The levels.
Three levels, tied to what you handle — not to how big your company is.
Different data carries different risk, and the level tied to that risk is what your contract requires — not what a vendor tells you to buy. This page sets out what each level actually requires, who checks it, and how Level 3 builds on Level 2.
01Why three levels
CMMC has three levels because the security expectation is supposed to track what you actually handle, not the size of your company or the size of your contract. An eight-person shop shipping fasteners under a purchase order and a two-hundred-person prime holding a design database face different requirements because they hold different things — not because one is more diligent than the other.
Level 1 tracks Federal Contract Information (FCI): the baseline that shows up on almost any DoD contract. Levels 2 and 3 track Controlled Unclassified Information (CUI), which carries more specific handling rules because it is more sensitive. The Data page covers what separates FCI from CUI; this page assumes you already know, roughly, which one you’re dealing with, and want to know what happens next.
Which level a given contract actually requires is a fact about that contract, not a judgment call: it comes from the solicitation, the clauses written into your contract, and — if you’re a subcontractor — what a prime flows down to you. A vendor telling you which level you need is not the same thing as your contracting officer telling you.
02The three levels
The table below is the fact spine for the rest of this page — what each level is tied to, what requirement set it draws from, how it gets checked, and how often.
| Level | Data | Requirement base | Assessment path | Status rhythm |
|---|---|---|---|---|
| Level 1 | FCI | FAR 52.204-21 15 requirements |
Self-assessment | Annual self-assessment + affirmation |
| Level 2 | CUI | NIST SP 800-171 Rev. 2 110 requirements |
Self-assessment or C3PAO certification, depending on the contract | Triennial assessment + annual affirmations |
| Level 3 | Higher-risk CUI | 24 selected NIST SP 800-172 requirements on top of Level 2 |
DCMA DIBCAC | Triennial assessment + annual affirmations |
Sections 03–05 below cover each row in more detail, including what Conditional status requires at Levels 2 and 3.
03Level 1
Level 1 is the FCI level: 15 requirements, drawn from FAR 52.204-21, self-assessed once a year. It is the most common CMMC level because FCI is the most common thing a DoD contract involves — if you have ever held a DoD purchase order that wasn’t public information, you have likely handled FCI. Level 1, in practice walks all fifteen requirements, the self-assessment, and the affirmation end to end.
The rule says
“A POA&M is not permitted at any time for Level 1 self-assessments.”
32 CFR 170.21(a)(1)In practice
There is no partial credit at Level 1 and no interim status to hold a gap open. All 15 requirements have to be MET at the time of the self-assessment — not planned, not in progress. What carries the status forward year to year is the annual self-assessment plus the Affirming Official’s affirmation in SPRS (Section 06, below).
04Level 2
Level 2 is the CUI level: the 110 security requirements of NIST SP 800-171 Revision 2. It is also where the desk has to be careful with language, because Level 2 does not mean one fixed thing — it means one of two different assessment paths, and which one applies is not the contractor’s choice.
Self-assessment or certification — the solicitation decides
“Level 2” alone is not a complete answer to “what do I need.” A given contract requires either Level 2 (Self) or Level 2 (C3PAO) — and the difference is not cosmetic: one is a self-assessment you perform and post to SPRS, the other is a certification assessment performed by an accredited third party.
The rule says
“DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award… DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status.”
32 CFR 170.3(e)(1)In practice
Whether a specific contract requires Level 2 (Self) or Level 2 (C3PAO) is written into that contract’s solicitation, not decided by the contractor after the fact. “Level 2 always means a C3PAO” is a common shortcut, and it is wrong often enough to be worth unlearning — check the actual clause and status requirement in front of you.
Conditional status: the POA&M mechanics
A Level 2 assessment does not have to land on a perfect score to reach a usable status. Conditional status exists for exactly this case — a small, bounded set of gaps, on a clock.
The rule says
“An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met: (i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8; (ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology… except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and (iii) None of the following security requirements are included in the POA&M” — six requirements, named in full below.
32 CFR 170.21(a)(2)In practice
Three conditions have to hold at once. The score has to be at least 88 of 110 (0.8 × 110). Every requirement left open on the POA&M has to be worth 1 point — with one named exception, SC.L2-3.13.11 (CUI encryption that’s in place but not yet FIPS-validated), capped at 3 points. And a short list of specific 1-point requirements can never sit on a POA&M at all, regardless of score, because the rule treats them as too foundational to leave open.
Never POA&M-eligible at Level 2, regardless of point value or score: AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), PE.L2-3.10.5 (Manage Physical Access). 32 CFR 170.21(a)(2)(iii)
A POA&M closeout assessment has to confirm every open item is closed within 180 days of the Conditional status date. Miss the window, and the Conditional status expires — it does not roll over quietly. 32 CFR 170.21(b)
05Level 3
Level 3 adds a further, narrower layer on top of Level 2: 24 requirements selected from NIST SP 800-172’s pool of 39 enhanced requirements, aimed at higher-risk CUI. Assessment moves from a C3PAO to DCMA DIBCAC — a government assessor.
The rule says
“The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope… Any Level 2 POA&M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset.”
32 CFR 170.19(e)In practice
Level 3 has a prerequisite: a Final Level 2 (C3PAO) status, on the same assessment scope Level 3 will use, or a broader one. Conditional Level 2 does not qualify — every Level 2 POA&M item has to be closed first. DIBCAC can also re-check any Level 2 requirement during the Level 3 assessment; a Level 2 gap that surfaces at this stage can pause, hold, or end the Level 3 assessment.
Which 24 of the 39 enhanced requirements apply is not a contractor choice either — the selection is fixed by rule, in Table 1 to 32 CFR 170.14(c)(4). Level 3 is the least common level on this desk’s reader base: it applies to the highest-risk CUI, and DIBCAC, not a C3PAO, performs the assessment.
06Affirmations, at every level
Every level carries the same ongoing obligation on top of the assessment itself: once a year, a senior official — the Affirming Official — submits an affirmation in SPRS stating that the organization continues to meet the security requirements behind its CMMC Status. This happens at Level 1, Level 2, and Level 3 alike, and again whenever a POA&M closes out.
An affirmation is not a formality. It is a representation to the government, made by someone with the standing to know whether it’s true, and it carries the exposure that comes with any representation made to secure a federal contract — the Department of Justice’s Civil Cyber-Fraud Initiative has pursued False Claims Act cases built on exactly this kind of misrepresentation.
See the Glossary for the full Affirmation / Affirming Official entry, and the Department of Justice’s Civil Cyber-Fraud Initiative announcement for the source. 32 CFR 170.4, 170.22; DFARS 252.204-7021(d)(3)–(4)
07Which level will your contracts require
The honest answer starts with your contracts, not with this page. Start Here walks through the specific clause signals — 252.204-7012, -7019, -7020, -7021, -7025 — that tell you what a given contract is actually asking for, and The System covers the four-phase rollout that determines when any of this reaches a contract that hasn’t been re-competed yet. Between the two, most readers can place themselves on this page’s table without guessing.