Click here to open the CMMC Guide & Checklist.

The CMMC Guide & Compliance Checklist 2025 Edition walks you through the three levels of CMMC certification and provides guidance on what to do next and where you can find preparation help, no matter where you are on your journey.

If you’d like to schedule a time to speak with our cybersecurity experts, click here.

About the CMMC Program from the Department of Defense

The CMMC program is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with defense contractors and subcontractors across the defense industrial base (DIB) by enforcing the use of certain cybersecurity processes and tools.

The three levels of CMMC certification are:

Level 1: Foundational Cyber Hygiene

Contractors and subcontractors handling only FCI data (no CUI data) will require a Level 1 certification, which includes 15 practices and a self-attestation of compliance.

Level 2: Advanced Cyber Hygiene

Our team expects the award of many future DoD contracts to require CMMC Level 2 certification. Level 2 includes 110 practices aligned with the NIST SP 800-171 framework. Many contract awards at Level 2 are expected to require a formal third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO). Select programs will allow for self-attestation at Level 2.

Level 3: Expert Cyber Hygiene

Contracts that include the sharing of particularly vital CUI will require level 3 certification, “Expert Cyber Hygiene.” Level 3 builds on Level 2, consisting of 134 requirements – 110 from NIST SP 800-171 and 24 from NIST SP 800-172. We expect a small fraction of contracts to require compliance with this level.

The Department of Defense (DoD) estimates that companies will need at least six months to prepare for formal assessments and certification. Certification requirements extend beyond implementing security practices and include documenting the regular completion of certain practices over a period of months.