CMMC

How Will My Organization Know What CMMC Level Is Required for a Contract?


For many defense contractors, one of the biggest questions surrounding CMMC is straightforward: how do we determine which level applies to our organization?

It is an important question because the required CMMC level directly affects an organization’s ability to bid on, win, and maintain Department of War contracts. For many companies, the answer arrives much later than it should.

Many contractors already operate inside the Defense Industrial Base without fully understanding where they fall within the CMMC framework. Some organizations assume they need only basic cybersecurity safeguards even though they are already handling Controlled Unclassified Information. Others believe CMMC applies only to prime contractors and fail to recognize that subcontractors are frequently subject to the same cybersecurity expectations through contractual flow-down requirements under 32 CFR § 170.23.

As cybersecurity requirements continue to expand across the defense supply chain, organizations increasingly need to understand not only whether CMMC applies to them but also what level of assessment readiness may ultimately be required.

The Department of War Determines the Required CMMC Level

Organizations do not choose their own CMMC level. The Department of War determines the required level based on the sensitivity of the information involved, the cybersecurity risk associated with the contract, and whether the contractor will process, store, or transmit Federal Contract Information or Controlled Unclassified Information on contractor systems.

The required CMMC level and assessment type are specified in solicitations through two primary DFARS provisions. DFARS 252.204-7025 specifies the required CMMC level for the acquisition. DFARS 252.204-7021 is the contract clause that makes CMMC compliance a binding requirement for contract performance. Both provisions will also appear in subcontracts through flow-down requirements when the work involves FCI or CUI.

Depending on the contract, organizations may be required to complete a Level 1 Self-Assessment, a Level 2 Self-Assessment, a Level 2 Certification Assessment performed by a Certified Third-Party Assessment Organization, or a Level 3 Certification Assessment conducted by DCMA DIBCAC.

This means organizations cannot simply select whichever level is easiest or least expensive. The contractual requirement ultimately determines the assessment obligation under 32 CFR Part 170.

For many contractors, this creates a significant challenge because cybersecurity readiness takes substantially longer to build than most organizations initially expect. Companies frequently underestimate the amount of remediation, documentation, technical implementation, operational alignment, evidence collection, and governance preparation required before an assessment can be successfully completed. By the time a contract formally requires compliance, many organizations are already behind schedule.

Understanding the Different CMMC Levels

The CMMC framework establishes different levels of cybersecurity requirements based on the type and sensitivity of the information being protected. As the sensitivity of the information increases, the associated security expectations become more demanding. The full structure of all three levels is described at DoW CIO — CMMC About.

Level 1

Level 1 is intended for contractors that process, store, or transmit only Federal Contract Information. FCI refers to information provided by or generated for the government under a contract that is not intended for public release, as defined at DFARS 204.7501.

This level focuses on foundational safeguarding requirements aligned with FAR 52.204-21 and requires an annual self-assessment under 32 CFR § 170.15. The requirements address core security practices such as access control, password management, malware protection, software updates, and basic physical security protections. Assessment results must be submitted to SPRS and affirmed by a senior company official.

For some organizations, Level 1 may be sufficient if they provide commercial products or services to the government without interacting with controlled technical data or sensitive program information. However, organizations sometimes assume they only handle FCI when CUI has already entered their environment through engineering collaboration, customer exchanges, supplier relationships, shared platforms, inherited systems, or expanding operational responsibilities.

Level 2

Level 2 applies to organizations that process, store, or transmit Controlled Unclassified Information. This is where a substantial portion of the Defense Industrial Base is expected to fall as CMMC implementation expands throughout defense contracts and supply chain relationships.

Level 2 requires the implementation of all 110 security requirements in NIST SP 800-171 Revision 2. These requirements span multiple cybersecurity domains, including access control, audit logging, incident response, multifactor authentication, vulnerability management, encryption, configuration management, risk assessment, personnel security, and system monitoring. The complete structure of the Level 2 assessment is described in the DoW CIO CMMC Assessment Guide Level 2.

