Choosing Your CMMC Level

CMMC has three levels and four assessment paths. Your level isn't a strategic choice — it's determined by the contracts you hold or pursue. This guide walks through how to read your contracts to determine which level you need, and what to do when the answer is ambiguous or you have mixed exposure.

Contract-Driven, Not Strategic

The single most important point: your CMMC level is set by the data you handle on government contracts, not by an internal decision. You cannot choose to be Level 1 if your contracts require Level 2; you cannot choose to be Level 2 if your contracts only involve FCI; and you generally cannot opt into Level 3 unless a contract requires it.

The level is established by the combination of (1) what data the government provides you under the contract and (2) which DFARS or FAR clauses the contract incorporates. Both elements appear in the contract itself — usually in a clauses-incorporated-by-reference section, the statement of work, the DD-254 (if applicable), and the security classification guide.

Once you know what you have, you can plan and budget accordingly. Trying to plan without first reading your contracts produces remediation work targeted at the wrong level — almost always more expensive than necessary.

Reading the DFARS Clauses

Four contract clauses govern CMMC level applicability. Find them in your contracts before doing anything else.

Clause: FAR 52.204-21
If present, you need: Level 1 (basic safeguarding of FCI)
What it tells you: The contract involves Federal Contract Information. Triggers the 15 basic safeguarding requirements.

Clause: DFARS 252.204-7012
If present, you need: Level 2 (NIST SP 800-171 Rev 2)
What it tells you: The contract involves Covered Defense Information (CDI). Triggers the full 110 NIST SP 800-171 requirements.

Clause: DFARS 252.204-7019 / 252.204-7020
If present, you need: Level 2 with an SPRS posting and DoD assessment access
What it tells you: You must have a current self-assessment posted to SPRS, and DoD reserves the right to perform a higher-level assessment. Almost always co-occurs with 7012.

Clause: DFARS 252.204-7021
If present, you need: Level 1, 2, or 3, at the level the clause specifies
What it tells you: The contract requires a CMMC certification at a stated level. The specific CMMC level (1, 2, 3) and assessment type (self vs. third-party) are named in the clause as filled in by the contracting officer.

If a contract has only FAR 52.204-21, it's a Level 1 obligation. If it has DFARS 252.204-7012 (and typically 7019/7020), you're at Level 2. The 7021 clause names the exact CMMC level required once the program reaches the relevant phase of the rollout — and that level may be Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 depending on what the contracting officer specifies.

Look at every active contract, not just the largest. A small contract with a 7012 obligation creates the same Level 2 obligation as a large one. The total compliance investment is driven by the highest level any single contract demands — you cannot mix and match by contract.
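The clause-reading procedure above, encoded as a small triage script so a portfolio of contracts can be checked the same way each time. This is an added example, not code from the guide; the contract names, the set-of-clauses representation and the `unmarked_gov_data` flag are constructed assumptions, and the 7021 level strings are treated as the text the contracting officer fills in.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Level(IntEnum):  # assessment paths, least to most demanding; the highest across contracts wins
    L1_SELF = 1
    L2_SELF = 2
    L2_C3PAO = 3
    L3_DIBCAC = 4

FAR_21, DFARS_7012, DFARS_7021 = "FAR 52.204-21", "DFARS 252.204-7012", "DFARS 252.204-7021"
LEVELS_7021 = {  # level text as the contracting officer fills it into the 7021 clause
    "Level 1 (Self)": Level.L1_SELF, "Level 2 (Self)": Level.L2_SELF,
    "Level 2 (C3PAO)": Level.L2_C3PAO, "Level 3": Level.L3_DIBCAC,
}

@dataclass
class Contract:
    name: str
    clauses: set
    level_7021: Optional[str] = None  # level string from the 7021 clause, when present
    unmarked_gov_data: bool = False   # government data with no CUI marking that may still be CUI

def contract_level(c: Contract) -> Optional[Level]:
    """One contract's assessment path from its clauses; None means no CMMC obligation."""
    if DFARS_7021 in c.clauses:  # 7021 names the exact level and overrides the inference below
        if c.level_7021 not in LEVELS_7021:
            raise ValueError(f"{c.name}: 7021 present but level text unrecognised: {c.level_7021!r}")
        return LEVELS_7021[c.level_7021]
    if DFARS_7012 in c.clauses or c.unmarked_gov_data:
        return Level.L2_C3PAO  # CUI, or data treated as CUI until clarified: default C3PAO path
    if FAR_21 in c.clauses:
        return Level.L1_SELF
    return None  # purely commercial work with no government nexus

def portfolio_level(contracts: list) -> tuple:
    """Highest level any single contract demands, plus determinations still owed by the CO."""
    highest, notes = None, []
    for c in contracts:
        lvl = contract_level(c)
        if lvl is None:
            continue
        if c.unmarked_gov_data and not c.clauses & {DFARS_7012, DFARS_7021}:
            notes.append(f"{c.name}: treated as CUI pending a written CUI/FCI determination")
        highest = lvl if highest is None or lvl > highest else highest
    return highest, notes

# Constructed sample portfolio (hypothetical contracts, not from the guide)
SAMPLE = [Contract("janitorial", {FAR_21}), Contract("parts-sub", {FAR_21, DFARS_7012}),
          Contract("transport", {FAR_21}, unmarked_gov_data=True), Contract("commercial", set())]
```

Running `portfolio_level(SAMPLE)` returns Level 2 (C3PAO) for the organisation, driven by the single 7012 subcontract, together with a note that the unmarked transportation data still needs a written determination.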

Level 1 — Basic Safeguarding of FCI

CMMC Level 1 · Self-Assessment

Federal Contract Information only

Triggered by FAR 52.204-21; covers contractors that handle FCI but no CUI.

Requirements: The 15 basic safeguarding requirements in FAR 52.204-21(b) itself. The CMMC Level 1 model, which incorporates the FAR 52.204-21 requirements, lists 17 practices in total: the 15 FAR safeguards plus 2 additional controls. Both numbers are correct in their respective contexts: cite 15 for the FAR clause and 17 for the CMMC Level 1 model. These map to a subset of NIST SP 800-171 controls, primarily access control, identification and authentication, media protection, physical protection, and system and communications protection.

Assessment: Annual self-assessment by the contractor's authorized senior official, with results affirmed in SPRS. No third-party assessor is involved at Level 1.

Typical contractor: A subcontractor performing services under a federal contract that does not transmit CUI — for example, a janitorial service, a logistics support contractor, or a small parts supplier whose technical drawings come from public catalogs.

What is not Level 1: Any contractor who receives CUI, including controlled technical information, source selection information, or export-controlled data — even occasionally. The presence of even one CUI document received under contract pushes you to Level 2.

Level 2 — Self-Assessment Path

CMMC Level 2 · Self-Assessment

CUI handled, but contract specifies self-assessment

Triggered when DFARS 252.204-7021 specifies "Level 2 (Self)" — applicable to contracts where the CUI exposure does not warrant third-party assessment.

Requirements: All 110 NIST SP 800-171 Rev 2 requirements — the same as the C3PAO path.

Assessment: Annual self-assessment by the contractor's senior official, with results affirmed in SPRS. No third-party assessor.

Typical contractor: A small population. The Level 2 (Self) designation is reserved for the limited set of contracts where the contracting officer determines the CUI sensitivity does not warrant third-party rigor and explicitly designates self-assessment in the 7021 clause. Most CUI-handling contracts default to the C3PAO path.

Key warning: Even though no third party assesses you, the senior official's affirmation creates legal exposure — under the False Claims Act and contractually. Self-assessment is not a lower bar of implementation. The 110 requirements still apply in full.

Level 2 — C3PAO Assessment Path

CMMC Level 2 · Third-Party Assessment

CUI handled and contract requires C3PAO certification

Triggered when DFARS 252.204-7021 specifies "Level 2 (C3PAO)" — the default for the vast majority of CUI-handling contracts.

Requirements: All 110 NIST SP 800-171 Rev 2 requirements, implemented and evidenced.

Assessment: A Certified Third-Party Assessment Organization (C3PAO) conducts a formal assessment, produces a Report on Conformity (ROC), and recommends certification. Certification is granted by the CMMC PMO based on the C3PAO recommendation. Valid for three years.

Typical contractor: The vast majority of DIB contractors handling CUI on DoD contracts. DoD estimates approximately 80,000 contractors in the DIB will require Level 2 third-party certification for CUI handling — effectively the default path for any CUI work that the contracting officer has not explicitly carved out for self-assessment.

Cost reality: The Pentagon's most recent estimate puts the C3PAO assessment alone at $105K–$118K for a typical small-to-medium contractor. Total preparation plus certification is more often in the $50K–$200K range. See the C3PAO selection guide for cost considerations.

Level 3 — Highest Sensitivity (NIST 800-172)

CMMC Level 3 · DoD Assessment

CUI of highest sensitivity, advanced persistent threat exposure

Triggered when DFARS 252.204-7021 specifies "Level 3" — reserved for contractors handling CUI critical to national security.

Requirements: All 110 NIST SP 800-171 Rev 2 requirements plus 24 enhanced requirements drawn from NIST SP 800-172 — covering advanced persistent threat protection, dual authorization, audit log analytics, threat intelligence, and other elevated controls.

Assessment: Conducted by DoD itself, specifically by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by C3PAOs. Higher-rigor assessment, longer engagement, more expensive.

Typical contractor: A narrow population — primes and Tier 1 subs working on highly sensitive programs (next-generation aviation platforms, advanced weapons systems, certain space and cyber programs). Most contractors will never see Level 3.

How you'll know: The contracting officer specifies Level 3 in the 7021 clause. You will not be surprised by a Level 3 designation — these contracts are negotiated and the requirement is communicated explicitly during pre-award discussions.

Common Scenarios

A small machine shop receives blueprints from a prime to manufacture parts for a defense program. The blueprints are marked "CUI//SP-CTI."

Level 2. Receipt of CUI under a DoD contract triggers DFARS 7012 and CMMC Level 2. The default assessment path is C3PAO; the prime's flow-down clause will specify which.

A logistics contractor moves equipment between government facilities. They receive transportation orders that are not marked CUI but list shipment contents and destinations.

Possibly Level 1, possibly Level 2. If the transportation orders contain only FCI (information about contract performance not intended for public release), Level 1 applies. If the orders contain operational information that meets a CUI category — for example, force movement information — Level 2 applies. Read the contract clauses, ask the contracting officer, and treat ambiguous data as CUI until clarified.

A software company has one DoD subcontract for a research project (CUI flows down) and several commercial contracts that have no government nexus.

Level 2 for the in-scope environment. The CMMC obligation attaches to the systems handling the CUI from the DoD subcontract. The commercial work can remain out of scope provided you can enforce a boundary between the CUI-handling environment and the commercial environment. See the enclave architecture guide.

A staffing firm places engineers at a defense prime's site. The engineers handle CUI on the prime's systems while on assignment but the staffing firm does not have its own CUI-handling environment.

Likely Level 1 for the staffing firm. If the staffing firm itself does not store, process, or transmit CUI — only its placed personnel do, on the prime's systems — then the staffing firm's own CMMC obligation may be limited to FCI under FAR 52.204-21. Confirm with the prime: some primes flow Level 2 obligations to staffing firms regardless. The prime's contract terms control.

An electronics manufacturer is told by the contracting officer that the new contract will be Level 3.

Plan for Level 3 immediately. Level 3 adds 24 NIST SP 800-172 enhanced requirements, requires a DIBCAC (DoD-conducted) assessment rather than a C3PAO, and substantially increases cost and timeline. If your current posture is not Level 2 mature, you have a multi-step climb ahead. Begin by achieving Level 2 (C3PAO) certification; then layer the 800-172 enhancements.

Mixed and Ambiguous Exposure

Real organizations rarely have a single, clean level. Common patterns and how to handle them:

  • Mostly FCI with occasional CUI. Even one CUI-handling contract pushes you to Level 2 for the systems that handle it. Decide whether to enclave the CUI work (keeping the rest of the org at Level 1 posture) or to bring the whole org to Level 2.
  • Mostly Level 2, one Level 3 contract on the horizon. Achieve Level 2 first; the Level 3 enhancements layer on top. Trying to leapfrog directly to Level 3 without a solid Level 2 foundation tends to fail under DIBCAC scrutiny.
  • FCI today, CUI in your pipeline. If pursuing CUI-handling contracts is part of your growth strategy, plan for Level 2 readiness ahead of award, not after. The 12–18 month preparation timeline does not compress well.
  • Subcontractor whose obligations are unclear. Read the prime contract's flow-down language. If it incorporates DFARS 7012 by reference, you are bound by the same Level 2 obligation as the prime for the CUI you handle. See the flow-down guide.
  • Government data that is sensitive but appears to lack a CUI marking. Some legacy government data was never properly marked. The marking obligation does not retroactively define the data's status — if the data meets a NARA registry category, it is CUI regardless of marking. When in doubt, ask the contracting officer in writing for confirmation.

Changes During the Three-Year Cycle

Your level can change. A few common triggers:

  • New contract at a higher level. If you win a Level 3 contract while certified at Level 2, you must achieve Level 3 certification before you can perform on the Level 3 contract.
  • Loss of all CUI-handling contracts. If you no longer have any contracts with 7012, you may step back to Level 1 — but only after the existing certification expires and you have no contractual obligation to maintain it.
  • Significant change to your environment. A major change (adoption of a new enclave platform, M&A activity, change of cloud provider) may trigger a re-assessment requirement before the three-year mark. Your existing certification is not automatically valid across organizational changes.
  • Cyber incident with material impact. A reportable incident may trigger DoD review and, in serious cases, suspension of your certification pending demonstrated remediation.

Next steps: Once you've identified your level, work through CUI scoping to know exactly what's in scope, then move to the architecture decision. For Level 2 (C3PAO) certification, see the C3PAO selection guide.