Who Needs CMMC Certification? Do You Need It?

In November 2021, the U.S. Department of Defense (DoD) introduced major updates to the Cybersecurity Maturity Model Certification (CMMC) program, reshaping how contractors approach compliance. These changes left many organizations across the Defense Industrial Base (DIB) asking a critical question: Who needs CMMC certification—and does it apply to us?

The short answer is yes. If your organization works with the DoD or plans to bid on contracts, CMMC certification is required. However, the more important question is which level of CMMC certification your organization needs.

Your required level depends on the type of sensitive information you handle, such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Each level comes with its own set of cybersecurity requirements, timelines, and assessment expectations. Understanding where your organization falls is essential—not only for compliance, but for maintaining eligibility for DoD contracts.

What CMMC Certification Level Do You Need?

The CMMC certification level your organization must achieve will be specified in each DoD contract. However, there are clear baseline expectations based on the type of work you perform and the sensitivity of the information you handle.

In general, organizations must meet one of three CMMC levels:

• CMMC Level 1: Basic cybersecurity practices for companies handling Federal Contract Information (FCI)

• CMMC Level 2: Advanced requirements for organizations processing Controlled Unclassified Information (CUI)

• CMMC Level 3: Expert-level protections for high-priority DoD programs and critical national security data

In this guide, we’ll break down:

• Who needs each CMMC certification level

• What requirements you must meet

• How to achieve and maintain compliance

Maintaining the appropriate CMMC certification level is essential not only for protecting sensitive data, but also for remaining eligible for current and future DoD contracts.

 

Regulatory Context and Sources of CMMC Certification

The Cybersecurity Maturity Model Certification (CMMC) program is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). It was developed to strengthen cybersecurity across the Defense Industrial Base (DIB) and enforce compliance with the Defense Federal Acquisition Regulation Supplement (DFARS).

At its core, CMMC certification standardizes how DoD contractors protect sensitive information by aligning with established frameworks from the National Institute of Standards and Technology (NIST), including:

• NIST SP 800-171: Requirements for protecting Controlled Unclassified Information (CUI)

• NIST SP 800-172: Enhanced safeguards for high-value assets and critical programs

These frameworks form the foundation of CMMC requirements. The type of sensitive information your organization handles—such as CUI—determines which CMMC certification level applies and which security controls you must implement to remain compliant.

Who Needs CMMC Level 1 Certification?

Understanding who needs CMMC certification begins with organizations that fall under CMMC Level 1 requirements.

The primary goal of the CMMC framework—alongside U.S. Department of Defense regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST standards—is to protect sensitive information critical to national security. At Level 1, this includes Federal Contract Information (FCI), as defined in FAR Clause 52.204-21.

If your organization stores, processes, or transmits FCI—but does not handle more sensitive data like Controlled Unclassified Information (CUI)—you will likely need to achieve CMMC Level 1 certification.

At this level, organizations are required to perform annual self-assessments to demonstrate compliance. These assessments confirm that basic cybersecurity practices are in place to protect FCI and meet DoD contract requirements. Maintaining this level of CMMC certification is essential for continuing to work with the DoD.

CMMC Level 1 Requirements

Achieving CMMC Level 1 certification requires implementing 17 basic cybersecurity practices across six domains. These foundational controls are designed to protect Federal Contract Information (FCI) and establish a baseline level of security for organizations working with the DoD.

Unlike higher levels, Level 1 focuses on essential safeguards rather than the full NIST SP 800-171 framework.

Level 1 Practices by Domain

• Access Control (AC) – 4 practices
  Limit system access to authorized users, control system functions, and secure external connections.

• Identification and Authentication (IA) – 2 practices
  Identify users and devices, and require authentication before granting access.

• Media Protection (MP) – 1 practice
  Sanitize or destroy media containing FCI before disposal.

• Physical Protection (PE) – 4 practices
  Restrict facility access, monitor visitors, and protect physical systems.

• System and Communications Protection (SC) – 2 practices
  Secure system boundaries and separate public and private networks.

• System and Information Integrity (SI) – 4 practices
  Detect vulnerabilities, protect against malware, and keep systems updated.

Together, these practices form the foundation of CMMC certification at Level 1, ensuring consistent protection of FCI against common cyber threats.

Who Needs CMMC Level 2 Certification?

Organizations that handle Controlled Unclassified Information (CUI) must achieve CMMC Level 2 certification.

CUI is more sensitive than FCI and includes data such as technical drawings, defense system details, and operational information. Because of this, Level 2 introduces significantly stricter security requirements aligned with NIST SP 800-171.

Key Assessment Requirements

• Third-Party Assessments (C3PAO):
  Most organizations must undergo a triennial assessment conducted by a certified third-party assessor.

• Annual Self-Assessments (Limited Cases):
  Some contractors may qualify for self-assments depending on contract sensitivity.

Achieving Level 2 demonstrates your organization’s ability to protect CUI and qualifies you for the majority of DoD contracts.

CMMC Level 2 Requirements

To achieve CMMC Level 2 certification, organizations must implement all 110 security practices defined in NIST SP 800-171 across 14 domains.

These controls represent a significant step up in cybersecurity maturity and are essential for protecting CUI.

Key Requirement Areas

• Access Control: Enforce least privilege and secure privileged accounts

• Audit and Accountability: Log, monitor, and review system activity

• Identification and Authentication: Implement MFA and strong credential policies

• Incident Response: Detect, report, and respond to security incidents

• Configuration Management: Maintain secure system baselines\

• System Protection: Encrypt CUI and secure communications

These requirements create a comprehensive defense framework against cyber threats, insider risks, and unauthorized access.

Note: CMMC Level 2 aligns closely with CMMC v1.02 Level 3, reflecting a streamlined but still rigorous model.

Who Needs CMMC Level 3 Certification?

CMMC Level 3 certification applies to organizations handling high-value CUI tied to critical national security programs.

While final requirements are still evolving, Level 3 is expected for contractors that:

• Manage large volumes of sensitive CUI

• Support high-priority defense programs

• Previously required CMMC v1.02 Level 5
  
  

Assessment Requirements

• Government-led assessments every three years

• Conducted by authorized federal assessors

Achieving Level 3 demonstrates the highest level of cybersecurity maturity and readiness for the most sensitive DoD contracts.

CMMC Level 3 Requirements

CMMC Level 3 certification builds on NIST SP 800-171 and introduces enhanced controls from NIST SP 800-172.

This level focuses on advanced threat protection and proactive security strategies.

What We Know So Far

• Requirements will align closely with CMMC v1.02 Level 5
  
  
• Focus on protecting high-value CUI

• Emphasis on advanced access controls and threat detection

Organizations should begin preparing early by strengthening their cybersecurity programs and aligning with advanced NIST guidance.

How RSI Security Can Help with CMMC Certification

Achieving CMMC certification can be complex, especially at higher levels. Partnering with an experienced advisor ensures your organization meets all requirements efficiently and avoids costly delays.

RSI Security is recognized by the Cyber AB as a Certified Third-Party Assessment Organization (C3PAO) and provides end-to-end CMMC support, including:

• Gap assessments and readiness planning

• Implementation of NIST SP 800-171 and 800-172 controls
  
• Evidence collection and audit preparation

• Support for self-assessments and third-party certification

With RSI Security, you can streamline your path to CMMC certification, strengthen your security posture, and maintain eligibility for critical DoD contracts.

Contact RSI Security today to start your CMMC certification journey.

Download our CMMC checklist