Skip to content

The Three Levels of CMMC

 

Explore basic concepts about the three levels of CMMC, compliance requirements for each level, their connection to NIST SP 800-171 Rev 2 and more, through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What are the three levels of CMMC and what does each protect? 

 

Summary: CMMC establishes three compliance levels

  1. Foundational (Level 1)
  2. Advanced (Level 2)
  3. Expert (Level 3) 

Each level corresponds to the sensitivity of the federal information the contractor handles and the sophistication of the cybersecurity protections required. 

Level 1 (Foundational) protects Federal Contract Information (FCI) and requires contractors to implement 17 basic safeguarding practices drawn from FAR clause 52.204-21. An annual self-assessment with results posted to SPRS satisfies Level 1. Level 2 (Advanced) protects Controlled Unclassified Information (CUI) and requires full implementation of all 110 security controls across 14 domains in NIST SP 800-171 Rev 2. Most Level 2 contractors must undergo a triennial third-party assessment by a Cyber AB-authorized C3PAO, with annual affirmations between cycles. 

Level 3 (Expert) protects CUI associated with high-value assets and critical defense programs and requires the 110 NIST SP 800-171 Rev 2 controls plus 24 additional enhanced controls from NIST SP 800-172. Level 3 assessments are conducted exclusively by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and require a valid CMMC Level 2 certification as a prerequisite.

 

What are the compliance requirements for CMMC Level 1 (Foundational)? 

 

Summary: CMMC Level 1 requires defense contractors to implement 17 basic safeguarding practices governing the protection of Federal Contract Information on contractor information systems, as specified in FAR clause 52.204-21, demonstrated through an annual self-assessment with all 17 requirements marked MET. 

These 17 practices address six fundamental security areas: limiting system access to authorized users and functions; preventing unauthorized user access; identifying information system users, processes, and devices; sanitizing or destroying information system media before disposal or reuse; limiting physical access to organizational information systems; and protecting organizational communications. 

Compliance is demonstrated through an annual self-assessment against all 17 requirements evaluated across 59 assessment objectives. All 59 objectives must be MET, no POA&M is permitted at Level 1. Results and an affirmation by a senior company official must be submitted to SPRS annually. No C3PAO is required for Level 1.

 

What are the compliance requirements for CMMC Level 2 (Advanced)? 

 

Summary: CMMC Level 2 requires implementation of all 110 security controls across 14 domains in NIST SP 800-171 Rev 2, demonstrated through 320 specific assessment objectives, making it the most consequential level for the majority of defense contractors. 

CMMC Level 2 applies to any contractor whose information systems process, store, or transmit Controlled Unclassified Information (CUI). The 110 security controls span 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. 

Each of the 110 controls is broken into specific assessment objectives, 320 in total, that define exactly what an assessor will evaluate. All 320 objectives must be met for Final Level 2 certification. A minimum SPRS score of 88 out of 110, with all deficiencies limited to 1-point controls, qualifies for Conditional Level 2 certification, with POA&M closure required within 180 days. For most contractors handling CUI, certification requires a triennial C3PAO assessment with annual senior official affirmations in SPRS between assessment years.

 

What are the compliance requirements for CMMC Level 3 (Expert)? 

 

Summary: CMMC Level 3 requires implementation of all 110 NIST SP 800-171 Rev 2 controls plus 24 additional enhanced security requirements from NIST SP 800-172, and is assessed exclusively by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

Level 3 is designed to protect CUI associated with critical defense programs, breakthrough technologies, large aggregations of sensitive data, or systems whose compromise would create widespread vulnerability across the DoD. The 24 additional NIST SP 800-172 requirements address Advanced Persistent Threat (APT) protection across domains including enhanced access control, configuration management, incident response, risk assessment, and system and communications protection. 

A valid CMMC Level 2 certification from a Cyber AB-authorized C3PAO is a mandatory prerequisite before a Level 3 assessment can be scheduled. The DIBCAC assessment is conducted by government assessors from the Defense Contract Management Agency (DCMA). A Conditional Level 3 status can be granted if the organization scores at least 80 percent on Level 3-specific controls, with POA&M closure required within 180 days. Level 3 certifications are valid for three years with annual affirmations required.

 

What is FAR clause 52.204-21 and which CMMC level does it govern? 

 

FAR clause 52.204-21, titled “Basic Safeguarding of Covered Contractor Information Systems,” is the Federal Acquisition Regulation clause that establishes the 15 basic safeguarding requirements for protecting Federal Contract Information on contractor information systems, and it serves as the governing security standard for CMMC Level 1 compliance. 

The clause, codified at 48 CFR 52.204-21, was established to ensure that all federal contractors implement foundational cybersecurity practices when their systems process, store, or transmit FCI. When assessed under CMMC, the 15 FAR 52.204-21 requirements are evaluated across 17 assessment objectives. All 17 objectives must be marked MET in a Level 1 self-assessment for the contractor to post a compliant entry in SPRS. 

Unlike NIST SP 800-171 Rev 2, which uses a weighted scoring methodology, Level 1 is strictly pass/fail, a single NOT MET finding fails the entire assessment. FAR 52.204-21 is required in virtually all federal contracts above the micro-purchase threshold where FCI will be handled, making it the minimum baseline for the entire contractor community.

 

What is NIST SP 800-171 Rev 2 and how does it underpin CMMC Level 2? 

 

Summary: NIST Special Publication 800-171 Revision 2 is the cybersecurity standard published by NIST that defines the 110 security requirements defense contractors must implement to protect CUI, and it forms the complete technical foundation for CMMC Level 2, CMMC adds verification on top of requirements that already exist. 

Published in February 2020, NIST SP 800-171 Rev 2 organizes its 110 requirements across 14 security requirement families and is referenced by DFARS clause 252.204-7012 as the mandatory standard for contractors handling CUI. CMMC Level 2 does not add requirements beyond NIST SP 800-171 Rev 2, it adds verification. Where DFARS 252.204-7012 required contractors to self-attest compliance, CMMC Level 2 requires most contractors to prove compliance through a C3PAO-conducted assessment. 

The DoD has confirmed, including in a class deviation memorandum, that CMMC assessments will continue to be conducted against Rev 2 until the DoD completes a future rulemaking to incorporate Rev 3. Contractors who have implemented Rev 3 controls are not penalized, but assessors evaluate against the Rev 2 standard.

 

What is NIST SP 800-172 and how does it underpin CMMC Level 3? 

 

NIST Special Publication 800-172, titled “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” is the enhanced cybersecurity standard providing 35 additional security requirements designed to counter Advanced Persistent Threats (APTs), of which 24 are required for CMMC Level 3 certification. 

Published by NIST in February 2021, NIST SP 800-172 supplements, not replaces, NIST SP 800-171 Rev 2. It addresses scenarios where CUI is associated with programs of critical national importance and where sophisticated, state-sponsored attackers pose the primary threat. The 24 requirements selected by the DoD for CMMC Level 3 span enhanced access control, penetration testing, proactive threat hunting, advanced incident response capabilities, and supply chain risk management practices beyond those in NIST SP 800-171 Rev 2. 

Assessment procedures for these requirements are defined in NIST SP 800-172A. A contractor cannot pursue Level 3 certification without first holding a valid CMMC Level 2 C3PAO certification, making NIST SP 800-171 Rev 2 compliance a prerequisite for NIST SP 800-172 assessment.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties