CMMC Levels Explained: Assessment, Cost, Requirements

Anwita

Jan 08, 2025

If you are a contractor for the Department of Defense, you probably find yourself in the shoes of Efraim Diveroli from War Dogs, hustling for that million dollar deal. Your battlefield is cybersecurity and the shield is CMMC; each level is a new mission. The stakes are high: miss a step and you are out of the game, but the right moves are your ticket to US defense contracts. Ready to arm up and conquer CMMC? Let's break it down, one level at a time.

TL;DR

  • Determine your CMMC level based on the type of information your business handles—FCI (Level 1), CUI (Level 2), or sensitive CUI requiring advanced protection (Level 3).
  • Implement the required cybersecurity practices for your level, conduct self-assessments or third-party evaluations, and document progress where applicable.
  • Prepare for significant compliance costs, varying by level and business size, including one-time implementation, ongoing maintenance, and assessment expenses.

Setting the context before we get started…

We use some compliance jargon throughout the article. If you are already familiar with these terms, skip ahead; otherwise read on for context.

  • FCI (Federal Contract Information) is defined in FAR 52.204-21 as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government," excluding information the Government releases to the public and simple transactional data such as payment processing details.
  • CUI (Controlled Unclassified Information) is defined in 32 CFR 2002 as information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. In a DoD contract, CUI is identified by the contracting officer and safeguarded under DFARS 252.204-7012.

Which CMMC level applies to my business?

If your business handles FCI or CUI as a DoD prime contractor or subcontractor, CMMC applies to you. The level you must hold is not your choice: the DoD writes the required level into each solicitation and contract, and flow-down clauses carry it to subcontractors that handle the same information.

If your organization handles FCI only, the contract is Level 1, which qualifies for self-assessment.

For organizations handling CUI, the contract falls under either Level 2 (Self) or Level 2 (C3PAO). The "Self" designation requires contractors to self-assess and affirm compliance themselves. C3PAO-designated contracts require an assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO). The solicitation states which of the two applies.

Level 3 builds on Level 2. Before a Level 3 assessment you must already hold a Final CMMC Status of Level 2 (C3PAO), and your contract will carry DFARS clause 252.204-7012, the clause that requires safeguarding CUI.

Level 3 is not a level you opt into. The DoD specifies the required level in each solicitation and reserves Level 3 for contracts where the CUI involved supports its highest-priority programs and critical technologies. The final rule does not publish a precise definition of what makes CUI sensitive enough to trigger Level 3, so in practice you will know it applies because the solicitation says so.

CMMC Levels explained 

In November 2021, the US Department of Defense (DoD) announced CMMC 2.0, which collapsed the five-level model of CMMC 1.0 into three levels (Level 1, Level 2 and Level 3) that progressively increase in compliance requirements. The program was codified in the 32 CFR Part 170 final rule published in October 2024.

Once a contract carries the CMMC clause, holding the required CMMC status is a condition of award and must be maintained for the life of the contract. Without it you cannot win new awards that carry the clause, so it is crucial to familiarize yourself with the updated requirements.

To keep an existing CMMC-clause contract or enter any new one with the DoD, completing the CMMC assessment for the specified level is mandatory. The assessment evaluates each required security practice against its assessment objectives to confirm it is implemented and operating as intended.

We have put together some context – how to know if it applies to you, requirement of each level, assessment criteria, and cost. 

The complexity and requirements of CMMC progress with each Level. Let’s understand what each entails: 

Level 1 requirements

CMMC Level 1 (Foundational) focuses on the basics of cybersecurity, and its purpose is to protect FCI. Level 1 does not require the documented processes and System Security Plan that Level 2 demands, but each practice still has to be in place and verifiable.

This level requires you to implement the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21 (CMMC 1.0 counted them as 17 practices; CMMC 2.0 consolidated them to match the FAR clause). They map to six control families of NIST SP 800-171 Rev 2 and are assessed against 59 assessment objectives.

Level 1 assessment 

If you are a Level 1 contractor, conduct a self-assessment against the 15 practices every year, enter the result in the Supplier Performance Risk System (SPRS), and have a senior official affirm continued compliance annually. No Plan of Action and Milestones (POA&M) is permitted at Level 1: every practice must be MET to obtain the status.

Despite being called a "self-assessment", contractors may engage a third-party service provider to help complete the evaluation; the affirmation, however, must still come from the contractor's own senior official.

