CMMC 2.0 Levels and Requirements

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Regulatory requirements and standards evolve, and you should consult with a qualified compliance professional about your specific situation.


Your contract specifies that you need CMMC Level 2 certification. Or maybe Level 1. Or maybe you're not sure what your contract actually requires. But knowing your target level is just the beginning. What does Level 2 actually mean when the auditor shows up? What practices must you have in place? How much implementation work are you really looking at? And how do you know whether you're already halfway there or starting from scratch?

The three CMMC levels aren't vague aspirations or marketing categories. Each one is a specific, auditable set of security practices that assessors will verify. You either have them or you don't. The gap between understanding "we need Level 2" and understanding "here's what Level 2 requires from our organization" is the difference between a vague sense of obligation and a concrete roadmap. This article closes that gap.

Level 1: Basic Cyber Hygiene

Level 1 is the foundation of CMMC, and if you've been running even a moderately security-conscious operation, you might already be close to compliance at this level. Level 1 incorporates 15 practices organized around basic protective measures. These are the security practices that every organization handling sensitive information should have: firewalls protecting your network from external threats, antivirus software on your endpoints detecting and removing malware, basic access controls ensuring that not everyone can access everything, system hardening following security configuration standards. You're also documenting your security practices, establishing basic change management so you're not deploying untested systems to production, and implementing multifactor authentication on critical systems so stolen passwords alone can't compromise access.

What's important to understand about Level 1 is that the word "basic" doesn't mean "easy." You need documented evidence that these controls exist and are functioning. You can't just say you have a firewall. You need configuration exports showing how it's configured. You need logs demonstrating that it's actually blocking traffic. You need documentation showing that someone maintains it. You need evidence that your antivirus is deployed and running on all endpoints. If you've been running security practices informally—"we do this, everyone knows we do it"—Level 1 assessment forces you to formalize and document them.

This is the part where organizations often discover they have larger gaps than expected. Many companies are running security controls but aren't documenting them properly. An auditor can't certify what they can't see. Level 1 requires putting formality and evidence around the practices you're probably already running. For a small organization that's mostly compliant, this might be doable in a few months. For an organization that's been running security on informal practices, Level 1 requires real work to document and formalize everything.

It's also worth noting that Level 1 certification is increasingly rare for defense contractors. Most contracts now require Level 2 or higher. But for small vendors or subcontractors just entering the defense supply chain, Level 1 is often the entry point, and it's the foundation that everything else builds on.

Level 2: Intermediate Practice and Organizational Maturity

Level 2 is where the majority of defense contractors operate, and it's where the work and complexity multiply. Level 2 incorporates all the practices from Level 1 and adds 23 additional practices focused on intermediate security measures. This is where security stops being something the IT department manages alone and becomes an organizational responsibility. At Level 2, you're not just protecting your network—you're operating security as a program.

This is where security awareness training becomes mandatory. Your team needs regular training on how to recognize phishing, how to protect passwords, how to handle sensitive information, what to do if they suspect a security incident. At Level 1, training is nice to have. At Level 2, it's required and auditors will ask for training records. You're also required to have an incident response plan—a documented process for what happens when a security event occurs. Who do you notify? How do you contain the problem? How do you investigate? How do you recover? An auditor will ask to see your plan and potentially ask whether it's been tested.

Access control maturity increases at Level 2. You're not just controlling who can access what—you're regularly reviewing access to ensure that people still need the access they have. You're implementing the principle of least privilege, where people can access only what they need to do their job, not more. You're potentially using role-based access control where access is determined by job role rather than granted individually. You're documenting who has access to what and why.

Encryption becomes mandatory at Level 2. You're encrypting sensitive data in transit—data moving across networks or the internet is encrypted so it can't be read if it's intercepted. You're encrypting sensitive data at rest—data stored on systems or in backups is encrypted. The level of encryption required depends on the sensitivity of your data and your risk assessment, but encryption isn't optional anymore.

Asset management reaches a new level at Level 2. You need to know what systems you have, where they are, what software is running on them, who owns them, and what data they contain. This sounds obvious, but many organizations struggle with this. You might have servers running in your environment that nobody's actively responsible for. You might have systems that someone brought in for a project and never decommissioned. You might have external vendors running systems that touch your network but aren't on your inventory. Asset management at Level 2 requires getting serious about knowing your environment.

