How to Determine the Right CMMC Certification Level for Your Organization?

Key Takeaways:

CMMC has been creating a stir in the cybersecurity world, especially for organizations that work with the Department of Defense (DoD). You need to prepare to meet CMMC requirements, but the big question is: “What CMMC level do I need?”

The answer doesn’t depend on your business size or contract pricing. Instead, your CMMC level depends on the type of data you handle, how it flows through your systems, and who has access to it.

Choosing the wrong level wastes time and delays your ability to win DoD contracts. Choosing the right level helps you protect sensitive data, prepare for assessments, and stay competitive in the federal market.


CMMC levels explained

CMMC 2.0 has clarified some of the confusion, but many organizations still misunderstand the levels. Understanding each level makes sure you implement cybersecurity controls correctly across your organization.

  • Level 1: Implements basic controls to safeguard Federal Contract Information (FCI) with self-assessments done annually.

  • Level 2: Protects Controlled Unclassified Information (CUI) with self-assessments during the phased rollout, with select contracts requiring third-party assessments conducted by a certified CMMC Third Party Assessor Organization (C3PAO). 

  • Level 3: Is required when the DoD determines that advanced protection is necessary due to the nature of the work or the risk to national security.

One mistake people often make is assuming that every small contractor automatically falls under Level 1, or that every contract below a certain dollar amount is Level 1. This is not correct. Level 1 is the starting floor for everybody, but the level of CMMC you need to achieve is based solely on whether you process CUI or not. It doesn’t matter if you’re a company making $1 million a year or a billion. If you process CUI, you need Level 2. If your company is a large contractor but only works with FCI, you may only need Level 1.

Unlike Level 1's annual self-assessments, Level 2 requires self-attestation during the phased rollout, unless your specific contracts require a formal assessment by a C3PAO. Level 2 compliance means your organization has implemented all 110 security controls from NIST SP 800-171 to protect CUI, documented your policies and procedures, and completed either a self-attestation or a formal C3PAO assessment, depending on your contract requirements.




What influences CMMC levels

Ask these questions when scoping your environment:


What data are you working with?

  • Do you store, process, or transmit CUI? If yes, you need at least Level 2 controls.

  • Do you handle FCI? FCI alone may only require Level 1 controls, but adding CUI increases requirements.


Which systems touch DoD data?

Document all systems that store, process, or transmit CUI, including third-party vendors. Servers, workstations, laptops, and cloud environments—all systems that “touch” CUI are in scope.


Do third-party vendors access that data?

If subcontractors handle CUI on your behalf, you’re responsible for their compliance. You are required to flow down the appropriate clauses for the level of information you need to share with these subcontractors, and to validate their compliance yourself.

Don’t make this mistake: Organizations often under-scope their environments, only to discover missing systems or users during the assessment.



Assessing your organization’s needs

Once you list all systems and users that handle CUI, begin your CMMC self-assessment.

Step 1: Review your data

Categorize your data clearly as FCI or CUI.

Step 2: Inventory systems and users

Document every system, endpoint, and user that processes FCI or CUI. Include vendors who may indirectly access this data.

Step 3: Perform a gap analysis

Compare your current security practices to the required controls for your desired CMMC level.

For example, Level 2 requires organizations to enable multi-factor authentication (MFA), implement access control policies, and maintain an incident response plan.

Step 4: Document everything

Document policies, procedures, and technical controls so that assessors can verify your compliance.

Completing these steps gives you a clear view of the CMMC assessment process and highlights where your organization already meets requirements and where it needs improvement.
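As an added example (not from the article), here is a small Python scoping-and-gap-analysis helper for Steps 1 to 4: it derives the required level from the data each asset handles, lists the assets and vendors that are in scope, and reports which Level 2 practices are still missing. The asset inventory is constructed, and the three control identifiers are an assumed illustrative subset of NIST SP 800-171, not the full 110.

```python
from dataclasses import dataclass, field

# Illustrative subset of the Level 2 practices the article names (MFA, access
# control policy, incident response plan). A real gap analysis covers all 110
# NIST SP 800-171 requirements; these IDs are an assumed mapping to Rev. 2.
LEVEL2_CONTROLS = {
    "3.1.1": "access control policy limits system access to authorized users",
    "3.5.3": "multi-factor authentication for privileged and network access",
    "3.6.1": "incident response plan and operational incident handling",
}

@dataclass
class Asset:
    name: str
    data: set                                   # subset of {"FCI", "CUI"}
    owner: str                                  # "internal" or a vendor name
    controls: set = field(default_factory=set)  # control IDs already implemented

def required_level(assets):
    """Step 1: the level follows the data, not company size or contract value.
    Level 1 is the floor for every DoD contractor; any CUI raises it to Level 2."""
    data = set().union(*(a.data for a in assets))
    return 2 if "CUI" in data else 1

def in_scope(assets):
    """Step 2: every asset that stores, processes or transmits CUI, vendors included."""
    return [a for a in assets if "CUI" in a.data]

def gap_analysis(assets):
    """Step 3: for each in-scope asset, the Level 2 controls still missing."""
    return {a.name: sorted(set(LEVEL2_CONTROLS) - a.controls) for a in in_scope(assets)}

def vendor_flowdown(assets):
    """Third parties touching CUI need the clauses flowed down and their compliance validated."""
    return sorted({a.owner for a in in_scope(assets) if a.owner != "internal"})

# Constructed inventory for illustration, not real systems or vendors.
INVENTORY = [
    Asset("file-server-01", {"FCI", "CUI"}, "internal", {"3.1.1", "3.5.3"}),
    Asset("marketing-laptop", {"FCI"}, "internal", set()),
    Asset("cad-review-portal", {"CUI"}, "ExampleVendor Inc", {"3.1.1"}),
]

if __name__ == "__main__":
    # Step 4: the output is the evidence you document for the assessor.
    print("required level:", required_level(INVENTORY))
    print("gaps by in-scope asset:", gap_analysis(INVENTORY))
    print("vendors needing flow-down:", vendor_flowdown(INVENTORY))
```

The FCI-only laptop stays out of the gap report, which is the scoping point the article makes: only systems that touch CUI drive Level 2 work.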



Steps to achieve your required CMMC level

Knowing your required level is only half the battle. Follow these steps to achieve compliance:

  • Hunt for weaknesses: Use a third-party assessor for formal assessments (required for Level 2). They validate that your processes meet CMMC standards.



Resources for CMMC compliance

  • Guides: Learn how to perform a CMMC self-assessment (Level 1, Level 2, Level 3) and take practical steps to improve your security posture.

  • PDFs: Download the official DoD model overview and implementation policy.

  • Tools: Use security tools like SIEM for centralized logging, ITDR for identity monitoring, and EDR for endpoint protection.



