What Are CMMC Levels 1, 2 & 3?
When you hear about “CMMC levels,” it might sound like some complicated government program. And, well, it is — but don’t worry, we’re going to break it down. Whether you’re a small business bidding on your first Department of Defense (DoD) contract or you’ve been in the defense supply chain for years, understanding CMMC levels is key to keeping your work (and your data) safe.
Let’s take a deep breath and walk through what CMMC levels are, why they exist, and what you actually have to do about them. By the end, you’ll know exactly where to start.’
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s way of making sure everyone in its supply chain is protecting sensitive information. Think of it as a grading system for cybersecurity.
Instead of everyone claiming, “Yeah, we’re secure,” the DoD created a model with three levels. Each level builds on the one before it, and the higher your level, the more security practices you have in place.
- Level 1 = Basic cyber hygiene
- Level 2 = Good cyber hygiene, protecting more sensitive data
- Level 3 = Advanced cybersecurity for the most critical missions
The higher the level, the harder the requirements — but also, the more contracts you’ll be able to bid on.
Why CMMC Levels Matter
Here’s the deal: if you work with the DoD, you are part of its defense industrial base — which means you might be handling information the government really doesn’t want in the wrong hands.
That’s why CMMC exists:
- To protect Federal Contract Information (FCI) so that basic contract data isn’t leaked.
- To protect Controlled Unclassified Information (CUI) like blueprints, maintenance records, and sensitive research.
- To keep bad actors (think hackers or even foreign governments) from using stolen data to gain an advantage.
If you don’t meet the right CMMC level, you won’t even be eligible for certain contracts. That means missed business — and competitors who are certified could win work you can’t.

Breaking Down the Three CMMC Levels
Let’s look at each level in plain English.
CMMC Level 1: The Starting Line
Level 1 is all about the basics. It’s what every contractor needs if they touch FCI.
You’ll be expected to show that you do things like:
– Use antivirus software
– Control who can log in to your computers
– Change passwords regularly
– Make sure your systems get security updates
For Level 1, you do a self-assessment once a year. You don’t need a third-party auditor, but you do have to affirm that you’re doing the work. Think of this like promising you brushed your teeth — but the DoD can still check later if they want.
CMMC Level 2: The Real Workhorse
Level 2 is where it gets more serious. This level is for companies that handle CUI, which is data that isn’t classified but still sensitive.
Here you have to follow all 110 security practices from NIST SP 800-171. That includes things like:
– Multi-factor authentication for users
– Encrypting data at rest and in transit
– Creating and maintaining a detailed System Security Plan (SSP)
– Documenting incidents and reporting them if needed
Some Level 2 contractors can still do a self-assessment, but most will need a C3PAO (Certified Third-Party Assessment Organization) to audit them every three years. And you’ll still have to submit an affirmation every year.
CMMC Level 3: The Elite Tier
Level 3 is for the companies that work on the DoD’s most sensitive projects.
This level adds 24 more practices on top of Level 2. These are taken from NIST SP 800-172 and are designed to stop advanced threats (think nation-state level attacks).
Level 3 companies will always get assessed by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and they must stay on top of compliance continuously.
How to Know Which Level You Need
Figuring out which CMMC level you need isn’t rocket science, but it does take some planning. Ultimately, the government will provide the CMMC level requirements in its solicitations. However, it is best to be prepared. Ask yourself:
– Do you only handle contract basics like delivery dates or schedules?
➜ Level 1 is probably all you need.
– Do you get drawings, schematics, or sensitive project details?
➜ You’re dealing with CUI, so Level 2 is likely.
– Are you working on research, weapons systems, or highly critical missions?
➜ Welcome to Level 3 territory.
What Happens If You Don’t Meet Your Level?
Here’s the tough part: if you can’t meet the required level for a contract, you may not even be able to bid. And if you claim compliance but aren’t really doing it, you could face False Claims Act penalties — and nobody wants that.
How to Get Ready for Your CMMC Level
The good news? You don’t have to go from zero to hero overnight. Here’s a simple plan to get started:
1. Inventory your data – figure out what FCI and CUI you actually handle.
2. Map your systems – understand where that data lives and who has access.
3. Close the gaps – fix the most urgent security issues first.
4. Write your policies – document what you do so you can prove it during an assessment.
5. Train your team – human error is one of the biggest risks, so make sure people know the rules.
6. Study offical documents like CMMC 101 by the DoW, and the CMMC Program Overview.
The Bottom Line
CMMC levels don’t have to be scary. They’re just a way to prove that your company is taking cybersecurity seriously.
By understanding CMMC Level 1, Level 2, and Level 3, you can figure out what applies to your business, start closing gaps, and stay competitive for DoD contracts. And the earlier you start, the easier it will be to get through an assessment when the time comes.
Pro Tip: If you want your business to win more government work, don’t just aim for the minimum level. Treat CMMC like a growth opportunity — the more secure you are, the more trust you build with the DoD and your customers.
If you need help, Greypike has developed an AI-powered CMMC solution that incorporates support from an RPA to help get you ready for CMMC. Contact us to learn how we can help!





