Which CMMC Level Do You Need? Level 1, 2, or 3 — Explained.

The CMMC Program has three certification levels, each mapped to the sensitivity of the information you handle in your DoD contracts. Your contract will specify which level is required. Here is a plain-language comparison of all three levels, based on official DoD and CyberAB guidance.

Level 1: Foundational

  • Who needs it:

    • Contractors handling Federal Contract Information (FCI) but NOT Controlled Unclassified Information (CUI)

  • Requirements:

    • 15 basic cybersecurity practices from FAR clause 52.204-21

  • Assessment type:

    • Annual self-assessment, no C3PAO required

  • Affirmation:

    • Annually entered into SPRS

  • POA&Ms:

    • NOT Permitted

  • Examples of practices:

    • password management, physical access controls, and basic malware protection

  • Cost indicator:

    • Low - internal effort only

Level 2: Advanced

  • Who needs it:

    • Contractors handling Controlled Unclassified Information (CUI) — the most common CMMC requirement for the DIB

  • Requirements:

    • 110 security practices aligned with NIST SP 800-171 Rev 2 across 14 domains

  • Assessment type (high-priority programs):

    • Third-party certification assessment by an accredited C3PAO every 3 years

  • Assessment type (select programs):

    • Self-assessment every 3 years (determined by DoD per solicitation)

  • Affirmation:

    • Annual, entered in SPRS

  • POA&Ms:

    • Permitted for non-critical requirements; must be closed within 180 days for Conditional CMMC Status

  • Certificate validity:

    • 3 years from CMMC Status Date

  • Cost indicator:

    • Moderate to significant — requires C3PAO engagement for most programs

Level 3: Expert

  • Who needs it:

    • Contractors working on the highest-priority DoD programs involving CUI and facing Advanced Persistent Threats (APTs)

  • Pre-requisite:

    • Must first achieve CMMC Level 2 (C3PAO certification) for the same assessment scope

  • Requirements:

    • All 110 Level 2 practices PLUS 24 additional practices from NIST SP 800-172

  • Assessment type:

    • Conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — NOT a C3PAO

  • Frequency:

    • Every 3 years

  • Affirmation:

    • Annual, entered in SPRS

  • POA&Ms:

    • Permitted; must be closed within 180 days

  • Cost indicator:

    • Highest — DIBCAC-led federal government assessment

Erudio Corp conducts CMMC Level 2 certification assessments as an accredited C3PAO. If your program requires Level 3, we will complete the required Level 2 C3PAO assessment as a prerequisite, and DCMA DIBCAC then conducts the Level 3 assessment on top of that foundation. If your program requires Level 1, no C3PAO is needed - but we can review your readiness if requested.

Erudio Corp is a CyberAB accredited C3PAO that brings together credentialed Lead CCAs, a rigorous ISO/IEC 17020-aligned Quality Management System, and an independent QA review process on every engagement, so your certification is defensible, documented, and done right the first time. We never operate as assessors and consultants for the same OSC, ensuring the impartiality your DoD contracts demand. From a transparent, scoped proposal to a complete CMMC Assessment Report at close, we are built to give defense contractors a clear, compliant path to CMMC Level 2 certification.

Want to know more? Ask us your questions here!