CMMC Level 2 vs Level 3: Which Certification Do You Need?

A plain-English decision framework for DoD contractors and subcontractors navigating CMMC 2.0. Understand the three certification levels, what triggers each one, and how to avoid the most expensive mistake in the Defense Industrial Base: certifying at the wrong level.

QUICK ANSWER

The 50-Word Answer

Level 2 applies if you handle Controlled Unclassified Information (CUI) under a DoD contract — 110 NIST 800-171 controls, assessed every three years by a certified C3PAO. Level 3 applies only to roughly the top one percent of contractors handling CUI on programs deemed critical to national security — adds controls from NIST 800-172 and requires a government-led DIBCAC assessment. Most Wisconsin manufacturers are Level 2.

FOUNDATIONS

What CMMC Levels Actually Mean

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's mechanism for verifying that defense contractors protect sensitive government information. It replaces the self-attestation regime that existed under DFARS 252.204-7012, which allowed contractors to claim compliance without independent verification. The final rule was published in 2025 and phase-in requirements begin appearing in DoD solicitations throughout 2026 and 2027.

CMMC 2.0 defines three levels. Each level applies to a specific category of contract based on the sensitivity of the information flowing to the contractor. Level 1 governs Federal Contract Information (FCI) only — the basic transactional information that any vendor to the federal government handles. Level 2 governs Controlled Unclassified Information (CUI) — the technical data, drawings, specifications, and sensitive but unclassified information that flows to most defense subcontractors. Level 3 governs CUI on programs the DoD deems critical to national security — a much smaller population of contracts, with much more expensive compliance.

The practical question for Wisconsin manufacturers, defense subcontractors, and professional services firms supporting DoD primes is which level their contracts will require and when. The answer lives in the contract itself — specifically in the DFARS clauses incorporated by reference, the CUI markings on technical data packages, and the prime contractor's flow-down language. The sections below translate that contractual language into operational reality.

LEVEL 1

Level 1 (Self-Assessment) Overview

Level 1 is the floor of the CMMC framework. It applies to contractors who receive Federal Contract Information (FCI) but do not handle Controlled Unclassified Information. The control set is the 17 practices from FAR 52.204-21 — basic hygiene items like password management, access control, media sanitization, and physical security of federal information. These are not advanced controls. They are the minimum a reasonable IT department should have in place for any business client.

Level 1 is verified by annual self-assessment, documented through a formal affirmation in the Supplier Performance Risk System (SPRS). The senior executive at the contractor signs off personally, and a false affirmation carries False Claims Act liability — the same liability that attaches to any misrepresentation in a government contract. Self-assessment does not mean informal. It means the government trusts the contractor to evaluate itself honestly, with the personal signature of an accountable officer.

Who is at Level 1? Office-supply vendors, commercial landscapers, non-technical service providers, and professional services firms whose work does not involve receiving technical data from the DoD. If your contracts reference only FAR 52.204-21 and do not include DFARS 252.204-7012, you are Level 1. If DFARS 252.204-7012 is incorporated, you are Level 2 or higher regardless of what the prime initially tells you.

LEVEL 2

Level 2 (C3PAO Assessment) Deep Dive

Level 2 is the working center of gravity of the Defense Industrial Base. It applies to any contractor handling Controlled Unclassified Information — CUI — under a DoD contract. The control set is the complete NIST SP 800-171 Rev 2, which consists of 110 security requirements across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The assessment regime is the decisive difference from Level 1. Level 2 compliance is verified by a third-party assessor organization — a C3PAO (Certified Third-Party Assessment Organization) authorized by the Cyber AB — not by self-attestation. The C3PAO tests every applicable control, reviews evidence, interviews personnel, and produces a formal assessment report. The certification is valid for three years before reassessment.

Preparation for a Level 2 assessment is a 12-to-18-month engineering project for a typical mid-market manufacturer that has never been through formal 800-171. Scope-definition alone routinely takes 60 to 90 days: what systems store or process CUI, what networks carry it, which employees have access, and where the enclave boundaries are drawn. Enclave strategy — creating an isolated environment that hosts CUI while keeping the rest of the business out of scope — is the single most consequential architectural decision in the entire program. Most Wisconsin manufacturers who fail their first assessment failed it because they did not draw clean scope.

Cost expectations. A typical Wisconsin manufacturer with 50 to 200 employees and one CUI enclave should budget $125,000 to $350,000 for the implementation work, plus $35,000 to $85,000 for the C3PAO assessment itself. Larger operations, multi-site scope, or unclean starting postures push this materially higher. These are real numbers, not hypothetical — they track with what Armorstack has observed across the Midwest manufacturing sector in 2025 and 2026.

LEVEL 3

Level 3 (Government-Led Assessment) Deep Dive

Level 3 is the narrow top of the pyramid. It applies to contractors handling CUI on programs the DoD has designated as critical to national security — weapons systems of strategic importance, intelligence-adjacent contracts, and programs where a compromise could produce material harm to military operations. By design, this is a small population: roughly the top one percent of the Defense Industrial Base by contract count, though a much larger share by dollar value.

The control set adds requirements from NIST SP 800-172, which extends 800-171 with enhanced controls against advanced persistent threats. These are not incremental items — they are qualitatively different controls, addressing threat hunting, deception technology, enhanced authentication assurance, and continuous adversary emulation. The cost of implementing 800-172 controls on top of a competent 800-171 baseline routinely runs into seven figures over the first 18 months.

The assessment is led by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government team, not a commercial C3PAO. Assessment duration and depth are both materially greater than Level 2. Contractors at Level 3 typically operate dedicated CUI enclaves with hardware-enforced isolation, 24×7 SOC monitoring with government-shared threat intelligence, and documented cyber threat hunting programs. If your prime contractor has not explicitly told you that Level 3 applies to your subcontract, it does not.

DECISION PATH

How to Know Which Level Applies to You

The authoritative answer is in your contract, not in CMMC documentation. Pull any active or prospective DoD subcontract and read the Section I (Contract Clauses) list. Four pieces of language drive the decision.

FAR 52.204-21 only, no DFARS 252.204-7012. You are Level 1. Self-assessment, annual SPRS affirmation, 17 basic controls. Most professional services firms serving DoD land here.

DFARS 252.204-7012 present, no specific Level 3 flow-down. You are Level 2. 110 NIST 800-171 controls, C3PAO assessment every three years. Most defense manufacturers and technology subcontractors land here. This is the majority of the Defense Industrial Base.

DFARS 252.204-7012 plus explicit Level 3 language in the solicitation or prime contract. You are Level 3. 800-171 plus selected 800-172 enhancements, DIBCAC government-led assessment. If this applies, the prime will make it explicit — you will not stumble into Level 3 by accident.

The CUI marking test. Look at the technical data packages, drawings, statements of work, and correspondence you receive from the prime. If any of it carries a CUI marking (“CUI,” “CUI//SP-PROP,” “CUI//SP-EXPT,” “CUI//SP-ITAR,” and so on), you handle CUI and you need Level 2 at minimum — even if the prime has not yet updated its flow-downs. Markings trump flow-down language.
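As an added example (not part of the original article), here is a small Python check that applies the decision path above: it scans documents received from the prime for stand-alone CUI banner lines, in the formats quoted on this page, and combines the result with the Section I clause list so that markings override flow-down language. The "//"-segment grammar and the assumption that a banner sits on its own line are mine, not the page's.

```python
import re

# Clause numbers quoted on this page.
FAR_FCI = "52.204-21"        # FCI only -> Level 1
DFARS_CUI = "252.204-7012"   # CUI present -> Level 2 or higher

# A banner marking is assumed (for this example) to sit on its own line, as
# "CUI" or "CONTROLLED UNCLASSIFIED INFORMATION", optionally followed by
# "//"-separated segments such as SP-PROP, SP-EXPT or SP-ITAR.
BANNER = re.compile(
    r"^\s*(?:CUI|CONTROLLED UNCLASSIFIED INFORMATION)"
    r"(?://([A-Z0-9/-]+))?\s*$",
    re.MULTILINE,
)

def find_cui_markings(text):
    """Return the set of marking segments found on banner lines of a document.
    A bare 'CUI' banner is recorded as 'BASIC'. 'CUI' mentioned inside a
    sentence is not a banner and is ignored."""
    found = set()
    for m in BANNER.finditer(text):
        segs = m.group(1)
        if segs is None:
            found.add("BASIC")
        else:
            found.update(s for s in segs.split("/") if s)
    return found

def required_level(clauses, received_docs, level3_flowdown=False):
    """Apply the page's decision path and return (level, markings_seen).
    clauses: clause numbers listed in Section I of the contract.
    received_docs: text of data packages, drawings and SOWs from the prime.
    level3_flowdown: True only when the prime names Level 3 explicitly."""
    markings = set()
    for doc in received_docs:
        markings |= find_cui_markings(doc)
    has_dfars = DFARS_CUI in clauses
    if has_dfars and level3_flowdown:
        return 3, markings
    if has_dfars or markings:   # markings trump flow-down language
        return 2, markings
    if FAR_FCI in clauses:
        return 1, markings
    return None, markings       # neither clause: outside CMMC scope

# Constructed sample: a FAR-only clause list, but a drawing carrying a banner.
SAMPLE_CLAUSES = {"52.204-21"}
SAMPLE_DRAWING = "Drawing 4471-B rev C\nCUI//SP-PROP\nBracket, machined\n"
```

Running `required_level(SAMPLE_CLAUSES, [SAMPLE_DRAWING])` returns Level 2 even though the contract only cites FAR 52.204-21, which is exactly the situation the marking test is meant to catch.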

TIMELINE & COST

What to Budget by Level

| Factor | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Control count | 17 | 110 (NIST 800-171) | 110 + selected 800-172 |
| Assessment type | Self-assessment | C3PAO third-party | DIBCAC government-led |
| Cycle | Annual affirmation | 3-year certification | 3-year certification |
| Implementation time | 30–90 days | 9–18 months | 18–30 months |
| Implementation cost (SMB) | $10K–$35K | $125K–$350K | $600K–$2M+ |
| Assessment cost | $0 (self) | $35K–$85K | Government-led (indirect cost) |
| Ongoing annual cost | $15K–$40K | $60K–$180K | $250K–$700K+ |

Ranges reflect a typical 50–200 employee Wisconsin manufacturer with one CUI enclave. Multi-site, unclean starts, and aggressive timelines push costs higher.

AVOID THESE

Common Mistakes Contractors Make

1. Assuming Level 1 because nobody has said otherwise. If DFARS 252.204-7012 is in your contract, you are not Level 1 — regardless of what your contracting officer has said casually. Go find the contract language.

2. Treating the whole enterprise as the CUI enclave. The single most expensive mistake in the Defense Industrial Base is failing to scope. Pulling 800-171 controls across 300 workstations when only 25 engineers touch CUI costs ten times more than isolating a proper enclave. Scope work first. Enclave first. Controls second.

3. Hiring a C3PAO before you are ready. Assessment slots are tight and non-refundable. Engaging a C3PAO before a competent readiness review is how contractors burn $75,000 on a failed assessment and then wait six months for a reassessment slot. Readiness review first, C3PAO second.

4. Misreading POA&M rules. Not every failed control can be POA&M'd. Certain “MUST” controls are assessment-killers. If you fail them, you fail the assessment, full stop. Know which controls are POA&M-eligible before you assume you can limp across the finish line.

5. Underestimating shared responsibility with cloud providers. Microsoft 365 GCC High covers some 800-171 controls; Commercial Microsoft 365 does not. Your FedRAMP Moderate cloud platform covers some controls; your own configuration of it covers others. Build a Customer Responsibility Matrix before you assume the cloud vendor handles something. They rarely do.

6. Ignoring subcontractor flow-down. If you are a prime or higher-tier sub passing CUI to your own subs, you are responsible for flowing DFARS 252.204-7012 and the appropriate CMMC level. A sub that fails their assessment becomes your compliance failure. Build sub management into your program from day one.

FREQUENTLY ASKED

CMMC Level 2 vs Level 3: Q&A

Is CMMC Level 2 the same as NIST 800-171?

Level 2 implements all 110 NIST SP 800-171 Rev 2 controls, assessed by a C3PAO against the CMMC Level 2 Assessment Guide. The control set is identical to NIST 800-171, but CMMC adds formal third-party assessment, a scoring methodology, and a three-year certification cycle that self-attestation under DFARS 7012 never required.

How do I know if I handle CUI?

Check your contract for DFARS 252.204-7012 and for markings like “CUI,” “Controlled Unclassified Information,” or category labels such as CUI//SP-PROP or CUI//SP-EXPT. If you receive technical data packages, drawings, specifications, or export-controlled information from a DoD prime, you almost certainly handle CUI — which pushes you to Level 2 at minimum.

Can I self-assess at Level 2 instead of hiring a C3PAO?

Only a narrow subset of Level 2 contracts allow self-assessment (“Level 2 self”). The DoD is phasing this out. Any contract with a CUI requirement of strategic value — weapons systems, critical infrastructure, controlled technical data — requires a C3PAO assessment. Assume C3PAO unless the contract explicitly says otherwise.

How long does a Level 2 C3PAO assessment take?

The on-site or remote assessment takes three to ten business days depending on scope. The total engagement — from kickoff through Readiness Review, evidence collection, assessment, and final report — runs 90 to 180 days. Plan for six months of calendar time from engaging a C3PAO to having a certification in hand.

What happens if we fail the C3PAO assessment?

Failed controls can be remediated on a 180-day Plan of Action and Milestones (POA&M) for certain non-critical controls. Critical controls (the “MUST” controls) cannot be POA&M'd — if you fail them, you fail the assessment and must remediate before reassessment. Budget for a contingency reassessment.

Do I need Level 3 if I handle the most sensitive CUI?

Level 3 applies to roughly the top one percent of the Defense Industrial Base — prime contractors and subcontractors handling CUI on programs the DoD deems critical to national security. If you are asking the question, you probably need Level 2. Your prime will tell you explicitly if Level 3 applies.

Not sure which CMMC level applies to your DoD contracts?

Armorstack runs a 60-minute CMMC Level-Assessment Triage for Wisconsin defense contractors — we review your actual contract language, identify your level, and scope the remediation roadmap. No sales pitch, no obligation.
