252.204-7021 — Cybersecurity Maturity Model Certification Requirements
Researched by the BidStride Research Team
What This Clause Requires
Requires the contractor to maintain the CMMC level specified in the solicitation and to have a current certification on record in SPRS. CMMC Level 2 requires a third-party assessment by a C3PAO.
Official Regulation Text
See 48 CFR 252.204-7021 for the full regulatory text. This clause implements CMMC 2.0 and requires contractors to achieve and maintain the cybersecurity maturity level (1, 2, or 3) specified in the contract. Certification status must be current and posted in SPRS.
Compliance Checklist
- Achieve and maintain the CMMC level specified in the contract (1, 2, or 3)
- CMMC Level 2: obtain certification from a DoD-approved C3PAO
- CMMC Level 3: obtain certification from DCSA
- Post CMMC certification status to SPRS
- Maintain CMMC certification for the duration of the contract
- Flow down appropriate CMMC level to all subcontractors handling CUI
Flow-Down to Subcontractors
Flow-down required
This clause must be included in subcontracts with all subcontractors at all tiers where the subcontractor will perform work covered by this clause. Typically appears in contract Sections H, I, L, M.
Frequently Asked Questions
Level 1 (Foundational) covers 17 basic cybersecurity practices for protecting Federal Contract Information (FCI). Level 2 (Advanced) covers all 110 NIST SP 800-171 controls for protecting CUI. Level 3 (Expert) adds 24 additional practices from NIST SP 800-172 for the most sensitive DoD programs.
A C3PAO is a CMMC Third Party Assessment Organization authorized by the Cyber-AB. They are independent assessors who verify your CMMC Level 2 compliance. You can find authorized C3PAOs at cyberab.org/Certified-Assessor-Organizations.
CMMC Level 2 certifications are valid for 3 years, after which a reassessment is required. Level 1 allows annual self-attestation. Level 3 certifications issued by DCSA follow a similar 3-year cycle.
For Level 2, you must have a current CMMC certificate before contract award — not just before proposal submission in most cases. Some solicitations allow conditional award with a path to certification, but this is at the agency's discretion.
This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.