Level 2 requirements 

CMMC Level 2 (Advanced) protects CUI. Organizations at this level must document their implementation, including a System Security Plan (SSP) and, where gaps remain, a Plan of Action and Milestones (POA&M) tracking progress to full compliance.

This level requires you to implement the 110 security requirements of NIST SP 800-171 Rev 2, assessed against the 320 assessment objectives of NIST SP 800-171A.

Level 2 (Self Assessment)

Contractors self-assessing for Level 2 must comply with all 110 NIST SP 800-171 Rev 2 requirements. A self-assessment is performed every three years, with a senior official affirming continued compliance annually in between. The SPRS entry includes the self-assessment result, the affirmation and, if applicable, a POA&M. A POA&M is permitted only for a limited set of lower-weighted requirements, only if the assessment score is at least 88 out of 110, and every open item must be closed within 180 days.

Level 2 (Certification Assessment)

The Level 2 certification assessment covers the same 110 requirements as the self-assessment. An accredited C3PAO validates the implementation every three years and reports the results into the DoD's CMMC instance of eMASS, from which the status is reflected in SPRS. The contractor affirms compliance at the time of assessment and annually thereafter. The same POA&M rules apply, including the 180-day deadline; closure of POA&M items is confirmed by a C3PAO closeout assessment before the status becomes Final.

Level 3 requirements 

CMMC Level 3 (Expert) protects the most sensitive CUI against advanced persistent threats (APTs). If you are a Level 3 contractor, you must demonstrate that your protection of CUI is commensurate with that level of threat.

Level 3 comprises 134 requirements: the 110 NIST SP 800-171 Rev 2 requirements of Level 2 plus 24 selected enhanced requirements from NIST SP 800-172.

Level 3 assessment 

Beyond carrying the largest set of requirements, Level 3 has stricter scoping: for example, the Specialized Assets that a Level 2 assessment lets you document rather than assess are fully assessed at Level 3. Unlike Level 2 (C3PAO), the certification assessment is conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC), and a Final Level 2 (C3PAO) status is a prerequisite. Assessments are conducted once every three years, with annual affirmation in between.

CMMC assessment costs: What can you expect?  

The DoD's final rule estimates the cost of compliance for each level and entity size. Note that the figures below are the DoD's aggregate estimates of the total cost across all affected entities in a given year, not the budget for a single contractor.

  • $994,233 for Level 1 large entities for year one.
  • $4,177,845 for Level 1 small entities for year one.
  • $1,538,092 for Level 2 large entities for year one (self-assessment).
  • $3,491,193 for Level 2 small entities for year one (self-assessment).
  • $75,974,425 for Level 2 large entities for year one (C3PAO).
  • $196,531,451 for Level 2 small entities for year one (C3PAO).
  • $130,417,818 for Level 3 small entities for year one.

The rule breaks CMMC costs into four categories:

  1. Nonrecurring engineering costs: one-time expenses for hardware, software and labor to implement the requirements of the target level (the rule costs the NIST SP 800-172 requirements of Level 3 this way). Costs of meeting FAR 52.204-21 and NIST SP 800-171 Rev 2 are excluded, because contractors were already obligated to meet them under existing FAR and DFARS clauses.
  2. Recurring engineering costs: annual expenses for maintaining and refreshing the technology that supports the level's requirements. Again, FAR 52.204-21 and NIST SP 800-171 Rev 2 costs are not included.
  3. Assessment costs: expenses for preparing evidence, participating in the assessment and completing follow-ups. These assume a successful first attempt, with room for minor corrections or a POA&M.
  4. Affirmations: organizations must submit affirmations of compliance in SPRS to confirm they meet the required CMMC level. For most entities, except small ones at Levels 1 and 2, the rule assumes this takes the same labor and effort as the final reporting phase of the assessment.

CMMC the smarter way

CMMC compliance has come a long way in recent years. While version 2.0 simplifies some aspects, it’s still a complex framework to fully understand and implement. 

Achieving and maintaining compliance doesn't just protect your business and DoD contracts; it also secures critical data and saves time during third-party assessments and the annual affirmations between them.

Sprinto makes this journey easier. Our platform automates cybersecurity compliance with in-app risk assessments and gap analysis, offers out-of-the-box mapped controls, and monitors them using automated checks.

Sprinto’s real-time continuous monitoring saves your engineering team hours, letting them focus on driving growth while ensuring your CMMC certification process runs smoothly.

Preparing early helps streamline your processes and controls to meet CMMC requirements without last-minute stress.

Ready to simplify your compliance efforts? Let’s set up a call to explore how Sprinto can support your needs.

Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.