What Level of CMMC Do You Need

CMMC cybersecurity maturity levels

If you work with the U.S. Department of Defense (DoD), CMMC is no longer optional.

The big question most contractors are asking is:

“What CMMC level do we actually need?”

Let’s break it down simply.

What Is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification.

It is the DoD’s program to make sure contractors protect sensitive government data like:

  • Federal Contract Information (FCI)

  • Controlled Unclassified Information (CUI)

Before CMMC, companies mostly self-attested. Now, cybersecurity is verified and enforced through contracts.

When Was CMMC Fully Implemented?

November 10, 2025

From that date forward:

  • New DoD contracts began including CMMC requirements

  • Compliance became a condition of contract award

  • Requirements flow down to subcontractors

CMMC is rolling out in phases, but primes can require compliance immediately.

What Level of CMMC Do You Need?

Your level depends on what data you handle and what your contract requires.

The 3 CMMC Levels

  • Level 1 – You handle FCI only

  • Level 2 – You handle CUI

  • Level 3 – You support critical national security programs

Most companies fall into Level 1 or Level 2.

What Happened to NIST SP 800-171?

Short answer: It didn’t go away.

What changed:

  • NIST SP 800-171 is now enforced through CMMC Level 2

  • New contracts usually say “CMMC Level 2 required,” not just “800-171”

What didn’t change:

  • The 110 NIST controls still apply

  • They are now validated, not just promised

CMMC didn’t replace NIST 800-171 — it made it enforceable.

How Many Companies Are Affected?

DoD estimates (released September 2025):

| CMMC Level | Assessment Type | % of DIB | Est. Companies |
| --- | --- | --- | --- |
| Level 1 | Self-Assessment | 62% | ~209,500 |
| Level 2 | Self-Assessment | 2% | ~6,700 |
| Level 2 | Third-Party Certified | 35% | ~118,000 |
| Level 3 | Government Assessed | 1% | ~3,400 |

  • Most contractors will be Level 1 or Level 2

  • Many Level 2 contractors will need third-party certification

How to Tell Your CMMC Level From Your Contract

Here is a quick mapping of common contract clauses to likely CMMC levels:

| Clause in Contract | What It Means | Likely Level |
| --- | --- | --- |
| FAR 52.204-21 | FCI only | Level 1 |
| DFARS 252.204-7012 | CUI involved | Level 2 |
| DFARS 7019 / 7020 | NIST 800-171 validation | Level 2 (Self) |
| DFARS 7021 | CMMC required | Level stated |
| DFARS 7025 | Level specified | Level stated |

If these clauses apply to your prime, they usually flow down to you.

Key Things Every Contractor Should Know

Flow-down requirements are real
If your prime needs CMMC, you probably do too.

Certification takes longer than expected
Most companies underestimate:

  • Documentation

  • Evidence

  • Technical cleanup

Waiting until CMMC is in the contract is often too late.

“Self-assessment” does not mean “easy”
Self-assessments still:

  • Require full control implementation

  • Must be posted in SPRS

  • Can be audited by the DoD

  • Carry legal risk if misrepresented

Final Thoughts

CMMC is now a gatekeeper to DoD revenue.

The contractors who win will:

  • Know their level early

  • Prepare before it’s required

  • Treat cybersecurity as a business requirement, not a checkbox

Want the Short Version?

I’ve published a condensed version of this breakdown on my LinkedIn.

And for practical updates and compliance guidance, read our featured articles in AdRem’s The Cyberside Brief, where we regularly cover CMMC and other compliance-related topics.

Need Help Figuring This Out?

Sherpa helps defense contractors understand their CMMC level, prepare the right way, and avoid costly mistakes.

If you’re unsure where you fall, or how to get there, contact us to schedule your free Compliance Assessment.

We’ll help you navigate the CMMC journey with clarity and confidence.

Instant access to the full walkthrough of how Sherpa’s Secure Enclave cuts compliance costs, reduces scope, and gets you audit-ready — without blowing up your IT.

Copyright 2026 Sherpa CMMC Enclave.
All rights reserved.