If you're using managed services or cloud services, vendor management becomes more sophisticated. You need to vet your vendors and ensure they're meeting your security requirements. You need contracts that specify what they must do, and you need a process for monitoring whether they're actually doing it. If your MSP (managed service provider) is responsible for security monitoring, you need evidence that they're actually monitoring. If a cloud provider is hosting your systems, you need documentation of their security practices.

The organizational maturity aspect of Level 2 is where many contractors struggle. It's not just about technical controls. It's about having leadership visibility into security, having documented policies that actually guide behavior, having processes that people follow consistently. It's about security governance—who's responsible for security decisions, how are they made, how does security get integrated into business processes?

Level 3: Advanced Protections and Continuous Improvement

Level 3 is where organizations handling particularly sensitive information operate, and it requires everything from Levels 1 and 2 plus 18 additional practices focused on advanced defensive measures and continuous improvement. At this level, security becomes a mature program with specialized roles, advanced tools, and regular testing and assessment.

Continuous monitoring is a hallmark of Level 3. You're not just checking your systems periodically—you're monitoring them continuously for signs of attack or unauthorized access. You have a security information and event management system (a SIEM, in industry terms), which collects logs from across your environment and analyzes them for patterns that suggest something's wrong. You're actively hunting for threats, not just responding after something breaks.

Risk management becomes formal and integrated. You're not making security decisions in a vacuum. You're conducting risk assessments—identifying what could go wrong, how likely it is, what the impact would be if it happens, and what controls you should put in place based on that risk. You're updating risk assessments regularly as your business and threat landscape change. You're documenting and tracking risk, and leadership is making informed decisions based on that risk assessment.

Incident response is regularly tested. At Level 2, you have a plan. At Level 3, you're testing it. You're running tabletop exercises where you walk through scenarios. You're conducting full simulations where you actually trigger an incident response and see how your team handles it. You're learning from those exercises and updating your plan based on what you learn. You're maintaining metrics about incidents—how long it took to detect them, how long to contain them, how long to recover from them.

Supply chain risk management becomes formal. You understand that your vendors' security practices directly affect your own security. If a vendor is compromised, you could be compromised through them. So at Level 3, you have a formal program for identifying vendors that have access to sensitive systems or data, vetting them for security practices, and monitoring their ongoing security. You have contracts that specify security requirements. You're conducting periodic assessments of critical vendors.

Penetration testing and security assessments are regular activities, not one-time events. You're bringing in external security professionals to try to break into your systems and find vulnerabilities. You're running vulnerability scans regularly. You're fixing vulnerabilities based on risk and impact. You're tracking vulnerability remediation to make sure things don't slip through the cracks.

The Differences Are Material, But They're Cumulative

Understanding the differences between levels is important, but it's equally important to understand that each level builds on the previous one. Level 2 isn't "Level 1 controls but better." It's all of the Level 1 practices plus additional practices. Level 3 is all of the Level 1 and 2 practices plus additional practices. You don't pick and choose. If you're certifying at Level 2, you must have all Level 1 practices in place and operating effectively, plus all Level 2 practices. If you're certifying at Level 3, same thing—you need everything from Levels 1 and 2 plus the Level 3 practices.

This has implications for your implementation roadmap. You can't skip from Level 1 directly to Level 3. You must go through Level 2 first. If your contract requires Level 3, you're still probably going to go through a Level 2 assessment or at least implement Level 2 practices thoroughly before attempting Level 3 certification, because Level 3 assessment will verify that you have 1 and 2 in place.

What Each Level Actually Costs

The costs scale with the level of complexity. For Level 1, if you're mostly compliant already, you might achieve certification with minimal remediation work and auditor fees typically in the range of $10,000 to $30,000. This assumes you're mostly doing the right things already and just need to formalize and document them.

Level 2 is where costs multiply substantially. Auditor fees typically run $30,000 to $100,000, but that's only the auditor cost. You also need to account for remediation. If you're starting from a weak security baseline—no monitoring, poor access controls, no encryption, informal policies—you'll need to invest in tools, infrastructure, and consulting help. You might need to implement endpoint detection and response software. You might need to deploy encryption technologies. You might need to stand up monitoring capabilities. You might need to hire a security consultant to help you design and implement controls. You might need to invest in training. The total first-year cost for a contractor moving from zero compliance to Level 2 certification commonly runs $50,000 to $200,000 or more. Subsequent years are cheaper because you've built the foundation, but you still have maintenance costs.

