If you hold a DoD contract or are pursuing one, CMMC determines whether you are eligible to perform on it. It is not a best-practice framework you adopt voluntarily. It is a contractual requirement with pass/fail consequences — and the bar is getting harder to clear as the rule matures.

Understanding what changed between versions, what level applies to you, and what it actually takes to pass an assessment is the starting point. We have been through this with contractors at every stage of readiness.

CMMC 1.0 vs. CMMC 2.0 — What Changed and Why It Matters

CMMC 1.0 was published in January 2020 and created five maturity levels, each with its own set of practices and processes. It was ambitious and complicated, and contractors pushed back hard on the cost and burden, particularly at levels 2 and 4, which introduced practices beyond what NIST SP 800-171 required.

CMMC 2.0 was finalized in December 2024 and streamlined the model significantly. The five levels became three. The intermediate levels (old 2 and 4) were eliminated. The practices in the remaining levels were realigned directly to existing NIST standards rather than introducing new requirements. Third-party assessment requirements were clarified. Annual self-attestation was permitted for Level 1 and for a subset of Level 2 contracts.

The critical difference in practice: CMMC 1.0 was a framework that many contractors read as aspirational guidance. CMMC 2.0 is embedded directly in the DFARS clause 252.204-7021. When it appears in your contract, it is a legal obligation with defined assessment timelines. The DoD has made clear that waivers will be rare and temporary. Contractors who are not assessed and certified will not receive covered contracts.

If you were preparing for CMMC 1.0, your preparation largely transfers — but the level mapping changed, and the documentation requirements for 2.0 assessments have specific expectations that did not exist under 1.0. We help contractors understand exactly where they stand under 2.0 and what has to change.

Level 1 — Foundational

Level 1 applies to contractors who handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract that is not intended for public release. This is a broad category. If you receive contract deliverables, performance data, or government-provided information that is not publicly available, you likely handle FCI.

Level 1 consists of 17 practices drawn directly from FAR 52.204-21. These are the basics:

- limit information system access to authorized users and transactions;
- verify the identity of users before granting access;
- sanitize or destroy information system media before disposal or reuse;
- limit physical access to organizational systems to authorized individuals;
- monitor and control communications at external boundaries;
- identify and authenticate users before allowing access;
- conduct basic security awareness training; and
- perform periodic scanning of systems and real-time scanning of files from external sources.

Level 1 allows annual self-assessment with an affirmation submitted to the DoD's Supplier Performance Risk System (SPRS). A senior official within your company signs the affirmation. That signature carries legal weight. Submitting an inaccurate self-assessment opens the contractor to False Claims Act exposure.

What Level 1 actually looks like in a properly prepared environment: documented access control policies with technical enforcement, MFA on systems handling FCI, a media sanitization procedure with records, endpoint protection on all systems in scope, and boundary protection between your internal network and the internet. It is achievable for small contractors, but only if the controls are actually implemented and documented — not just described in a policy document nobody enforces.

Level 3 — Advanced

Level 3 applies to contractors who handle Controlled Unclassified Information (CUI) on contracts supporting DoD programs. CUI is a defined category — information the government requires to be safeguarded under law, regulation, or policy. The CUI Registry maintained by NARA defines what qualifies. Defense acquisition information, export-controlled technical data, sensitive contract performance data, and law enforcement sensitive information are common examples in defense contracting.

Level 3 requires implementation of all 110 security requirements in NIST SP 800-171 Revision 2, plus a subset of enhanced requirements from NIST SP 800-172. The 800-172 additions are specifically targeted at contractors supporting programs that face advanced persistent threats — nation-state level adversaries who are actively trying to steal defense technology and acquisition information.

Unlike Level 1, Level 3 requires a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) certified by the CMMC Accreditation Body. Self-assessment is not sufficient. The C3PAO conducts an evidence-based review of all 110+ requirements: interviews with personnel, technical testing, and documentation review. They produce an assessment report submitted to the DoD. Your certification is valid for three years, with annual affirmations required in years two and three.

What passing a Level 3 assessment actually requires:

- a complete and accurate System Security Plan (SSP) documenting how each requirement is implemented;
- a Plan of Action and Milestones (POA&M) for any requirements not yet fully implemented, with very limited tolerance for open items at assessment time;
- network diagrams that accurately reflect the current environment and CUI data flows; and
- evidence that controls are actually implemented, not just policy statements: configuration baselines, access control records, vulnerability scan results, incident response test records, and security awareness training completion logs.

The gap between where most contractors start and where a C3PAO assessment requires them to be is typically larger than they expect. Common failure areas:

- multi-factor authentication not implemented on all CUI-accessible systems;
- CUI not properly bounded within the assessed environment, so the assessment scope is larger than anticipated;
- audit logging not configured on all systems in scope;
- configuration management and change control processes not formalized; and
- incident response plans that exist on paper but have never been tested.

We perform a readiness assessment against all 110 requirements before any C3PAO is involved, identify and remediate gaps, write or update the SSP to accurately reflect the environment, develop the POA&M, and prepare your team for what the assessment interviews will cover. Our goal is that when the C3PAO shows up, there are no surprises.

Need Security Guidance Here?

We can assess your current state and build a compliant implementation plan.

Talk to a Specialist