How to Determine Your CMMC Level: A Straightforward Guide
With the Department of Defense (DoD) making CMMC a contractual necessity, guessing your level is not an option. Determining it requires a clear, strategic assessment.
At SnapGRC, we specialise in simplifying governance, risk, and compliance. In this guide, we’ll walk you through the key questions to ask in order to determine your correct CMMC level with confidence.
Understanding the CMMC Framework
First, a quick refresher. The CMMC model is designed to protect sensitive defence information within the supply chain. It consists of three maturity levels, each building upon the last:
CMMC Level 1: Foundational – Basic cyber hygiene practices.
CMMC Level 2: Advanced – Intermediate cyber hygiene practices, aligned with the security requirements specified in NIST SP 800-171.
CMMC Level 3: Expert – Enhanced cyber hygiene practices that build on Level 2, based on a subset of the NIST SP 800-172 requirements.
Your goal is to match your organisation’s activities with the correct level. The process hinges on the type of information you handle.
The Two Key Questions to Determine Your CMMC Level
Forget complex charts. You can start with two fundamental questions.
Question 1: Do You Handle Federal Contract Information (FCI)?
What is FCI? This is information not intended for public release that is provided by or generated for the government under a contract. Examples include project plans, cost data, and administrative information.
If your answer is YES: Your organisation must meet CMMC Level 1 requirements. This is the baseline for all contractors who handle FCI.
Question 2: Do You Handle Controlled Unclassified Information (CUI)?
This is the critical question for most defence contractors. CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. Examples include technical drawings, engineering data, and operational procedures.
If your answer is NO: If you do not handle CUI and only handle FCI (from Question 1), then CMMC Level 1 remains your target.
If your answer is YES: This is where you need to dig deeper. Handling CUI means you must aim for at least CMMC Level 2. This level encompasses all 110 security practices from NIST SP 800-171.
But what about Level 3?
CMMC Level 3 is reserved for organisations that handle CUI and are part of critical programmes or technologies that are high-value targets for advanced persistent threats (APTs). The DoD will specify in the contract if Level 3 is required. It involves enhancing your Level 2 practices to reduce the risk from APTs.
A Practical Step-by-Step Approach
Review Your Contracts: Scrutinise your current and future DoD contracts. Look for clauses mentioning FCI, CUI, DFARS 252.204-7012, or specific data handling requirements. The contract is your primary guide.
Conduct a Data Inventory: Work with your project and technical teams to identify where FCI and CUI flow within your organisation. What systems store, process, or transmit this sensitive data? You cannot protect what you do not know.
Perform a Gap Analysis: This is the most crucial step. Compare your current security posture against the practices required for the CMMC level you have identified. For Level 2, this means assessing your compliance with all 110 controls of NIST SP 800-171.
Seek Expert Advice: When in doubt, consult with a Certified CMMC Professional (CCP) or a Registered Practitioner (RP). They can provide an objective assessment of your situation.
How SnapGRC Simplifies the Process
Manually tracking compliance across hundreds of controls is a monumental task. That’s where SnapGRC comes in. Our platform is built to take the complexity out of CMMC readiness.
Clarity from the Start: Our intuitive dashboard helps you map your data types (FCI/CUI) to the correct CMMC level, providing immediate clarity on your requirements.
Automated Gap Analysis: SnapGRC allows you to import your current controls and automatically measures them against the CMMC framework, highlighting gaps instantly.
Continuous Monitoring: Compliance is not a one-off event. Our platform provides real-time visibility into your security posture, making it easy to maintain compliance and prepare for audits.
Ready to Confidently Determine Your CMMC Level?
Determining your CMMC level is the essential first step on your compliance journey. By understanding the data you handle and systematically assessing your controls, you can move forward with certainty.
Let SnapGRC be your guide. Our powerful, user-friendly platform is designed to help UK defence contractors like you achieve and maintain CMMC compliance efficiently.
Contact us today for a demo and see how we can simplify your path to certification.