CMMC Level 2 vs. Level 3: How to Know Which Certification Your Contract Requires

The Certification Question Every Defense Contractor Is Asking

If you are a defense contractor trying to decode your cybersecurity certification requirements, you are not alone. Since the Department of Defense finalized the CMMC 2.0 rule, one of the most common questions compliance managers ask is straightforward: Does my contract require Level 2 or Level 3? The answer has significant implications for your timeline, budget, assessment process, and the ongoing rigor of your security program.

Getting this wrong in either direction is costly. Preparing for the wrong level wastes resources. Underestimating your requirements can disqualify you from contract awards entirely. This post breaks down the structural differences between the two levels, explains how to read your contract requirements, and helps you determine which path applies to your organization.

A Quick Recap: The CMMC 2.0 Level Structure

CMMC 2.0 streamlined the original five-level framework down to three levels. Each level is tied to the type of federal information you handle and the sensitivity of the programs you support.

  • Level 1 (Foundational): Covers contractors handling Federal Contract Information (FCI). Requires 17 practices aligned with FAR 52.204-21. Annual self-assessment.
  • Level 2 (Advanced): Covers contractors handling Controlled Unclassified Information (CUI). Requires 110 practices aligned with NIST SP 800-171. Triennial third-party assessment for most contracts; self-assessment permitted for non-prioritized acquisitions.
  • Level 3 (Expert): Covers contractors supporting the DoD's most critical programs and Advanced Persistent Threat (APT) environments. Requires 110+ practices from NIST SP 800-171 plus a subset of controls from NIST SP 800-172. Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

If you want a deeper look at the baseline requirements for each tier, our posts on CMMC 2.0 Level 2 and CMMC 2.0 Level 3 provide solid foundational overviews.

CMMC Level 2: Who It Applies To

Level 2 is the certification most defense contractors in the Defense Industrial Base (DIB) will pursue. If your organization receives, transmits, processes, or stores CUI in the performance of a DoD contract, Level 2 is almost certainly your floor.

CUI includes a wide range of controlled data categories: export-controlled technical data, military specifications, procurement-sensitive information, and more. If your contract contains DFARS clause 252.204-7012 or references the handling of CUI, you are operating in Level 2 territory.

The 110 security practices required for Level 2 map directly to the 14 control families of NIST SP 800-171, covering areas such as access control, incident response, system and communications protection, and configuration management. For most contracts designated as "prioritized acquisitions," the DoD will require a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). A passing score must be submitted to the Supplier Performance Risk System (SPRS) before contract award.

The critical takeaway: Level 2 is not a light lift. Achieving and maintaining all 110 practices demands a mature, documented security program. Our team regularly works with contractors who underestimate the gap between their current posture and Level 2 readiness. Understanding how long CMMC Level 2 compliance actually takes is an essential first step before committing to a contract timeline.

CMMC Level 3: Who It Applies To

Level 3 is reserved for a smaller subset of contractors supporting DoD's highest-priority programs — those where Advanced Persistent Threats (nation-state actors in particular) represent a credible and targeted risk. These are programs involving weapons systems, sensitive research and development, and critical national security capabilities.

Level 3 adds a layer of enhanced security practices drawn from NIST SP 800-172, which was specifically designed to address APT threats that NIST SP 800-171 alone does not fully counter. The exact number of additional practices required beyond the 110 base Level 2 controls continues to be refined by the DoD, but contractors should expect requirements focused on enhanced supply chain risk management, insider threat detection, and advanced incident response capabilities.

Crucially, Level 3 assessments are not conducted by commercial C3PAOs. They are conducted directly by DIBCAC, a government entity. This means the process is more rigorous, the timelines are less predictable, and the documentation expectations are significantly higher. There is no self-assessment pathway for Level 3.

How to Determine Which Level Your Contract Requires

Your contract documents are your primary source of truth. Here is a practical approach to reading them correctly.

