CMMC Compliance Levels


CMMC Compliance Requirements


It has become critical for the Department of Defense (DoD) to enforce standardized security requirements within the Defense Industrial Base (DIB) due to evolving methods of cyberattack. To achieve this, all Defense contractors working with the DoD must adhere to security standards that ensure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are protected.


The Cybersecurity Maturity Model Certification (CMMC) is a security framework with three compliance levels that follow the cybersecurity standards of the National Institute of Standards and Technology (NIST). Carahsoft has created a breakdown of the framework levels to explain the requirements for implementing CMMC security standards to achieve compliance.

Cybersecurity Maturity Levels


The CMMC compliance level is determined at the contract level and by the sensitivity of the information handled by the DoD contractor. Assessments at each level are required to verify that a Defense Industrial Base (DIB) organization complies with the requirements of the relevant maturity level.


CMMC assessments are carried out through one of three methods depending on maturity level:

  • Self-assessment
  • Assessment by a Cyber Accreditation Body (Cyber AB) accredited CMMC Third-Party Assessment Organization (C3PAO)
  • Government assessment


Discover the compliance standards for CMMC Foundational, Advanced and Expert security levels.

Level 1 Foundational Security:


This is the base, or Foundational, level, where organizations must perform basic security practices focused on protecting FCI. Level 1 features 17 security practices to ensure basic safeguarding of assets that process, store or transmit FCI. Additionally, an annual self-assessment with certification by company leadership is required at Level 1 to demonstrate compliance with the DoD security standards.


Level 2 Advanced Security:


This level is for Advanced cybersecurity methods, with DIB organizations engaging in 110 universally accepted best practices aligned with NIST SP 800-171. Providers at Level 2 are broadly protecting CUI, with cybersecurity procedures that are both advanced and sophisticated. Assessment requirements are split into an annual self-assessment with certification by company leadership, and an assessment by a third-party assessment organization every three years. These third-party organizations will be certified by the CMMC-AB and report all assessments to the DoD.

Level 3 Expert Security:


The final CMMC framework level, Expert Level 3, is for in-depth and highly advanced cybersecurity, including all previous requirements from Levels 1 and 2 while going beyond the 110 practices. Maturity Level 3 will likely be based on NIST SP 800-172 and focuses on protection of CUI while reducing risk from Advanced Persistent Threats (APTs). At this level, the government conducts triennial assessments on companies to ensure that all outlined procedures are followed. The DoD will continue to expand on Level 3 information and create assessment requirements suitable for critical information.


CMMC Certification Process


Carahsoft’s partners are equipped to handle CMMC needs, with coverage for all 14 capability domains across the 3 CMMC maturity levels. Our technology portfolio enables the DoD to adhere to CMMC compliance standards, while safeguarding critical information and infrastructure.