To work with the Department of Defense (DoD) as a contractor or vendor, your company must protect sensitive data and meet strict cybersecurity requirements. One of the key requirements for DoD contracts is CMMC Certification (Cybersecurity Maturity Model Certification). But who actually needs CMMC certification? And if your business does, how do you determine the right certification level for your organization?
CMMC Certification 101: What Every DoD Contractor Needs to Know
Companies aiming for preferred contractor status with the Department of Defense (DoD) must understand the importance of CMMC certification. If you want to unlock the benefits of working with the DoD, start by asking:
- Do I need CMMC certification, and why is it required?
- Which CMMC certification level applies to my company, and what are the requirements for each level?
In this guide, we’ll answer both questions and explain how your organization can achieve CMMC certification at any level with the support of a trusted CMMC compliance partner.
Who Needs CMMC Certification and Why? Understanding the Defense Industrial Base (DIB)
If your company operates within the Defense Industrial Base (DIB), you most likely need CMMC certification to work with the Department of Defense (DoD).
The DIB includes vendors, suppliers, contractors, and other strategic partners that provide goods and services to the DoD. According to the Cybersecurity and Infrastructure Security Agency (CISA), the DIB is one of 16 Critical Infrastructure Sectors. This means that any security breach within the DIB could have serious consequences for the US economy and national security.
While not every DIB stakeholder is required to obtain CMMC certification, the majority are. With over 100,000 companies involved in DIB contracts, CMMC certification is essential for organizations seeking long-term, reliable, and lucrative relationships with the DoD.
Moving from NIST SP 800-171 Compliance to CMMC Certification
One strong indicator that your company will need CMMC certification is compliance with NIST SP 800-171. If your organization has followed SP 800-171 requirements to secure contracts since 2017, achieving CMMC certification will likely be mandatory.
The National Institute of Standards and Technology (NIST) sets cybersecurity standards for many federal and state-adjacent agencies. Special Publication 800-171 specifically applies to Defense Industrial Base (DIB) entities—the same organizations now required to obtain CMMC certification. SP 800-171, currently in Revision 2 (February 2020), is titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
SP 800-171 outlines 110 requirements across 14 families, which form the foundation for the CMMC framework. CMMC builds upon and expands these controls, increasing the complexity and depth of security measures. Meeting SP 800-171 standards today not only strengthens your cybersecurity posture but also smooths the path toward achieving CMMC certification.
Understanding DFARS Requirements and CMMC Certification Enforcement
The Defense Federal Acquisition Regulation Supplement (DFARS) requires Defense Industrial Base (DIB) companies to comply with both NIST standards and CMMC certification. Clause 204.7304 specifies that all subsequent clauses apply to solicitation provisions and contracts between the DoD and third-party contractors.
Key clauses include:
- Clause 252.204-7012 – Outlines requirements for safeguarding Covered Defense Information (CDI) and protocols for reporting cyber incidents.
- Clauses 252.204-7019 and 252.204-7020 – Mandate the implementation and assessment of NIST SP 800-171 and notification to parties required to maintain NIST compliance.
- Clause 252.204-7021 – Requires current CMMC certification at the appropriate level, which must be embedded in contracts before exchanging goods or services.
The only exceptions involve contracts for exclusively commercial off-the-shelf (COTS) products purchased through third-party vendors. For all other DoD business, NIST compliance and CMMC certification are mandatory, making them critical for securing and maintaining DoD contracts.
What Are CMMC Levels, and Which CMMC Level Do You Need?
The CMMC certification level your company needs depends on the type of DoD contract you plan to pursue. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has not issued a formal rubric for assigning levels, but future Requests for Information (RFIs) or Proposals (RFPs) will specify required levels.
Companies can estimate their required level based on the type of data they handle:
- FCI (Federal Contract Information): Data generated by or for government agencies that is not intended for public release. Companies handling FCI typically need Level 1 certification.
- CUI (Controlled Unclassified Information): Sensitive but unclassified information, including technical or operational data. Organizations managing CUI generally require Level 3 CMMC certification or higher.
Levels 1 and 2 act as preparatory stages, leading up to full CUI protection at Level 3. Higher levels focus on continuously improving and optimizing cybersecurity controls.
Focus and Information Security at Each CMMC Level
The CMMC framework (v1.02, March 2020) defines the focus of each level:
- Level 1: Protect all FCI related to DoD and other federal contracts.
- Level 2: Transition to more robust protections of FCI and other Covered Defense Information (CDI), preparing for full Level 3 compliance.
- Level 3: Fully safeguard all CDI per DFARS requirements, including CUI such as technical data, military intelligence, and operational guides.
- Levels 4-5: Strengthen CUI protections and defend against Advanced Persistent Threats (APTs).
