Cybersecurity Insights

CMMC 2.0 Framework: Understanding the Different Levels of Certification

Posted in CMMC

CMMC 2.0: Three Levels of Certification

The current iteration of CMMC, known as CMMC 2.0, establishes a three-tiered approach to certification, with each level reflecting the sensitivity of information being protected and the corresponding rigor of security measures required. This tiered structure acknowledges that not every contractor requires the same level of security investment, enabling companies to tailor their cybersecurity efforts to the actual risks associated with the information they handle.

Level 1: Foundational

Level 1 serves as the entry point for CMMC 2.0 compliance and is designed for companies that handle only Federal Contract Information. The requirements at this level focus on implementing 15 fundamental cybersecurity practices that align with Federal Acquisition Regulation Clause 52.204-21. These practices address basic security hygiene that every organization handling government information should maintain, regardless of the sensitivity of that information.

The foundational practices required for Level 1 certification include controls such as limiting system access to authorized users, establishing basic access controls, sanitizing or destroying information when it’s no longer needed, and restricting physical access to systems and equipment. These measures protect against common threats such as unauthorized access by outsiders, accidental data loss through improper disposal, and basic cyber intrusions that exploit obvious vulnerabilities.

An important distinction of Level 1 is that it relies on self-assessment rather than third-party verification. Businesses seeking Level 1 certification must conduct an annual self-assessment of their security practices, documenting their implementation of the required controls and submitting an affirmation of compliance. This approach recognizes that the information protected at Level 1, while important, doesn’t warrant the expense and complexity of a formal third-party assessment.

Examples of contractors who typically need Level 1 certification include those providing commercial services that don’t involve handling technical specifications or operational information, suppliers of basic office supplies or facilities maintenance services to defense installations, and businesses that interact with Federal Contract Information but have no exposure to Controlled Unclassified Information. A janitorial service contracted to clean a defense facility, for instance, might need to protect contract pricing information and facility access schedules, but wouldn’t be handling technical defense information requiring more protection.

Level 2: Advanced

Level 2 represents a substantial step up in both the scope of the security requirements and the rigor of the assessment process. This level applies to companies that handle Controlled Unclassified Information and requires adherence to 110 security controls, as outlined in the National Institute of Standards and Technology’s Special Publication 800-171. These controls encompass a comprehensive cybersecurity program that addresses access control, incident response, system and communication protection, risk assessment, security assessment, and numerous other security domains.

The NIST SP 800-171 framework, upon which Level 2 is built, represents cybersecurity best practices developed through extensive research and real-world experience. The 110 controls encompass a range of measures, including implementing multi-factor authentication, encrypting CUI at rest and in transit, establishing incident response capabilities, and conducting regular security assessments. Achieving Level 2 compliance typically requires significant investment in both technology and processes, as companies must not only implement the controls but also document their implementation and maintain evidence of ongoing compliance.

A critical distinction within Level 2 involves the difference between prioritized and non-prioritized acquisitions. The Department of Defense recognizes that some contracts involve information or capabilities that are critical to national security or mission success. In contrast, others, though important, don’t rise to that level of criticality. For prioritized acquisitions involving systems, services, or capabilities deemed most critical, Level 2 certification requires a triennial third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). These independent assessments provide the government with confidence that security controls are correctly implemented and effective.

For non-prioritized acquisitions, businesses may complete an annual self-assessment instead of undergoing a third-party evaluation. This distinction enables the government to concentrate its limited assessment resources on the most critical contracts while maintaining a baseline level of security across the entire DIB. However, companies should be prepared for the possibility that contracts initially classified as non-prioritized might later be reclassified as priorities change or as the nature of the work evolves.

Contractors who typically need Level 2 certification include those developing or manufacturing defense systems or components, companies providing IT services that involve access to operational or technical information, subcontractors who receive CUI from prime contractors as part of their work, and service providers who must access government networks or systems containing CUI. An engineering firm designing components for a weapons system, a software company developing applications for defense use, or a maintenance contractor with access to technical manuals containing CUI would all likely require Level 2 certification.

Level 3: Expert

Level 3 represents the highest tier of CMMC 2.0 certification and is reserved for companies managing the most sensitive Controlled Unclassified Information, particularly in environments where Advanced Persistent Threats pose significant risks. The defense contractors most likely to face these threats are those working on cutting-edge technologies, sensitive operational systems, or other programs of highest importance to national security.

Level 3 builds upon the foundation of NIST SP 800-171 by adding a subset of enhanced security requirements from NIST SP 800-172. These additional controls focus on advanced protective measures, including enhanced monitoring and detection capabilities, more sophisticated access controls, advanced threat hunting, and other proactive security measures designed to detect and counter persistent adversaries. Where Level 2 focuses on implementing strong baseline security, Level 3 assumes that determined adversaries will attempt to breach defenses and therefore emphasizes capabilities to detect, respond to, and recover from sophisticated attacks.

Assessment at Level 3 is conducted exclusively by the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, a government organization with deep expertise in both cybersecurity and the specific threats facing defense contractors. The assessment process at this level is rigorous and comprehensive, reflecting the critical nature of the information being protected and the sophisticated threats it faces.

Companies requiring Level 3 certification typically include prime contractors on programs involving advanced technologies or highly sensitive operations, research and development organizations working on next-generation defense capabilities, and contractors supporting intelligence or special operations communities. A company developing hypersonic weapons technology, conducting research on artificial intelligence applications for defense systems, or supporting classified programs would likely require Level 3 certification. The number of companies requiring Level 3 is relatively small compared to the broader DIB, but these organizations handle information whose compromise could significantly impact national security.

Scope and Applicability of CMMC 2.0

Understanding exactly who must comply with CMMC 2.0 requirements is important for defense contractors assessing their obligations. The framework applies to all businesses participating in the Defense Industrial Base that handle Federal Contract Information or Controlled Unclassified Information. This includes both prime contractors who directly contract with the Department of Defense and subcontractors at any tier of the supply chain who receive or generate FCI or CUI as part of their work.

The concept of “flow-down” requirements is crucial for understanding CMMC’s reach through the supply chain. When a prime contractor receives a contract with CMMC requirements, they must ensure that any subcontractors who will handle FCI or CUI meet the same certification level. A prime contractor certified at Level 2, for instance, cannot simply pass CUI to a subcontractor who has only achieved Level 1 certification. This flow-down provision ensures that security isn’t compromised at any point in the supply chain, eliminating the historical problem of adversaries targeting the weakest link rather than attacking well-defended prime contractors directly.

There is, however, an important exemption for commercial off-the-shelf products. COTS products, or items developed for the commercial marketplace and sold to the government without modification, are exempt from CMMC requirements. This exemption recognizes that requiring CMMC certification for vendors of standardized commercial products would be impractical and wouldn’t significantly enhance security. However, this exemption is narrow; most service providers, custom manufacturers, and businesses that modify products or provide ongoing support will need to comply with CMMC requirements.

The specific maturity level assigned to a company is determined by the type and nature of the information involved in the contract. For prime contractors, this determination is based on the information specified in the contract solicitation. For subcontractors, the required level is determined by the prime contractor based on the information the subcontractor will access or generate. A business may require different certification levels for different contracts, depending on the types of information involved. A manufacturer might need only Level 1 for a contract supplying standard hardware but Level 2 for a contract involving custom components whose specifications constitute CUI.
