In November 2021, the U.S. Department of Defense (DoD) introduced major updates to the Cybersecurity Maturity Model Certification (CMMC) program, commonly referred to as CMMC 2.0. These changes left many organizations in the Defense Industrial Base (DIB) wondering: Do we still need to comply with CMMC certification requirements?
The short answer is yes, but the more important question is which Level of CMMC certification applies to your organization. The required Level depends on the type of sensitive data you handle in your current or prospective DoD contracts. Understanding this distinction is critical, as it determines the cybersecurity controls you must implement—and how soon you need to meet them.
What CMMC Level Do I Need to Meet?
The CMMC certification level your organization must achieve will ultimately be specified in each DoD contract. However, there are general expectations for the types of work and contracts that require Level 1, Level 2, or Level 3 certification.
This guide will break down:
- CMMC Level 1: Who needs it and how to achieve it
- CMMC Level 2: Who needs it and how to achieve it
- CMMC Level 3: Who needs it and how to achieve it
Maintaining the appropriate CMMC certification level is essential for safeguarding sensitive data and staying eligible for future DoD contracts.
Regulatory Context and Sources
The Cybersecurity Maturity Model Certification (CMMC) is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]). It was developed to align organizations in the Defense Industrial Base (DIB) with the Defense Federal Acquisition Regulation Supplement (DFARS), ensuring consistent and enforceable cybersecurity requirements.
CMMC certification also builds on established National Institute of Standards and Technology (NIST) frameworks, including:
- NIST SP 800-171: Protecting Controlled Unclassified Information (CUI)
- NIST SP 800-172: Enhanced requirements for protecting high-value assets
The type of sensitive information an organization manages determines which CMMC certification level applies and which safeguards must be implemented to remain compliant.
Who Needs CMMC Level 1?
Understanding who needs CMMC certification starts with organizations that fall under Level 1 requirements.
The main goal of the CMMC framework—along with U.S. Department of Defense regulations like Defense Federal Acquisition Regulation Supplement (DFARS) and NIST SP 800-171 / NIST SP 800-172—is to safeguard sensitive information that’s essential to national security. The first type of data in this category is Federal Contract Information (FCI), defined in FAR Clause 52.204-21.
If your organization stores, processes, transmits, or has access to FCI, but does not handle more sensitive data—you will most likely need to achieve CMMC Level 1 certification.
At this level, organizations must complete an annual self-assessment and affirm compliance; no third-party assessment is required. The self-assessment verifies that basic cybersecurity practices are in place to protect FCI and fulfill contract requirements with the DoD.
CMMC Requirements at Level 1
Achieving CMMC certification at Level 1 requires meeting a set of 17 foundational practices across six Domains. These practices correspond to the 15 basic safeguarding requirements of FAR Clause 52.204-21. Unlike higher levels, CMMC 2.0 Level 1 does not cover all 14 Domains from NIST SP 800-171, but it establishes the essential cybersecurity safeguards needed to protect Federal Contract Information (FCI).
Here’s a breakdown of the required practices by Domain:
- Access Control (AC) – 4 Practices
- Authorize access to systems and data
- Control transactions and functions
- Secure external connections
- Manage public information access
- Identification and Authentication (IA) – 2 Practices
- Identify all users and system assets
- Require authentication before granting access
- Media Protection (MP) – 1 Practice
- Sanitize or destroy media containing FCI before disposal
- Physical Protection (PE) – 4 Practices
- Restrict physical access to systems and facilities
- Escort and monitor visitors
- Log and track physical access
- Control physical devices tied to data environments
- System and Communications Protection (SC) – 2 Practices
- Protect system boundaries
- Separate public and private networks
- System and Information Integrity (SI) – 4 Practices
- Identify and correct system flaws
- Defend against malicious code
- Keep protections updated promptly
- Perform periodic system scans and real-time scans of files from external sources as they are downloaded, opened, or executed
These safeguards form the foundation of CMMC Level 1 certification and are the same 17 practices that Level 1 required under CMMC v1.02. Together, they ensure that organizations handling FCI apply consistent, baseline protections against cyber threats.
Who Needs CMMC Level 2?
Organizations that handle Controlled Unclassified Information (CUI) must achieve CMMC Level 2 certification. Unlike Federal Contract Information (FCI), which falls under Level 1, CUI represents a broader and more sensitive category of defense-related data. Examples include repair manuals for military equipment, technical schematics, or operational details that, while not classified, could pose national security risks if exposed.
The protections for CUI are outlined in DFARS Clause 252.204-7012 and mapped directly to the security requirements of NIST SP 800-171. These requirements make Level 2 certification significantly more rigorous than Level 1.
Key assessment requirements include:
- Third-Party Assessments: Most organizations seeking Level 2 certification must undergo a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB.
- Annual Self-Assessments (Limited Cases): A smaller subset of Level 2 contractors may qualify for annual self-assessments, similar to Level 1 requirements, depending on the sensitivity of their contracts.
By achieving CMMC Level 2, organizations demonstrate their ability to safeguard CUI in alignment with DoD standards, positioning themselves to win and maintain critical defense contracts.
CMMC Requirements at Level 2
Achieving CMMC 2.0 Level 2 certification requires full alignment with the NIST SP 800-171 framework. This includes all 110 security requirements across 14 Domains, representing the jump from foundational to advanced cybersecurity maturity.
These practices are designed to protect Controlled Unclassified Information (CUI), making Level 2 a critical milestone for most DoD contractors. Below is a high-level overview of the requirements across each Domain. The counts shown are the practices each Domain adds beyond the 17 already required at Level 1; they total 93, and together with the 17 Level 1 practices make up the full 110:
- Access Control (AC): 18 advanced practices, including enforcing least privilege, controlling privileged account use, implementing session locks, and encrypting mobile device access.
- Awareness and Training (AT): 3 practices requiring role-based training, risk awareness, and insider threat education.
- Audit and Accountability (AU): 9 practices for auditing systems, protecting logs, reviewing events, and ensuring accountability.
- Configuration Management (CM): 9 practices to maintain secure system baselines, restrict unnecessary functionality, and control user-installed software.
- Identification and Authentication (IA): 9 practices, including multi-factor authentication (MFA), password complexity, and disabling inactive accounts.
- Incident Response (IR): 3 practices covering incident handling, reporting, and response testing.
- Maintenance (MA): 6 practices to secure maintenance activities, sanitize equipment, and enforce MFA for remote maintenance.
- Media Protection (MP): 8 practices to secure, label, encrypt, and control portable media containing CUI.
- Personnel Security (PS): 2 practices ensuring personnel screening and protecting CUI during employment changes.
- Physical Protection (PE): 2 practices requiring monitoring of facilities and alternate work sites.
- Risk Assessment (RA): 3 practices focused on vulnerability scanning, remediation, and periodic assessments.
- Security Assessment (CA): 4 practices requiring security control reviews, system security plans, and action plans.
- System and Communications Protection (SC): 14 practices including encryption for CUI, cryptographic key management, and VoIP/mobile code safeguards.
- System and Information Integrity (SI): 3 practices requiring monitoring for alerts, attacks, and unauthorized access.
Together, these 110 practices establish a comprehensive defense framework against insider threats, cyberattacks, and unauthorized access. While demanding, implementing them is essential for protecting CUI and qualifying for the majority of DoD contracts.
Note: These Level 2 requirements align closely with the CMMC v1.02 Level 3 controls, reflecting the DoD’s move to simplify the model while still ensuring strong security.
Who Needs CMMC Level 3?
Currently, it is not entirely clear which organizations will be required to achieve CMMC Level 3 certification. Level 3 is designed to provide maximum protection for Controlled Unclassified Information (CUI), building on the comprehensive safeguards established under NIST SP 800-171.
Organizations most likely to need Level 3 certification are those that:
- Manage the largest volumes of CUI
- Rely heavily on CUI for daily operations
A practical way to determine if your organization requires Level 3 is to compare your new contracts with previous ones that referenced the CMMC v1.02 framework. Under CMMC 2.0, Level 3 roughly corresponds to Level 5 in v1.02. If your organization previously required Level 5 certification, you will likely need Level 3 under the updated rules.
Assessment Requirements:
- Level 3 certification requires triennial, government-led assessments conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than by a C3PAO.
- A Level 2 certification from a C3PAO assessment is a prerequisite, since Level 3 builds on the full NIST SP 800-171 baseline.
- These assessments ensure that organizations with high-value CUI meet the highest security standards outlined by the DoD.
Achieving CMMC Level 3 certification demonstrates that your organization is prepared to protect critical defense information at the highest level, positioning you for complex and sensitive DoD contracts.
CMMC Requirements at Level 3
Achieving CMMC Level 3 certification involves implementing a selected subset of the enhanced security requirements in NIST SP 800-172, in addition to all 110 requirements of SP 800-171. SP 800-172 uses the same family structure as SP 800-171, although it defines enhanced requirements for only 10 of the 14 families. This level, often referred to as Expert, is designed for organizations managing the most sensitive Controlled Unclassified Information (CUI).
At this time, the full scope of Level 3 controls has not been finalized. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]) is continuing to develop the model, and more detailed guidance is expected in the near future.
What is currently known:
- Level 3 requirements will roughly align with CMMC v1.02 Level 5.
- Organizations should begin planning and implementing advanced cybersecurity measures to prepare for upcoming assessments.
- Compliance planning should focus on high-value CUI protection, rigorous access controls, and expert-level security practices.
Preparing proactively for CMMC Level 3 certification ensures organizations are ready for government-led assessments and can protect sensitive defense information at the highest standards.
How RSI Security Can Help
For current or prospective DoD contractors seeking CMMC certification at any level, choosing the right CMMC advisory partner is critical to achieving full compliance efficiently and effectively.
RSI Security is recognized by the Cyber AB (formerly CMMC Accreditation Body, CMMC-AB) as a CMMC Third-Party Assessor Organization (C3PAO). Our team is equipped to guide organizations through every stage of the implementation and certification process, including:
- Understanding and applying NIST SP 800-171 and SP 800-172 requirements
- Implementing controls to meet the required CMMC Level
- Gathering and documenting evidence for annual or triennial assessments
Partnering with RSI Security ensures your organization can streamline CMMC certification, strengthen your cybersecurity posture, and stay eligible for critical DoD contracts.
Contact RSI Security today to begin your path toward efficient, compliant, and confident CMMC certification.