CMMC Level 1 vs Level 2 vs Level 3
A complete breakdown of all three CMMC 2.0 levels: requirements, practice counts, assessment types, and typical costs. Updated 26 March 2026.
| Feature | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Practices Required | 17 | 110 | 110+ |
| Framework | FAR 52.204-21 | NIST SP 800-171 | 800-171 + 800-172 |
| Assessment Type | Self-Assessment | C3PAO (3rd party) | DIBCAC (Govt) |
| Assessment Frequency | Annual | Triennial | Triennial |
| MFA Required | No | Yes | Yes (enhanced) |
| SIEM Required | No | Recommended | Required |
| Pen Testing Required | No | No | Yes |
| Typical Cost (first year) | $15k - $50k | $100k - $500k | $500k - $3M+ |
| Annual Maintenance | $5k - $15k | $30k - $120k | $150k - $500k |
| SPRS Submission | Required | Required | Required |
Level 1: Foundational
Framework: FAR 52.204-21 (Basic Safeguarding)
Typical first-year cost: $15,000 - $50,000
Practices: 17
Assessment: Annual Self-Assessment
Assessor: Internal (no third party required)
Annual Maintenance: $5,000 - $15,000/yr
Key Requirements (10 shown):
- Limit system access to authorised users
- Limit system access to the types of transactions authorised users are permitted to execute
- Verify identities of users, processes, or devices before granting access
- Sanitise or destroy information system media before disposal
- Limit physical access to systems to authorised individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of information system activity
- Provide security awareness training to personnel
- Perform periodic scans of the information system
- Provide protection from malicious code at appropriate locations
Level 2: Advanced
Framework: NIST SP 800-171 Rev 2
Typical first-year cost: $100,000 - $500,000
Practices: 110
Assessment: Triennial C3PAO Assessment
Assessor: Certified Third-Party Assessment Organization (C3PAO)
Annual Maintenance: $30,000 - $120,000/yr
Key Requirements (14 shown):
- Access Control (22 practices) - granular user access, remote access policies
- Audit and Accountability (9 practices) - logging, audit trail protection
- Awareness and Training (3 practices) - role-based security training
- Configuration Management (9 practices) - baseline configurations, software whitelisting
- Identification and Authentication (11 practices) - MFA mandatory
- Incident Response (3 practices) - incident handling, reporting capability
- Maintenance (6 practices) - controlled maintenance, remote maintenance
- Media Protection (9 practices) - media sanitisation, transport protection
- Personnel Security (2 practices) - screening, termination procedures
- Physical Protection (6 practices) - facility access control
- Risk Assessment (3 practices) - periodic risk assessment, vulnerability scanning
- Security Assessment (4 practices) - periodic assessment, POA&M management
- System and Communications Protection (16 practices) - network segmentation, encryption
- System and Information Integrity (7 practices) - malware protection, patch management
Level 3: Expert
Framework: NIST SP 800-171 + selected 800-172 practices
Typical first-year cost: $500,000 - $3,000,000+
Practices: 110+ (selected NIST SP 800-172 practices)
Assessment: Triennial DIBCAC Assessment
Assessor: Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Annual Maintenance: $150,000 - $500,000/yr
Key Requirements (10 shown):
- All 110 NIST SP 800-171 practices (full Level 2 compliance)
- Enhanced access control with continuous monitoring
- Advanced threat hunting and cyber threat intelligence
- Insider threat awareness program
- Enhanced supply chain risk management
- Penetration testing of production systems
- Advanced incident response with attribution capability
- Hardware and firmware integrity verification
- Security operations centre (SOC) or SOC-as-a-service
- Cyber threat information sharing with DoD