CMMC: Understanding what changed, who needs which level, and how to prepare efficiently
The Department of Defense’s updated Cybersecurity Maturity Model Certification (CMMC) requirements officially went into effect on November 10, 2025, introducing a clearer and more enforceable approach to protecting sensitive government information.
For technology companies, the challenge isn’t just compliance; it’s understanding whether CMMC applies at all, and if so, what level is actually required. Many organizations assume CMMC only affects direct DoD contractors, only to discover later that requirements can flow down through customers, partners, and supply chains.
This blog breaks down CMMC Level 1 and Level 2, explains how they differ, and outlines what companies should realistically expect when preparing.
Why CMMC Exists and Why It’s Showing Up More Often
The DoD relies heavily on commercial entities to support defense operations. That work often involves handling sensitive information outside of government-controlled environments.
CMMC establishes a consistent cybersecurity baseline to protect that information and ensures organizations can demonstrate compliance.
CMMC may apply if your organization:
- Works directly with the Department of Defense
- Supports customers or partners that do DoD work
- Handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
- Provides SaaS, IT, engineering, or managed services used in regulated environments
Even companies without direct DoD contracts are increasingly encountering CMMC requirements during customer onboarding, renewals, or security reviews.
Equally important, CMMC isn’t only a reactive requirement. Many companies are approaching CMMC proactively as a way to:
- Reduce friction during contract bids and renewals
- Shorten security review cycles with DoD contractors
- Demonstrate maturity to partners and customers
- Be ready when opportunity arises rather than scrambling later
CMMC Level 1 vs. Level 2: What’s the Difference?
While CMMC includes multiple levels, most companies fall into Level 1 or Level 2.
CMMC Level 1: Foundational (FCI)
Level 1 focuses on baseline cybersecurity hygiene, including access control, authentication, physical security, basic incident response, and device and media protection.
Who it applies to: Organizations that handle Federal Contract Information (FCI) but do not handle CUI.
What it requires:
- 15 basic safeguarding requirements drawn from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
- Annual self-assessment, with results entered in the Supplier Performance Risk System (SPRS)
- Annual executive affirmation
**Where teams often struggle:** Not with the controls themselves, but with documentation and evidence: proving that the controls exist and are consistently followed.
CMMC Level 2: Advanced (CUI)
Level 2 requires mature, repeatable security practices, not just tools or intentions.
Who it applies to: Organizations that receive, store, process, or transmit Controlled Unclassified Information (CUI).
What it requires:
- 110 security requirements from NIST SP 800-171 Revision 2
- Formal policies and procedures
- A System Security Plan (SSP) that defines the assessed environment and describes how each requirement is implemented
- Evidence of control implementation
- An assessment against all 320 assessment objectives in NIST SP 800-171A: either a self-assessment (Level 2 Self) or a certification assessment by an authorized third-party assessment organization (Level 2 C3PAO), with the contract specifying which; both are repeated every three years with an annual affirmation in between
**Where teams often struggle:** Unclear scoping of the CUI environment, incomplete documentation, gaps in multifactor authentication, logging, encryption, or configuration management, and overengineering controls beyond what is required.
How to Determine Which Level You Need
A simple rule of thumb:
| Scenario | Likely Level |
|---|---|
| Handles FCI only | Level 1 |
| Handles CUI | Level 2 |
| Handles CUI on high-priority DoD programs | Level 3 (rare; builds on a Level 2 certification) |
Unfortunately, many organizations don’t realize they handle CUI until it surfaces through customer or prospective client questionnaires, contract renewals, integrations, support access, or supplier flow-down requirements.
That’s why scoping – understanding where sensitive data lives and who touches it – is the most critical first step.
What Preparation Typically Looks Like
For most companies, CMMC readiness follows a predictable path:
- Applicability determination
- Environment scoping and boundary definition
- Gap assessment against required controls
- Targeted remediation
- Documentation and evidence collection
- Assessment readiness
Organizations that approach CMMC methodically tend to avoid last-minute surprises and unnecessary rework, and those that start before a contract demands it gain real advantages. Preparation completed ahead of demand helps teams:
- Respond faster to RFPs and security questionnaires
- Avoid last-minute compliance work that slows sales cycles
- Reduce operational disruption by planning remediation on their timeline
- Signal readiness and credibility to prospective customers
Final Thoughts
Increasingly, organizations are treating CMMC readiness as a business enablement decision, not just a compliance obligation. Being prepared ahead of demand can remove friction from future opportunities and position teams to move faster when contracts or partnerships emerge.
If CMMC ever comes up for your organization, having a clear, plain-English reference can save time, confusion, and unnecessary effort.
How Advantage Partners Helps
As a CMMC Registered Provider Organization (RPO), Advantage Partners helps technology companies:
Our approach focuses on clarity, efficiency, and right-sized guidance – helping teams do what’s required for compliance.
Learn more about our CMMC service.