CMMC Series Part 2: Ensuring the Right CMMC Level for Your Organization

Modified on: January 4, 2021

In This Article

  • Learn how to determine the right CMMC level for your organization to win your DoD contracts going forward.
  • Learn how to ensure that your subcontractors are also ready for the appropriate CMMC level.


This article was sourced from SecureStrux and Apptega’s October 2020 Webinar, “Preparing for CMMC Certification.”


How can I determine which Level I’ll need to achieve?

Based on the Department of Defense’s (DoD) data, the Defense Industrial Base (DIB) will, for the most part, be made up of contractors and subcontractors who need to meet basic cyber hygiene, or CMMC Level 1 — about 70%. They predict that 25% of contractors and subcontractors will require CMMC Level 3, and around 5% will need Level 4 or 5.

  • Understand your data.

In order to determine which level your organization will need to achieve, the first step is to examine the kind of data you handle and deeply understand where it falls in the CMMC framework. For example, if you handle Federal Contract Information (FCI), you’ll need to meet Level 1 at a minimum. If you handle Controlled Unclassified Information, you’ll need to meet at least Level 3. Organizations that build Weapon systems will likely  require Level 4 or 5.

It helps if you already have a handle on this, but consultants can help immensely if you need guidance. You can also get a general overview of types of information and the protection they require from the first article in our CMMC series.

  • Understand your contracts.

It’s important to examine the contracts you’ll be bidding on and the types of information they’ll require you to handle, especially since the process is going to be done through DoD acquisitions.

  • Refer to your NIST 800-171 assessment.

The CMMC Level Requirements are based on NIST 800-171, which is geared towards organizations that have dealt with Controlled Unclassified Information (CUI). Therefore, referring to the requirements covered by NIST 800-171 should give you an idea of how many controls you may still need to develop. 

However, if your organization’s assessment is not complete or the requirements are not met, you may not be ready for a full CMMC assessment. At this point, it may be in your organization’s best interest to aim for CMMC Level 2 with the intention of reaching Level 3 as quickly as possible.

How Can I Ensure that My Subcontractors Are Ready with the Appropriate CMMC Level?

The DoD hasn’t provided much guidance on this. All the same, it’s an issue facing both prime contractors and subcontractors alike. There aren’t necessarily contracts with required levels sitting on anyone’s desks yet, making discussions between contractors and subcontractors even more daunting.

What we do know is that there is somewhat of a flow-down from prime contractors to their subcontractors. For example, a contractor may be at Level 4 CMMC, but half of their subcontractors may require Level 3 CMMC and the other half, which are suppliers in some form, may require Level 1 CMMC. It’s important to understand what kind of information is being dealt with, at which levels, and what is being passed back and forth.

  • Query the DoD contracting office.

When trying to renew or win back a contract, there will be plenty of communication between your organization and the Government contracting office. Keep in mind that rule changes can happen along the way (and under the radar).

Keep your contracting officers under appropriate pressure to give your organization guidance as you work with your subcontractors. The decision you come to should be based on as much knowledge as possible.

  • Don’t aim too high, and don’t pressure subcontractors to aim too high.

Resources, time, and cost become exponentially higher from one level to the next once Level 3 CMMC and above is required. While it may seem like a small jump, the cybersecurity maturity requires significantly more infrastructure between levels 3 and 4, and between 4 and 5. While you want to avoid going too low, it’s also important to steer clear of the trap of “being proactive” by aiming too high. 

Aiming too high can put unnecessary strain on smaller businesses. Keep in mind that if a subcontractor only ressells commercial off-the-shelf (COTS), then they may not need the CMMC at all.

  • Hire consultants to help you.

If you need CMMC Level 3 or above, your needs are more complicated than contractors and subcontractors who need CMMC Level 1. Even if you’re confident that you know what you need, a contractor can help you plan and execute your assessment preparation phase from the top down.

  • Have effective conversations with your subcontractors about CMMC.

Instead of making a general inquiry about their status and confidence in their CMMC preparation, ask good questions to get more accurate answers.

For example, instead of asking, “Are you compliant with NIST 800-171?” Ask, “Which controls of NIST 800-171 are in your Plan of Action and Milestones (POA&M) and which are currently in place?”

Do you still have questions about the various CMMC levels and how to determine which you and your subcontractors should aim for? You can read more on our CMMC services page, or schedule a one-on-one meeting with a CMMC subject matter expert. 

For a more proactive solution to address your questions and streamline CMMC preparation, there are options like the Assured Defense Package, designed by SecureStrux to help simplify the process.