CMMC Requirements Explained: Levels, Controls, and What You Need to Know
CMMC requirements define the cybersecurity standards defense contractors must meet to handle CUI. Learn about CMMC levels, controls, and certification.
After advising defense contractors through DFARS compliance for years, we have watched CMMC evolve from a proposed framework into a contractual reality. The single most common mistake organizations make is underestimating how different CMMC requirements are from a simple self-attestation checklist.
CMMC requirements represent the Department of Defense's most significant overhaul of cybersecurity standards for the defense industrial base (DIB) in over a decade. If your organization handles Controlled Unclassified Information (CUI) as a defense contractor or subcontractor, understanding these requirements is not optional — it is a prerequisite for winning and retaining DoD contracts. The Cybersecurity Maturity Model Certification framework replaces the previous self-attestation model under DFARS with verified, third-party assessments that ensure your cybersecurity controls actually work as documented.
This guide covers the full scope of CMMC requirements: the three certification levels, the specific controls and practice areas at each level, the assessment process, realistic cost ranges, and how CMMC relates to NIST 800-171 and DFARS. Whether you are a prime contractor or a small subcontractor in the supply chain, you will find actionable guidance for understanding where your organization stands and what it takes to achieve certification.
What Is CMMC and Why Does It Exist?
The Cybersecurity Maturity Model Certification is a unified standard developed by the Department of Defense to measure and verify the cybersecurity posture of organizations within the defense industrial base. CMMC exists because the previous approach — self-attestation to NIST 800-171 under DFARS clause 252.204-7012 — was not working. A 2019 DoD assessment found that a significant percentage of contractors claiming compliance were not actually meeting the required security controls, leaving sensitive defense information vulnerable.
CMMC addresses this gap by adding third-party verification. Rather than trusting contractors to accurately self-assess, CMMC requires independent assessments by Certified CMMC Third-Party Assessment Organizations (C3PAOs) for most contractors handling CUI.
Brief History: From DFARS to CMMC 2.0
The journey to CMMC started with DFARS clause 252.204-7012, which required contractors to implement NIST 800-171 controls to protect CUI. When self-attestation proved insufficient, the DoD introduced CMMC 1.0 in January 2020 with five maturity levels. Industry feedback led to a streamlined CMMC 2.0 in November 2021, reducing the framework to three levels and better aligning with existing NIST standards.
CMMC 2.0 became codified through the CMMC final rule (32 CFR Part 170) published in October 2024, with phased implementation beginning in 2025. Contract requirements under DFARS 252.204-7021 are rolling out in phases, meaning the clock is ticking for every organization in the defense supply chain.
Who Must Comply?
CMMC applies to any organization that processes, stores, or transmits:
- Federal Contract Information (FCI) — Information provided by or generated for the government under contract, not intended for public release. Requires CMMC Level 1 at minimum.
- Controlled Unclassified Information (CUI) — Information that requires safeguarding per government policy, such as technical drawings, export-controlled data, or personally identifiable information. Requires CMMC Level 2 or Level 3.
This includes prime contractors, subcontractors at every tier, and even commercial-off-the-shelf (COTS) providers if they handle CUI. If CUI flows through your systems at any point, CMMC requirements apply to you.
CMMC Levels Explained
CMMC 2.0 defines three levels of cybersecurity maturity, each building on the one below it. The level you need depends on the sensitivity of the information you handle and the specific contract requirements.
| Dimension | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
|---|---|---|---|
| Based On | 17 practices from FAR 52.204-21 | 110 controls from NIST SP 800-171 | 110 NIST 800-171 + selected NIST 800-172 controls |
| Data Protected | FCI only | CUI | Critical CUI and high-value assets |
| Assessment Type | Annual self-assessment | Third-party (C3PAO) assessment | Government-led assessment (DIBCAC) |
| Assessment Frequency | Annual | Triennial | Triennial |
| Who Needs It | All DoD contractors handling FCI | Contractors handling CUI | Contractors on highest-priority programs |
| Estimated Organizations | ~220,000 | ~80,000 | ~500 |
| POA&Ms Allowed | No | Yes, with limitations | Yes, with limitations |
Level 1: Foundational
Level 1 is the baseline for any organization doing business with the DoD. It requires 17 basic cyber hygiene practices derived from FAR clause 52.204-21, covering fundamentals like access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. These are practices most organizations should already have in place — limiting system access to authorized users, using antivirus software, and sanitizing media before disposal.
The key advantage of Level 1 is that it requires only annual self-assessment. You do not need a third-party assessor, though you must submit your affirmation through the Supplier Performance Risk System (SPRS).
Level 2: Advanced
Level 2 is where CMMC requirements become substantially more demanding. It maps directly to all 110 security controls in NIST SP 800-171 Revision 2, organized across 14 control families. This is the level most contractors handling CUI will need, and it requires a triennial assessment by a C3PAO.
The 110 controls span access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Each control must be not only implemented but also documented and demonstrably effective.
For a detailed breakdown of the NIST 800-171 controls that form the basis of Level 2, see our NIST 800-171 compliance guide.
Level 3: Expert
Level 3 applies to the most sensitive DoD programs and adds enhanced security requirements from NIST SP 800-172. Only an estimated 500 organizations will require Level 3, and assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than commercial C3PAOs. Level 3 requirements include advanced threat detection, incident response capabilities, and security architectures designed to withstand advanced persistent threats.
Key CMMC Controls and Practice Areas
While the full set of 110 NIST 800-171 controls defines Level 2, several practice areas consistently prove most challenging for organizations. Understanding these high-impact areas helps you prioritize your compliance efforts.
Access Control (22 Controls)
The largest control family, access control governs who can access your systems and what they can do. Key requirements include enforcing least-privilege principles, separating duties, controlling remote access sessions, and managing wireless access. The family also extends to controlling information flow between systems and implementing session controls such as lockout and termination.
Audit and Accountability (9 Controls)
You must create, protect, and retain system audit logs that capture security-relevant events. This includes logging user actions, ensuring audit log integrity, and establishing an audit review and reporting process. Many organizations underestimate the storage and management requirements for maintaining audit logs across all in-scope systems.
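One way to make the "audit log integrity" requirement concrete, as an added example that is not part of the original article: a hash-chained audit log in Python in which each record carries an HMAC over its own content and the previous record's tag, so an edited, deleted or reordered record is detected on verification. The key value, field layout and event lines below are constructed for illustration; a real deployment would hold the key only on the log collector and periodically anchor the latest tag somewhere the logged systems cannot write.

```python
"""Tamper-evident audit log (illustrative, stdlib only).

Each record is sealed with HMAC-SHA256 over its content plus the previous
record's tag. Because every tag depends on the one before it, changing,
dropping or reordering any record invalidates the chain from that point on.
"""
import hashlib
import hmac
import json

# Constructed key for the example. In practice the log collector holds it and
# the systems being logged never see it, so someone who edits a log file on a
# host cannot recompute valid tags.
COLLECTOR_KEY = b"example-only-key-not-for-production"

# Tag that the first record chains to.
GENESIS_TAG = "0" * 64


def _canonical(record):
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, event, key=COLLECTOR_KEY):
    """Seal `event` into a new record and append it to `chain`; returns the record."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    record = {"seq": len(chain), "prev_tag": prev_tag, "event": event}
    # The tag covers seq, prev_tag and the event, but not itself.
    record["tag"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS_TAG
    for i, record in enumerate(chain):
        # A deleted or reordered record shows up as a seq or prev_tag mismatch.
        if record.get("seq") != i or record.get("prev_tag") != expected_prev:
            return False, i
        body = {k: v for k, v in record.items() if k != "tag"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # An edited record (or one forged without the key) fails the tag check.
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return False, i
        expected_prev = record["tag"]
    return True, None


def build_sample_chain():
    """Constructed sample events of the kind audit-and-accountability controls call for."""
    events = [
        {"ts": "2025-01-06T09:00:00Z", "user": "jdoe", "action": "login",
         "result": "success", "src": "10.0.5.23"},
        {"ts": "2025-01-06T09:04:12Z", "user": "jdoe", "action": "file_read",
         "object": "/cui/drawings/part-77.pdf"},
        {"ts": "2025-01-06T09:30:45Z", "user": "admin", "action": "privilege_change",
         "target": "jdoe", "detail": "added to group CUI-Engineering"},
        {"ts": "2025-01-06T10:02:01Z", "user": "jdoe", "action": "logout"},
    ]
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def demo_tamper_detection():
    """Show that an after-the-fact edit and a deletion are both caught."""
    intact_ok, _ = verify_chain(build_sample_chain())

    # Scenario 1: the privilege-change record is rewritten after the fact.
    edited = build_sample_chain()
    edited[2]["event"]["detail"] = "no change"
    edited_result = verify_chain(edited)

    # Scenario 2: the login record is removed and later records shift down.
    truncated = build_sample_chain()
    del truncated[0]
    truncated_result = verify_chain(truncated)

    return intact_ok, edited_result, truncated_result


if __name__ == "__main__":
    intact, edited, truncated = demo_tamper_detection()
    print("intact chain verifies:", intact)
    print("edited chain:", edited)
    print("truncated chain:", truncated)
```

The chain on its own proves that nothing was altered *since the last tag an independent party saw*; that is why the design choice matters: forwarding records to a collector that holds the key and records the chain head separately is what turns this from a self-consistency check into evidence an assessor can rely on.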
System and Communications Protection (16 Controls)
This family includes CMMC encryption requirements that organizations frequently struggle with. You must encrypt CUI at rest and in transit, monitor and control communications at system boundaries, implement cryptographic mechanisms for data protection, and establish subnetwork isolation for publicly accessible system components. The encryption requirements alone can drive significant infrastructure changes.
Incident Response (3 Controls)
You need documented incident response capabilities, including the ability to detect, report, and respond to cybersecurity incidents. These must cover preparation, detection and analysis, containment, eradication, and recovery procedures. Many organizations have an incident response plan on paper but have never tested it — assessors will look for evidence of testing and exercises.
Configuration Management (9 Controls)
This family requires establishing and maintaining baseline configurations for all information systems, tracking and controlling changes, and restricting the use of nonessential programs and functions. Configuration management is where CMMC requirements intersect with day-to-day IT operations most directly.
The CMMC Assessment Process
The assessment process differs significantly by level, and understanding what assessors look for is critical to a successful outcome.
Level 1: Self-Assessment
For Level 1, you conduct your own annual self-assessment against the 17 practices, generate a score, and submit an affirmation of compliance through SPRS. While no third party is involved, the DoD can audit your self-assessment, so documentation and accuracy matter.
Level 2: C3PAO Assessment
The Level 2 assessment is where most organizations will invest significant time and resources. The process involves:
- Pre-assessment preparation — Conduct an internal gap analysis, remediate deficiencies, and prepare documentation including your System Security Plan (SSP), policies, and evidence of control implementation.
- C3PAO selection — Choose a C3PAO from the Cyber AB marketplace. Availability is limited, so plan ahead.
- Assessment execution — The assessment team reviews documentation, interviews personnel, and examines technical implementations over several days (typically 1-2 weeks for mid-sized organizations).
- Findings and remediation — If the assessor identifies gaps, you may address some through Plans of Action and Milestones (POA&Ms), though not all controls are eligible. See our CMMC POA&M guide for details on what qualifies.
- Certification decision — The C3PAO submits findings to the Cyber AB for a final certification decision.
For more on the various CMMC professional roles involved in assessments, refer to our guide on becoming a certified CMMC professional.
What Assessors Actually Look For
Assessors evaluate three dimensions for each control: whether the control is documented in policy, whether it is implemented in practice, and whether there is evidence of ongoing operation. A common failure point is having policies that do not match actual practice — if your access control policy states quarterly access reviews but you have no evidence of conducting them, the control will be scored as not met.
What Factors Drive CMMC Compliance Cost?
CMMC compliance investment varies widely based on several key factors:
| Cost Factor | Impact | Description |
|---|---|---|
| Target CMMC level | High | Level 1 self-assessment is significantly less expensive than Level 2 third-party certification |
| Current security maturity | High | Organizations already aligned to NIST 800-171 face far less remediation than those starting fresh |
| Organization size | High | More employees, systems, and locations expand the scope of implementation and assessment |
| Remediation scope | Variable | The gap between your current posture and the required controls is the largest cost variable |
| Consultant engagement | Medium | Advisory-only support costs less than full implementation, but may extend timelines |
| GRC tooling | Medium | Compliance automation platforms are a recurring annual investment but reduce manual effort |
The largest variable is remediation. Organizations with mature security programs aligned to NIST 800-171 may need minimal changes, while those starting from a low baseline face substantial infrastructure and process investments. For organizations pursuing multiple frameworks, a multi-framework compliance strategy can reduce overall costs by leveraging overlapping controls.
CMMC vs. NIST 800-171 vs. DFARS
These three frameworks are closely related but serve different purposes. Understanding how they fit together is essential for defense contractors.
| Dimension | DFARS 252.204-7012 | NIST SP 800-171 | CMMC 2.0 |
|---|---|---|---|
| What It Is | Contract clause | Security control framework | Certification program |
| Purpose | Contractual obligation to protect CUI | Defines the security controls | Verifies controls are implemented |
| Assessment | Self-attestation | Self-assessment (SPRS score) | Third-party or government assessment |
| Enforcement | Contract compliance | Score reporting | Certification required for contract award |
| Controls | References NIST 800-171 | 110 controls across 14 families | Levels map to NIST 800-171 and 800-172 |
In practice, these are layered requirements: DFARS creates the contractual obligation, NIST 800-171 defines the specific controls, and CMMC adds the verification mechanism. If you are already NIST 800-171 compliant, you have completed the technical foundation for CMMC Level 2 — the remaining work is documentation, evidence preparation, and the formal assessment.
For a detailed comparison including migration guidance, see our dedicated article on CMMC vs. NIST 800-171 vs. DFARS.
How Agency Can Help
Navigating CMMC requirements does not have to be an overwhelming process. Whether you are determining which level applies to your contracts, conducting a gap analysis against NIST 800-171, or preparing for a C3PAO assessment, having experienced compliance guidance makes the difference between a smooth certification and a costly delay.
Agency helps defense contractors and subcontractors achieve CMMC certification through structured readiness assessments, remediation planning, documentation support, and assessment preparation. Our approach builds on the same methodology we use for SOC 2 compliance, adapted to the specific requirements of the defense industrial base.
Ready to understand where your organization stands on CMMC readiness? Contact Agency for a compliance assessment and get a clear roadmap to certification.
Agency Team