CMMC Level 2 vs. Level 3: What You Need to Know

With the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework becoming a key requirement for Department of Defense (DoD) contracts, understanding the differences between Level 2 and Level 3 is essential for contractors handling sensitive federal information.

Whether you’re bidding on new contracts or trying to stay compliant with evolving regulations, this guide will help you navigate the critical distinctions between these two certification levels.


What is CMMC 2.0?

CMMC 2.0 is the DoD’s cybersecurity framework designed to ensure that contractors protect Controlled Unclassified Information (CUI). It streamlines the original five-level model into three tiers:

  • Level 1 – Foundational (basic safeguarding of Federal Contract Information)
  • Level 2 – Advanced (aligned with NIST SP 800-171)
  • Level 3 – Expert (aligned with NIST SP 800-172)

CMMC Level 2: Advanced Cyber Hygiene

CMMC Level 2 is required for contractors handling CUI and is based on full implementation of the 110 controls in NIST SP 800-171.

Key Characteristics:

  • Focus: Protection of Controlled Unclassified Information (CUI)
  • Assessment: May require a third-party assessment by a C3PAO or annual self-assessments, depending on contract sensitivity
  • Examples of Controls: Access control, configuration management, media protection, incident response, etc.

Who Needs It?

  • Most small and medium-sized DoD contractors working on non-critical systems with access to CUI.

CMMC Level 3: Expert Cybersecurity

Level 3 goes beyond NIST SP 800-171 and includes selected controls from NIST SP 800-172, which focuses on defending against Advanced Persistent Threats (APTs).

Key Characteristics:

  • Focus: Critical national security information
  • Assessment: Conducted exclusively by the DoD Assessment Team
  • Includes: Advanced capabilities like proactive threat hunting, continuous monitoring, and enhanced access controls

Who Needs It?

  • Prime contractors and subcontractors supporting high-priority DoD missions or weapons systems.
