CMMC 2.0 Compliance Levels Explained (Level 1, 2, 3)

Key takeaways

  • CMMC 2.0 uses a three-level model to align cybersecurity requirements with data sensitivity, ranging from basic safeguards for FCI to advanced protections for highly sensitive CUI.

  • Properly classifying data and scoping systems is essential to passing assessments and avoiding unnecessary compliance costs.

  • With CMMC being phased into DoD contracts through 2028 and certification often taking 12–18 months, early preparation provides risk reduction and a competitive advantage.

The phased adoption of the Cybersecurity Maturity Model Certification (CMMC) program has begun, and compliance will soon be a requirement for bidding on DoD contracts. CMMC 2.0 uses three levels to align security requirements with data sensitivity. While the latest framework simplifies the original five-level model, many contractors still struggle to understand the requirements.

Failing to classify assets and scope controls properly is a common cause of assessment delays, remediation findings, and overspending. This increased compliance burden can have a devastating impact on the health of small businesses, which earn roughly half of DoD awards.

In this guide, we break down the three levels of CMMC compliance, what kinds of data fall into each category, and their security control and assessment requirements.

Level 1 compliance requirements

CMMC Level 1 applies to contractors handling only federal contract information (FCI). This includes information provided by or generated for the government under contract that is not intended for public release but does not rise to the level of CUI. Examples include logistics and project management details, personnel lists, and financial records. Level 1 contractors are required to practice basic cyber hygiene by adhering to the 17 security controls from FAR 52.204‑21. These include protecting against malicious code (antivirus), limiting system access, applying security updates, and ensuring employees understand basic cybersecurity risks.

To maintain Level 1 compliance, contractors must perform an annual self-assessment and affirm each year that they meet all of the controls.

Level 2 compliance requirements

Most DoD contractors fall under CMMC Level 2. This tier is for vendors handling controlled unclassified information (CUI), such as technical drawings, engineering specs, and program details that are sensitive but not classified. While CUI doesn’t rise to the level of state secrets, it could still be damaging to national security if leaked. With state-sponsored adversaries increasingly targeting third-party vendors, Level 2 controls are far stricter than Level 1.

Contractors at this level must implement all 110 NIST SP 800‑171 Rev. 2 controls. These include multi-factor authentication (MFA), encryption of CUI at rest and in transit (where applicable), continuous audit logging, incident response plans, secure configuration management, and more. 

Most Level 2 contracts require a formal third-party (C3PAO) assessment of these controls every three years, plus annual attestation of compliance. Read our guide to the CMMC certification process.

Level 3 compliance requirements

Level 3 applies to a small subset of contractors dealing with critical programs. This level handles highly sensitive technical data that could give adversaries a strategic advantage. For example, a prime contractor designing a new stealth coating for long-range bombers would be a high-value target for advanced persistent threats (APTs) like state-sponsored hackers. 

Level 3 builds on Level 2 and adds a subset of enhanced controls derived from NIST SP 800‑172, focused on advanced threat resilience. These include continuous system monitoring, proactive threat hunting, strengthened incident response, supply-chain risk management, and expanded user identity protections. 

Contractors seeking Level 3 certification must undergo government-led audits (by DCMA’s DIBCAC) every three years and also annually affirm compliance with the 24 new controls. 

For a deeper dive into specific security requirements, read CMMC Controls Explained.

Benefits of CMMC Compliance

By November 2028, CMMC is expected to be fully phased into DoD contracting. Given that it takes 12–18 months to achieve CMMC standards from low maturity, starting now is crucial to remaining eligible for DoD contracts. Vendors who earn certification early also stand to gain a competitive advantage in bidding. Over a million contracts impose NIST 800-171 requirements each year, and the rush to be certified is sure to create an assessment logjam leading up to 2028.

Understanding CMMC level requirements as they relate to your security environment and dataflows is also crucial to audit success and to keeping compliance costs in check. Many contractors handle both Level 1 and Level 2 data, and keeping these two types isolated from each other is essential. Level 2 data found on a Level 1 device is a serious violation that can prevent certification until the issue is fully remediated and the environment is properly re-scoped.

On the other hand, treating all data with Level 2 controls is inefficient and expensive. By developing a system security plan (SSP) that accurately classifies assets and defines security boundaries, an organization can uncover any security gaps early, reduce remediation risk, and streamline CMMC certification.

Meet your CMMC compliance level with Huntress

Huntress maps directly to CMMC requirements. Our Managed EDR supports endpoint requirements (e.g., automated malware scanning, patch verification, log collection), while Managed SIEM and ITDR provide centralized log analysis and 24/7 user identity monitoring.