Depending on contractual requirements, Level 2 may require either a self-assessment under 32 CFR § 170.16 or a formal certification assessment performed by a C3PAO under 32 CFR § 170.17.

Examples of CUI that may be present in contractor environments include technical drawings, engineering specifications, export-controlled information, manufacturing process data, testing documentation, maintenance procedures, operational program information, and controlled research data. The full CUI Registry maintained by the National Archives identifies every category of CUI that may appear in defense contract environments.

Contractors subject to DFARS 252.204-7012 are already required to implement NIST SP 800-171 security requirements and maintain assessment results within SPRS. CMMC expands on these existing obligations by introducing verification mechanisms through self-assessments and third-party certification assessments.

Organizations using cloud services to process or store CUI should verify whether those providers meet the FedRAMP Moderate baseline required under DFARS 252.204-7012, or hold a DoW-issued authorization equivalent.

Level 3

Level 3 is designed for organizations supporting higher-priority defense programs facing elevated cybersecurity threats, specifically Advanced Persistent Threats associated with nation-state actors.

Level 3 builds upon Level 2 and incorporates selected enhanced security requirements derived from NIST SP 800-172. Under 32 CFR § 170.18, organizations pursuing Level 3 must first achieve a Final Level 2 (C3PAO) certification before undergoing a Level 3 assessment performed by DCMA DIBCAC.

While fewer contractors are expected to require Level 3, the associated security expectations are significantly more demanding. Level 3 environments are expected to address sophisticated threat activity through enhanced monitoring, detection, response, and security management capabilities assessed against all 320 Level 2 assessment objectives plus the additional Level 3 requirements.

What Exactly Is Controlled Unclassified Information?

One of the largest areas of confusion surrounding CMMC is CUI itself.

CUI is not classified information. Executive Order 13556 established the CUI program to standardize the executive branch’s handling of unclassified information that requires safeguarding under law, regulation, or government-wide policy. The National Archives CUI Registry maintains the authoritative list of all CUI categories and their associated handling requirements.

Many contractors incorrectly assume they do not handle CUI because the information is not always clearly labeled or because they never interact with classified systems. In practice, CUI frequently enters contractor environments through subcontracting relationships, customer portals, engineering collaboration, cloud environments, shared file systems, inherited operational processes, or third-party service arrangements.

This misunderstanding is one of the primary reasons many organizations fail to recognize their CMMC obligations until much later in the contracting lifecycle, often not until a prime contractor requests an SPRS score or compliance documentation.

Why Many Contractors Misunderstand Their Requirements

One of the most common misconceptions within the Defense Industrial Base is the belief that only prime contractors must address CMMC requirements. That assumption is incorrect.

Under 32 CFR § 170.23, CMMC requirements flow down to subcontractors based on the type of information they handle, not their position in the supply chain or their contract value. If a subcontract requires processing, storing, or transmitting FCI or CUI, the CMMC requirement attaches at the applicable level. A third-tier manufacturer receiving controlled technical drawings has the same Level 2 obligation as a first-tier systems integrator handling the same category of information.

Prime contractors are already enforcing this independently. They are requesting SPRS scores, reviewing supplier security documentation, evaluating assessment readiness, and restricting access to sensitive information from suppliers who cannot demonstrate cybersecurity readiness. For many organizations, this prime-driven pressure is arriving long before a formal government assessment requirement appears in a solicitation.

The Importance of Documentation and System Security Plans

CMMC readiness is not based solely on technical controls. Organizations must also demonstrate documented implementation, operational consistency, policies, procedures, evidence collection, governance practices, and repeatable security processes throughout the assessment scope.

For Level 2 environments, organizations are required to maintain a System Security Plan describing how security requirements are implemented across the environment. Under NIST SP 800-171 Revision 2, organizations must develop, document, and periodically update SSPs that describe system boundaries, operating environments, implemented security requirements, and system relationships.

During assessments conducted under the DoW CIO CMMC Assessment Guide Level 2, C3PAO assessors review not only the existence of security controls, but also the organization’s ability to demonstrate through examination, interview, and test methods that those controls are correctly implemented, operating as intended, and producing the desired security outcome across all 320 assessment objectives.

