Your CMMC level is not yours to choose. The Department of Defense assigns it, and the contract tells you which one. But you can predict it from a single factor — the kind of information your systems touch. FCI and nothing more points to Level 1. Any CUI puts you at Level 2. The most sensitive programs reach Level 3. Here is how to read your own situation before you bid.
The short answer: your data decides, the contract confirms
The level you need is set by the program office or requiring activity buying the work — not by you, and not by your company's size. The CMMC program rule is explicit that DoD program managers or requiring activities determine which CMMC level and assessment type apply to a given procurement.
You find out by reading the solicitation. A provision called DFARS 252.204-7025 ("Notice of CMMC Level Requirements") states the required level in plain text, and you must have that status — or higher — recorded in the Supplier Performance Risk System (SPRS) before award. No SPRS status at the required level, no award.
That makes the practical question simple: which level will the government assign to work like yours? And that comes down to the data your systems will handle.
Three levels, but four labels
CMMC has three levels — but a solicitation can carry one of four labels, because Level 2 splits in two depending on how it is assessed. Knowing all four is the difference between preparing for the right bar and guessing.
| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Triggered when you handle | FCI only | CUI | The most sensitive CUI (priority programs) |
| Security requirements | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110 + 24 (NIST SP 800-172) |
| Assessment | Self-assessment | Self or C3PAO — the program office decides | DCMA DIBCAC (government-led) |
| Label you'll see in DFARS 7025 | Level 1 (Self) | Level 2 (Self) or Level 2 (C3PAO) | Level 3 (DIBCAC) |
| POA&M allowed? | No — all-or-nothing | Yes, within strict limits | Yes, within strict limits |
| Cycle | Annual + annual affirmation | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Prerequisite | None | None | Final Level 2 (C3PAO) first |
For most small IT and cyber firms, the real decision is Level 1 versus one of the two flavors of Level 2. Level 3 is rare. Here is how to tell where you land.
Level 1: you handle FCI, and nothing more
Level 1 applies when your systems process, store, or transmit Federal Contract Information — and no CUI. It covers the 15 basic safeguarding requirements from FAR 52.204-21, assessed by an annual self-assessment with an annual affirmation in SPRS.
One feature sets Level 1 apart: there is no partial credit. A POA&M is not permitted at Level 1, so every requirement is scored MET or NOT MET, and you need all of them MET. The bar is low, but it is absolute.
What this means for you: the moment a single piece of CUI enters a system you operate, Level 1 is off the table and you are in Level 2 territory — where the requirement count jumps from 15 to 110.
Level 2: you handle CUI — the lane most small firms land in
Level 2 applies when your systems handle Controlled Unclassified Information. It covers all 110 requirements in NIST SP 800-171 Rev 2. This is where the four-label nuance matters, because Level 2 comes in two forms and you do not choose between them — the program office does:
Level 2 (Self) — a self-assessment, used for a limited subset of CUI contracts.
Level 2 (C3PAO) — a certification by an accredited Certified Third-Party Assessment Organization, expected for the bulk of CUI work.
During Phase 1 of the rollout — in effect now — DoD intends to require Level 1 (Self) or Level 2 (Self) for applicable contracts, while reserving the right to require a Level 2 (C3PAO) certification at its discretion. From Phase 2 (November 10, 2026), Level 2 (C3PAO) certification becomes a condition of award wherever the contract calls for it. The trajectory is clear: if you handle CUI, plan for third-party certification, not self-attestation.
One useful rule works in your favor: a higher status satisfies a lower requirement for the same scope. A Level 2 (C3PAO) status also covers your Level 1 (Self) and Level 2 (Self) obligations — so "or higher" always qualifies you.
Level 3: reserved for the most sensitive programs
Level 3 is the top tier, and the rule ties it to certain priority programs handling the most sensitive CUI. It adds 24 enhanced requirements from NIST SP 800-172 (with DoD-set parameter values) on top of the full 110, and it is assessed exclusively by the government's DCMA DIBCAC.
Two things make Level 3 distinct. First, you cannot pursue it cold: a Final Level 2 (C3PAO) certification for the same scope is a prerequisite — you must clear Level 2 by third party before DIBCAC will assess you. Second, it is rare. Most contractors handling CUI will never be assigned Level 3; if your contract requires it, the solicitation will say so explicitly.
How to figure out your level — in practice
Inventory your data. For each system you'll use on the contract, ask: will it process, store, or transmit FCI? CUI? That single answer drives everything.
Map it. No FCI or CUI → no CMMC requirement. FCI only → Level 1. CUI → Level 2. A priority program with the most sensitive CUI → Level 3.
Read the solicitation. DFARS 252.204-7025 confirms the assigned level — and tells you whether Level 2 means Self or C3PAO. The contract is the authority; your mapping is the prediction.
