If you sell to the DoD, CMMC levels aren’t a “someday” topic anymore. In January 2026, I’m seeing primes ask for proof earlier, even when a contract is still in draft. The reason is simple: the DoD wants consistent, verifiable protection for contract data across the supply chain, not just good intentions.
Most companies I talk with will land in Level 1 or Level 2. Level 3 is real, but it’s for a smaller slice of higher-risk programs.
In this post, I’ll compare what changes between levels: the data type (FCI vs CUI), the practices and process maturity, the assessment type (self vs third-party vs government-led), the evidence you’ll need, and what it can mean for contract flow-downs and award timing.
CMMC levels, at a glance: What changes from Level 1 to Level 3

Here’s the simplest way I explain it to IT and security leaders: each level changes what you protect, how much control you need, and who validates it. For the official model references, I point people to the DoD CIO’s CMMC program overview and the current CMMC Model Overview (v2.13).
| Category | CMMC Level 1 | CMMC Level 2 | CMMC Level 3 |
|---|---|---|---|
| Info protected | FCI | CUI (and FCI) | Highest-priority CUI |
| Practices baseline | 15 practices from FAR 52.204-21 basic safeguarding | 110 requirements of NIST SP 800-171 | Level 2 plus 24 enhanced requirements selected from NIST SP 800-172 (with DoD direction) |
| Process maturity (plain English) | Do the basics consistently | Repeatable and managed practices, with clear proof | Tighter control, stronger monitoring, higher assurance |
| Assessment type | Annual self-assessment, affirmed in SPRS | Self-assessment or C3PAO certification every three years, with annual affirmation (contract-driven) | Government-led (DCMA DIBCAC), only after a final Level 2 C3PAO certification |
| Documentation and evidence | Basic policies and screenshots | SSP depth, tool evidence, test records | More formal evidence, stronger traceability |
| Typical contract flow-down | Basic safeguarding clauses | CUI-handling clauses, stronger supplier flow-downs | Limited, sensitive programs with heavier oversight |
A quick disclaimer: the contract language decides the required level and the assessment type. Program guidance can shift as the DoD updates policy and rule language (see the regulatory foundation at 32 CFR Part 170).
Level 1 (FCI): Basic cyber hygiene for low-risk contract data
FCI (Federal Contract Information) is information provided by or generated for the government that isn’t meant for public release, but it’s not CUI.
In real life, Level 1 looks like disciplined small business IT. The 15 practices cover access basics, account management, patching, malware protection, and boundary protection. I add MFA where it fits, endpoint security, tested backups, and device hardening so laptops and desktops don’t become the weak link. This is common in managed IT shops that support a few government customers but don’t touch CUI.
Next steps for Level 1
- Confirm you only handle FCI (no CUI hiding in email or file shares)
- Lock down accounts, admin roles, and MFA for remote access
- Standardize patching, backups, and endpoint protections
Level 2 (CUI): NIST SP 800-171 alignment and stronger proof
CUI (Controlled Unclassified Information) is unclassified data that still requires safeguarding under law, policy, or regulation. That one change raises the bar fast.
Level 2 maps to the 110 requirements of NIST SP 800-171 (the program currently points at Revision 2), which means you need more than “we do security.” You need repeatable controls and the evidence that they operate: least privilege, account lifecycle management, audit logging, incident response, and secure configuration standards. This is where cloud infrastructure choices matter a lot.
When I’m doing an Office 365 migration for a contractor, we treat the tenant like production security, not a default setup. I harden Conditional Access, tighten external sharing, confirm that the unified audit log is actually collecting, and document the cloud architecture so it’s defensible in an assessment. For a practical view of how Level 2 relates to 800-171, this mapping write-up is a helpful supplement: CMMC vs. NIST 800-171 similarities and mappings.
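The three tenant checks above (an enforced MFA policy, audit log ingestion, and external sharing) are the ones I pull first, because each maps to an 800-171 requirement and each produces an artifact an assessor will ask for. The script below is an added example, not the post’s own tooling: it reads those settings with the Microsoft Graph, Exchange Online and SharePoint Online PowerShell modules and writes a JSON snapshot that can sit behind the SSP. It assumes a commercial tenant (government cloud tenants need the environment-specific connection switches), the placeholder tenant name `contoso`, an account with read rights to those settings, and the output file name is my choice.

```powershell
# Added example (not the original post's script). Assumes the Microsoft Graph,
# Exchange Online and SharePoint Online modules are installed and the signed-in
# account can read Conditional Access, audit and tenant sharing settings.
#Requires -Modules Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell

$TenantName = 'contoso'   # placeholder; replace with your tenant short name
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. Conditional Access: look for an ENABLED policy that requires MFA for all
#    users on all cloud apps. Report-only policies do not count as enforcement.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$caPolicies = Get-MgIdentityConditionalAccessPolicy
$mfaForAll  = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaForAll) {
    $Findings.Add('No enabled Conditional Access policy requires MFA for all users on all apps.')
}
$caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced' | ForEach-Object {
    $Findings.Add("Policy '$($_.DisplayName)' is report-only; it is not evidence of enforcement.")
}

# 2. Unified audit log: if ingestion is off, Search-UnifiedAuditLog has nothing
#    to return and the logging evidence for the SSP does not exist.
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $Findings.Add('Unified audit log ingestion is disabled.')
}

# 3. SharePoint/OneDrive sharing: anonymous ("Anyone") links allow CUI to leave
#    the tenant with no identity attached, so flag the tenant-wide setting.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $Findings.Add("Tenant SharingCapability is '$($spo.SharingCapability)' (anonymous links allowed).")
}

# Evidence snapshot: timestamped raw values plus the findings from the same run,
# so the artifact and the gap list can never disagree about what was checked.
$snapshot = [pscustomobject]@{
    CollectedUtc           = (Get-Date).ToUniversalTime().ToString('o')
    ConditionalAccess      = @($caPolicies | Select-Object DisplayName, State)
    UnifiedAuditLogEnabled = [bool]$audit.UnifiedAuditLogIngestionEnabled
    SharingCapability      = [string]$spo.SharingCapability
    Findings               = @($Findings)
}
$snapshot | ConvertTo-Json -Depth 4 | Out-File -FilePath '.\m365-baseline-evidence.json' -Encoding utf8
$Findings | ForEach-Object { Write-Warning $_ }
```

Run it from an admin workstation before and after the hardening work and keep both JSON files: the “before” copy documents the gap, the “after” copy is the evidence that the control is in place, and the timestamp ties each to a change record. A passing run is not a full 800-171 check, only the three settings the post names.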
Next steps for Level 2
- Define CUI scope (systems, users, locations, vendors)
- Build or update your SSP, and a POA&M where allowed
- Plan for a C3PAO assessment if the solicitation or prime requires it
Level 3 (high-priority CUI): Built on Level 2 with extra protections
Level 3 isn’t “Level 2 plus a few knobs.” It’s for higher-risk work where the DoD wants increased confidence and 24 added protections drawn from NIST SP 800-172, assessed by DCMA DIBCAC and available only after you hold a final Level 2 C3PAO certification for the same scope. I treat Level 3 as a program, not a project: more oversight, more monitoring, and less tolerance for informal operations.
If you want to see how the DoD frames it, the CMMC Assessment Guide Level 3 is the reference I keep bookmarked.
Next steps for Level 3
- Confirm the program truly calls for Level 3 (don’t guess)
- Expand monitoring and response readiness beyond Level 2 norms
- Coordinate early with primes and the DoD on scope and evidence
Assessments and evidence: What I prepare before a self-assessment or audit

A self-assessment is exactly what it sounds like: you assess your own environment, enter the results in SPRS, and a senior company official affirms continued compliance every year. A third-party assessment is performed by an authorized C3PAO. Level 3 is government-led, by DCMA DIBCAC.
No matter the path, I build the same core evidence set first, then scale it to the required CMMC level and the contract.
Evidence checklist I like to have ready:
- Policies and standards (access, change control, logging, media handling)
- System Security Plan (SSP) that matches the real environment
- POA&M, only when allowed, with owners and due dates
- Asset inventory (endpoints, servers, SaaS, network gear)
- Network and cloud diagrams (Secure Cloud Architecture)
- MFA and access control proof (screenshots, reports, config exports)
- Device baselines and Device Hardening standards
- Endpoint Security tool reports and alert workflow
- Vulnerability scans, patch records, exceptions with approvals
- Logging and monitoring evidence (what’s collected, where it’s stored)
- Incident response plan and last tabletop or test results
- Backup and restore test results
- Vendor and subcontractor flow-down tracking
- Business Continuity & Security plan (what happens when systems are down)
Scope matters. I only collect evidence for in-scope systems, because scoping mistakes are one of the fastest ways to fail an assessment and waste budget that should have gone to infrastructure improvements. The Level 2 scoping guide puts every asset into one of five categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets), and the category decides how much of the 110 an assessor applies to it, so that asset table is the first document I get right.
What auditors and primes usually want to see, even before the formal assessment
Primes and contracting teams often ask early for screenshots, policy excerpts, SSP sections, and tool reports. This is where technology consulting helps: I can package evidence in a clean, repeatable set and act as a business technology partner, not just the person who says “trust me.” It also supports IT strategy for SMBs, since you can tie security work to real operating goals.
Which CMMC level do I need in 2026, and what is the rollout timeline?

My decision guide is a short flow:
- Do I handle FCI only? If yes, start at Level 1.
- Do I handle any CUI (including from a prime)? If yes, plan for Level 2.
- Does the solicitation or prime require Level 2 with a C3PAO? If yes, schedule it early.
- Did the DoD specify Level 3? If yes, treat it as a separate readiness program.
As of 2026, the phased rollout dates I use for planning are:
- Phase 1: Nov 10, 2025 to Nov 9, 2026 (Level 1 and Level 2 self-assessments start appearing in solicitations)
- Phase 2: starts Nov 10, 2026 (Level 2 C3PAO certification required where the solicitation calls for it)
- Phase 3: starts Nov 10, 2027 (Level 3 government-led assessments required where applicable)
- Phase 4 full implementation: Nov 10, 2028 and beyond (requirements apply to all applicable solicitations and contracts, including option periods)
Misconceptions I correct fast:
- “Level 3 is for everyone.” It isn’t.
- “I can wait until 2028.” Many primes won’t.
- “An Office 365 Migration fixes compliance.” Not without secure tenant settings and evidence.
This isn’t legal advice. Final requirements come from the contract and current DoD guidance (this CMMC timeline summary is a decent secondary reference for planning conversations).
Common pain points I see in small businesses, and how to avoid them
The blockers are predictable: unclear scope, Microsoft 365 tenants shared with non-CUI business units, unmanaged endpoints, weak admin controls, missing logs, and informal processes. With infrastructure optimization, I separate in-scope systems from everything else. With cloud management, I design tenant boundaries and secure access. With tailored technology services, I standardize endpoints, logging, and change control so controls stay consistent through digital transformation work, including restaurant POS support and kitchen technology projects.
CMMC levels FAQ (quick answers)
Can I use a POA&M for Level 2? Only within the limits in 32 CFR 170.21: the assessment must score at least 88 of 110, the open items can’t be worth more than 1 point (FIPS-validated encryption is the main exception), and you have 180 days to close them and pass a closeout assessment or the conditional status lapses. Level 1 allows no POA&M at all. I plan to close gaps fast either way.
Does Level 1 require MFA? No. The 15 Level 1 practices cover identification and authentication, but the MFA requirement is NIST SP 800-171 3.5.3, a Level 2 item. MFA is still the safest practical choice, especially for remote and admin access.
Will my subs need the same level? Often yes. Flow-downs are common once FCI or CUI enters the chain.
Conclusion
Level 1 protects FCI with basic cyber hygiene. Level 2 protects CUI and expects NIST SP 800-171 alignment plus stronger proof. Level 3 builds on Level 2 for higher-priority CUI, with enhanced requirements and government-led oversight.
I don’t pick a level by gut feel. I base it on FCI vs CUI and what the contract clause actually says. If you want help, I can run a tight scoping workshop, deliver a readiness check, and build a plan that fits your budget and timeline. That includes Cybersecurity Services for endpoints and cloud, plus support for mixed environments like restaurants and offices where POS systems, back-office PCs, and secure cloud tools all share the same risk.