CMMC 2.0, Level 1 vs Level 2, and what DFARS 7012 actually requires.
The short version: if you touch DoD contracts, CMMC certification is now contractual. Here's how to tell which level you need, what SPRS scoring means, and where to start this week.
By Hemant Bundele, Founder, HanumanLabs — DIB contractor and CMMC practitioner.
Last updated: April 2026
What is CMMC?
CMMC 2.0 — the Cybersecurity Maturity Model Certification — is the DoD's way of proving that every company in its supply chain actually implements the cybersecurity controls it's been promising in DFARS clauses for a decade.
If your company processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on a DoD contract, CMMC applies to you. That includes primes and subcontractors at every tier, including subs three or four levels down the chain. If you've ever received a DFARS 252.204-7012 flowdown, you're in scope.
The level you need depends on what information you handle. FCI only → Level 1. CUI → Level 2.
CMMC is now finalized and entering implementation.
The 32 CFR Part 170 final rule took effect December 16, 2024, establishing the program. The DFARS companion rule (48 CFR) is phasing CMMC requirements into contracts starting in 2025 via DFARS 252.204-7021. While not all contracts include CMMC yet, adoption is increasing — contractors handling CUI under DFARS 252.204-7012 should expect a growing number of solicitations to require CMMC compliance, and primes are increasingly pushing readiness expectations down to subcontractors.
Level 1 vs Level 2
Short version:
Handle FCI only? → Level 1 (15 practices, self-assess). Handle CUI? → Level 2 (110 controls, SPRS scored, C3PAO audit if the contract requires). Not sure? Book a 15-min call →
Level 1
FCI Protection
- 15 security practices (FAR 52.204-21)
- Self-assessment only — no third-party audit
- Pass/fail — no SPRS score required
- For contractors who handle FCI only
Based on CMMC Assessment Guide Level 1 v2.13
Level 2
CUI Protection
- 110 security controls (NIST SP 800-171 Rev 2)
- Self-assessment or C3PAO audit, depending on your contract
- SPRS score from -203 to 110, reported to DoD
- For contractors who handle CUI
Based on CMMC Assessment Guide Level 2 v2.13
Where CMMC fits in the regulatory landscape
Three rules come up over and over in CMMC conversations. Here's what each one actually does.
FAR 52.204-21
Basic safeguarding of FCI. 15 requirements. This is the floor — every DoD contractor has been bound by it since 2016. CMMC Level 1 certifies against it.
DFARS 252.204-7012
The CUI clause. Requires NIST SP 800-171 compliance (110 controls) and 72-hour cyber incident reporting. CMMC Level 2 certifies against it.
32 CFR Part 170 (CMMC Final Rule)
The program rule. Turns CMMC from a suggestion into a contract requirement. Effective December 16, 2024; being written into new contracts now.
CMMC questions, answered.
What level do I need?
FCI only → Level 1. CUI → Level 2. If you’re not sure whether you handle CUI, the DFARS clauses in your contract will tell you.
What is an SPRS score?
A number between -203 and 110 that summarizes your Level 2 compliance posture. DoD uses it as a supply-chain risk signal. You self-report it in SPRS.dod.mil for a Level 2 self-assessment, or it’s captured from your C3PAO audit.
Do I need a C3PAO?
Only if your contract calls for Level 2 C3PAO assessment (the higher-risk CUI track). Many Level 2 contractors can self-assess. Read your contract clauses.
What happens if I don’t comply?
You won’t win or keep DoD contracts that require the CMMC level in scope. It’s a gate, not a fine.
When do I need to be certified?
Phased rollout started with new contracts in 2025. Most subs are seeing flowdowns now with 30–90 day response windows.
Can I start with a spreadsheet?
You can start. You can’t finish. The CMMC assessment requires linked evidence, implementation statements per control, an SPRS calculation, and an SSP. A spreadsheet breaks the moment the one person who knows it leaves.
How long does getting audit-ready take?
With a tool like CMMCSync: 30–90 days for most small contractors. With spreadsheets and a consultant: 4–12 months and $50K–$150K.
Not sure which level you need?
Book a free 15-minute call. Bring your contract or DFARS clauses — we'll read them with you and tell you exactly what applies.
2-minute application. We reply within 24 hours. Cancel anytime.