is either a triennial C3PAO assessment or a triennial self-assessment with annual affirmation (a narrower set, contract-defined). Most small defense contractors who handle CUI fall here.

Level 3 — CUI on high-priority programs

Level 3 applies to contractors handling CUI in support of programs DoD identifies as high priority and high risk. Level 3 implements the 110 NIST SP 800-171 Revision 2 controls plus a defined subset of NIST SP 800-172's enhanced security requirements. Assessment is performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.

32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program

The CMMC Final Rule. Defines the three levels, the assessment types per level, the affirmation requirements, and the conditional / final certification mechanics.

View at ecfr.gov

Quick-reference table

DimensionLevel 1Level 2Level 3
DataFCI onlyCUICUI on high-priority programs
Controls15 (FAR 52.204-21)110 (NIST 800-171 Rev. 2)110 + subset of 800-172
AssessorSelfC3PAO or self-assessment, as specified by the solicitation, contract, or flow-downDIBCAC
CadenceAnnual self + affirmationEvery 3 years + annual affirmationEvery 3 years + annual affirmation
Posted in SPRSYesYesYes

Which provider category fits your situation

Where to go next

If your contract handles CUI, the next questions are what Level 2 will cost and who to hire first.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →