Level 1
Foundational
Level 1 applies to companies handling Federal Contract Information (FCI). The verification process requires self-attestation results to be uploaded in SPRS for the DoD’s acceptance before certification is granted.
Level 2
Advanced
Level 2 focuses on the protection of CUI derived from NIST SP 800-171 and requires C3PAO assessment. In select circumstances, and organization will be able to self-attest for a Level 2 certification.
Level 3
Expert
Level 3 has not been finalized but it is expected to include Level 2 controls and select controls from NIST SP 800-171. DIB members will be assessed by government auditors.

Click here to return to CMMC page.