What CMMC Level Do You Need?

  • Writer: Cristian Almazan
  • Dec 8, 2025
  • 4 min read

Updated: Dec 10, 2025

By DefenseX | November 2025 — Helping Defense Contractors Navigate CMMC with Confidence

One of the most common questions we hear from defense contractors is: “What CMMC level will my company need?”

It’s an important question — because your required CMMC level determines how much work, documentation, and security implementation you’ll need before you can be awarded particular Department of Defense (DoD) contracts.

The answer depends largely on the type of information your company handles for the DoD. Let’s break it down in simple terms.

First, a Quick Recap: What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s framework for protecting sensitive information in the defense supply chain.

It’s built around three tiers of cybersecurity maturity:

  • Level 1 – Foundational

  • Level 2 – Advanced

  • Level 3 – Expert

Each level adds more security requirements and verification rigor based on the sensitivity of the information your company works with.

Step 1: Identify What Kind of Information You Handle

This is the key factor that drives your CMMC level.

🔹 Federal Contract Information (FCI)

If your company handles Federal Contract Information, you’re working with data that’s not meant for the public, but is also not considered highly sensitive.

Examples include:

  • The statement of work (SOW) or performance requirements in your government contract

  • Contract proposals, quotes, or pricing information exchanged with the government

  • Delivery schedules, project timelines, or logistics details from a DoD contract

  • Internal communications with the government related to a contract (emails, memos, etc.)

If you only handle FCI, you’ll likely need CMMC Level 1 (Foundational).

🔹 Controlled Unclassified Information (CUI)

If your company creates, stores, processes, or transmits Controlled Unclassified Information (CUI), you’re dealing with data that could harm national interests if exposed.

Examples include:

  • Technical drawings or design files

  • Manufacturing processes or specifications

  • Defense-related research or prototypes

  • Defense-specific operations information

  • DoD system configuration and network architecture data

If you handle CUI, you will almost certainly need CMMC Level 2 (Advanced) — and potentially Level 3 (Expert) if you work on programs tied to critical national security.

Step 2: Match Your Data to the CMMC Levels

Here’s a simplified way to think about it:


Step 3: Understand How Your Contract Type Affects You

Your required CMMC level will be clearly stated in the contract solicitation (RFP or RFQ) — but you can make an educated guess ahead of time:

✅ You’re likely Level 1 if:

  • You provide commercial off-the-shelf products or basic services to the DoD.

  • You don’t receive or create technical data, engineering drawings, or DoD-sensitive project information.

  • You mainly handle contracts with no CUI exposure.

✅ You’re likely Level 2 if:

  • You’re a manufacturer, fabricator, or technology service provider supporting DoD programs.

  • You handle or generate technical or export-controlled information.

  • You’re part of the DoD’s Defense Industrial Base (DIB) where sensitive designs or materials are involved.

  • You provide professional services such as engineering, software, systems administration, healthcare, etc.

✅ You’re likely Level 3 if:

  • You support mission-critical or national security programs.

  • You’re a prime contractor or high-level subcontractor dealing with significant amounts of CUI.

  • You have direct integration with DoD systems or highly sensitive operational data.

Step 4: Don’t Assume — Verify

Even if your work seems low-risk, CMMC levels are driven by your contract requirements, not just your business type. For example, a small machine shop producing a seemingly simple part could still need Level 2 certification if that part’s design data is considered CUI.

That’s why it’s crucial to:

  • Review your contract clauses for CUI or DFARS 252.204-7012 requirements.

  • Ask your prime contractor or contracting officer if CUI is involved.

  • Conduct a CUI data flow review — identify where that information is created, stored, or transmitted in your environment.

Step 5: Prepare Accordingly

Once you’ve identified your likely CMMC level, you can start aligning your organization’s cybersecurity practices.

At DefenseX, we help contractors:

  • Determine which level applies to their contracts

  • Map where CUI exists in their IT environments

  • Implement NIST 800-171 controls efficiently

  • Prepare documentation and evidence for third-party assessments

Our goal is to make CMMC readiness simple, achievable, and sustainable — not overwhelming.

The Bottom Line

If you handle only FCI, plan for CMMC Level 1. If you handle CUI, plan for CMMC Level 2 — and be ready for a third-party assessment. If you support highly sensitive or critical defense programs, Level 3 may apply.

Knowing where you fall now helps you budget, plan, and prepare before CMMC requirements are written into your next DoD contract.

At DefenseX, we simplify that process — helping you identify your CMMC level and build a compliant IT environment that keeps you ready for certification and future growth.

👉 Contact DefenseX today to schedule a CMMC readiness review and learn what level your business will likely need.

1 Comment


Trevor Bridgewater
Dec 19, 2025

Great content! Keep it up!
