KTL Blog

Feeling Stuck on What CMMC Level Your Organization Requires? Here’s a quick guide 

Written By Gerson Pacheco

If you’re feeling overwhelmed by the complexity of determining which CMMC level your organization needs, you’re not alone. With different requirements and varying levels of compliance, it can be tough to know where to start. In this quick guide, we’ll break down the key factors that influence which CMMC level is right for your organization, helping you navigate the decision-making process and avoid being stuck like Austin Powers. 

Understanding CMMC Levels 

The CMMC framework is designed to assess and enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB). The model is structured into different levels, each with a set of practices and requirements that increase in complexity and security as you go up. Curious to know which level you need? Here’s a breakdown of what you need to know about each level.

CMMC Level 1: Foundational

The Basics: 

CMMC Level 1 is the entry-level certification, which focuses on basic security hygiene to protect Federal Contract Information (FCI). At this level, the focus is on securing that data and ensuring that your organization is not vulnerable to common cyber threats. 

  • 17 Practices: These are the fundamental cybersecurity practices aimed at protecting the confidentiality of FCI. 
  • Annual Self-Assessment: A simple self-assessment to ensure your organization is meeting the basic requirements. This level doesn’t require third-party assessments. 
  • Scope: Your organization should focus on implementing basic controls that ensure proper handling and safeguarding of FCI.

When is Level 1 required? 

This level is typically required for organizations that handle low-risk contracts where only FCI is involved and there’s little to no risk of sensitive government data exposure.

CMMC Level 2: Advanced

The Transition to Higher Security: 

CMMC Level 2 takes things a step further, aligning with NIST SP 800-171 to provide more sophisticated security measures. This level requires a more structured and systematic approach to cybersecurity, particularly focused on Controlled Unclassified Information (CUI). If your organization deals with CUI or other sensitive information, Level 2 is likely where you’ll need to start.

  • 110 Practices: These practices are aligned with NIST SP 800-171 and address more advanced security concerns for protecting CUI. 
  • Annual Self-Assessment for Select Programs: Depending on the nature of your contracts, you may need to perform an annual self-assessment or engage in more rigorous third-party assessments. 
  • Third-party Assessments: For many organizations, a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required to validate your compliance with the practices. 
  • Scope: You’ll be expected to handle and secure CUI (and in some cases, ITAR (International Traffic in Arms Regulations) information). This requires a more detailed and strategic cybersecurity approach.

When is Level 2 required? 

Organizations that handle CUI or ITAR-related information as part of their contracts will need to meet Level 2 standards. This level is crucial for suppliers that are engaged in defense-related projects and need to safeguard sensitive unclassified information.

CMMC Level 3: Expert

The Highest Level of Security: 

Level 3 is where cybersecurity requirements become most stringent, focusing on the protection of highly sensitive data, including classified information. This level is designed for organizations that need to demonstrate expert-level cybersecurity practices and must undergo government-led assessments to ensure compliance.

  • 110+ Practices: Level 3 builds on the practices from NIST SP 800-171 and incorporates additional requirements from NIST SP 800-172, which provide guidance for securing critical infrastructure and sensitive data. 
  • Prerequisite: Your organization must already be CMMC Level 2 certified before you can pursue Level 3 certification. 
  • Government-Led Assessment Every 3 Years & Annual Affirmation: Unlike Level 2, where you can do self-assessments or third-party evaluations, Level 3 requires an assessment by the government every three years. However, annual affirmation is still required to maintain certification. 
  • Scope: Organizations at Level 3 are expected to secure and handle top-secret information, in addition to all CUI and ITAR-related data handled under Level 2.

When is Level 3 required? 

If your organization works with highly classified or sensitive government data, especially top-secret information, you will need to meet Level 3 standards. This is typically required for organizations directly involved with national security and the most sensitive defense-related contracts.

Final Thoughts

Navigating the CMMC levels can seem daunting, but with a clear understanding of your organization’s needs and the level of security required, you can make an informed decision. Remember, selecting the right CMMC level ensures your company meets compliance requirements while protecting sensitive data. If you’re still unsure, consider consulting with a cybersecurity expert to guide you through the process. At KTL, we’re here to help you get started. Taking the right steps now will not only help you meet regulatory requirements but also strengthen your overall security posture for the future.
