Axiotrop Blog

Determining your CMMC Level

As we move through 2026, the DoW has already begun to include C3PAO Level 2 assessment clauses in solicitations. If your organization is part of the Defense Industrial Base (DIB), understanding your required CMMC level is the most important first step toward compliance. There are three levels of compliance, each meant to protect a distinct category of sensitive information.

DoW CMMC Levels Graphic

Level 1: Level 1 is designed to protect Federal Contract Information (FCI): information provided by the Government that is not intended for public release. Level 1 has 15 basic safeguarding requirements found in FAR clause 52.204-21. This level requires an annual self-assessment, and all 15 controls must be met.

Level 2: The primary driver for CMMC Level 2 is the presence of Controlled Unclassified Information (CUI). While Level 1 is intended for companies handling only FCI, Level 2 is mandatory for any organization that processes, stores, or transmits CUI. This includes the 110 controls outlined in NIST SP 800-171. Instead of self-assessing, Organizations Seeking Assessment (OSAs) undergo a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO), like AXIOTROP. The complete list of authorized C3PAOs can be found on The CyberAB marketplace. However, the number of OSAs in need of assessment versus the number of C3PAOs is likely to cause some bottlenecking, so OSAs are urged to start preparing for their assessment soon, since we are approaching the November 10th deadline.

Level 3: Level 3 focuses on enhanced security requirements, including threat hunting and specialized asset security for IoT and Operational Technology (OT). This level is significantly more complex, involving 134 requirements based on NIST SP 800-171 Rev 2 and a specific subset of NIST SP 800-172. Level 3 is reserved for the DIB's most sensitive programs, where the risk from Advanced Persistent Threats (APTs) is highest.

With the implementation of DFARS 252.204-7021, contracts now state the required CMMC Level. If you are receiving recent contracts, you know your CMMC level. However, if you are not sure, it is critical that you identify your level as soon as possible. If you are Level 2, you need to begin your CMMC journey immediately, as the process can take many months.

To determine whether the information you are receiving is CUI:

  • Check your contracts. If you have DFARS 252.204-7012, you are most likely receiving CUI.

  • Look for legacy labels like FOUO, SBU, or OUO (these count as CUI if they map to the CUI Registry).

  • Does the information fit a NARA category?

    • Controlled Technical Information (CTI)

    • Export-controlled information

    • Privacy / PII

    • Critical infrastructure data

  • Ask your client's contracting officer to clarify.

When in doubt, do not guess: treat the information as CUI.

There are many benefits for businesses that achieve their CMMC Level 2 certification. As CMMC requirements begin appearing in contracts, businesses that achieve certification will remain eligible for DoW contracts and will also improve their organization's cybersecurity maturity posture.

The bottom line is that organizations need to confirm their required CMMC Level as a first step to ensuring they can participate in upcoming solicitations. Take time today to determine whether you receive CUI and therefore need to build a CMMC Level 2 system.



About AXIOTROP, LLC:

Ready to start your CMMC journey? Begin by identifying your cybersecurity gaps and building a tailored remediation plan and budget. AXIOTROP's mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses, so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.