Your CMMC level isn't a choice, it's tied to specific DFARS clauses. Map 7012, 7019, 7020, and 7021 to Level 1 vs Level 2, and learn how SPRS scoring works.

Your CMMC level isn't a choice. It's a contractual obligation tied to specific DFARS clauses already in your contract (or your prime's contract). The Cybersecurity Maturity Model Certification (CMMC) program, codified in 32 CFR Part 170 and effective December 16, 2024, formalizes cybersecurity requirements DoD has mandated since 2017. The clauses in your contract decide your level.
This guide maps those clauses to obligations, walks through SPRS scoring, and gives you a five-question diagnostic to determine whether you need CMMC Level 1 or Level 2.
DFARS 252.204-7012 (October 2016 final rule, with full NIST SP 800-171 implementation required by December 31, 2017) required contractors handling Controlled Unclassified Information (CUI) to implement the 110 security requirements in NIST SP 800-171. In November 2020, DFARS 7019 and 7020 added a verification layer requiring a Basic Assessment score in the Supplier Performance Risk System (SPRS). DFARS 7021 introduced the formal CMMC certification requirement.
As of February 1, 2026, DFARS 252.204-7019 has been deleted and DFARS 252.204-7020 has been renumbered to 252.204-7997, with assessment obligations now flowing through CMMC under DFARS 252.204-7021. The historical clauses still appear in many active contracts, but new solicitations point primarily at 7012 and 7021.
On October 15, 2024, DoD published the final CMMC Program rule (32 CFR Part 170), establishing CMMC Levels 1, 2, and 3. The companion acquisition rule (48 CFR, published September 10, 2025) began embedding CMMC requirements into solicitations as of November 10, 2025. Full implementation across the DIB is expected by 2028.
The punchline: NIST 800-171 has been contractually required since 2017. CMMC adds formal third-party verification and a phased enforcement timeline.
Two information categories decide everything.
Federal Contract Information (FCI) is non-public information provided by or generated for the government, such as project status reports, meeting notes, and delivery schedules. FCI triggers Level 1.
Controlled Unclassified Information (CUI) is government-controlled information requiring safeguarding. CUI triggers Level 2. Common CUI categories in DIB workflows:
Controlled Technical Information (CTI): engineering drawings, technical reports, design specs, test data (see the National Archives CUI Registry).
Export-controlled data subject to ITAR or EAR.
DoD critical infrastructure information: network diagrams, vulnerability data, physical security details.
Government point-of-contact lists tagged with CUI markings.
Practical test: a prime's engineering drawing of a weapons subsystem is CUI. A status email about delivery timelines is FCI. CUI is more common than most subcontractors realize because primes don't always mark it clearly. The safer assumption is that CUI is present until you prove otherwise.
Level 2 applies to most DIB contractors with CUI exposure. For prioritized acquisitions, an authorized C3PAO conducts the assessment every three years. Level 3 is reserved for the highest-sensitivity programs (advanced weapons systems, critical research). Most contractors will never need Level 3.
The SPRS score is the quantitative measure DoD uses during source selection. Scoring starts at 110 (full implementation of all 110 NIST SP 800-171 requirements) and can drop into negative territory because the sum of all control weights exceeds 110. Points are deducted by control weight per the NIST SP 800-171 DoD Assessment Methodology:
5-point deductions apply to controls whose absence could allow significant exploitation of the network or exfiltration of CUI (roughly 15 controls covering access control fundamentals, audit logging, and encryption).
3-point deductions apply to controls with a specific but limited security impact (roughly 25 controls).
1-point deductions cover the remaining controls (roughly 70).
There is no partial credit: any unimplemented control deducts its full weight. You submit your Basic Assessment score to SPRS via the PIEE portal. The score ties to your CAGE code and is visible to contracting officers.
Under CMMC, POA&M rules tightened: 5-point controls cannot appear on a POA&M (one narrow exception covers FIPS-validated cryptography), your score must reach 88 or higher to receive even Conditional Level 2 status, and all POA&M items must close within 180 days or your conditional status expires.
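As an added illustration of the scoring and POA&M rules described above (example code, not part of the original article or any DoD tool), this Python helper computes a Basic Assessment score from a list of unimplemented requirements and checks whether that gap set could still yield Conditional Level 2 status. The requirement ids and weights in the sample are constructed, and mapping the FIPS-cryptography exception to requirement 3.13.11 is an assumption.

```python
from dataclasses import dataclass

MAX_SCORE = 110            # full implementation of all 110 NIST SP 800-171 requirements
CONDITIONAL_MIN = 88       # floor for Conditional Level 2 status
POAM_CLOSE_DAYS = 180      # open POA&M items must close within 180 days
ALLOWED_WEIGHTS = (1, 3, 5)
# Assumption: the FIPS-validated cryptography requirement is NIST SP 800-171 3.13.11.
FIPS_CRYPTO_REQ = "3.13.11"


@dataclass
class Gap:
    """One unimplemented requirement. Weights here are constructed for the example;
    look each one up in the DoD Assessment Methodology for real scoring."""
    requirement: str
    weight: int
    on_poam: bool = False
    days_open: int = 0


def sprs_score(gaps):
    """Start at 110 and deduct each gap's full weight (no partial credit); the
    result goes negative once enough 5- and 3-point requirements are missing."""
    for g in gaps:
        if g.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{g.requirement}: weight must be one of {ALLOWED_WEIGHTS}")
    return MAX_SCORE - sum(g.weight for g in gaps)


def level2_status(gaps):
    """Classify a Level 2 outcome under the POA&M rules: returns (status, reasons)
    with status in {"final", "conditional", "not eligible"}."""
    if not gaps:
        return "final", []
    reasons = []
    score = sprs_score(gaps)
    if score < CONDITIONAL_MIN:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN} floor")
    for g in gaps:
        if not g.on_poam:
            reasons.append(f"{g.requirement} is unimplemented and not on a POA&M")
        elif g.weight == 5 and g.requirement != FIPS_CRYPTO_REQ:
            reasons.append(f"{g.requirement} is a 5-point control and cannot sit on a POA&M")
        elif g.days_open > POAM_CLOSE_DAYS:
            reasons.append(f"{g.requirement} open {g.days_open} days (limit {POAM_CLOSE_DAYS})")
    return ("not eligible", reasons) if reasons else ("conditional", [])


# Constructed sample: two 5-point gaps that block conditional status, one FIPS exception,
# and one 1-point item that is allowed on a POA&M.
SAMPLE_GAPS = [
    Gap("3.1.1", 5),                       # 5-point and not on a POA&M
    Gap("3.3.1", 5, on_poam=True),         # 5-point on a POA&M: not permitted
    Gap("3.13.11", 5, on_poam=True),       # the FIPS cryptography exception
    Gap("3.8.4", 1, on_poam=True, days_open=30),
]

if __name__ == "__main__":
    print(sprs_score(SAMPLE_GAPS), level2_status(SAMPLE_GAPS))
```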
The practical insight: a missing or stale SPRS score is worse than a low one. Contracting officers can see whether a score exists and when it was last updated. No score often means no consideration.
Work through these questions in order. Each one narrows the answer.
If your company has no direct or indirect contractual relationship with DoD, CMMC does not apply. "Indirect" includes being a subcontractor to a prime who holds a DoD contract. CMMC requirements flow down through the supply chain.
If 7012 is present, the contract involves CUI, and you are likely subject to Level 2. DFARS 7012 has been the standard CUI-safeguarding clause since 2016 and is the strongest single indicator of a Level 2 obligation.
As of November 2025, new solicitations include the CMMC provision. The solicitation specifies the required level and assessment type. If 7021 appears, the contracting officer has already determined your level requirement.
This is the question most subcontractors skip. If you receive technical data, engineering drawings, test results, or export-controlled information from a prime, that data is likely CUI even if not explicitly marked. If you cannot definitively confirm no CUI enters your environment, plan for Level 2.
Weapons systems, advanced research, or IL-6 environments point to Level 3. Your program office will typically notify you, but early preparation matters because government-led assessments have limited scheduling capacity.
Decision summary: FCI only with no CUI exposure → Level 1. Any CUI touches your systems (or you can't prove it doesn't) → Level 2. Critical national security program → Level 3.
Contractors who start at Level 1 and later add a CUI-bearing contract face a costly jump from 17 to 110 practices. This transition is common because subcontractors often start FCI-only and earn CUI work as their role expands.
The biggest scope changes: the Identification and Authentication family adds 13 controls (multi-factor authentication, session lock, remote access management); audit logging becomes mandatory across the AU family; a full incident response capability is required, including 72-hour reporting per DFARS 7012; FIPS-validated encryption of CUI at rest and in transit becomes mandatory; and boundary protection expands across the full SC family.
Three architectural decisions cut the cost of the transition:
Build for NIST 800-171 from day one. The 17 FAR practices are a subset of the 110 NIST requirements. Implementing the full framework upfront makes Level 2 readiness incremental, not a rebuild.
Run a dedicated CUI enclave. Isolating CUI processing bounds your assessment scope and reduces the systems you must bring to full 800-171 compliance.
Choose FedRAMP-authorized tools. The December 2023 DoD memo requires FedRAMP Moderate (or equivalent) for any cloud service processing CUI. Choosing FedRAMP-authorized tools from the start eliminates a costly re-platforming later.
Your security stack should generate Level 2 evidence as a byproduct of daily operations, not as a separate compliance project. Mycroft, an AI security and compliance platform, uses AI agents that continuously map vulnerability scanning, MDR, MDM, and log management to both the 17 FAR-equivalent practices and the full 110 NIST 800-171 requirements. A contractor at Level 1 today gets Level-2-ready evidence collection running in the background. When a CUI-bearing contract arrives, you're closing gaps, not rebuilding.
Cross-mapped controls mean a single remediation can satisfy CMMC, SOC 2, ISO 27001, and HIPAA at once, reducing duplication for contractors subject to more than one framework. Continuous monitoring flags drift before it becomes an assessment finding. Mycroft does not replace an independent C3PAO; it reduces the time, cost, and risk of getting there.
If your diagnostic confirms Level 2, the next decision is which monitoring model fits your team. See "Finding the Right CMMC Monitoring Provider for Level 2 Readiness" for the three operating models and a six-question buyer's checklist.
Not sure whether your contract triggers Level 1 or Level 2?
Talk to the Mycroft team about a Level 1 / Level 2 readiness review and walk through your DFARS clauses, data flows, and SPRS scoring with engineers who have done this before.
It depends on your contract. While the DoD allows self-assessments for "non-prioritized" acquisitions, the vast majority of contracts involving Controlled Unclassified Information (CUI) are deemed prioritized. These require a formal assessment by a C3PAO. Always check your specific solicitation to confirm the assessment type required. The CMMC program rule (32 CFR Part 170) defines when each assessment type applies.
A score below 88 disqualifies you from receiving even a Conditional Level 2 status. Because contracting officers review your SPRS score during source selection, a low score can prevent you from winning the contract. The scoring weights are defined in the DoD Assessment Methodology. You must remediate your gaps and raise your score before your assessment begins.
No. Level 1 compliance is handled entirely through an annual self-assessment. You must also have a senior company official submit an annual affirmation of compliance through SPRS. Third-party C3PAO assessments are reserved for Level 2 (prioritized) and Level 3 requirements. The Level 1 self-assessment procedures are outlined in 32 CFR 170.15.
CMMC certifications for Levels 2 and 3 are valid for three years, with annual affirmations of continued compliance submitted through SPRS. Failing to submit these annual affirmations can void your certification status. Level 1 self-assessments must be renewed every year.
Yes, but they are permitted under very specific conditions defined in 32 CFR 170.21. At Level 2, you can only use a Plan of Action and Milestones (POA&M) if:
Your initial SPRS score is at least 88.
The open items are only 1- or 3-point controls (5-point controls must be fully implemented).
All remaining items are closed within 180 days.
The only 5-point exception is for certain FIPS-validated cryptography requirements.