CMMC 2.0 Certification: How To Determine Your CMMC Level

As you're probably aware, the US Department of Defense (DoD) introduced a new cybersecurity certification into its contracting rules in September 2020 (via an interim DFARS rule). This certification, called CMMC (Cybersecurity Maturity Model Certification), applies to all DoD contractors, subcontractors and suppliers that handle federal contract information or controlled unclassified information, regardless of industry or location (USA, Canada or anywhere else).

One of the key steps in the CMMC 2.0 certification process is to identify which CMMC level you require.

Here's how to do it:

1 - Determine what type of information you have access to as part of your business relationship with DoD

Start by determining what types of information you collect, create or share as part of your contracts with DoD, whether directly or via partners.

  • Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a federal or DoD contract. Information the government has already made public (for example, on a public website) and simple transactional data such as payment processing details are not FCI.
  • Controlled Unclassified Information (CUI): although not classified, this information requires safeguarding because its disclosure could affect US national security or other government interests. Examples of CUI: drawings, specifications or architecture documents needed to manufacture a military component, etc.

Note that DoD can provide you with CUI, but you can also produce CUI for DoD yourself, for example engineering documents created while performing a contract.

2 - Determine your CMMC level

Most organizations will have to comply with CMMC Level 1 or Level 2. Level 3 is reserved for a small category of contractors handling the most sensitive CUI; it builds on Level 2 with additional requirements drawn from NIST SP 800-172 and is assessed by DoD itself rather than by a third party.

  • If you only handle FCI, you must comply with CMMC Level 1 (the 15 basic safeguarding practices of FAR 52.204-21, confirmed by an annual self-assessment).
  • If you handle or produce CUI, you must comply with CMMC Level 2 (the 110 security requirements of NIST SP 800-171). Note that there are 2 categories of CMMC Level 2: contracts requiring an assessment by a CMMC Third-Party Assessment Organization (C3PAO), and contracts for which a self-assessment is sufficient. Which one applies is stated in the contract, not chosen by the contractor.
  • CMMC Level 2 aligns with NIST SP 800-171. If your prime contractor or partners flow down a NIST SP 800-171 requirement, expect Level 2 to be the level that applies to you.
  • The required CMMC level, and whether a third-party assessment is required, is specified in the DoD solicitation or contract.


Please note that it is your responsibility to identify the correct CMMC level and to maintain compliance with it. Without the required CMMC level, you may not be allowed to bid on, or be awarded, the corresponding DoD contracts.

3 - Evaluate your readiness for CMMC 2.0 or NIST 800-171 compliance

We've created a form to help you assess your level of readiness for CMMC 2.0 or NIST 800-171 compliance.

How StreamScan can help you with your CMMC compliance process

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially registered to advise and assist organizations in their CMMC process. Note that an RPO prepares you for assessment; the Level 2 certification assessment itself is performed by a C3PAO.

Our cybersecurity experts are available to assist you in your CMMC compliance process.

For more details on our CMMC service, visit this link.

Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.
