In short: your CMMC level is set by the information your contract requires you to handle and by the level named in the solicitation, contract clause, or flow-down — not by your company size. Level 1 covers FCI, Level 2 covers CUI, and Level 3 covers CUI on high-priority programs.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Level 1 — Basic safeguarding of FCI
Level 1 applies to contractors handling Federal Contract Information (FCI) but no CUI. Level 1 maps to the 15 basic safeguarding requirements at FAR 52.204-21. The assessment is an annual self-assessment with a senior official affirmation in SPRS — no third party involved.
Level 2 — Protection of CUI
Level 2 applies to contractors handling CUI on the contract. Level 2 implements the 110 NIST SP 800-171 Revision 2 security requirements. The assessment is either a triennial C3PAO assessment or a triennial self-assessment with annual affirmation (a narrower set, contract-defined). Most small defense contractors who handle CUI fall here.
Level 3 — CUI on high-priority programs
Level 3 applies to contractors handling CUI in support of programs DoD identifies as high priority and high risk. Level 3 implements the 110 NIST SP 800-171 Revision 2 controls plus a defined subset of NIST SP 800-172's enhanced security requirements. Assessment is performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.
The CMMC Final Rule. Defines the three levels, the assessment types per level, the affirmation requirements, and the conditional / final certification mechanics.
View at ecfr.govQuick-reference table
| Dimension | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Data | FCI only | CUI | CUI on high-priority programs |
| Controls | 15 (FAR 52.204-21) | 110 (NIST 800-171 Rev. 2) | 110 + subset of 800-172 |
| Assessor | Self | C3PAO or self-assessment, as specified by the solicitation, contract, or flow-down | DIBCAC |
| Cadence | Annual self + affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Posted in SPRS | Yes | Yes | Yes |
Which provider category fits your situation
- C3PAO (Certified Third-Party Assessment Organization) — the only category that can perform a Level 2 certification assessment when your contract requires one.
- RPO/RP (Registered Provider Organization / Registered Practitioner) — readiness help to scope your environment and prepare before any Level 1 or Level 2 self-assessment or C3PAO assessment.
- MSSP (Managed Security Service Provider) — operates the day-to-day IT and security controls behind your required level.
- GRC platform — a system of record for control evidence and documentation across all three levels.
- CUI enclave — isolates CUI workflows to reduce scope if your contract puts you at Level 2 or above.
- You don't need a C3PAO yet if your contract only requires a Level 1 (FCI) self-assessment, or you are still scoping and remediating before assessment.
Where to go next
If your contract handles CUI, the next questions are what Level 2 will cost and who to hire first.
Find My CMMC Path
The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →