CMMC Levels 1, 2, and 3: Requirements, Differences, and What Small Businesses Must Do


April 30, 2026

CMMC 2.0 Explained: Which Level Does Your Business Need — and Why It Matters

Posted by GreylineOps | Cybersecurity & Compliance


If your company does business with the Department of Defense — or wants to — you’ve probably heard the acronym CMMC thrown around more and more. The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD’s framework for ensuring that defense contractors and their suppliers protect sensitive federal information. And starting now, it’s not optional.

But here’s where a lot of small businesses in the Defense Industrial Base (DIB) get tripped up: CMMC isn’t one-size-fits-all. There are three distinct levels, each with different requirements, different costs, and different implications for your contracts. Knowing which level applies to you — and what you need to do about it — can mean the difference between winning DoD work and being shut out of it entirely.

Let’s break it down.


What Is CMMC 2.0?

CMMC 2.0 is the DoD’s updated certification framework, released in late 2021 as a streamlined evolution of the original CMMC 1.0. Its purpose is straightforward: verify that companies in the defense supply chain have the cybersecurity controls in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Under CMMC 2.0, the five-level model was simplified to three levels, and the requirements were more closely aligned with established frameworks — specifically NIST SP 800-171 and, at the highest tier, NIST SP 800-172.

Here’s a high-level look at all three levels before we dive into each one:

Level     Name           Applies To        Assessment Type
Level 1   Foundational   FCI handlers      Annual self-assessment
Level 2   Advanced       CUI handlers      Third-party assessment (most cases)
Level 3   Expert         High-value CUI    Government-led assessment

CMMC Level 1: Foundational

Who It’s For

Level 1 applies to any company that handles Federal Contract Information (FCI) — information provided by or generated for the government under a contract, but not intended for public release. If you make widgets for a DoD prime contractor, process government purchase orders, or provide basic support services to federal agencies, you likely fall into this category.

FCI is less sensitive than CUI, but it still requires protection. Think of it as the baseline — the cybersecurity hygiene every contractor should already have.

What’s Required

Level 1 maps directly to the 17 practices outlined in FAR Clause 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). These are foundational controls grouped under six domains:

  • Access Control – Limit system access to authorized users and devices
  • Identification & Authentication – Authenticate the identity of users, devices, and processes
  • Media Protection – Sanitize or destroy information system media before disposal
  • Physical Protection – Limit physical access to organizational systems
  • System & Communications Protection – Monitor and control communications at external boundaries
  • System & Information Integrity – Identify, report, and correct system flaws in a timely manner

How You’re Assessed

Level 1 allows for annual self-assessment. Your leadership signs an attestation confirming compliance and submits it to the Supplier Performance Risk System (SPRS). No third-party auditor is required — but the attestation carries legal weight. Submitting a false attestation can expose you to liability under the False Claims Act.

The Bottom Line

Level 1 is the floor, not the ceiling. If you’re doing any DoD work at all, these 17 practices are non-negotiable. The good news: most of these controls represent solid basic security hygiene that your business should have regardless of compliance requirements.


CMMC Level 2: Advanced

Who It’s For

Level 2 applies to companies that handle Controlled Unclassified Information (CUI) — a broad category of sensitive government data that, while not classified, still requires protection by law, regulation, or policy. CUI includes things like:

  • Technical data and engineering drawings
  • Export-controlled information (EAR/ITAR)
  • Personally Identifiable Information (PII)
  • Procurement and acquisition-sensitive data
  • Law enforcement sensitive information

The vast majority of companies in the DIB that are actively working on defense programs will fall into Level 2. If your contract includes a DFARS 252.204-7012 clause, you’re almost certainly handling CUI and need to meet Level 2 requirements.

What’s Required

Level 2 maps to the 110 security practices defined in NIST SP 800-171, organized across 14 domains:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

This is a serious, comprehensive security program. We’re talking about requirements like multi-factor authentication across all systems, detailed audit logging, documented incident response plans, vulnerability scanning, configuration baselines, controlled use of removable media, and more.

For many small businesses, going from minimal security to full NIST 800-171 compliance is a significant undertaking — one that requires months of planning, implementation, and documentation work.

How You’re Assessed

For most CUI contractors, Level 2 requires a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). This isn’t a checkbox exercise — it’s a rigorous on-site (or remote) audit of your environment, policies, and processes.

There is a narrow exception: certain non-prioritized programs may allow self-assessment at Level 2. But for any program the DoD deems critical, a C3PAO assessment is mandatory. Don’t assume you qualify for the exception without confirming it with your contracting officer.

You’ll also need to maintain a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) documenting any gaps and your remediation timeline.

The Bottom Line

Level 2 is where the heavy lifting is for most small defense contractors. The requirements are substantial, the documentation burden is real, and a failed C3PAO assessment can cost you contracts. This is the level where working with a specialized MSP pays the largest dividends.


CMMC Level 3: Expert

Who It’s For

Level 3 is reserved for companies supporting the DoD’s highest-priority programs — those involving the most sensitive CUI, particularly where advanced persistent threats (APTs), including nation-state actors, are a realistic concern. We’re talking about prime contractors and subcontractors working on cutting-edge weapons systems, sensitive R&D programs, or critical national security infrastructure.

If your work involves this tier, you’ll know it. Your contracting officer will tell you explicitly, and your contracts will reflect it.

What’s Required

Level 3 builds on all 110 practices from Level 2 and adds 24 additional practices from NIST SP 800-172, which is specifically designed to provide enhanced protections against APTs. These additional controls include:

  • Advanced threat hunting and detection capabilities
  • More rigorous configuration and change management
  • Enhanced supply chain risk management
  • Penetration testing requirements
  • Advanced security operations capabilities
  • More stringent incident response and recovery procedures

This level essentially requires a mature, well-funded security operation — it’s well beyond what most small businesses can build internally without significant investment.

How You’re Assessed

Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), part of the Defense Contract Management Agency (DCMA). This is a government-led assessment — no C3PAO involved. The bar is correspondingly higher, and the scrutiny is more intense.

The Bottom Line

Most small businesses in the DIB won’t need Level 3. But if your work takes you there, you’ll need a partner with deep expertise in both the technical requirements and the assessment process. Half-measures won’t cut it.


So Which Level Do You Need?

Here’s a quick decision framework:

  • “We provide goods or services to the DoD but don’t handle sensitive technical data.” → Likely Level 1
  • “Our contracts include DFARS 252.204-7012, and we receive or generate technical drawings, specs, or other sensitive program data.” → Almost certainly Level 2
  • “We’re working on a program that DCMA or our contracting officer has specifically flagged for heightened security requirements.” → Potentially Level 3

When in doubt, review your contract language carefully and consult with your contracting officer. Getting this wrong — either under-preparing or over-investing — has real business consequences.

Why a CMMC-Specialized MSP Is the Smart Choice for Small DIB Businesses

Understanding the levels is one thing. Getting there is another.

Most small businesses in the defense supply chain aren’t cybersecurity companies. You make parts, provide services, do engineering work — that’s your core competency. Building a CMMC-compliant IT environment from scratch requires expertise that most small businesses simply don’t have in-house.

Here’s why partnering with an MSP that specializes in CMMC makes sense:

1. You Don’t Know What You Don’t Know

CMMC compliance isn’t just about checking boxes — it’s about understanding the intent behind each control and implementing it in a way that will hold up under assessment. A general-purpose IT provider can deploy software. A CMMC-specialized MSP knows which configurations will satisfy an assessor, which documentation is required, and where the common pitfalls are.

2. The Documentation Burden Is Massive

A compliant SSP for a Level 2 environment can run dozens of pages. Your POA&M needs to be accurate, credible, and maintainable. Policies and procedures need to exist, be current, and reflect your actual operations. A specialized MSP does this work every day — it’s not new territory.

3. Assessment Readiness Is a Skill

Passing a C3PAO assessment isn’t just about being technically compliant — it’s about being able to demonstrate compliance. That means having the right evidence, understanding what assessors look for, and being prepared to walk through your environment confidently. An MSP that lives in this space has seen assessments from every angle.

4. The Compliance Landscape Keeps Changing

CMMC 2.0 rules continue to be refined, DFARS clauses get updated, and CUI categories evolve. A specialized MSP stays current so you don’t have to. When something changes that affects your compliance posture, you hear about it from your provider — not six months later when you’re in the middle of an assessment.

5. The Cost of Non-Compliance Dwarfs the Cost of Compliance

Losing a DoD contract — or being excluded from future work — because of a failed assessment is a devastating business outcome. Investing in proper compliance is almost always the more economical path, especially when you can spread the cost over a managed services engagement rather than building everything internally.

6. Enclave Solutions Can Reduce Scope (and Cost)

One of the most effective strategies for small businesses is using a CMMC-compliant enclave — a segregated, pre-certified environment for handling CUI — rather than trying to make your entire IT environment compliant. A specialized MSP can architect this for you, often significantly reducing the scope and cost of your assessment.


GreylineOps Is Built for This

At GreylineOps, we work exclusively in the defense and compliance space. We understand CMMC not as a checkbox exercise, but as an operational reality for the small and mid-sized businesses that form the backbone of the U.S. defense supply chain.

Whether you’re figuring out which level applies to your contracts, building toward a C3PAO assessment, or trying to close gaps in an existing compliance program, we’re here to help.

The DIB doesn’t have time for generic IT support. Neither do you.

Contact GreylineOps to schedule a CMMC readiness consultation.


This post is for informational purposes. CMMC requirements and assessment standards continue to evolve. If you’re ready to evaluate your specific compliance posture, GreylineOps is a CMMC-specialized RPO built for small DIB businesses — reach out for a readiness consultation and we’ll help you figure out exactly where you stand.