With federal cybersecurity enforcement now fully underway, organizations that fail to meet the latest standards risk losing existing government contracts and being disqualified from future opportunities. Staying compliant is. a critical requirement for protecting your revenue, your reputation, and your eligibility to compete in the defense supply chain.

To help you stay ahead, we’ve provided a clear, streamlined guide outlining which CMMC level aligns with your contracts and the essential steps you must follow at each stage to remain fully compliant.

This level applies to companies that work with Federal Contract Information (FCI) under DoD that is not public but does not affect national security.

Common examples: construction companies, commercial suppliers, logistics, project management providers, staffing subcontractors, etc.

• Requirements: 15 foundational cybersecurity measures based on the FAR 52.204-21 guidelines.
  Assessment: Companies must complete a self-review each year and enter their compliance results in the Supplier Performance Risk System (SPRS). Must affirm after each assessment.
• Security Expectation: Focuses on essential cybersecurity practices listed in the FAR 52.204-21 such as limiting access, running anti malware tools, update malicious code protection, and controlling who can enter physical workspaces.

This level is for any company that handles Controlled Unclassified Information (CUI).

Common examples: aerospace and defense manufacturers, blueprints, technical drawings, ITAR-regulated data, etc.

• Requirements: 110 security protocols based on NIST SP 800 171 R3 by DFARS 252.204-7012.
• Assessment (C3PAO): C3PAO assessment every three years, results entered into CMMC eMASS, and a certification status that stays valid for three years from the official date defined in 32 CFR § 170.4.
• Assessment (Self): OSA assessment every three years, results entered into SPRS, and a certification status that stays valid for three years from the official date defined in § 170.4.
• Security Expectation: Emphasizes well defined security policies, the use of multi factor authentication, strong data encryption methods, mature incident response processes, and other advanced safeguards.

This level is the most critical level containing protocols of the highest complexity and confidentiality. 

Common examples: cutting-edge technology, major weapons systems

• Requirements: 110 NIST SP 800-171 R3 required by DFARS clause 252.204-7012 and 24 selected from NIST SP 800-172 Feb2021, as detailed in table 1 to 32 CFR § 170.14(c)(4)
• Assessment: Must have a level 2 C3PAO certification for the same scope, maintain and complete a DIBCAC assessment certification status every three years from the official date defined in 32 CFR § 170.4, and record results in SPRS.
• Security Expectation: Involves advanced defensive capabilities such as active threat hunting, sophisticated system surveillance, and measures designed to counter nation state–level cyber espionage.

LeeShanok Network Solutions gives your business clear guidance, strong protection, and a direct path to CMMC 2.0 success. Our team reviews your environment, builds needed policies and strengthens your security controls with a hands on approach that keeps your work moving.

We track your systems every day, respond to risks, and keep your documentation aligned with NIST 800 171 standards so audits stay smooth and predictable (NIST, 2024). Our goal centers on helping you stay secure, compliant, and ready for new federal requirements. Contact your dedicated account manager to review your compliance.