If your organization works with the Department of Defense (DoD), understanding your cybersecurity requirements starts with one important question:
What CMMC level does our contract require?
The answer determines the controls you'll need to implement, the documentation you'll be expected to keep up with, and the type of assessment you'll get.
Many organizations assume requirements are based on company size, contract value, or technical sophistication. In reality, the determining factor is much simpler: the type of information your organization handles.
Before diving into requirements, let's identify which level applies to your contract.
The Department of Defense determines compliance requirements based on the sensitivity of the information associated with a contract.
Organizations handling only Federal Contract Information (FCI) generally fall under Level 1 requirements. Organizations handling Controlled Unclassified Information (CUI) are typically required to meet Level 2 requirements, while those supporting highly sensitive national security programs may be subject to Level 3.
The important thing to remember is that organizations do not choose their compliance level. The contract, and the information the DoD requires you to handle under it, determines the level; you do not select it yourself.
Once you've identified the type of information your organization handles, the next step is understanding what each level requires.
Level 1 is designed for organizations that handle Federal Contract Information (FCI).
This level establishes a foundation of cybersecurity practices intended to protect non-public contract information from unauthorized access or disclosure.
Organizations pursuing Level 1 are expected to implement basic cybersecurity measures corresponding to the basic safeguarding requirements in FAR 52.204-21, which already apply to any contractor that handles FCI.
For many contractors, Level 1 serves as the starting point for demonstrating cybersecurity maturity within the Defense Industrial Base (DIB).
Level 2 applies to organizations that handle Controlled Unclassified Information (CUI).
For most contractors, this is where cybersecurity compliance becomes significantly more structured and documentation heavy.
Level 2 aligns with the 110 security requirements outlined in NIST SP 800-171 and requires organizations to demonstrate that controls are not only implemented, but also documented, maintained, and operating effectively.
Organizations at this level are typically expected to go beyond implementation: each requirement is described in a System Security Plan, evidence is kept showing the control operates as described, and any gaps are tracked in a Plan of Action and Milestones until they are closed.
Because CUI requires a higher level of protection, assessment expectations also become more stringent. Depending on the contract, Level 2 is either self-assessed or assessed by a certified third-party assessment organization (C3PAO).
Most organizations spend the majority of their compliance effort preparing for Level 2.
That's because Level 2 represents the point where cybersecurity controls, documentation, evidence collection, and assessment readiness all converge.
For many contractors, achieving Level 2 readiness directly impacts their ability to compete for future DoD opportunities involving Controlled Unclassified Information.
Level 3 is reserved for organizations supporting some of the Department of Defense's most sensitive programs.
This level builds upon the requirements established in Level 2 while introducing additional protections designed to defend against sophisticated cyber threats.
Organizations operating at this level often face heightened security expectations due to the nature of the information and missions they support.
The additional areas of focus are drawn from the enhanced security requirements in NIST SP 800-172, which target advanced persistent threats rather than the opportunistic attacks the Level 2 baseline is designed for.
Organizations must successfully satisfy Level 2 requirements before pursuing Level 3.
Although every level focuses on protecting sensitive information, the assessment process becomes more stringent as requirements increase: Level 1 is an annual self-assessment with an affirmation, Level 2 is either a self-assessment or a C3PAO assessment depending on the contract, and Level 3 is assessed by the DoD itself.
Understanding these differences can help organizations prepare appropriately and avoid surprises later in the compliance journey.
Now that we've reviewed each level individually, it's easier to see how they compare side-by-side.
One of the most common questions organizations ask is how NIST SP 800-171 fits into the broader compliance framework.
The relationship is straightforward.
Level 1 establishes foundational cybersecurity practices. Level 2 aligns directly with NIST SP 800-171 and its 110 security controls. Level 3 builds upon that foundation with additional protections designed for higher-risk environments.
For most organizations handling Controlled Unclassified Information, Level 2 is where NIST SP 800-171 alignment becomes critical for assessment readiness.
Determining your required compliance level is only the first step.
Once you've identified which requirements apply to your organization, the focus shifts to readiness. This includes defining scope, implementing controls, developing documentation, collecting evidence, and preparing for assessment.
Many organizations struggle because they jump directly into tools, technologies, or documentation before fully defining ownership, priorities, and scope. Taking a structured approach early can help reduce rework, avoid unnecessary costs, and create a more predictable path toward compliance.
Programs like RAMPQuest’s Progressing Pathways are designed to help organizations take a structured approach to readiness through guided planning, implementation milestones, and periodic reviews that keep progress moving forward.
Your contract requirements and the type of information your organization handles determine your required compliance level. Remember: do you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?
No, an organization cannot choose its own level. Compliance requirements are assigned based on contract obligations established by the Department of Defense.
No, not every contractor needs Level 2. Organizations that handle only Federal Contract Information may need to meet Level 1 requirements alone.
Level 2 focuses on protecting Controlled Unclassified Information through alignment with NIST SP 800-171. Level 3 introduces enhanced protections designed for organizations supporting higher-risk national security programs.
Compliance can feel overwhelming, especially when you're trying to balance security requirements with everything else on your plate.
You don't have to figure it out on your own.
At RAMPQuest, we help organizations make sense of complex requirements, create realistic plans, and stay on track throughout the process. Whether you're just getting started or preparing for your next assessment, we'll help you focus on what matters most.
If you're looking for guidance and a team that's been there before, we're here to help.