If your organization plans to work with the Department of Defense (DoD), understanding the CMMC 2.0 requirements is the first step toward compliance. These requirements are designed to safeguard sensitive federal information and are structured across three maturity levels:
- Level 1: Basic safeguarding practices with relatively limited requirements.
- Level 2: More advanced, detailed requirements that cover a wide range of cybersecurity practices.
- Level 3: The highest level, focusing on expert-level security and alignment with advanced DoD compliance standards.
This guide will walk you through what each level means and how to prepare for them as a beginner.
Overview of the Regulatory Context
The Cybersecurity Maturity Model Certification (CMMC 2.0) is a regulatory framework developed by the Department of Defense (DoD) to protect sensitive government data. It applies to all contractors, vendors, and stakeholders in the Defense Industrial Base (DIB), requiring them to meet specific CMMC 2.0 requirements before handling certain types of information.
At its core, CMMC is designed to safeguard two key data categories:
- Federal Contract Information (FCI): Basic information provided by or generated for the government.
- Controlled Unclassified Information (CUI): Sensitive but unclassified data requiring stronger protections.
CMMC 2.0 builds on existing standards from the National Institute of Standards and Technology (NIST), including:
- NIST SP 800-171: Protects CUI from unauthorized access.
- NIST SP 800-172: Adds advanced security controls to defend against sophisticated cyber threats like Advanced Persistent Threats (APTs).
Since its launch in November 2021, CMMC 2.0 has been in an extended rollout phase. Once fully implemented, compliance with CMMC 2.0 requirements will be mandatory for all DoD contracts, making early preparation essential for any organization in the defense supply chain.
CMMC 2.0 Level 1 Requirements
CMMC Level 1 represents the most basic tier of the CMMC 2.0 requirements, designed for organizations handling only Federal Contract Information (FCI) and facing lower risk environments. This level often applies to smaller contracts or contractors with limited cybersecurity responsibilities.
To achieve Level 1 requirement compliance, organizations must implement 15 foundational cybersecurity controls drawn from NIST SP 800-171. These practices focus on safeguarding FCI and form the building blocks for stronger protections at higher levels. Examples of these controls include:
- Using strong, regularly updated passwords
- Limiting system access to authorized users
- Protecting data during transmission and storage
Unlike higher tiers, Level 1 does not require third-party certification. Instead, contractors can self-assess annually and submit results directly to the DoD. Maintaining accurate records and completing these yearly self-assessments is essential to keep certification valid and ensure ongoing DoD Compliance.
CMMC 2.0 Level 2 Requirements
CMMC Level 2requi represents a major step up from Level 1 and is often considered the “core” of the CMMC 2.0 requirements. It applies to organizations that handle significant volumes of Controlled Unclassified Information (CUI), especially in environments with higher security risks.
At this stage, organizations must fully implement the 110 cybersecurity practices from NIST SP 800-171, grouped into 14 categories:
- Access Control (AC): 22 practices
- Awareness and Training (AT): 3 practices
- Audit and Accountability (AU): 9 practices
- Configuration Management (CM): 9 practices
- Identification and Authentication (IA): 11 practices
- Incident Response (IR): 3 practices
- Maintenance (MA): 6 practices
- Media Protection (MP): 9 practices
- Personnel Security (PS): 2 practices
- Physical Protection (PE): 6 practices
- Risk Assessment (RA): 3 practices
- Security Assessment (CA): 4 practices
- System and Communications Protection (SC): 16 practices
- System and Information Integrity (SI): 7 practices
These requirements go well beyond basic FCI protections, ensuring that CUI is properly secured against advanced threats.
Assessment at Level 2
Certification at Level 2 requirement is more rigorous than Level 1. Most organizations must undergo a third-party assessment conducted by a Certified Third Party Assessment Organization (C3PAO), accredited by the Cyber AB. A few lower-risk contractors may qualify for self-assessment, but the majority will need an independent review.
- Frequency: Full third-party assessments every three years
- Annual requirement: Yearly self-affirmation to maintain compliance
This makes Level 2 a significant investment in both cybersecurity controls and compliance management, but it is also the most common requirement across DoD contracts.
CMMC 2.0 requirements
CMMC 2.0 Level 3 Requirements
Level 3 represents the most advanced stage of the CMMC 2.0 requirements, reserved for contractors working on the Department of Defense’s most sensitive projects. It applies to organizations that manage large volumes of Controlled Unclassified Information (CUI) and operate in environments at risk from Advanced Persistent Threats (APTs).
Level 3 builds on the protections in Level 2 by incorporating additional, enhanced security requirements from NIST SP 800-172. While the DoD has not finalized the exact number of required controls, NIST SP 800-172 outlines 35 enhanced practices across the same 14 categories used in NIST SP 800-171. In practice, this means Level 3 contractors could face up to 145 total security requirements (110 from Level 2 + 35 enhanced controls).
Assessment at Level 3
Unlike Level 1 and Level 2, organizations at Level 3 must undergo a government-led triennial assessment. The DoD is still finalizing the agencies and exact processes, but contractors should prepare for a far more rigorous evaluation than what is required at lower levels.
Key Takeaway: Level 3 certification will demand significant cybersecurity maturity and resources. Contractors aiming for Level 3 requirement should begin aligning their systems with NIST SP 800-172 controls now to avoid delays once requirements are fully enforced.
Achieve and Maintain CMMC 2.0 Compliance
Securing future Department of Defense (DoD) contracts will depend on meeting the right level of CMMC 2.0 requirements. For many organizations handling Controlled Unclassified Information (CUI) as well as Federal Contract Information (FCI), this means achieving at least Level 2 certification, often through an independent assessment conducted by a Certified Third Party Assessment Organization (C3PAO).
As a C3PAO, RSI Security has been helping defense contractors prepare for compliance long before the CMMC framework was introduced. Our team provides:
- Readiness assessments to identify and close compliance gaps
- Implementation support for NIST 800-171 and CMMC practices
- Assessment guidance to ensure smooth certification with the DoD
Partnering with RSI Security means more than just passing an audit, it’s about building a sustainable cybersecurity program that keeps your contracts secure and your organization competitive.
Ready to get started? Contact RSI Security today to align your systems with the latest CMMC 2.0 requirements and secure your future with the DoD.
Download Our CMMC Checklist