Home β€Ί CMMC FAQs β€Ί CMMC Model
CMMC Model β€” Official DoD FAQ

How Will My Organization Know What CMMC Level Is Required for a Contract?

πŸ’Ό
Unsure which CMMC level applies to your contracts? Jun Cyber can help you determine your requirements.
Schedule Free Consultation
Official DoD Answer
Source Source: DoD CIO CMMC FAQs v5 (B-Q1)

Once CMMC is implemented contractually, the Department will specify the required CMMC level in the solicitation and the resulting contract.

In-Depth Analysis

Understanding CMMC Level Requirements

The CMMC level required for your organization is determined by the type of information you handle under the contract, not by your organization's size or preference.

How Levels Are Determined

  • Level 1 (Foundational): Required when your contract involves Federal Contract Information (FCI) only. Covers 15 basic safeguarding requirements from FAR 52.204-21. Self-assessment only.
  • Level 2 (Advanced): Required when your contract involves Controlled Unclassified Information (CUI). Covers all 110 NIST SP 800-171 Rev 2 requirements. May require self-assessment or C3PAO assessment depending on program criticality.
  • Level 3 (Expert): Required for the most sensitive CUI programs identified by the DoD. Adds 24 requirements from NIST SP 800-172 on top of Level 2. Assessed by DIBCAC.

Where to Find This Information

The required CMMC level will be explicitly stated in:

  • The solicitation (RFP/RFI)
  • The resulting contract (Section H or similar)
  • DFARS clause 252.204-7021

If you're unsure what level your current contracts require, review the DFARS clauses in your existing contracts. If they include 252.204-7012 and you handle CUI, you'll likely need CMMC Level 2. If you only handle FCI under FAR 52.204-21, Level 1 applies.

Pro tip: Don't guess β€” ask your Contracting Officer for clarification on the specific CMMC requirements for your contract.

Have More Questions?

ChatCMMC can answer detailed questions about CMMC compliance, NIST 800-171 controls, assessment preparation, and more β€” powered by official DoD documentation.

Ask ChatCMMC β†’

Get Your Free CMMC Readiness Assessment

Find out where your organization stands and what steps you need to take. Jun Cyber's CMMC experts are here to help.

By submitting, you agree to be contacted by Jun Cyber. No spam, ever.

Related Questions

You Might Also Want to Know

CMMC Model

What Is the Difference Between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)?

β†’ CMMC Model

What Is the Relationship Between NIST SP 800-171 and CMMC?

β†’ CMMC Model

Will CMMC Requirements Flow Down to Subcontractors?

β†’
Jun Cyber

Ready to Start Your CMMC Journey?

Jun Cyber helps defense contractors navigate CMMC compliance with confidence. From gap assessments to certification readiness β€” we've got you covered.

πŸ“… Schedule a Consultation Learn About CMMC Select β†’