RSI Security

Who Needs CMMC Certification? Do You Need It?

CMMC Certification

In November 2021, the U.S. Department of Defense (DoD) introduced major updates to the Cybersecurity Maturity Model Certification (CMMC) program. These changes left many organizations in the Defense Industrial Base (DIB) wondering: Do we still need to comply with CMMC certification requirements?

The short answer is yes, but the more important question is which Level of CMMC certification applies to your organization. The required Level depends on the type of sensitive data you handle in your current or prospective DoD contracts. Understanding this distinction is critical, as it determines the cybersecurity controls you must implement—and how soon you need to meet them.

 

What CMMC Level Do I Need to Meet?

The CMMC certification level your organization must achieve will ultimately be specified in each DoD contract. However, there are general expectations about the types of work and contracts that require Level 1, Level 2, or Level 3 certification.

This guide will break down:

Maintaining the appropriate CMMC certification level is essential for safeguarding sensitive data and staying eligible for future DoD contracts.

 

Regulatory Context and Sources

The Cybersecurity Maturity Model Certification (CMMC) is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]). It was developed to align organizations in the Defense Industrial Base (DIB) with the Defense Federal Acquisition Regulation Supplement (DFARS), ensuring consistent and enforceable cybersecurity requirements.

CMMC certification also builds on established National Institute of Standards and Technology (NIST) frameworks, including:

The type of sensitive information an organization manages determines which CMMC certification level applies and which safeguards must be implemented to remain compliant.

 

Who Needs CMMC Level 1?

Understanding who needs CMMC certification starts with organizations that fall under Level 1 requirements.

The main goal of the CMMC framework—along with U.S. Department of Defense regulations like Defense Federal Acquisition Regulation Supplement (DFARS) and NIST SP 800-171 / NIST SP 800-172—is to safeguard sensitive information that’s essential to national security. The first type of data in this category is Federal Contract Information (FCI), defined in FAR Clause 52.204-21.

If your organization stores, processes, transmits, or has access to FCI but does not handle more sensitive data, you will most likely need to achieve CMMC Level 1 certification.

At this level, organizations must complete annual self-assessments to demonstrate compliance and maintain their certification. These assessments verify that basic cybersecurity practices are in place to protect FCI and fulfill contract requirements with the DoD.

 

CMMC Requirements at Level 1

Achieving CMMC certification at Level 1 requires meeting a set of 17 foundational practices across six Domains. Unlike higher levels, CMMC 2.0 Level 1 does not cover all 14 Domains from NIST SP 800-171, but it establishes the essential cybersecurity safeguards needed to protect Federal Contract Information (FCI).

Here’s a breakdown of the required practices by Domain:

These safeguards form the foundation of CMMC Level 1 certification and closely align with earlier requirements under CMMC v1.02. Together, they ensure that organizations handling FCI apply consistent, baseline protections against cyber threats.

 


 

Who Needs CMMC Level 2?

Organizations that handle Controlled Unclassified Information (CUI) must achieve CMMC Level 2 certification. Unlike Federal Contract Information (FCI), which falls under Level 1, CUI represents a broader and more sensitive category of defense-related data. Examples include repair manuals for military equipment, technical schematics, or operational details that, while not classified, could pose national security risks if exposed.

The protections for CUI are outlined in DFARS Clause 252.204-7012 and mapped directly to the security requirements of NIST SP 800-171. These requirements make Level 2 certification significantly more rigorous than Level 1.

Key assessment requirements include:

By achieving CMMC Level 2, organizations demonstrate their ability to safeguard CUI in alignment with DoD standards, positioning themselves to win and maintain critical defense contracts.

CMMC Requirements at Level 2

Achieving CMMC 2.0 Level 2 certification requires full alignment with the NIST SP 800-171 framework. This includes all 110 security practices across 14 Domains, representing the jump from foundational to advanced cybersecurity maturity.

These practices are designed to protect Controlled Unclassified Information (CUI), making Level 2 a critical milestone for most DoD contractors. Below is a high-level overview of the requirements across each Domain:

Together, these 110 practices establish a comprehensive defense framework against insider threats, cyberattacks, and unauthorized access. While demanding, implementing them is essential for protecting CUI and qualifying for the majority of DoD contracts.

Note: These Level 2 requirements align closely with the CMMC v1.02 Level 3 controls, reflecting the DoD’s move to simplify the model while still ensuring strong security.

Who Needs CMMC Level 3?

Currently, it is not entirely clear which organizations will be required to achieve CMMC Level 3 certification. Level 3 is designed to provide maximum protection for Controlled Unclassified Information (CUI), building on the comprehensive safeguards established under NIST SP 800-171.

Organizations most likely to need Level 3 certification are those that:

A practical way to determine if your organization requires Level 3 is to compare your new contracts with previous ones that referenced the CMMC v1.02 framework. Under CMMC 2.0, Level 3 roughly corresponds to Level 5 in v1.02. If your organization previously required Level 5 certification, you will likely need Level 3 under the updated rules.

Assessment Requirements:

Achieving CMMC Level 3 certification demonstrates that your organization is prepared to protect critical defense information at the highest level, positioning you for complex and sensitive DoD contracts.

CMMC Requirements at Level 3

Achieving CMMC Level 3 certification involves implementing advanced security controls based on NIST SP 800-172, which follows the same 14 Domains as SP 800-171. This level, often referred to as Expert security, is designed for organizations managing the most sensitive Controlled Unclassified Information (CUI).

At this time, the full scope of Level 3 controls has not been finalized. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]) is continuing to develop the model, and more detailed guidance is expected in the near future.

What is currently known:

Preparing proactively for CMMC Level 3 certification ensures organizations are ready for government-led assessments and can protect sensitive defense information at the highest standards.

 

How RSI Security Can Help

For current or prospective DoD contractors seeking CMMC certification at any level, choosing the right CMMC advisory partner is critical to achieving full compliance efficiently and effectively.

RSI Security is recognized by the Cyber AB (formerly CMMC Accreditation Body, CMMC-AB) as a CMMC Third-Party Assessor Organization (C3PAO). Our team is equipped to guide organizations through every stage of the implementation and certification process, including:

Partnering with RSI Security ensures your organization can streamline CMMC certification, strengthen your cybersecurity posture, and stay eligible for critical DoD contracts.

Contact RSI Security today to begin your path toward efficient, compliant, and confident CMMC certification.

 