Level 3 costs are higher still. Auditor fees can run $150,000 to $300,000 or more depending on the size of your organization and the complexity of your environment. Remediation and implementation costs for the advanced practices required at Level 3 can easily double the auditor cost or more. You're likely investing in advanced monitoring tools, conducting regular penetration testing, and either hiring dedicated security staff or engaging a security consultancy for a significant engagement. Total Level 3 implementations can easily exceed $500,000 in year one.

What drives the cost differences is more than just auditor fees. It's the complexity of what you need to implement. At Level 1, you're formalizing basic controls. At Level 2, you're implementing organizational processes and moderate sophistication. At Level 3, you're building an advanced security operation. The complexity of that work scales the total cost.

Scope Definition: What's In and What's Out

Here's a critical piece that many contractors get wrong: not everything in your environment is in scope for CMMC. Your contract defines what's in scope. It might be systems that touch Controlled Unclassified Information (which we cover in more detail in another article). It might be a particular business unit. It might be a subset of your network. It might be systems in a geographic location.

Scope definition is one of the most important conversations you have with your auditor because every system, device, and user in scope requires protection. You can't protect what you don't know exists. Before certification, you conduct a detailed asset inventory: what servers, workstations, network devices, databases, applications, and cloud services you have; which users have access to in-scope systems; and what data flows through those systems. That inventory is your scope statement, and it drives everything else—what needs to be hardened, what needs monitoring, what needs encryption, what access controls matter.

Scope creep is a real risk. If you define scope too broadly, you're protecting more than you need to, which costs more and takes more time. If you define scope too narrowly, you miss systems that should be protected, which can cause audit failure. This is where legal, procurement, and security teams need to coordinate. Your contract language defines what work you're doing, what systems you're using to do it, and what data you're handling. Your technical team needs to translate that into a concrete scope statement that the auditor can verify.

Timeline Expectations by Level

Level 1 certification, if you're mostly compliant, might happen in 3 to 6 months. You're formalizing and documenting things you're already doing.

Level 2 certification typically requires 12 to 18 months from the point where you start serious remediation work. This assumes you already have basic security in place. If you're starting from a weak baseline, add several months. The timeline breaks down roughly as follows: gap analysis (1-2 months), planning and resource allocation (1-2 months), remediation and implementation (6-12 months), evidence gathering and documentation (2-3 months), pre-audit review (2-4 weeks), and the audit itself (2-3 weeks). These phases overlap, but the total is substantial.

Level 3 certification rarely happens in less than 18 months, and many take two to three years. You're implementing advanced practices, testing them, refining them, and building the evidence that they're working. The organizational maturity required at Level 3 can't be rushed.

Your Level Is Determined By Your Contract, Not Your Risk Assessment

Before you make any decisions about which level to pursue, get your contract and read the security requirements section carefully. Your perceived risk, your preferred maturity level, even your auditor's recommendation don't matter if your contract specifies something different. If your contract requires Level 2 and you achieve Level 1, you're not in compliance. If your contract requires Level 2 and you go for Level 3, you're over-delivering without extra credit.

That said, if you're on a trajectory to win higher-level contracts, planning ahead for Level 3 infrastructure makes sense. But don't assume higher is always better. The cost and effort of Level 3 are substantial, and if your contracts don't require it, you're spending money that could be invested elsewhere.

Where You Are Now Matters

The size of the gap between where you are today and where you need to be drives both the timeline and the cost. A contractor with documented policies, basic monitoring, and decent access controls is much closer to Level 2 than a contractor that's been operating informally. Understanding your starting point is your first job. That's why the gap analysis—the assessment of where you are against your target level—is so important. It tells you exactly what work lies ahead, in what priority order, and roughly how long it will take.

You're now equipped to understand what your target level actually requires, what the cost and timeline implications are, and how to think about scope. The next conversation is how to actually get from where you are to where you need to be. That's the preparation and implementation roadmap—your path forward.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about CMMC as of its publication date. Standards, requirements, and enforcement actions evolve — consult a qualified compliance professional for guidance specific to your organization.