The 3 Levels of CMMC: Which One Does Your Business Need?
With the growing threat to government data, businesses working with the Department of Defense (DoD) must meet Cybersecurity Maturity Model Certification (CMMC) requirements. But how do you know which of the three CMMC levels applies to your business? This guide will help you determine which level of CMMC certification your business needs to achieve.
Whether you're a small business just getting started with government contracts or a larger organization managing sensitive data, understanding the CMMC compliance levels is the first step toward staying secure and eligible to win contracts.
What is CMMC? (A Quick Overview)
CMMC stands for Cybersecurity Maturity Model Certification. It was developed by the Department of Defense to strengthen the protection of sensitive information across the defense industrial base. The goal is to make sure that companies doing business with the DoD follow specific cybersecurity practices based on the type of data they handle: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The first version of CMMC had five levels, but the updated model, known as CMMC 2.0, has three. These levels are easier to understand and are aligned with existing standards: the basic safeguarding requirements of FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172.
If you're new to the process, our Understanding CMMC: Why It Matters for Your Business – In Non-Technical Terms guide offers a beginner-friendly explanation.
What is a Level 1 CMMC? CMMC Level 1 is for businesses that handle Federal Contract Information (FCI). It requires basic cybersecurity measures: the 15 safeguarding requirements of FAR 52.204-21 (earlier CMMC 2.0 material counted them as 17 practices), aimed at protecting that information.
CMMC Levels Explained: The 3 Levels of CMMC Compliance
There are three official CMMC levels in the updated framework, and each level builds on the one before it: Level 2 includes every Level 1 requirement, and Level 3 includes every Level 2 requirement. The levels are designed to match the cybersecurity needs of businesses based on the type of government data they handle.
Understanding the CMMC compliance levels is essential if you're bidding on DoD contracts. Each level has a different set of requirements and a different assessment regime, and the level your business must meet is stated in the solicitation and contract.
For smaller organizations, it may help to explore Managed IT Services for small businesses to get a sense of what's needed to support compliance at any level.
CMMC Level 1: Basic Cyber Hygiene
CMMC Level 1 requirements are designed for companies that work with Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service.
To meet Level 1, your business must implement the 15 basic safeguarding requirements of FAR 52.204-21. These include:
- Limiting system access to authorized users, and to the transactions and functions those users need
- Identifying and authenticating users, processes and devices before granting access
- Controlling connections to external systems and what is posted on publicly accessible systems
- Limiting physical access to systems and escorting visitors
- Monitoring and controlling communications at system boundaries, including email and other communication tools
- Correcting system flaws promptly, running malicious code protection, keeping it updated, and scanning files
Assessments at this level are self-conducted annually, and a senior company official must affirm the results each year.
What is Level 1 CMMC compliance? Level 1 focuses on basic cybersecurity hygiene with 15 required safeguards that protect Federal Contract Information (FCI). It is the level for businesses handling FCI but no Controlled Unclassified Information.
If you're looking for CMMC for small business solutions, Level 1 is often a good starting point. Our Fully Managed IT Services can support these foundational needs.
CMMC Level 2: Advanced Cybersecurity Measures
The next step up is CMMC Level 2, which applies to businesses that handle Controlled Unclassified Information (CUI). CUI is information the government creates or possesses, or that a contractor handles on its behalf, that requires safeguarding under law, regulation or government-wide policy but is not classified. Controlled technical information and export-controlled data are common examples in defense contracts.
CMMC Level 2 requirements are the 110 security requirements of NIST SP 800-171 Revision 2. These cover:
- Access control, including multifactor authentication for privileged and network access
- Security awareness and role-based training for employees
- Incident response, including reporting
- Risk assessment and vulnerability scanning
- Audit logging and ongoing system monitoring for threats
Depending on your contract, Level 2 requires either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO). Either kind is performed every three years, with an annual affirmation in between, and the solicitation states which one applies.
What are the CMMC Level 2 requirements? Level 2 includes the 110 security requirements of NIST SP 800-171 and applies to businesses that handle Controlled Unclassified Information (CUI). It requires stronger security controls than Level 1, including multifactor authentication, audit logging and system monitoring.
Our CMMC compliance page outlines how our services align with NIST standards and help you navigate Level 2.
CMMC Level 3: Expert-Level Security
CMMC Level 3 is the most advanced level and is intended for businesses that handle CUI on the DoD's highest-priority programs, where the risk from advanced persistent threats is greatest. This includes data related to critical programs and high-value assets.
At this level, companies must meet all 110 Level 2 requirements plus 24 selected enhanced requirements from NIST SP 800-172. These include:
- Use of threat intelligence and proactive cyber threat hunting
- Penetration testing of systems that process CUI
- Stronger incident response and recovery capabilities
- Enhanced protection of CUI, such as network segmentation and hardened configurations
What is Level 3 CMMC compliance? Level 3 applies to businesses handling the most sensitive CUI and requires advanced cybersecurity practices, including threat hunting and continuous monitoring, drawn from NIST SP 800-172. A Level 2 certification from a C3PAO is a prerequisite, and the Level 3 assessment itself is conducted by the DoD (the Defense Contract Management Agency's DIBCAC) every three years.
Companies pursuing Level 3 should consider leveraging external partners for Fully Managed IT to maintain high-level security around the clock.
Which CMMC Level Do I Need?
The right level for your business depends on the type of data you manage and the nature of your DoD contracts. If a contract involves only FCI, Level 1 applies. If it involves CUI, Level 2 is the norm (as a self-assessment or a C3PAO certification, whichever the contract specifies), and Level 3 applies only where the DoD designates it for its highest-priority programs. The required level is stated in the solicitation.
Which CMMC level do I need? Your business needs a specific CMMC level based on the type of data you handle (FCI vs. CUI) and the contracts you hold. If you handle CUI, you will need a higher CMMC level (Level 2 or Level 3), and the solicitation will say which.
Our Managed IT Services for small businesses are designed to scale with your compliance needs, whether you're just getting started or aiming for Level 3.
If you're unsure, conducting a pre-assessment, a gap analysis against the requirements for your target level, shows where you currently stand and what remains to be fixed before a formal assessment.
Let The IT Company Help You Stay Compliant
CMMC compliance is more than a checklist: it's a vital part of securing your organization and staying eligible for Department of Defense contracts. At The IT Company, we specialize in helping businesses understand, meet, and maintain the right CMMC compliance levels for their needs.
For many small and mid-sized organizations, especially those just entering the defense space, Level 1 may be enough. But as your business grows, or your contracts become more complex, you'll need to meet more advanced cybersecurity requirements. Whether it's supporting your team with foundational practices or preparing you for the rigorous demands of CMMC Level 3 requirements, we're here to help.
Our experience with CMMC for small business clients means we understand how to align technical strategy with compliance goals without disrupting your operations.
Ready to move forward? Book a Call with The IT Company today and let's start your CMMC journey together.