
The 3 Levels of CMMC: Which One Does Your Business Need?

Written by admin | May 20, 2025 9:19:36 PM

With the growing threat to government data, businesses working with the Department of Defense (DoD) must meet CMMC compliance standards. But how do you know which of the three CMMC levels applies to your business? This guide will help you determine which level of CMMC certification your business needs to achieve.

Whether you're a small business just getting started with government contracts or a larger organization managing sensitive data, understanding the CMMC compliance levels is the first step toward staying secure and eligible to win contracts.

What is CMMC? (A Quick Overview)

CMMC stands for Cybersecurity Maturity Model Certification. It was developed by the Department of Defense to strengthen the protection of sensitive information across the defense industrial base. The goal is to make sure that companies doing business with the DoD follow specific cybersecurity practices based on the type of data they access.

The first version of CMMC had five levels, but the updated model, known as CMMC 2.0, now includes three levels. These levels are easier to understand and better aligned with existing standards, especially NIST 800-171.

If you're new to the process, our Understanding CMMC: Why It Matters for Your Business – In Non-Technical Terms guide offers a beginner-friendly explanation.

What is CMMC Level 1? CMMC Level 1 is for businesses working with Federal Contract Information (FCI) and requires basic cybersecurity measures, including 17 practices aimed at protecting the confidentiality of that data.

CMMC Levels Explained: The 3 Levels of CMMC Compliance

There are three official CMMC levels in the updated framework, and each level builds on the one before it. These levels are designed to match the cybersecurity needs of businesses based on the type of government data they handle.

Understanding the CMMC compliance levels is essential if you're bidding on DoD contracts. Each level has a different set of requirements, and your business must meet the one that's appropriate for your contract.

For smaller organizations, it may help to explore Managed IT Services for small businesses to get a sense of what's needed to support compliance at any level.

CMMC Level 1: Basic Cyber Hygiene

CMMC Level 1 requirements are designed for companies that work with Federal Contract Information (FCI), which is information provided by or generated for the government that isn't intended for public release.

To meet Level 1, your business must implement 17 basic security practices. These include:

  • Using antivirus software
  • Updating passwords regularly
  • Controlling who can access your systems
  • Limiting physical access to computers
  • Protecting information shared by email or other communication tools

Assessments at this level are typically self-conducted and must be done annually.

What is Level 1 CMMC compliance? Level 1 focuses on basic cybersecurity hygiene with 17 required practices that protect Federal Contract Information (FCI). It’s ideal for businesses handling less sensitive government data.

If you're looking for CMMC for small business solutions, Level 1 is often a good starting point. Our Fully Managed IT Services can support these foundational needs.

CMMC Level 2: Advanced Cybersecurity Measures

The next step up is CMMC Level 2, which applies to businesses that handle Controlled Unclassified Information (CUI). CUI includes sensitive data related to national security that is not classified.

CMMC Level 2 requirements include 110 security practices based on NIST SP 800-171. These practices cover:

  • Advanced access control
  • Employee cybersecurity training
  • Incident response plans
  • Risk management procedures
  • Continuous monitoring for threats

Depending on your contract, you may need either a self-assessment or a third-party assessment by an accredited organization.

What are the CMMC Level 2 requirements? Level 2 includes 110 cybersecurity practices and is focused on businesses that handle sensitive information, such as Controlled Unclassified Information (CUI). It requires stronger security controls, including access control and continuous monitoring.

Our CMMC compliance page outlines how our services align with NIST standards and help you navigate Level 2.

CMMC Level 3: Expert-Level Security

CMMC Level 3 is the most advanced level and is intended for businesses that manage the most sensitive government information. This includes data related to national security or critical infrastructure.

At this level, companies must meet all practices in NIST SP 800-172. These include:

  • Continuous system monitoring
  • Proactive threat hunting
  • Strict incident response and recovery plans
  • Advanced data protection strategies

What is Level 3 CMMC compliance? Level 3 applies to businesses handling the most sensitive government data and requires advanced cybersecurity practices with continuous monitoring, as well as compliance with NIST 800-172 standards.

Companies pursuing Level 3 should consider leveraging external partners for Fully Managed IT to maintain high-level security around the clock.

Which CMMC Level Do I Need?

The right level for your business depends on the type of data you manage and the nature of your DoD contracts. If you're only handling FCI, Level 1 is likely enough. If you’re working with CUI, then Level 2 or Level 3 will be required.

Which CMMC level do I need? Your business needs a specific CMMC level based on the type of data you handle (FCI vs. CUI) and the contracts you hold. If you handle sensitive government data, you will need a higher CMMC level (Level 2 or Level 3).

Our Managed IT Services for small businesses are designed to scale with your compliance needs, whether you're just getting started or aiming for Level 3.

If you're unsure, conducting a pre-assessment can help you understand where you currently stand and what steps you need to take to become compliant.

Let The IT Company Help You Stay Compliant

CMMC compliance is more than a checklist; it's a vital part of securing your organization and staying eligible for Department of Defense contracts. At The IT Company, we specialize in helping businesses understand, meet, and maintain the right CMMC compliance levels for their needs.

For many small and mid-sized organizations, especially those just entering the defense space, Level 1 may be enough. But as your business grows, or your contracts become more complex, you'll need to meet more advanced cybersecurity requirements. Whether it's supporting your team with foundational practices or preparing you for the rigorous demands of CMMC Level 3 requirements, we're here to help.

Our experience with CMMC for small business clients means we understand how to align technical strategy with compliance goals—without disrupting your operations.

Ready to move forward? Book a Call with The IT Company today and let’s start your CMMC journey together.