Organizations that delay documentation efforts often discover that technical implementation alone is not sufficient for successful assessment preparation.


Scoping Matters More Than Most Organizations Realize

One of the most misunderstood aspects of CMMC is assessment scoping.

Not every system inside a company automatically falls within the assessment scope. Under 32 CFR § 170.19 and the DoW CIO CMMC Scoping Guide Level 2, assessments focus specifically on the contractor systems and assets that process, store, transmit, or protect FCI or CUI. Assets are categorized as CUI Assets, Security Protection Assets, Contractor Risk-Managed Assets, Specialized Assets, or Out-of-Scope Assets, each with different assessment requirements.

This distinction matters because proper scoping can significantly affect assessment complexity, remediation effort, implementation costs, operational overhead, and long-term compliance maintenance. Many organizations reduce assessment complexity by limiting where CUI is processed, stored, or transmitted through proper network segmentation and enclave design.

Poorly planned environments often create unnecessary compliance exposure by allowing sensitive information to spread across systems that were never intended to fall within scope. For many organizations, scoping becomes one of the most strategically important components of CMMC preparation.

Common Mistakes Contractors Make

Many organizations delay CMMC preparation because they assume they are too small to be subject to the requirements, believe subcontractors are exempt under 32 CFR § 170.23, underestimate the presence of CUI in their environment, or assume compliance can be achieved quickly once required.

One of the most common issues is discovering that CUI has existed within the environment for years without proper segmentation, documentation, or security controls aligned to NIST SP 800-171. Another frequent problem is relying entirely on external IT providers without understanding whether those providers qualify as External Service Providers within the CMMC Assessment Scope under the CMMC Scoping Guide Level 2 and whether their security posture has been evaluated accordingly.

Organizations also commonly underestimate the amount of internal coordination required between leadership, IT, operations, compliance, engineering, and external service providers during assessment preparation. They likewise underestimate the legal exposure created by inaccurate SPRS submissions, a risk the Department of Justice has actively pursued through False Claims Act enforcement actions against contractors whose self-reported compliance did not reflect actual implementation.

Waiting Until the Contract Appears Is a Major Mistake

One of the most dangerous assumptions contractors make is believing they can wait until a contract formally requires CMMC before beginning preparation.

In practice, that approach frequently fails. The Phase 2 enforcement date of November 10, 2026, means that contracts issued on or after that date will require Level 2 C3PAO certification for most CUI-handling work. As of early 2026, C3PAO wait times for new clients are already running three to six months and climbing. An organization that is only beginning remediation today and has not yet engaged a C3PAO is outside the realistic window to achieve certification before the Phase 2 deadline without significant risk.

Cybersecurity readiness takes time to build properly. Organizations may need to redesign infrastructure, implement multifactor authentication, improve logging and monitoring, establish incident response processes, segment networks, create policies and procedures, improve vendor management practices, remediate vulnerabilities, and develop sustainable governance processes aligned to the CMMC Assessment Guide Level 2. These efforts rarely happen quickly. Organizations that begin preparation early typically experience smoother remediation efforts, lower implementation costs, reduced operational disruption, and stronger assessment readiness.

Final Thoughts

CMMC is no longer a future concept for the Defense Industrial Base. It is already reshaping how contractors, subcontractors, suppliers, and service providers operate throughout the defense supply chain. Phase 1 has been active since November 10, 2025, requiring self-assessment submissions to SPRS as a condition of contract eligibility. Phase 2 arrives on November 10, 2026.

The organizations most likely to succeed long term will not treat CMMC as a temporary compliance exercise. They will build sustainable security practices that support operational resilience, customer trust, contractual eligibility, and long-term participation within the defense ecosystem.

Understanding your likely CMMC requirement early allows your organization to reduce business risk, prepare strategically, avoid rushed remediation, strengthen customer confidence, and remain competitive for future contract opportunities.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.


About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.