CMMC Compliance Requirements for Level 1 Level 2 and Level 3
CMMC certification requires different cybersecurity controls at each level. Learn the key requirements for Level 1, Level 2, and Level 3 compliance and how they align with NIST 800-171.

CMMC 2.0 recently replaced the previously cumbersome 5-tier system with a more streamlined 3-tier system which allows DoD contractors to better enforce safeguards when sharing DoD information among prime and subcontractors during contracted projects. Closing security gaps to eliminate threats from bad actors is what CMMC is all about—protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from landing in the wrong hands.
With nearly a million contractors outsourced by the DoD at any given time at home and overseas, the risk of cyberattacks on critical infrastructure has increased. The losses due to cyberattacks like ransomware, phishing and other malware aren’t just financial, they’re putting U.S. security at risk. This is why CMMC 2.0 is such a critical component of keeping the flow of government secure.
The three tiers are Level 1 (Basic), Level 2 (Advanced) and Level 3 (Expert). Small- and medium-sized businesses (SMBs) handling FCI will need at least Level 1. Level 2 is where most prime and subcontractors will dwell, since they will be handling CUI. The Level 3 framework is for top-tier contractors handling highly sensitive DoD projects.
Each tier has its own criteria it must meet, but each level builds on the one before. CMMC 2.0 certification makes you desirable to the DoD since it upgrades company IT systems, closes security gaps and shows the DoD that you’re serious about cybersecurity. That builds trust. Plus, the ROI is unmistakably high, as certification most certainly impacts your company’s bottom line when you are able to win contracts. On the flip side, there are other impacts for sure, like the initial financial outlay and the time needed for obtaining and maintaining CMMC certification. Penalties for non-compliance raise the financial and reputational costs considerably.
The impact of each level on a contracting company depends on the scope of the contract.
Key Requirements for Each CMMC Level
Certification in one of the CMMC levels is required for contracting companies to acquire and maintain DoD contracts. Level 1 basic certification is for companies whose scope requires only basic cyber hygiene, such as access control for contract-critical but less sensitive information, while Levels 2 and 3 call for more advanced or expert controls because the contract information they cover is more sensitive in nature.
Here’s a breakdown of each level’s key requirements.
CMMC Level 1: Basic Cyber Hygiene
Who needs it? SMBs handling FCI.
Key requirements: 17 security best practices aligned with FAR 52.204-21. This includes access control, password management and physical security.
Assessment process: Annual self-assessment required.
CMMC Level 2: Advanced Cybersecurity Controls
Who needs it? SMBs and corporations handling CUI and Controlled Technical Information (CTI). Most contractors are expected to fall under the Level 2 domain.
Key requirements: 110 security controls aligned with the stronger protections of NIST SP 800-171 R2. This includes multi-factor authentication, encryption and incident response planning.
Assessment process: Some companies can do the required annual self-assessment, but most will require a third-party (C3PAO) assessment every 3 years.
CMMC Level 3: Expert Cybersecurity Framework
Who needs it? Contractors handling highly sensitive DoD projects.
Key requirements: The 110 security controls aligned with the stronger protections of NIST SP 800-171 R2 plus 24 from NIST SP 800-172 for a total of 134 requirements. This includes continuous monitoring, zero-trust architecture and proactive threat detection.
Assessment process: Government-led assessments, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), are required.
Common Challenges and Solutions
Misunderstanding of compliance requirements, coupled with legacy systems, presents two considerable challenges to CMMC readiness. SMBs often don’t have the capital for assessments and updates, and security gaps are often overlooked by organizations that aren’t familiar with CMMC requirements before they bid. So, what are the solutions?
Understanding Compliance Requirements
The Challenge: Lack of Clear Guidance
Many businesses struggle to understand the relationship between their company and the required DoD security controls. The result is a lack of clear guidance through the certification process.
Mapping Out the Solution
Conduct CMMC readiness assessments and map existing security policies to CMMC standards to eliminate the guesswork about which information falls under FCI, CUI and CTI.
Implementation of Security Controls
The Challenge: Enacting Controls
Smaller businesses and organizations may lack the expertise to implement advanced cybersecurity controls. Protecting information assets at Level 2 requires understanding how project data is processed, where it is stored and how it is transmitted.
The 365 Solution
Use Microsoft 365 GCC High and other compliant cloud solutions to simplify implementation.
Meeting Assessment Requirements
The Challenge: Third-party Assessments
The cost and complexity of third-party assessments can be a hurdle.
The Solution
Work with a CMMC Registered Provider Organization (RPO) for guidance.
Best Practices for CMMC Compliance
There’s no doubt that CMMC 2.0 requires you to be proactive. Although the final rule is in effect, the full implementation of CMMC will take about three years. Whether you are a new contractor looking for your first DoD contract or a veteran contractor, this gives you some time to get all your ducks in a row. Review CMMC compliance best practices. Performing a gap analysis should be the first step. Adopt automation tools. Update legacy systems. Train employees so that they’re aware of best practices, ensuring the entire company understands what it means to be CMMC compliant.
Best Practice 1: Perform a Gap Analysis
- Work to identify gaps between your current security practices and CMMC requirements.
- Use NIST SP 800-171 self-assessment tools to evaluate compliance readiness.
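As an added illustration of what a gap analysis produces (this is example code written for this page, not a tool from the page’s author, the DoD or NIST), the script below compares a control inventory exported from a policy tracker against a requirement catalogue and reports every requirement that is not fully implemented, grouped by control family and weighted so the biggest gaps surface first. The catalogue is a constructed subset: the requirement identifiers follow the NIST SP 800-171 numbering, but the summaries are abbreviated and the 1/3/5 point weights are assumed for illustration, so the real requirement text and scoring weights must be taken from the published standard and the DoD assessment methodology. Partially implemented controls are counted as full gaps here, which is the conservative reading for readiness planning.

```python
"""Constructed gap-analysis example: inventory of implemented controls vs. a
requirement catalogue. Catalogue content and weights are illustrative only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str    # NIST SP 800-171 style identifier
    family: str    # control family the requirement belongs to
    summary: str   # abbreviated description (constructed for this example)
    weight: int    # assumed point weight: 1, 3 or 5


# Constructed subset of a requirement catalogue (not the full 110 controls).
CATALOGUE = (
    Requirement("3.1.1", "Access Control", "Limit system access to authorized users", 5),
    Requirement("3.1.2", "Access Control", "Limit access to permitted transactions and functions", 5),
    Requirement("3.1.20", "Access Control", "Verify and control connections to external systems", 1),
    Requirement("3.3.1", "Audit and Accountability", "Create and retain audit logs", 5),
    Requirement("3.5.3", "Identification and Authentication", "Use MFA for privileged and network access", 5),
    Requirement("3.6.1", "Incident Response", "Establish an incident-handling capability", 5),
    Requirement("3.13.11", "System and Communications Protection", "Use FIPS-validated cryptography for CUI", 5),
    Requirement("3.14.2", "System and Information Integrity", "Protect against malicious code", 5),
)

# Constructed inventory, one requirement per line: "<id> | <status> | <evidence>".
# Lines starting with '#' are comments; requirements missing from the inventory
# are reported as "not assessed".
INVENTORY = """\
3.1.1   | implemented     | Entra ID groups; AC policy v3
3.1.2   | implemented     | RBAC roles; AC policy v3
3.3.1   | implemented     | SIEM retention 1 year
3.5.3   | partial         | MFA enforced for admins only
3.6.1   | not implemented |
3.13.11 | implemented     | TLS 1.2 with FIPS 140 validated module
3.14.2  | implemented     | Defender for Endpoint
# 3.1.20 has not been assessed yet
"""

VALID_STATUSES = {"implemented", "partial", "not implemented"}


def parse_inventory(text):
    """Return {requirement id: status}, rejecting malformed lines or statuses."""
    statuses = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2:
            raise ValueError(f"malformed inventory line: {raw!r}")
        req_id, status = parts[0], parts[1].lower()
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r} for requirement {req_id}")
        statuses[req_id] = status
    return statuses


def gap_analysis(catalogue, statuses):
    """Compare the inventory against the catalogue and compute a weighted score.

    Score starts at the sum of all weights and loses the full weight of every
    requirement that is not 'implemented' (partial and unassessed included).
    """
    known_ids = {r.req_id for r in catalogue}
    gaps, deductions, by_family = [], 0, {}
    for req in catalogue:
        status = statuses.get(req.req_id, "not assessed")
        if status != "implemented":
            gaps.append((req.req_id, status, req.weight, req.summary))
            deductions += req.weight
            by_family[req.family] = by_family.get(req.family, 0) + 1
    max_score = sum(r.weight for r in catalogue)
    return {
        "max_score": max_score,
        "score": max_score - deductions,
        # highest-weight gaps first, then by identifier, so remediation is prioritised
        "gaps": sorted(gaps, key=lambda g: (-g[2], g[0])),
        "gaps_by_family": by_family,
        # inventory entries that do not match any catalogue requirement (typos, stale ids)
        "unknown_ids": sorted(set(statuses) - known_ids),
    }


def format_report(result):
    """Render the analysis as a plain-text readiness report."""
    lines = [f"Readiness score: {result['score']} / {result['max_score']}", "Gaps:"]
    for req_id, status, weight, summary in result["gaps"]:
        lines.append(f"  [{weight} pts] {req_id} ({status}): {summary}")
    for family, count in sorted(result["gaps_by_family"].items()):
        lines.append(f"  {family}: {count} gap(s)")
    if result["unknown_ids"]:
        lines.append("Inventory ids not in catalogue: " + ", ".join(result["unknown_ids"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gap_analysis(CATALOGUE, parse_inventory(INVENTORY))))
```

With the constructed inventory above, the report lists three gaps (the admin-only MFA, the missing incident-handling capability and the unassessed external-connection control) and a score of 25 out of a possible 36; in practice the inventory would be the export of whatever tracker holds the System Security Plan evidence, and the catalogue would hold the full requirement set.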
Best Practice 2: Adopt Security Automation Tools
- Leverage Microsoft Defender for Cloud (formerly Azure Security Center) for continuous monitoring of your security posture.
- Implement endpoint protection and threat intelligence tools.
Best Practice 3: Ensure Employee Training and Awareness
- Conduct regular cybersecurity training for employees handling CUI.
- Enforce strong password policies and MFA so that only authorized personnel can access sensitive information. MFA is required for all Microsoft 365 users. Mandatory MFA went into effect in February.
We’re Here to Guide You
CMMC 2.0 focuses on reducing risk and ensuring secure handling of sensitive information across your organization. Navigating the certification process can be complex, and having a knowledgeable partner by your side makes all the difference. Whether you’re just getting started or need help closing gaps, our experts are here to support you every step of the way. Contact us today to get the guidance you need for CMMC success.