CMMC Requirements: Levels 1-3 Explained

The Department of Defense (DoD) has over 300,000 companies in its defense industrial base that may have access to government-sensitive information. To safeguard federal contract information (FCI) and controlled unclassified information (CUI) on the contractors’ information systems and control the rise of cybercrime and its devastating effects, DoD has developed the Cybersecurity Maturity Model Certification (CMMC) framework.

Before CMMC, contractors were accountable for implementing and monitoring their own cybersecurity best practices. Now the CMMC framework comes with a certification program, and the DoD has appointed its own certification body to audit and validate the implementation of the contractors’ cybersecurity infrastructure.

CMMC Requirements Explained

The CMMC establishes three certification levels with which contractors need to comply to bid on future contracts. The level of certification depends on the contractor’s government customer requirements.

The CMMC levels focus on the type and sensitivity of information and threats: Level 1, basic safeguarding of FCI; Level 2, broad protection of CUI; Level 3, higher-level protection of CUI against advanced persistent threats.

Below is a more detailed explanation of each CMMC level:

Level 1: Basic safeguarding of FCI

This level corresponds to basic safeguards geared towards protecting Federal Contract Information (FCI). Level 1 requires annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

Documentation is required under Maturity Level 2, which means an organization must keep records of its practices and policies so that they can be replicated and implemented repeatedly based on the documentation. This level requires an annual affirmation of compliance stating that the 110 security requirements in NIST SP 800-171 Revision 2 have been implemented. An initial self-assessment is acceptable but must be followed up with a CMMC Third-Party Assessment Organization (C3PAO) assessment.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

This level requires CMMC Level 2 C3PAO certification and the implementation of the 24 identified requirements from NIST SP 800-172. Annual verification of compliance is required. 

It is important to note that the CMMC requirements rule went into effect on November 10, 2025. Contractors should begin taking immediate steps to learn the CMMC’s technical requirements and prepare their cybersecurity infrastructure and/or best practices to be on par with the CMMC framework. Failure to do so could prevent them from bidding or working on government projects.

For contractors that are just starting to adapt to the CMMC standards, this may seem like an overwhelming task. Seeking assistance from a security expert can help your organization fully understand all the details.

Ensure Compliance with an Expert

Dynamic Systems has been helping federal agencies and their partners to accelerate transformation and ensure business continuity. As an organization that has previously worked with government contractors under the DoD, we are familiar with cybersecurity standards and are constantly upgrading our security solutions based on the latest cybersecurity and compliance trends.

Our team of security experts can help enhance your organization’s cyber hygiene practices and tailor solutions based on your CMMC requirement. Let’s connect today.