Remember it's per-system. The requirement attaches to each information system that handles FCI or CUI — so you can hold different levels for different contracts. Scope tightly, often into a dedicated enclave, so a single CUI contract doesn't drag your whole company up to the highest bar.
Three misconceptions that trip up small firms
"A bigger contract means a higher level." It doesn't. A $50K CUI task order and a $5M CUI award can carry the same Level 2 requirement. The information drives the level — not the dollar value, and not your NAICS code.
"In progress is good enough." It isn't. Your required CMMC status must be entered in SPRS at the time of award; planned or partially implemented compliance does not make you eligible. (A conditional status, earned within the rule's limits, does count — but "we're working on it" does not.)
"CMMC gives me a competitive edge." Not directly. CMMC is not a scored evaluation factor or a set-aside — it's a pass/fail eligibility gate. You either hold the required status or you're ineligible; exceeding it earns no extra points. The edge is simply staying in the running while less-prepared competitors drop out.
Key Takeaways
The government assigns your level; you read it off the solicitation in DFARS 252.204-7025. You can anticipate it from one thing — the data your systems handle.
FCI only → Level 1 (15 requirements, self-assessed, no POA&M). Any CUI → Level 2 (110 requirements). The most sensitive programs → Level 3 (rare, and only after a Final Level 2 C3PAO).
Level 2 has two forms — Self and C3PAO — and the program office decides which. Most CUI work trends toward C3PAO certification, especially from Phase 2 (November 10, 2026).
It's per-system: you can hold different levels for different contracts. Tight scoping keeps you from over-building.
It's pass/fail, not scored — and "in progress" doesn't count. Your status must be in SPRS at award.
FAQ
How do I know which CMMC level I need? Start with your data: identify whether each system you'll use on the contract handles FCI, CUI, or neither. FCI only means Level 1, any CUI means Level 2, and the most sensitive priority programs mean Level 3. Then confirm against the solicitation, where DFARS 252.204-7025 states the assigned level.
Is CMMC Level 2 always a third-party (C3PAO) assessment? No. Level 2 comes in two forms — Level 2 (Self) and Level 2 (C3PAO) — and the program office decides which a given contract requires. A limited subset of CUI contracts allows self-assessment, but the bulk are expected to require C3PAO certification, especially as the rollout reaches Phase 2 in November 2026.
Can my company be more than one CMMC level at once? Yes. The requirement attaches to each contractor information system that handles FCI or CUI, so you can hold Level 1 for one contract and Level 2 for another. This is why tight scoping matters — it keeps a single CUI contract from raising the bar across your whole environment.
Does a larger or higher-value contract require a higher CMMC level? No. The level is driven by the sensitivity of the information involved, not the dollar value of the contract or your NAICS code. A small CUI contract can carry the same Level 2 requirement as a large one.
Do I need Level 3? Almost certainly not, unless you support a priority program handling the most sensitive CUI. Level 3 is rare, and it requires a Final Level 2 (C3PAO) certification first. If your contract requires it, the solicitation will state so explicitly.
SOURCES
All primary. Verified as of June 2026.
DFARS 252.204-7025 — Notice of CMMC Level Requirements (acquisition.gov). The four contracting-officer fill-ins (Level 1 (Self) / Level 2 (Self) / Level 2 (C3PAO) / Level 3 (DIBCAC)); requirement of current CMMC status and affirmation in SPRS at award, per information system. Update trigger: DFARS revisions.
DFARS Subpart 204.75 (acquisition.gov). Procedures: the contracting officer includes the level set by the program office/requiring activity; no award without the required SPRS status. Update trigger: phase changes / Nov 10, 2028 full implementation.
32 CFR Part 170 (eCFR): § 170.3(e) (four-phase rollout and the Phase 1 Self / discretionary C3PAO logic); § 170.14 (the 15/110/24 requirement counts); §§ 170.15–170.18 (Level 1, Level 2 Self, Level 2 C3PAO, Level 3 requirements and the Final Level 2 prerequisite for Level 3); § 170.21 (POA&M — none at Level 1); § 170.23 (subcontractor application); § 170.24 (scoring). Update trigger: amendment, or Rev 3 incorporation.
Federal Register 89 FR 83214 (Oct. 15, 2024). Program managers / requiring activities determine the level and assessment type; CMMC is not an evaluation factor or set-aside; Level 2 applies to all contractors handling CUI.
DoD CIO — CMMC Assessment Guides, Levels 2 and 3 (v2.13, Sept. 2024), dodcio.defense.gov/CMMC. Level 3 prerequisite of Final Level 2 (C3PAO); DIBCAC as the Level 3 assessor; NIST SP 800-172 enhanced requirements with DoD-approved parameters.