CMMC Levels
Choosing the Right CMMC Level for Your Organization
Selecting the appropriate CMMC maturity level is a crucial first step in your compliance journey. This section presents a clear comparison of the three CMMC levels (Level 1, Level 2, and Level 3). The table below highlights the key differences in requirements, assessment processes, and frequency of assessments to help you determine which level aligns with your organization's current security posture and risk profile. Understanding these differences will allow you to plan your compliance strategy effectively.
Revised CMMC Framework Requirements
| CMMC Level | Requirements | Assessment Type | Assessment Frequency | Annual Affirmation |
|---|---|---|---|---|
| Level 1 | 15 requirements aligned with FAR 52.204-21 | Self-Assessment | Annual | Yes |
| Level 2 | 110 requirements aligned with NIST SP 800-171 r2 | C3PAO or Self-Assessment (select programs) | Every 3 years | Yes |
| Level 3 | 134 requirements (110 from NIST SP 800-171 r2 plus 24 from NIST SP 800-172) | DIBCAC | Every 3 years | Yes |
When specified in a solicitation, all CMMC requirements must be met prior to award.
Key Takeaways
Based on Assessment and Requirements
Based on Effort and Costs
Based on Security Posture