  1. Check the solicitation or RFP for CMMC requirements language. DoD solicitations issued after the final CMMC rule took effect are required to specify the applicable CMMC level. Look for explicit language referencing "CMMC Level 2" or "CMMC Level 3" in Section L or Section M of the solicitation.
  2. Identify the presence of DFARS 252.204-7012. This clause signals CUI handling requirements and is a strong indicator that Level 2 compliance is required. Review what categories of CUI your Statement of Work involves. Our existing post on DFARS 252.204-7012 compliance explains the clause in detail.
  3. Ask your Contracting Officer directly. If the solicitation is ambiguous, submit a formal question. Contracting Officers are required to specify the applicable CMMC level for covered acquisitions. Do not assume.
  4. Assess whether your work touches highest-priority program categories. If you are supporting critical weapons programs, classified adjacencies, or sensitive DoD research initiatives, there is a higher probability that Level 3 will be required. Your program manager or prime contractor should be able to confirm.
  5. Review your subcontract agreements. If you are a subcontractor, your prime is required to flow down CMMC requirements to you at or above the level applicable to the prime's contract. Request the flow-down language explicitly.

Key Differences at a Glance

While a detailed comparison of every practice is beyond this post, the most operationally significant differences between Level 2 and Level 3 come down to these dimensions:

  • Assessment authority: Level 2 uses C3PAOs for most prioritized acquisitions; Level 3 uses DIBCAC exclusively.
  • Practice scope: Level 2 requires the 110 NIST SP 800-171 practices; Level 3 requires those 110 plus additional NIST SP 800-172 enhanced practices.
  • Threat model: Level 2 addresses general CUI protection; Level 3 specifically addresses APT-level threats.
  • Self-assessment option: Available at Level 2 for non-prioritized acquisitions; not available at Level 3.
  • Program risk profile: Level 3 is triggered by program criticality designations made by the DoD, not solely by the type of data handled.

If you have not yet documented your current security posture against either standard, a federal risk assessment is the logical starting point. You cannot close a gap you have not measured.

Common Mistakes Contractors Make When Assessing Their Level

In our work with DIB contractors across aerospace and defense, manufacturing, and federal services, we consistently see the same missteps:

  • Assuming Level 2 because "it's just CUI." The type of CUI matters. Export-controlled technical data supporting a sensitive weapons platform may trigger Level 3 consideration depending on program designation.
  • Relying on past DFARS compliance as a proxy for CMMC readiness. Prior NIST SP 800-171 self-assessments submitted to SPRS do not automatically translate to C3PAO-assessed Level 2 compliance. The standards for a formal assessment are more demanding.
  • Ignoring subcontractor obligations. If you are a prime contractor, you are responsible for flowing down the correct CMMC level to your subs. Failure to do so creates program risk and potential liability.
  • Waiting for the contract award to begin preparation. Preparing for your CMMC audit well in advance — often 12 to 18 months before the assessment — is the only realistic path to a passing score without extraordinary disruption to your operations.

The Role of a Compliance Partner in Getting This Right

Determining your required CMMC level is only the first step. Building and sustaining the security program that supports it is where the real work begins. Whether your contract requires Level 2 or Level 3, the process demands documented policies, implemented technical controls, evidence collection, and ongoing monitoring.

Our CMMC, CUI, and DFARS compliance services are structured to support contractors at both levels — from initial gap assessments through remediation, System Security Plan (SSP) development, and C3PAO or DIBCAC assessment preparation. For organizations that need ongoing strategic guidance embedded within their leadership team, our Regulatory vCISO services provide that continuity without the cost of a full-time hire.

If you want a structured reference to build your compliance program around, our resource CMMC 2.0 for DoD and Federal Contractors is a practical guide designed for compliance managers navigating exactly these decisions.

Bottom Line

The difference between CMMC Level 2 and Level 3 is not merely a matter of degree — it reflects a fundamentally different threat environment, assessment process, and program risk profile. Most DIB contractors will land at Level 2. A smaller, strategically critical subset will be required to meet Level 3. Either way, the time to clarify your requirements and begin building your compliance posture is before the solicitation closes, not after.

If you are uncertain about your contract requirements or need an experienced partner to assess your current security posture and build a realistic path to certification, request a quote from Cleared Systems today. We work with defense contractors at every stage of the CMMC journey and can help you avoid the costly mistakes that derail otherwise competitive bids.
