Fortinetics

CMMC Level 2 vs Level 3: who needs which, and what the jump actually costs

CMMC has three levels. Level 1 is basic FCI hygiene. The real distinction for CUI-handling contractors is Level 2 versus Level 3: 110 NIST 800-171 controls assessed by a C3PAO, versus that plus a subset of NIST 800-172 enhanced controls assessed by DIBCAC for the narrow set of programs facing advanced persistent threats.

The short answer

Most CUI-handling contractors need Level 2, not Level 3. Level 3 applies to a narrow set of programs where the adversary threat model justifies the enhanced 800-172 control set — and the contract tells you so. Do not pursue Level 3 on speculation; build Level 2 well.

CMMC Level 2

You handle Controlled Unclassified Information on standard DoD contracts. Level 2 — the 110 NIST 800-171 Rev 2 controls, C3PAO-assessed — is what the vast majority of the Defense Industrial Base needs.

CMMC Level 3

Your contract explicitly requires Level 3 because the program faces advanced persistent threats. Level 3 adds selected NIST 800-172 enhancements on top of Level 2 and is assessed by DIBCAC, not a commercial C3PAO.

Side by side

| | CMMC Level 2 | CMMC Level 3 |
|---|---|---|
| Protects | Controlled Unclassified Information (CUI) | CUI against advanced persistent threats |
| Control basis | 110 controls from NIST SP 800-171 Rev 2 | Level 2 + a subset of NIST SP 800-172 enhancements |
| Assessed by | C3PAO (commercial, Cyber AB-accredited) | DIBCAC (government — Defense Contract Management Agency) |
| Who needs it | Majority of the ~76,600 CUI-handling DIB contractors | Narrow set of programs with advanced-threat models |
| Passing bar | Perfect 110/110, narrow POA&M flexibility | Level 2 baseline + 800-172 enhancements met |
| Assessment cadence | Every three years by a C3PAO | Government-led DIBCAC assessment |
| Typical preparation | 6-9 months from a sound IT baseline | Level 2 first, then the 800-172 enhancement delta |
| When it applies | DFARS 7021 flowdown with CUI | Contract explicitly designates Level 3 |

The honest answer: you probably need Level 2

The most useful thing we tell contractors asking "Level 2 or Level 3?" is that the question usually answers itself. Level 3 is not a tier you opt into for extra assurance — it applies to a narrow set of programs where the adversary threat model justifies the enhanced control set, and the contract designates it explicitly.

The vast majority of the roughly 76,600 organizations that need CMMC certification need Level 2 — the 110 NIST SP 800-171 Rev 2 controls across 14 families, assessed by a C3PAO. If your DFARS 252.204-7021 flowdown involves CUI and the contract does not specifically call for Level 3, Level 2 is your target.

Pursuing Level 3 on speculation is expensive and usually unnecessary. The right move is to build Level 2 to a genuine 110/110, which also positions you cleanly if a future contract does require Level 3.

What Level 3 actually adds

Level 3 is Level 2 plus a selected subset of NIST SP 800-172 controls. NIST 800-172 is the enhanced security requirements publication aimed at protecting CUI against advanced persistent threats — the controls assume a sophisticated, well-resourced adversary rather than opportunistic compromise.

The 800-172 enhancements push into areas like enhanced monitoring and threat hunting, more rigorous access control and isolation, supply-chain protections against sophisticated tampering, and dual-authorization controls for high-impact actions. They are operationally heavier than the 800-171 baseline — more continuous, more analyst-driven, more architecturally demanding.

Critically, Level 3 is assessed by DIBCAC — the Defense Contract Management Agency's assessment center — not by a commercial C3PAO. This is a government-led assessment reserved for the programs that warrant it.

The path: Level 2 first, always

Even contractors who know they need Level 3 build Level 2 first. The 110 NIST 800-171 controls are the foundation; the 800-172 enhancements layer on top. There is no shortcut that skips the Level 2 baseline.

So the practical sequence for a Level 3-bound contractor is: design and implement the Level 2 program to a genuine 110/110, then scope the 800-172 enhancement delta as a second phase. For everyone else — the majority — Level 2 is the destination.

Our [realistic CMMC Level 2 timeline](/insights/cmmc-level-2-timeline-realistic/) covers what the Level 2 engagement looks like month by month, and the [CMMC self-assessment vs C3PAO](/insights/cmmc-self-assessment-vs-c3pao/) piece covers when third-party assessment is required.

Frequently asked

CMMC Level 2 vs Level 3 — common questions.

Do I need CMMC Level 2 or Level 3?
Almost certainly Level 2. Level 2 protects Controlled Unclassified Information with the 110 NIST 800-171 Rev 2 controls and is what the vast majority of CUI-handling defense contractors need. Level 3 adds NIST 800-172 enhancements for programs facing advanced persistent threats and is assessed by DIBCAC rather than a C3PAO — it applies only to a narrow set of programs, and the contract designates it explicitly. If your contract doesn't specifically require Level 3, you need Level 2.
What is the difference between CMMC Level 2 and Level 3?
Level 2 is the 110 NIST SP 800-171 Rev 2 controls, assessed by a commercial C3PAO every three years. Level 3 is Level 2 plus a selected subset of NIST SP 800-172 enhanced controls — aimed at advanced persistent threats — assessed by DIBCAC (the government's Defense Contract Management Agency assessment center). Level 3 is operationally heavier and reserved for programs whose threat model justifies it.
Who assesses CMMC Level 3?
DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center, part of the Defense Contract Management Agency. This is a government-led assessment, unlike Level 2 which is assessed by commercial C3PAOs accredited by the Cyber AB. The DIBCAC assessment is reserved for the narrow set of CMMC Level 3 contracts and other DoD-designated programs.
Can I skip Level 2 and go straight to Level 3?
No. Level 3 is built on the Level 2 baseline — the 110 NIST 800-171 controls are the foundation, and the NIST 800-172 enhancements layer on top. Even contractors who know they need Level 3 implement Level 2 first to a genuine 110/110, then scope the 800-172 enhancement delta as a second phase. There is no path that skips the Level 2 foundation.
Is CMMC Level 3 worth pursuing for competitive advantage?
Generally no. Level 3 is not a marketing differentiator you opt into — it applies to specific programs whose contracts designate it, and the 800-172 enhancements carry real ongoing operational cost. Pursuing it speculatively means absorbing that cost without a contract requiring it. The better investment is building Level 2 to a genuine 110/110, which positions you cleanly if a Level 3 requirement ever arrives.
Not sure which fits your situation?

Book a scoping call.

Thirty minutes. We'll walk through your target, your current posture, and which path — or which combination — actually fits. If the answer is "neither yet," we'll say so.