The 3 CMMC 2.0 Levels Explained

By Michael Joe, Security Consultant at QoS Consulting Solutions

Are you up to date on the latest changes within the CMMC levels? Is your organization teetering between which level of compliance to select? Let’s look at the changes that CMMC 2.0 brings and what that means for your organization.

The U.S Department of Defense (DoD) recognizes that a lacking cybersecurity stack opens organizations up to preventable vulnerabilities. This is why they mandate that organizations be compliant with CMMC requirements to bid on contracts. The DoD created the CMMC in response to increasing cyber threats to reduce risk with organizations eager to work with federal and state government agencies.

CMMC 2.0 recently replaced CMMC 1.0, the main change being a reduction of levels from 5 to 3. While this may seem counterintuitive to remove levels, the DoD stated that levels 2 and 4 were not necessary on a contract, so they decided to remove them.

Photo Credit: Acquisition & Sustainment Office of the Under Secretary of Defense

CMMC 2.0: Level 1 – Foundational

Level 1 is the most basic stage of compliance for CMMC 2.0, it focuses on practices corresponding to the safeguarding requirements and specified in Federal Acquisition Regulation (FAR) clause 52.204-21. These requirements consist of 17 cyber security practices within 6 domains including, Access control,  Identity and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.

CMMC level 1 focuses on the protection of Federal Contract Information (FCI):

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. (Section 4.1901 Federal Acquisition Regulation)

Unlike CMMC Levels 2 and 3, Level 1 does not require a 3rd party assessment because it does not involve sensitive national security information. Level 1 will require an annual self-assessment validated by a senior company official.  That senior official will be liable under the False Claims Act.

CMMC 2.0: Level 2 – Advanced

Level 2 goes much further than Level 1 in terms of increasing the overall security practices of the organization. This level is focused on protecting Controlled Unclassified Information (CUI). CMMC Level 2 defines CUI as:

 Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.  (NIST SP 800-171 Rev 2)

Level 2 provides increased confidence to the DoD that your organization can adequately protect CUI equal to the risk present with subcontractors in a more complex supply chain. For Level 2 compliance, your organization will need to be compliant with all the security requirements in NIST SP 800 171, which has a total of 110 controls. Also, you should confirm if the additional 61 Non-Federal Organization (NFO) controls covered in Appendix E of NIST SP 800-171 are necessary as well.

Level 2 also requires a Plan of Action and Milestones (POA&M) and a 3rd party assessment. A POA&M assessment is defined as “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.” (CSRC).

If your organization handles both FCI and CUI you will have to meet CMMC level 2 requirements or higher making Level 2 compliance arguably the most frequently required achievement for CMMC compliance. For a vast majority of contracts under CMMC Level 2, the DoD requires organizations to work with a 3rd party Assessment Organization (C3PAO), like QoS Consulting Solutions.

CMMC 2.0: Level 3 – Expert

CMMC Level 3 combined Levels 4 and 5 from CMMC 1.0. An organization seeking Level 3 certification will focus on the effectiveness of controls around protecting CUI from Advanced Persistent Threats (APT). Level 3 Is designed for organizations working with CUI on the DoD’s most important programs. The DoD is in the process of clarifying the specific controls needed to be compliant with Level 3, but they have indicated that it will be based on all 110 controls from NIST SP 800-171 plus a subset from NIST SP 800-172 controls. What makes Level 3 different from the previous two Levels is that it requires organizations to review and measure their controls over time to determine their effectiveness and take corrective action where necessary and inform organizationally defined personnel regularly.

Become CMMC Compliant

QoS Consulting Solutions is an approved C3PAO Candidate listed in the CMMC Marketplace. We have authorized Registered Practitioners and Provisional Assessors, directly on staff or through partnerships. There are only 153 Provisional Assessors in the country and Shannon Noonan, our co-founder, is one of them. QoS can assist organizations in implementing, assessing, and/or auditing most information security-related compliance standards. QoS provides our clients with audit support services in an advisory role within our clients’ internal compliance team or in place of an internal compliance team. Our expertise has proven instrumental in navigating the audit process.

For more information speak with a QoS consultant today,, or reach out through our contact form on our website,