Key takeaway: For most DIB entities, Level 1 or Level 3 CMMC certification will be mandatory by 2025, while Levels 4-5 will be required in the future.
Framework Integration and Process Maturity by Level
Each level combines Practices (security controls) and Process Maturity (how well practices are institutionalized):
- Level 1: 17 basic cyber hygiene practices; Process Maturity ensures practices are performed but not formally assessed.
- Level 2: 55 intermediate practices; Process Maturity requires documentation and policies establishing control requirements.
- Level 3: 58 practices; Process Maturity requires safeguards to be fully managed and integrated company-wide.
- Level 4: 25 proactive practices; Process Maturity requires continuous review and corrective actions.
- Level 5: 15 advanced practices; Process Maturity requires ongoing optimization of all controls.
Achieving higher CMMC certification levels becomes progressively more challenging, as organizations must integrate new practices while elevating existing processes to meet the next level’s requirements.
How to Achieve CMMC Certification at Any Level
Achieving CMMC certification requires more than meeting the Practice and Process maturity thresholds for the desired level. Companies must also validate their compliance through an external audit conducted by a Certified Third-Party Assessor Organization (C3PAO).
All C3PAOs are accredited by the CMMC Accreditation Body (CMMC-AB). Because the CMMC framework is relatively new, the initial rounds of C3PAO approvals began in 2021. Organizations like RSI Security provide expert advisory services for NIST SP 800-171 and are actively participating in the C3PAO approval process.
This third-party verification is a major difference from NIST SP 800-171, which relied on self-assessment. Since CMMC certification builds upon NIST SP 800-171 and includes additional security controls, it is a more rigorous and comprehensive compliance standard. Working with a qualified C3PAO ensures your company meets all requirements and is prepared for formal certification at any maturity level.
Implementing the CMMC Framework’s Domains and Practices
The CMMC certification framework includes 17 Domains and 171 Practices, distributed across the five maturity levels. These Practices define the specific security controls and processes your organization must implement to achieve compliance. Each level builds upon the previous, and all Practices must be institutionalized according to the Process Maturity thresholds discussed earlier.
Below is a summary of Practices across the Domains and Levels:
| Domain | Total Practices | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|---|
| Access Control (AC) | 26 | 4 | 10 | 8 | 3 | 1 |
| Asset Management (AM) | 2 | – | – | 1 | 1 | – |
| Audit and Accountability (AU) | 14 | – | 4 | 7 | 2 | 1 |
| Awareness and Training (AT) | 5 | – | 2 | 1 | 2 | – |
| Configuration Management (CM) | 11 | – | 6 | 3 | 1 | 1 |
| Identification & Authentication (IA) | 11 | 2 | 5 | 4 | – | – |
| Incident Response (IR) | 13 | – | 5 | 2 | 1 | 5 |
| Maintenance (MA) | 6 | – | 4 | 2 | – | – |
| Media Protection (MP) | 8 | 1 | 3 | 4 | – | – |
| Personnel Security (PS) | 2 | – | 2 | – | – | – |
| Physical Protection (PE) | 6 | 4 | 1 | 1 | – | – |
| Recovery (RE) | 4 | – | 2 | 1 | – | 1 |
| Risk Management (RM) | 12 | – | 3 | 3 | 4 | 2 |
| Security Assessment (CA) | 8 | – | 3 | 2 | 3 | – |
| Situational Awareness (SA) | 3 | – | – | 1 | 2 | – |
| Systems & Communications (SC) | 27 | 2 | 2 | 15 | 5 | 3 |
| System & Information Integrity (SI) | 13 | 4 | 3 | 3 | 1 | 2 |
Note: “–” indicates no Practices at that Level for the Domain.
Implementing these Domains and Practices is essential for achieving CMMC certification. The number of Practices grows with each level, requiring companies to scale their cybersecurity controls and integrate them into day-to-day processes. Working with an experienced partner like RSI Security can help organizations navigate the entire process efficiently and ensure compliance at any maturity level.
RSI Security: Professional CMMC Certification at All Levels
The CMMC certification framework is one of the most robust cybersecurity programs a company can implement, designed to protect against even the most complex threats at its highest maturity levels. Any organization aiming for lucrative contracts with the Department of Defense (DoD) should begin implementing CMMC as soon as possible.
Who needs CMMC certification? Companies handling Federal Contract Information (FCI) typically require Level 1 certification, while organizations managing Controlled Unclassified Information (CUI) generally need Level 3 certification. Many companies may also need higher-level certification as their contracts and security requirements evolve.
To get a head start on achieving CMMC certification at any level, contact RSI Security today. Our team provides expert guidance, compliance advisory, and support throughout the certification process to ensure your company meets all CMMC requirements efficiently.