Why Choosing the Wrong CMMC Level Is a Costly Mistake
One of the most common questions I hear from compliance managers and executives at defense contracting firms is deceptively simple: Do we need CMMC Level 2 or Level 3? The answer depends on factors most organizations have not carefully examined—the type of information you handle, how your contract is structured, and how your program office classifies the work. Getting this wrong in either direction carries real consequences. Underestimate your requirement and you risk losing a contract or failing an audit. Overestimate it and you invest resources in a certification tier that was never required.
This post breaks down the core distinctions between the two levels, explains how to read your contract language, and gives you a practical framework for making the right determination before you spend a dollar on remediation.
A Quick Recap: The Three-Level Structure of CMMC 2.0
Under CMMC 2.0, the Department of Defense collapsed the original five-level model into three tiers. Level 1 covers basic cyber hygiene for contractors handling Federal Contract Information (FCI). Level 2 addresses the protection of Controlled Unclassified Information (CUI) and aligns directly with the 110 practices in NIST SP 800-171. Level 3 goes further, layering an additional subset of controls drawn from NIST SP 800-172 on top of the Level 2 baseline—reserved for contractors on the most sensitive DoD programs.
Understanding where your organization falls requires more than reading a number in a solicitation. It requires understanding the information environment your work creates.
What CMMC Level 2 Actually Requires
CMMC Level 2 is the standard that will apply to the vast majority of defense contractors in the Defense Industrial Base (DIB). If your organization receives, generates, processes, stores, or transmits CUI in the performance of a DoD contract, Level 2 is almost certainly your floor. The detailed breakdown of every practice across the 14 NIST SP 800-171 domains is covered in our post on CMMC Level 2 compliance requirements.
Key requirements at Level 2 include:
- Third-party assessment: Most Level 2 contractors on prioritized acquisitions must undergo a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO). Some lower-risk Level 2 contracts may allow annual self-assessment, but this is the exception rather than the rule.
- 110 security practices: These span access control, incident response, audit and accountability, configuration management, identification and authentication, media protection, risk assessment, system and communications protection, and more.
- SPRS score submission: Your NIST SP 800-171 self-assessment score must be posted in the Supplier Performance Risk System (SPRS) as a prerequisite, independent of the formal C3PAO assessment timeline.
- System Security Plan (SSP) and POA&M: Documentation of your current security posture and a credible remediation roadmap are required—not optional artifacts.
For most small and mid-sized contractors, the path to Level 2 compliance is the primary challenge. If you are still mapping your environment or building your SSP, our realistic timeline breakdown for Level 2 compliance will help you set expectations with leadership.
What CMMC Level 3 Actually Requires
Level 3 is not simply a more thorough version of Level 2. It is a fundamentally different compliance tier designed for contractors working on programs that involve Advanced Persistent Threat (APT) risk—generally programs tied to the most sensitive weapons systems, research involving critical technologies, or work explicitly designated by the DoD as requiring enhanced protections.
At Level 3, contractors must satisfy all 110 NIST SP 800-171 practices plus an additional 24 practices selected from NIST SP 800-172. These additional controls address areas such as:
- Advanced threat hunting and monitoring capabilities
- Enhanced configuration and change management controls
- More rigorous penetration testing and vulnerability management
- Additional supply chain risk management requirements
- Increased requirements around personnel security and insider threat detection
Critically, Level 3 assessments are not conducted by C3PAOs. They are performed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government entity. This means the stakes, timeline, and preparation demands are substantially higher. For a deeper look at what this tier entails, see our existing overview of CMMC 2.0 Level 3.
How to Determine Which Level Your Contract Requires
The first and most reliable source is the contract itself. Here is what to look for:
- Review the Request for Proposal (RFP) or solicitation language. CMMC requirements must now be explicitly stated in DoD solicitations. Look for DFARS clauses referencing CMMC, and identify whether the clause cites Level 2 or Level 3.
- Examine the DD Form 254. The Contract Security Classification Specification (DD Form 254) identifies the classification and sensitivity of information involved in the contract. If you are handling information associated with programs designated as critical to national security, Level 3 may be indicated.
- Identify the CUI categories in scope. Not all CUI is equal. Review the CUI Registry categories that apply to your contract. CUI associated with nuclear, intelligence, or certain defense-critical programs may elevate requirements. Our post on CUI Specified explains how these distinctions work in practice.
- Consult your Contracting Officer (CO) or Program Manager. If the solicitation language is ambiguous, ask directly. The program office will know whether the acquisition has been designated as requiring Level 3 oversight by the DoD CIO.
- Assess your subcontractor obligations. Prime contractors flow CMMC requirements down to subcontractors. If you are a sub, your prime's contract language and the data you receive from them determine your level—not necessarily what you see in the original solicitation.
Common Scenarios: Where Organizations Typically Land
Scenario 1: You Support Standard DoD Acquisition Programs
If you manufacture components, provide IT services, develop software, or supply logistics support under standard DoD contracts where CUI is handled, you are almost certainly a Level 2 organization. This is the most common situation for contractors across the federal and defense sector, including suppliers in aerospace, manufacturing, and professional services.
Scenario 2: You Work on Classified or High-Priority Acquisition Programs
If your work touches programs explicitly designated by the DoD as involving advanced adversary risk—particularly programs tied to strategic weapons systems, hypersonics, directed energy, or similar emerging technology domains—you may be on the Level 3 path. The DoD has indicated that Level 3 will apply to a small subset of the overall contractor population, but that subset includes some of the largest and most critical programs.
Scenario 3: You Are a Subcontractor Receiving Technical Data
Your prime contractor's security requirements flow to you. If your prime holds a Level 3 contract and passes CUI to you in performance of that contract, you may inherit a Level 3 obligation. Confirm with your prime in writing. Assumptions here are expensive.
Building the Right Compliance Foundation
Whether your target is Level 2 or Level 3, the foundational work is the same: a mature, documented, and defensible security program. The difference is scope and rigor. Organizations that have invested in compliance program development are better positioned to absorb the incremental requirements of Level 3 if their contract classification changes—and in this environment, program reassessments happen more frequently than most contractors expect.
For organizations that want expert guidance without the overhead of a full-time CISO, our Regulatory vCISO services provide ongoing strategic oversight calibrated to your specific certification tier and contract portfolio. Our team works with contractors at every stage, from initial gap assessment through C3PAO or DIBCAC audit preparation.
If you are still working through the fundamentals of what CMMC 2.0 demands at each level, our resource CMMC 2.0 for DoD and Federal Contractors provides a practical reference for compliance teams building or maturing their programs.
Do Not Wait for Contract Award to Ask the Question
One of the most damaging mistakes I see organizations make is treating CMMC level determination as a post-award problem. By the time a contract is awarded, the window for remediation has already narrowed significantly. Contractors who identify their certification tier during the pre-proposal phase have time to build a realistic Plan of Action, allocate budget, and engage a C3PAO or prepare for DIBCAC review before the requirement becomes a gate.
The CMMC landscape continues to evolve. Staying current on what has changed in CMMC 2.0 compliance in 2026 is essential for any compliance manager supporting active or pending DoD contracts.
Ready to Determine Your CMMC Certification Path?
At Cleared Systems, we help defense contractors accurately identify their CMMC certification requirements, assess their current posture against those requirements, and build a credible, audit-ready compliance program. Whether you are starting from scratch or preparing for a formal C3PAO assessment, our team has the expertise to move you forward. Request a quote today to speak with a CMMC advisor who understands the full scope of what your contracts demand—and what it takes to meet that standard.
