If you’re working with the Department of Defense (DoD), understanding CMMC requirements starts with one key question:
Which CMMC level do we actually need?
The answer depends on the type of information your organization handles. Getting this right early helps you avoid wasted effort and focus on the controls that actually matter.
The short answer:
- CMMC Level 1 requirements apply if your contract involves Federal Contract Information (FCI)
- CMMC Level 2 requirements apply if your contract involves Controlled Unclassified Information (CUI)
- CMMC Level 3 requirements apply if your contract involves high-priority or sensitive CUI tied to national security programs
These CMMC requirements are defined by the DoD and are not optional. Your contract determines your level.
How to Determine Your CMMC Level
This process is often referred to as CMMC level applicability determination, and it comes down to a simple set of decisions.
Step 1: Does your contract involve CUI?
- If no, you likely need CMMC Level 1 requirements
- If yes, move to Step 2
Step 2: Is the CUI tied to high-priority or mission-critical DoD programs?
- If no, you are likely subject to CMMC Level 2 requirements
- If yes, you may need to meet CMMC Level 3 requirements
For many organizations across the Defense Industrial Base (DIB), compliance starts with accurately answering this question. Misclassifying your level can lead to gaps in DoD cybersecurity compliance or unnecessary complexity.
Understanding CMMC Requirements by Level
Once you’ve identified your level, the next step is understanding what those CMMC level requirements actually involve.
CMMC Level 1 Requirements (FCI only)
CMMC Level 1 requirements focus on protecting Federal Contract Information using basic cybersecurity practices.
These DoD cybersecurity compliance expectations include:
- Limiting access to authorized users
- Verifying user identities
- Managing connections to external systems
- Securing physical access to systems and facilities
- Maintaining basic protections such as malicious code protection and timely correction of known flaws
Level 1 is designed to establish a baseline for DIB compliance. Organizations complete an annual self-assessment, submit the results through the Supplier Performance Risk System (SPRS), and have a senior official affirm continued compliance each year.
CMMC Level 2 requirements (CUI and NIST SP 800-171 alignment)
CMMC Level 2 requirements apply to organizations handling CUI. This level represents the core of DoD cybersecurity compliance and aligns directly with the 110 security requirements defined in NIST SP 800-171 Rev. 2.
To meet these CMMC requirements, organizations must:
- Document how security controls are implemented
- Maintain a System Security Plan (SSP)
- Track gaps through a Plan of Action and Milestones (POA&M), keeping in mind that under the CMMC rule only a limited set of requirements may remain open on a POA&M at assessment time, and open items must be closed within 180 days
- Collect and maintain evidence over time
Assessment requirements vary:
- Some contracts allow a Level 2 self-assessment, with results submitted through SPRS
- Others require a Level 2 certification assessment by a CMMC Third-Party Assessment Organization (C3PAO)
Either way, the assessment is repeated on a three-year cycle with an annual affirmation in between, and the contract specifies which type applies.
For most of the DIB, compliance efforts are concentrated at this level, where NIST SP 800-171 alignment becomes critical.
CMMC Level 3 requirements (advanced DoD cybersecurity compliance)
CMMC Level 3 requirements are reserved for organizations supporting the DoD’s most sensitive programs.
These advanced CMMC requirements build on Level 2 and focus on defending against sophisticated threats. Key areas include:
- Advanced monitoring and threat detection
- Automated incident response
- Network segmentation
- Supply chain risk management
- System resilience and recovery
Organizations must hold a Level 2 certification assessment from a C3PAO before pursuing Level 3, and the Level 3 assessment itself is conducted by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than by a C3PAO. This level represents the highest tier of DoD cybersecurity compliance.
How CMMC levels map to NIST SP 800-171
Understanding NIST SP 800-171 alignment helps clarify how these levels connect:
- Level 1: Basic safeguarding requirements from FAR 52.204-21 (a subset of NIST SP 800-171, not full alignment)
- Level 2: Full alignment with the 110 requirements of NIST SP 800-171 Rev. 2
- Level 3: Builds on NIST SP 800-171 with 24 selected enhanced requirements from NIST SP 800-172
For organizations navigating CMMC requirements, Level 2 is typically where alignment with NIST SP 800-171 becomes essential for audit readiness.
Common questions about CMMC requirements
What determines your CMMC level?
Your level is determined by your contract and the type of information you handle, which is the foundation of CMMC level applicability determination.
Can you choose your CMMC level?
No. These CMMC requirements are defined by the DoD based on contract obligations.
Do all DIB contractors need CMMC Level 2?
No. Only organizations handling CUI must meet CMMC Level 2 requirements. Others may only need to meet CMMC Level 1 requirements.
What is the difference between Level 2 and Level 3?
CMMC Level 2 requirements align with NIST SP 800-171, while CMMC Level 3 requirements add selected enhanced requirements from NIST SP 800-172 for higher-risk environments and are assessed by the government rather than a C3PAO.
What happens after you determine your level?
Once you’ve completed your CMMC level applicability determination, the focus shifts to execution.
Meeting CMMC requirements means:
- Aligning your systems and controls
- Building accurate documentation
- Establishing processes for continuous compliance
- Preparing for assessment
This is where many organizations slow down, not because the requirements are unclear, but because the work doesn’t always happen in the right sequence.
We often see teams jump straight into documentation or tooling before fully defining scope, ownership, and priorities. That leads to rework, delays, and unnecessary cost.
To solve this, many organizations follow a structured approach like the Progressing Pathways Program, a step-by-step model designed to move from initial scoping to audit readiness in a clear, logical progression.
Moving Forward With Confidence
Understanding your CMMC requirements is the first step. Building a program that can sustain them is what sets successful organizations apart.
At RAMPQuest, we help organizations move beyond one-time readiness and build structured, sustainable approaches to DoD cybersecurity compliance. From determining your level to maintaining long-term alignment, we bring clarity to each step so you can move forward with confidence.
If you’re working through your CMMC requirements and want a clearer path forward, we’re here to help you map it out.