Choosing Between CMMC Level 1, 2, and 3
January 22, 2026
Not all defense contractors need the same level of CMMC certification. Learn which level applies to your contracts and what each level requires.
One of the most common questions defense contractors ask is: which CMMC level do I need? The answer depends on the type of information you handle and the specific requirements in your contracts.
CMMC Level 1: Foundational
Level 1 applies to companies that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires 17 basic cybersecurity practices and allows annual self-assessment.
Typical Level 1 contractors: Small subcontractors providing commercial off-the-shelf products or services that do not involve sensitive government information.
CMMC Level 2: Advanced
Level 2 is the most common level for defense contractors. It applies to companies handling CUI and requires 110 practices aligned with NIST SP 800-171.
Assessment requirements: Most Level 2 contractors require a triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
CMMC Level 3: Expert
Level 3 applies to companies working on the most sensitive DoD programs. It requires 110+ practices based on NIST SP 800-172 and involves government-led assessments.
Who needs Level 3: Typically prime contractors on highly sensitive programs and companies with access to the most sensitive CUI.