Understanding CMMC Levels: Best Practices for Compliance Readiness

June 5, 2025

At a Glance:

  • Main Takeaway: CMMC is reshaping cybersecurity expectations across the defense supply chain, requiring tech companies directly and indirectly connected to the DoD to meet strict compliance standards.
  • Business Impact: If your business provides technology, services, or personnel to defense contractors, you may soon need to prove your cybersecurity posture or risk losing out on future opportunities.
  • Next Steps: Aprio is here to help. Schedule a consultation today.

The Full Story:

As cybersecurity threats grow more sophisticated, technology companies that support or supply contractors within the defense ecosystem must be prepared to meet strict compliance standards. Whether your business provides software, cloud services, IT infrastructure, or personnel to contractors working with the Department of Defense (DoD), understanding Cybersecurity Maturity Model Certification (CMMC) Program requirements is essential.

CMMC compliance affects the entire supply chain, including tech firms that handle Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI). The requirement flows down to subcontractors that process, store, or transmit FCI or CUI on a prime's behalf, so if your company supports a prime contractor in that way, you may be asked to prove your compliance even if you are several tiers removed from the DoD. With defense contractors relying on thousands of vendors, the ripple effect is undeniable, and CMMC compliance may already be on your horizon.

The Three Levels of CMMC Compliance

CMMC 2.0 simplifies the original five-level model into three levels:

  • Level 1: Designed for companies that handle FCI but not CUI.
  • Level 2: Applies to businesses that process, store, or transmit CUI.
  • Level 3: Reserved for the most sensitive DoD programs.

CMMC Level 1

Level 1 focuses on safeguarding FCI through the 15 basic safeguarding requirements of FAR 52.204-21 (the earlier CMMC 2.0 announcement counted these as 17 practices; the final rule consolidates them to 15). It applies to companies that do not handle CUI but still support DoD operations. This level is typical for tech firms providing commoditized services or products with limited data sensitivity.

  • Assessment Type: Annual self-assessment
  • Requirements: Full implementation of FAR 52.204-21 controls
  • Submission: Results must be uploaded to the Supplier Performance Risk System (SPRS), with an executive affirmation of compliance

No Plans of Action and Milestones (POA&Ms) are permitted at this level, so every requirement must be fully implemented before the self-assessment can be affirmed and the company becomes eligible for award.

CMMC Level 2

Level 2 is required for companies that process, store, or transmit CUI. It aligns with the 110 controls in NIST SP 800-171 Rev. 2 and introduces more robust cybersecurity practices.

  • Assessment Type: Either self-assessment or third-party (C3PAO) assessment every 3 years, depending on contract requirements
  • Annual Requirements: Affirmation of compliance and SPRS score submission
  • POA&Ms: Allowed under specific conditions. The assessment score must still reach at least 88 of 110, the highest-weighted requirements cannot be deferred, and open items must be closed within 180 days to convert a conditional status into a final one.

Over 80,000 contractors are expected to fall under Level 2, including many tech companies offering cloud, software, or data services.

CMMC Level 3

Level 3 is reserved for organizations working on the most sensitive DoD programs, including those involving national security or critical infrastructure.

  • Assessment Type: Government-led assessment by the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center (DIBCAC), which requires a current C3PAO-issued Level 2 certification as a prerequisite
  • Requirements: All 110 Level 2 controls plus 24 additional controls selected from NIST SP 800-172
  • Certification: Conditional certification may be granted with approved POA&Ms, which must be closed out within 180 days

Only about 1% of contractors are expected to need Level 3, but for those working on national security initiatives and projects, it is nonnegotiable.

Best Practices for CMMC Compliance Readiness

While your company may not be required to comply today, preparing now can give you a competitive edge.

  • Use the CMMC Final Rule as Your Baseline: Even if you are not in the defense space, adopting CMMC standards can protect your company, data, and people. Start with Level 1 controls and build from there.
  • Build a Strong System Security Plan (SSP): Your SSP should clearly explain how your organization meets each control. A well-documented SSP demonstrates maturity and readiness.
  • Operationalize Your Policies: Do not just write policies; implement them. Ensure your team follows the documented procedures, and that any third-party vendors that touch your FCI or CUI meet the same requirements, since the obligation flows down with the data.
  • Conduct Internal or Third-Party Readiness Assessments: Use the DoD’s CMMC Assessment Guide or engage a trusted third-party to identify gaps. Many companies benefit from third-party readiness assessments to avoid misinterpretation of requirements.
  • Engage a C3PAO Early: If your level requires third-party certification, schedule your assessment early. With fewer than 60 authorized C3PAOs and tens of thousands of contractors, demand is high.

The Bottom Line

CMMC compliance is no longer optional for companies within the DoD supply chain. For tech companies that support or supply organizations working with the U.S. Department of Defense, CMMC is becoming a critical benchmark for doing business. Whether you are developing software, managing cloud infrastructure, or supporting defense contractors with IT services, aligning with the right CMMC level ensures your business remains competitive and contract ready.

Start by assessing your current cybersecurity posture, close any compliance gaps, and build a roadmap toward certification. The earlier you begin, the better positioned you will be when the next opportunity arises.

Schedule a general consultation to explore how Aprio can support your needs.


About the Author

Raj Raghavan

Raj Raghavan is a Partner in Security & Compliance Services at RAAS. With a focus on clients in the defense industry, contractors serving the DoD, and companies selling to the federal government, Raj brings a wealth of expertise in cloud security, cybersecurity compliance, and payments. His passion lies in connecting technology and business needs and making complex technical terms understandable for clients.

