
CMMC Compliance Requirements for Level 1 Level 2 and Level 3

CMMC certification requires different cybersecurity controls at each level. Learn the key requirements for Level 1, Level 2, and Level 3 compliance and how they align with NIST 800-171.

5 min read
Published on May 16, 2025

CMMC 2.0 recently replaced the previously cumbersome 5-tier system with a more streamlined 3-tier system which allows DoD contractors to better enforce safeguards when sharing DoD information among prime and subcontractors during contracted projects. Closing security gaps to eliminate threats from bad actors is what CMMC is all about—protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from landing in the wrong hands.

With nearly a million contractors and subcontractors doing DoD work at any given time, at home and overseas, the attack surface exposed to adversaries has grown with it. The losses from ransomware, phishing and other malware aren’t just financial; a compromised supplier puts U.S. security at risk. This is why CMMC 2.0 is such a critical component of keeping the flow of government information secure.

The 3-tiers are Level 1 basic, Level 2 advanced and Level 3 expert. Small- and medium-sized businesses (SMBs) handling FCI will need at least Level 1. Level 2 is where most prime and subcontractors will dwell since they will be handling CUI. The Level 3 framework is for top-tier contractors handling highly sensitive DoD projects.

Each tier has its own criteria, and each level builds on the one before it. CMMC 2.0 certification makes you desirable to the DoD because it upgrades company IT systems, closes security gaps and shows the DoD that you’re serious about cybersecurity. That builds trust. The ROI is also tangible: certification is a prerequisite for winning the contracts that carry a CMMC requirement. On the flip side, there are real costs, such as the initial financial outlay and the time needed to obtain and maintain certification. Penalties for non-compliance, including loss of contract eligibility, raise the financial and reputational stakes considerably.

The impact of each level on a contracting company depends on the scope of the contract.

Key Requirements for Each CMMC Level

Certification at the level named in a contract is required for contracting companies to win and keep DoD contracts. Level 1 is for companies whose scope requires only basic cyber hygiene, such as access control over contract-critical but less sensitive information. Levels 2 and 3 call for advanced or expert controls because the contract information they protect is more sensitive.

Here’s a breakdown of each level’s key requirements.

CMMC Level 1: Basic Cyber Hygiene

Who needs it? SMBs handling FCI.

Key requirements: the 15 basic safeguarding requirements of FAR 52.204-21 (the 17 practices of CMMC 1.0 were consolidated to 15 in the CMMC 2.0 final rule). These cover access control, identification and authentication (including password hygiene), media handling and physical security.

Assessment process: annual self-assessment, with the results and an affirmation by a senior company official entered in the Supplier Performance Risk System (SPRS).

CMMC Level 2: Advanced Cybersecurity Controls

Who needs it? SMBs and corporations handling CUI, including Controlled Technical Information (CTI), which is a category of CUI. Most contractors are expected to fall under Level 2.

Key requirements: the 110 security requirements of NIST SP 800-171 Rev. 2. These include multi-factor authentication, FIPS-validated encryption for CUI in transit and at rest, audit logging and incident response planning.

Assessment process: a minority of Level 2 contracts allow an annual self-assessment (Level 2 Self), but most require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years (Level 2 C3PAO). Either way, an annual affirmation of continued compliance must be submitted in SPRS.

CMMC Level 3: Expert Cybersecurity Framework

Who needs it? Contractors handling highly sensitive DoD projects.

Key requirements: the 110 security requirements of NIST SP 800-171 Rev. 2 plus 24 selected enhanced requirements from NIST SP 800-172, for a total of 134. The enhanced requirements add continuous monitoring, penetration-test-driven validation, threat hunting and architectural measures such as network segmentation and isolation of CUI processing.

Assessment process: a government-led assessment by the Defense Contract Management Agency’s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) every three years, with an annual affirmation. A Level 2 C3PAO certification is a prerequisite before the Level 3 assessment can begin.

Common Challenges and Solutions

Misunderstanding the requirements and running legacy systems are two considerable challenges to CMMC readiness. SMBs often lack the capital for assessments and upgrades, and organizations unfamiliar with CMMC frequently overlook security gaps before they bid. So, what are the solutions?

Understanding Compliance Requirements

The Challenge: Lack of Clear Guidance

Many businesses struggle to understand how the required DoD security controls apply to their own environment. The result is a lack of clear guidance through the certification process.

Mapping Out the Solution

Conduct a CMMC readiness assessment and map your existing security policies to the CMMC requirements. Start by scoping: decide which systems, people and locations store, process or transmit FCI, CUI and CTI, because everything inside that boundary is in scope for the assessment and everything outside it is not.

Implementation of Security Controls

The Challenge: Enacting Controls

Smaller businesses and organizations may lack the expertise to implement advanced cybersecurity controls. Protecting informational assets at Level 2 requires understanding the scope of the processes, storage capabilities and transmission of project data.

The 365 Solution

Use Microsoft 365 GCC High and other compliant cloud solutions to simplify implementation. Keep in mind that the cloud provider covers only its share of the controls; the contractor still owns tenant configuration, access policies, endpoint protection and the documentation that proves each requirement is met.

Meeting Assessment Requirements

The Challenge: Third-party Assessments

The cost and complexity of third-party assessments can be a hurdle.

The Solution

Work with a CMMC Registered Provider Organization (RPO) for guidance.

Best Practices for CMMC Compliance

There’s no doubt that CMMC 2.0 requires you to be proactive. Although the final rule is in effect, CMMC requirements will be phased into contracts over roughly three years. Whether you are a new contractor looking for your first DoD contract or a veteran contractor, this gives you some time to get your ducks in a row. Review the CMMC compliance best practices below. A gap analysis should be the first step. Adopt automation tools. Update legacy systems. Train employees so the entire company understands what it means to be CMMC compliant.

Best Practice 1: Perform a Gap Analysis

  • Work to identify gaps between your current security practices and CMMC requirements.
  • Score the results with the NIST SP 800-171 DoD Assessment Methodology, the same weighted scoring used for the SPRS self-assessment, so that the gaps costing the most points are remediated first.
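The following Python script is an added example, not code from Agile IT or from the DoD, showing how a gap analysis turns into the weighted score that goes into SPRS. The scoring rules it applies come from the DoD Assessment Methodology: start at 110, subtract each unmet requirement’s weight (1, 3 or 5), allow partial credit for 3.5.3 (MFA in place for remote and privileged users only) and 3.13.11 (encryption used but not FIPS-validated), and never go below -203. The weight table and the findings are a constructed subset for illustration and must be checked against the published methodology before use.

```python
"""NIST SP 800-171 DoD Assessment Methodology scoring for a Level 2 self-assessment.

Scoring rules come from the DoD Assessment Methodology, not from the article:
start at 110, subtract each unmet requirement's weight (1, 3 or 5), deduct
only 3 points for 3.5.3 when MFA covers just remote and privileged access and
for 3.13.11 when encryption is in use but not FIPS-validated, floor at -203.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203

# Requirements the methodology allows to be scored as partially implemented,
# with the reduced deduction that applies in that case.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# CONSTRUCTED subset of the published weight table, for illustration only.
# Verify every weight against the current DoD Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # password complexity
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only valid for the requirements in PARTIAL_CREDIT


@dataclass(frozen=True)
class Finding:
    req_id: str
    status: Status
    note: str = ""


def deduction(finding: Finding, weights: dict) -> int:
    """Points lost for one finding; unknown IDs and misuse of PARTIAL are errors."""
    if finding.req_id not in weights:
        raise KeyError(f"unknown requirement {finding.req_id}")
    if finding.status is Status.MET:
        return 0
    if finding.status is Status.PARTIAL:
        if finding.req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.req_id} cannot be scored as partial")
        return PARTIAL_CREDIT[finding.req_id]
    return weights[finding.req_id]


def score(findings, weights=SAMPLE_WEIGHTS) -> int:
    """SPRS-style score. Requirements absent from findings count as MET, so a
    real assessment must record every one of the 110 requirements explicitly."""
    seen = set()
    lost = 0
    for f in findings:
        if f.req_id in seen:
            raise ValueError(f"duplicate finding for {f.req_id}")
        seen.add(f.req_id)
        lost += deduction(f, weights)
    return max(MAX_SCORE - lost, MIN_SCORE)


def gap_report(findings, weights=SAMPLE_WEIGHTS):
    """Unmet requirements ordered by points lost, i.e. the remediation priority."""
    rows = [(f.req_id, deduction(f, weights)) for f in findings]
    return sorted(((r, p) for r, p in rows if p > 0), key=lambda rp: (-rp[1], rp[0]))


# Constructed findings from a hypothetical readiness check.
SAMPLE_FINDINGS = [
    Finding("3.5.3", Status.PARTIAL, "MFA on VPN and admin accounts, not on all users"),
    Finding("3.13.11", Status.NOT_MET, "TLS in use but modules are not FIPS-validated"),
    Finding("3.1.5", Status.NOT_MET, "shared local admin account on workstations"),
    Finding("3.5.7", Status.NOT_MET, "no complexity rules enforced on legacy app"),
    Finding("3.11.2", Status.MET, "monthly authenticated scans"),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE_FINDINGS))
    for req_id, points in gap_report(SAMPLE_FINDINGS):
        print(f"  {req_id:<8} -{points}")
```

With the sample findings the script reports a score of 98 and lists 3.13.11 first, which is the practical point of weighting: a missing FIPS-validated module costs as much as five one-point gaps, so it belongs at the top of the remediation plan. Note that the methodology also requires a system security plan (3.12.4); without one an assessment cannot be completed at all, which no score can capture.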

Best Practice 2: Adopt Security Automation Tools

  • Leverage Microsoft Defender for Cloud (formerly Azure Security Center) for continuous monitoring of your security posture.
  • Implement endpoint protection and threat intelligence tools.

Best Practice 3: Ensure Employee Training and Awareness

  • Conduct regular cybersecurity training for employees handling CUI.
  • Enforce strong password policies and MFA so that only authorized personnel can access sensitive information. Note that Microsoft’s own mandatory MFA rollout covers sign-ins to its administrative portals (the Azure portal, Microsoft Entra admin center and Intune admin center since October 2024, and the Microsoft 365 admin center from February 2025); MFA for all other users must still be enforced by your tenant, for example through Conditional Access policies or security defaults.

We’re Here to Guide You

CMMC 2.0 focuses on reducing risk and ensuring secure handling of sensitive information across your organization. Navigating the certification process can be complex, and having a knowledgeable partner by your side makes all the difference. Whether you’re just getting started or need help closing gaps, our experts are here to support you every step of the way. Contact us today to get the guidance you need for CMMC success.
