(Our Blog)

CMMC: How to Know Which Level and Controls Applies to You

For many defense contractors, CMMC feels like a maze of rules, numbers, and acronyms. You’ve probably heard of “Level 1,” “Level 2,” and maybe even “Level 3,” but what do those levels and their controls actually mean and how do you know which one applies to your company?

Understanding this distinction is critical, because it determines what data you can handle, what contracts you’re eligible for, and how much cybersecurity effort (and cost) your business really needs.

Let’s break it down clearly.

What CMMC Really Measures

CMMC is used to make sure its contractors protect government information properly. It doesn’t judge how big your company is.

It evaluates how securely you handle two types of government data:

The more sensitive the data, the higher your required CMMC level.

What is a “Control” in CMMC?

A control is a specific cybersecurity requirement your organization must meet to handle government information safely. Think of each control as a rule or safeguard that ensures your systems, employees, and processes are secure.

For example:

Each control helps reduce risks like data breaches, unauthorized access, or loss of critical information. The more sensitive the data your company handles, the more controls you’ll need to follow.

The Three CMMC Levels Explained

The CMMC framework is divided into three levels, each designed for different types of defense contractors and data sensitivity.

Level 1: Foundational (15 Controls)

Who it’s for:

Companies that only handle Federal Contract Information (FCI), basic government data that isn’t public but isn’t classified either.

Goal:

To implement basic cybersecurity hygiene and demonstrate that your organization takes reasonable steps to protect DoW information.

Example controls include:

Limiting system access to authorized users

Updating software and applying security patches

Protecting information during transmission

Physically securing workstations and devices

Training employees on safe practices

Total Controls: 15, based on FAR 52.204-21 requirements.

These are the minimum requirements for most small businesses entering the DoW ecosystem.

Level 2: Advanced (110 Controls)

Who it’s for:

Companies that handle Controlled Unclassified Information (CUI) more sensitive data such as technical drawings, research, or contract performance details.

Goal:

To protect CUI by fully implementing the security controls from NIST SP 800-171 Rev. 2.

Examples of additional controls:

Multi-factor authentication (MFA) for user access

Incident response procedures and reporting

Audit logging and system monitoring

Encryption of stored and transmitted data

Periodic security assessments and reviews

Total Controls: 110, covering 14 domains such as Access Control, Incident Response, Configuration Management, and System Security.

Level 2 compliance requires documentation, evidence, and – in many cases – an external third-party assessment.

Level 3: Expert (130+ Controls)

Who it’s for:

Prime contractors or organizations handling the most sensitive CUI and directly supporting national security programs.

Important to know:

The DoW has not yet broadly mandated Level 3 for all contracts. Level 3 is intended for the most sensitive programs.
Because of that, the full “enforcement schedule” for Level 3 is still rolling out: which contracts will require it and when is still being phased.
While controls and assessment guides are published, many companies are preparing for Level 3

Goal:

To achieve continuous protection through advanced and proactive cybersecurity measures.

Framework:

Based on NIST SP 800-172, which adds roughly 20 extra controls on top of Level 2.

These advanced controls focus on:

Active cyber defense operations

Detecting and responding to sophisticated threats

Continuous monitoring of network activity

Advanced encryption and anomaly detection

Insider threat programs and incident simulation

Total Controls: Around 130–135, depending on implementation

Level 3 requires expert-level infrastructure, ongoing monitoring, and often collaboration with the government’s cybersecurity ecosystem.

How to Identify Your Level

The easiest way to determine your level is to ask two key questions:

Do you ever receive or create information labeled “CUI”?

If yes → Level 2 (or 3 if very sensitive).

If no → Level 1 is sufficient.

Does your contract reference DFARS 252.204-7012 or NIST SP 800-171?

If it does, that means CUI is in scope → Level 2 applies.

When in doubt, the DoW’s rule of thumb is simple: protect what you touch.

If your systems touch CUI, you must secure them under the correct level of CMMC.

Transparent CMMC Pricing That Fits Your Level

At Cyber Security Solutions (CSS), we help contractors meet exactly the level that applies – no upsells, no inflated packages, no jargon.

Our pricing is fully transparent and scales with your team size and compliance scope:

Startup Plan — $200 / month / device (Level 1)

For small businesses handling only FCI. Covers up to 3 devices with managed firewall, VPN, SOC monitoring, encryption, and compliance dashboard.

CSS Enclave Plan — $1,250 / month (Level 1 & 2)

For growing teams (4–10 devices) needing full Level 2 alignment and 24/7 U.S.-based SOC support.

CSS Net Plan — $2,100 / month (Level 2 readiness)

For larger organizations (11–25 devices) needing continuous monitoring, documentation management, and enterprise-level control.

Ready to close your business gap?

Schedule a meeting with an expert

Ready to close your business gaps?

Schedule a call with an expert.

Don’t worry, it’s free!

Author

Kamal Ramesh

Ready to
close your gaps?

Schedule a call with one of our experts. Don’t worry it’s free!

(Our Blog)

CMMC: How to Know Which Level and Controls Applies to You