CMMC requirements are not one-size-fits-all. The right level depends on contract clauses, the type of data your team touches, and the criticality of the systems that process that data.
Understanding which CMMC level your organization needs is the first step toward building an effective compliance program. This decision affects your timeline, budget, technology investments, and operational changes over the next 12-24 months.
The Three CMMC Levels
CMMC Level 1: Foundational
Who needs it: Organizations that handle only Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
Control requirements: 17 practices focused on basic cyber hygiene.
Assessment approach: Annual self-assessment. No third-party assessor required.
Typical timeline: 2-4 weeks from gap assessment to self-certification.
Key controls include:
- Basic access control (limit system access to authorized users)
- Awareness and training (security awareness for all personnel)
- System and communications protection (basic boundary protection)
- Physical protection (limit physical access to systems)
Level 1 is achievable for most organizations with existing IT discipline. If you already use commercial cloud, enforce password policies, and manage user accounts reasonably well, you're likely close to Level 1 readiness.
CMMC Level 2: Advanced
Who needs it: Organizations that handle CUI, which includes technical data, export-controlled information, contract performance data, and other sensitive but unclassified information.
Control requirements: 110 practices mapped directly to NIST 800-171.
Assessment approach: Third-party C3PAO assessment. This is a rigorous audit with document reviews, technical validation, and staff interviews.
Typical timeline: 4-9 months from initial gap assessment to certification, depending on current maturity.
Key domains:
- Access Control (22 practices)
- Audit and Accountability (9 practices)
- Configuration Management (9 practices)
- Identification and Authentication (11 practices)
- Incident Response (8 practices)
- Maintenance (6 practices)
- Media Protection (9 practices)
- Personnel Security (2 practices)
- Physical Protection (6 practices)
- Risk Assessment (3 practices)
- Security Assessment (3 practices)
- System and Communications Protection (18 practices)
- System and Information Integrity (10 practices)
Level 2 is where most defense contractors invest their effort. It requires operational maturity across identity, logging, monitoring, incident response, and evidence collection. You cannot pass a C3PAO assessment without demonstrable, repeatable implementation.
CMMC Level 3: Expert
Who needs it: Organizations supporting high-priority programs with advanced persistent threat (APT) concerns.
Control requirements: 110 NIST 800-171 practices plus additional advanced practices focused on threat hunting, advanced detection, and proactive defense.
Assessment approach: Government-led assessment through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Typical timeline: 12+ months.
Level 3 applies to a much smaller population of contractors. Unless your contract explicitly requires Level 3, you should focus on Level 2 first.
How to Choose Your Target Level
Step 1: Identify Your Data Types
The primary decision factor is whether you handle CUI. Ask:
- Do we access, store, or process technical data related to DoD programs?
- Do we handle export-controlled information?
- Do we receive contract deliverables or performance data that's marked CUI?
If yes to any of these, you need Level 2 minimum.
Step 2: Review Your Contracts
Check your current and future contract clauses. Look for:
- DFARS 252.204-7012 (Safeguarding CUI)
- DFARS 252.204-7021 (CMMC requirements)
- A specific CMMC level called out in the solicitation
Prime contractors often flow down CUI handling requirements to subs. Review your subcontract agreements carefully.
Step 3: Assess Your Current Posture
Before committing to a level, understand where you are today:
- Do you use commercial Microsoft 365 or GCC High?
- Do you have SIEM/logging for security events?
- Do you have documented policies and procedures?
- Do you have an incident response capability?
- Can you demonstrate how you protect CUI from unauthorized disclosure?
Most organizations handling CUI on commercial infrastructure are 30-50% ready for Level 2. Closing that gap is where the work happens.
Common Implementation Paths
From Nothing to Level 1
Organizations starting from scratch can typically achieve Level 1 in 2-4 weeks:
- Gap assessment (1 week)
- Basic policy documentation (3-5 days)
- Access control hardening (3-5 days)
- Awareness training (2 days)
- Self-assessment submission
From Level 1 to Level 2
This is the most common journey. Plan for 6-9 months:
- Comprehensive gap assessment (2-3 weeks)
- GCC High or Azure Government migration (4-8 weeks)
- SIEM deployment and configuration (3-4 weeks)
- Identity and access control hardening (4-6 weeks)
- Endpoint protection and monitoring (3-4 weeks)
- Policy and procedure development (6-8 weeks, parallel to technical work)
- Evidence collection and documentation (4-6 weeks)
- Mock assessment and remediation (3-4 weeks)
- C3PAO assessment preparation (2-3 weeks)
From Level 2 to Level 3
Level 3 builds on Level 2 with advanced capabilities:
- Enhanced threat detection and hunting
- Advanced forensics capability
- Proactive defense measures
- Deeper security analytics
- More rigorous evidence standards
Plan for an additional 6-12 months beyond Level 2.
Cost Considerations
Budget ranges vary widely based on organization size and current maturity:
Level 1: Most organizations can self-implement with $5,000-$15,000 in consulting support.
Level 2: Budget $50,000-$150,000 for full implementation including:
- Consulting and project management
- GCC High licensing (incremental cost over commercial M365)
- Security tooling (SIEM, EDR, vulnerability scanning)
- Documentation and training
- C3PAO assessment fees ($15,000-$25,000)
Level 3: Budget $200,000+ given the advanced capabilities required.
Common Pitfalls by Level
Level 1 Pitfalls
- Treating it as "too easy" and skipping documentation
- Not maintaining evidence of annual self-assessment
- Assuming commercial cloud is sufficient (it may not be, depending on data sensitivity)
Level 2 Pitfalls
- Underestimating the operational change required
- Treating it as a documentation project instead of technical implementation
- Not budgeting for ongoing operations after certification
- Rushing to assessment before mock validation
- Poor evidence organization
Level 3 Pitfalls
- Attempting Level 3 without a solid Level 2 foundation
- Not having dedicated security operations resources
- Insufficient threat intelligence integration
Making the Decision
For most defense contractors, the decision tree is straightforward:
Handle only FCI, no CUI? → Level 1
Handle CUI now, or will within the next 12-18 months? → Level 2
Explicitly required for specific high-priority program? → Level 3
If you're uncertain about your data classification, start with a data flow assessment. Understanding what data you handle, where it lives, and who accesses it will clarify your CMMC obligations.
Next Steps
Once you've determined your target level:
- Conduct a gap assessment to understand your current state and required changes
- Build a phased roadmap that sequences work by risk and dependency
- Align technical and policy work so controls and documentation develop together
- Plan for ongoing operations so compliance is sustainable after certification
CMMC is not a checkbox exercise. It's an operating model that, when done well, improves both security outcomes and organizational resilience.
If you're planning your CMMC journey, we recommend starting with discovery before committing to a full implementation timeline. Understanding your gaps, dependencies, and realistic resource constraints will make your program more successful.