CMMC: Where Does Your Company Fit In
The world of cybersecurity is constantly changing. As technology continues to grow, threats continue to evolve as well. Cybercrime is a looming danger for both public and private networks, and it is expected to cost the world $11 trillion in 2026 alone. This highlights the need for more stringent cybersecurity standards to govern agencies, especially those under federal jurisdiction. This is where the Cybersecurity Maturity Model Certification (CMMC) comes in.
The CMMC provides more structure to different cybersecurity standards, giving organizations a better idea of their readiness against threats and what they still need to address. It is divided into different levels, each with its own set of requirements that companies and agencies must meet to be certified. The US Department of Defense activated the finalized CMMC rule in November 2025, and because it is a relatively recent development, some agencies may have trouble navigating their way around it. The question is, how do you figure out where your company fits in?
The 3 Levels of CMMC
There are three CMMC levels, called maturity levels. Each level sets out the security requirements a contractor or company must meet, and how compliance is assessed, to be certified at that level.
Level 1: Basic Safeguarding of FCI
This level corresponds to basic safeguards geared towards protecting Federal Contract Information (FCI). Level 1 requires annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
Level 2: Broad Protection of CUI
Maturity Level 2 requires documentation: an organization must keep written records of its practices and policies so that they can be repeated and implemented consistently. This level requires annual affirmation that the 110 security requirements in NIST SP 800-171 Revision 2 have been implemented. An initial self-assessment is acceptable but must be followed up with a CMMC Third-Party Assessment Organization (C3PAO) assessment.
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
This level requires CMMC Level 2 C3PAO certification and the implementation of the 24 identified requirements from NIST SP 800-172. Annual verification of compliance is required.
Finding Your Place Within the CMMC
For most agencies that are starting to adjust to the CMMC standards, the first step is to determine the correct level for the organization. Only then can you figure out what you need to do to bring yourself up to standard. The correct level depends largely on the nature of the agency and the type of information it handles.
For example, companies that handle Controlled Unclassified Information (CUI) need a minimum of Maturity Level 2. However, some government organizations may require Level 3 based on the sensitivity of their information and assets.
With the cybersecurity world constantly changing, it is better for organizations to level up their defenses sooner rather than later. That way, even when standards become more stringent, adapting will not be a problem.
For the best chance of success, it is advisable to find a security partner who is familiar with cybersecurity standards and who has previously worked with government contractors under the DoD. Among other considerations, a reliable partner will be able to help you bring your systems up to par using scalable solutions without major disruption to your day-to-day operations.
Talk to an expert to find out how to boost your company’s cybersecurity.