You are hearing about CMMC 2.0 from primes, the board, and lenders. Everyone wants comfort that your cyber house is in order through CMMC compliance, but no one is handing you a clear, business-focused answer to a simple question: what level do you actually need?
Most small and mid-market contractors in the Defense Industrial Base (DIB) will only need Level 1 or Level 2. The difference comes down to the type of federal data you touch, not how big your company is or how many tools you own.
This post gives you a fast way to narrow in on the right level, based on contracts and data, using CMMC 2.0 rules as of late 2025. The goal is simple: avoid overbuilding expensive controls you do not need, and avoid underbuilding in ways that will cost you contracts, credibility, and sleep. You can hand this process to your team and stay in control of the outcome.
CMMC 2.0 In Plain English: What The Levels Actually Mean
CMMC 2.0 is the Department of Defense (DoD)’s way of saying, “If you want our work, you must prove you can protect our data.” It takes long-standing rules that were often ignored and turns them into a contract requirement with documented assessments.
As of November 10, 2025, the Department of Defense (DoD) is in a phased rollout of CMMC 2.0 requirements under the Final rule and the related DFARS rule. New defense contracts now include CMMC clauses tied to Level 1 or Level 2, with full enforcement ramping up over the next several years. The DoD’s own About CMMC page lays out the intent in detail.
At a high level:
- Level 1 protects basic Federal Contract Information.
- Level 2 protects Controlled Unclassified Information.
- Level 3 is for the most sensitive programs.
Think of the levels as a filter based on data sensitivity, not company prestige.
Here is a quick view.
| CMMC 2.0 Level | Primary Data Type | Typical Business Impact |
|---|---|---|
| Level 1 | FCI only | Light requirements, self-assessment, still real work |
| Level 2 | Any CUI | Larger program, 110 controls, likely third-party audit |
| Level 3 | High-impact CUI | Advanced programs, deep scrutiny, limited subset of contractors |
Most firms in the 2 to 250 million revenue band will sit in Level 1 or Level 2. You move to Level 2 when you touch CUI tied to a defense program. You move to Level 3 only if you support very sensitive missions, and that is usually obvious from day one. The Department of Defense (DoD) uses these levels to match cybersecurity to contract needs.
Level 1: Basic Cyber Hygiene For Federal Contract Information (FCI)
Federal Contract Information is non-public information the government gives you or you create for them under a contract. Examples include:
- Contract details that are not posted online
- Non-public pricing or delivery schedules
Level 1 is about basic cyber hygiene for that data. It aligns with 17 practices drawn from the Federal Acquisition Regulation (FAR) 52.204-21, such as antivirus, strong passwords, limiting access, and backing up key systems.
You complete an annual self-assessment, score yourself, and submit results into the Supplier Performance Risk System (SPRS). No third-party auditor is required, but false claims carry real legal and contract risk. The Department of Defense (DoD) relies on these self-assessments for basic protection.
Level 2: Protecting Controlled Unclassified Information (CUI) With NIST 800-171
Controlled Unclassified Information is sensitive but not classified. In business terms, it is data that would help an adversary or harm a mission if mishandled. Examples include:
- Technical drawings or manufacturing instructions for a weapon component
- Operations data tied to a defense program, such as maintenance procedures
Level 2 maps to the 110 controls in NIST SP 800-171. If your contract says you must follow NIST 800-171, you are in Level 2 territory.
During the current rollout, some Level 2 work uses self-assessments, but many contracts will require a triennial third-party assessment by a Certified Third Party Assessment Organization (C3PAO) for CMMC certification. The official CMMC Level 2 Assessment Guide from the Department of Defense (DoD) shows what those auditors look for.
Level 2 is a real investment in people, process, and tools. It often affects how your entire IT environment is designed, not just one folder.
Level 3: Advanced Programs Only
Level 3 is reserved for a smaller group of contractors supporting high-impact and mission-critical programs. It builds on Level 2, plus extra controls drawn from NIST SP 800-172, and uses government-led assessments.
Most small and mid-market firms will never touch Level 3. If you do, you will not be guessing; the program office or prime will tell you very clearly. The Department of Defense (DoD) applies Level 3 only where absolutely necessary.
A Simple Step-by-Step Checklist To Determine Your CMMC 2.0 Level
You do not need to run the assessment yourself. You do need a clear, no-spin decision on Level 1 vs Level 2. Use this checklist with your IT lead, contracts lead, and maybe outside counsel.
Step 1: Map Where You Touch Federal Contract Information (FCI) Or CUI
Start with a list, not a tool.
Ask your team to list all current and expected DoD or defense-related contracts, plus the Prime contractors and major subs involved. For each contract, capture:
- Contract name and number
- Prime or government customer
- What data you receive or create
Coach your team to label the data type in plain language. For example, “non-public pricing and delivery dates” is almost always FCI. “Technical data package and part drawings” is usually CUI.
A simple table in Excel works:
- Column 1: Contract
- Column 2: Prime or agency
- Column 3: FCI, CUI, or both
If your team struggles to separate FCI from CUI, a practical guide like this FCI vs CUI breakdown under 48 CFR can help sharpen the definitions.
Step 2: Read The Contract Language And Flow-Down Clauses
Next, ask your contracts or legal lead to review the actual language.
They should look for:
- Any explicit CMMC 2.0 level requirement
- References to NIST SP 800-171
- DFARS clauses such as 252.204-7012 (often called DFARS 7012) and 252.204-7021
- Requirements you must flow down to your own subcontractors
If the contract or RFP calls for CMMC Level 2, that decision is made. If CMMC is silent but NIST 800-171 appears, treat that as Level 2 exposure.
For a legal perspective on how the new rules show up in contracts, the Holland & Knight summary on CMMC regulations and key questions is a useful reference for your counsel.
Step 3: Match Your Data And Contracts To The Right CMMC 2.0 Level
Once you know where FCI and CUI live, the decision tree is short.
- If you handle only FCI, you are almost always Level 1.
- If you handle any CUI, you are almost always CMMC Level 2.
One CUI-bearing contract is enough to trigger CMMC Level 2 needs across any systems that store, process, or transmit that data. This is where smart scoping matters. Some firms choose to separate environments so only certain networks and teams come under Level 2.
Before locking in your decision, ask your prime contractor or contracting officer to confirm the expected level in writing. Guessing is expensive.
Step 4: Confirm Assessment Type And Timeline
Once you know the likely level, you still need to understand how you will be assessed and when.
In plain terms:
- Level 1 uses annual self-assessments.
- Level 2 uses self-assessments for some lower-risk work, but most contracts will shift to third-party C3PAO assessments, which are required for CMMC certification, during the 2026 phase.
As CEO, your questions are simple:
- “Do any current or upcoming awards require a third-party CMMC assessment?”
- “If yes, by what date do we need a passing score for contract award or renewal?”
CMMC 2.0 is phasing in over several years, so timing drives your roadmap, budget, and staffing plan.
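The four steps above reduce to a short decision rule: classify each contract by the data it carries and the clauses it cites, take the highest level across the inventory, and read the assessment type off that level. The following Python is an added example, not code from the original post, that encodes that rule over a constructed contract inventory; the contract numbers, customer names and the `Contract` fields are assumptions made for illustration.

```python
"""Decide the CMMC 2.0 level for a contract inventory.

Added example, not code from the original post. Contract numbers,
customers and clause lists below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Clauses and references that signal CUI handling and therefore
# Level 2 exposure, as Step 2 of the checklist describes.
LEVEL2_SIGNALS = frozenset({"252.204-7012", "NIST SP 800-171"})


@dataclass
class Contract:
    number: str
    customer: str                       # prime or government customer
    data_types: frozenset               # subset of {"FCI", "CUI"}
    clauses: frozenset = frozenset()    # DFARS clauses / standards cited
    stated_level: Optional[int] = None  # explicit CMMC level in the contract
    c3pao_required: bool = False        # contract demands a third-party assessment


def contract_level(c: Contract) -> int:
    """Step 3 decision tree for one contract.

    Returns 0 when the contract carries no federal data at all.
    """
    if c.stated_level is not None:      # an explicit requirement settles it
        return c.stated_level
    if "CUI" in c.data_types or c.clauses & LEVEL2_SIGNALS:
        return 2
    if "FCI" in c.data_types:
        return 1
    return 0


def determine_level(contracts):
    """Roll per-contract answers up to one company-wide decision.

    One CUI-bearing contract is enough to pull every system that touches
    that data into Level 2, so the company level is the maximum, and the
    'drivers' list names the contracts responsible for it.
    """
    per_contract = {c.number: contract_level(c) for c in contracts}
    level = max(per_contract.values(), default=0)
    drivers = sorted(n for n, lvl in per_contract.items()
                     if lvl == level and level > 0)
    if level == 0:
        assessment = "none (no FCI or CUI)"
    elif level == 1:
        assessment = "annual self-assessment, score submitted to SPRS"
    elif level >= 3:
        assessment = "government-led assessment"
    elif any(c.c3pao_required for c in contracts if contract_level(c) == 2):
        assessment = "triennial C3PAO assessment"
    else:
        assessment = "Level 2 self-assessment until a contract requires a C3PAO"
    return {"level": level, "drivers": drivers, "assessment": assessment}


# Constructed sample inventory (not real contracts).
SAMPLE_INVENTORY = [
    Contract("FCI-0001", "Prime A", frozenset({"FCI"})),
    Contract("CUI-0002", "Prime B", frozenset({"FCI", "CUI"}),
             frozenset({"252.204-7012", "252.204-7021"}), c3pao_required=True),
    Contract("COM-0003", "Commercial customer", frozenset()),
]

if __name__ == "__main__":
    print(determine_level(SAMPLE_INVENTORY))
```

Running it on the sample inventory reports Level 2, driven by the single CUI-bearing contract, with a C3PAO assessment; drop that contract and the same inventory collapses to Level 1 with an annual self-assessment. The `drivers` list is the input to the scoping discussion in Step 3: those are the contracts whose systems and teams need to be segmented if you want to keep the rest of the business at Level 1.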
What To Do Once You Know Your CMMC 2.0 Level
Deciding the level is step one. Turning that into a focused plan is where you protect revenue and avoid waste.
Level 1: Lightweight Self-Assessment And Basic Controls
For Level 1, the playbook is straightforward.
Have your IT lead download the official Level 1 self-assessment guide from the Department of Defense (DoD)’s CMMC resources page. Ask them to:
- Confirm the 17 security requirements are in place
- Document evidence and gaps in plain English
- Record and submit the score in SPRS
Push for a few high-value basics: multi-factor authentication, regular patching, tested backups, and short, recurring user awareness training.
Level 1 is not a box-check. But most mid-market firms can reach it with existing staff plus some targeted outside guidance, not a full security rebuild.
Level 2: Gap Analysis, Roadmap, And Certification Readiness
Level 2 is a real program, not a quick project. Treat it like any other strategic initiative.
At a high level, your team should:
- Perform a NIST 800-171 gap analysis against the 110 controls
- Build a System Security Plan (SSP) that describes the environment
- Create a Plan of Action & Milestones (POA&M) with dates and owners
- Prioritize high-risk gaps that impact CUI directly
- Prepare for a C3PAO assessment seeking CMMC certification if your contracts require it
You can lower cost and disruption by segmenting systems so that only the parts of your business that touch CUI fall in scope. That often means a dedicated environment, tighter access, and clear data handling rules.
Many CEOs bring in a seasoned virtual CISO or CTO to own this work, coordinate vendors, and translate technical effort into business impact. The goal is a right-sized program that achieves CMMC compliance and certification, passes audits, protects Department of Defense (DoD) trust, and still supports growth.
Conclusion
Your CMMC 2.0 level is not a mystery. It comes down to one central question: do you handle only FCI, or do you also handle CUI tied to Department of Defense (DoD) programs?
If your contracts and data map only to FCI, you are likely a Level 1 shop with a focused set of basic controls and self-assessments. If CUI appears anywhere, you are in Level 2 territory, with a larger but still manageable program. In both cases, a short, structured review of contracts, clauses, and data flows is enough to make a confident call and prepare your firm for requirements under the anticipated Final rule.
Once the level is clear, you can fund the right roadmap under the DFARS rule rather than an inflated one, prepare for CMMC certification, and speak to your board, lenders, and primes with real clarity.
If you want CTO-level guidance that aligns security, compliance, and growth without bloating your budget, visit https://www.ctoinput.com and keep learning on the CTO Input blog at https://blog.ctoinput.com.