CMMC: Understanding Maturity Levels

By Heather Bennett

October 17, 2022

In keeping with our CMMC theme, we are going to delve into a topic that has seen some change. There are many articles on this topic online. Sadly, my most recent Google search revealed that the old, inaccurate information is quite prevalent. Hopefully this will alleviate some confusion and get everyone on the same page.

If you have spent any time trying to figure out where you belong in the CMMC ecosystem, you have more than likely heard the term CMMC Maturity Level. This is not an “act your age, not your shoe size” thing. This is the level at which your company will be assessed against the CMMC standards.

CMMC Maturity Levels: Then and Now

The original goal of the CMMC was to safeguard sensitive information. CMMC 2.0 was introduced in November of 2022 with some significant changes. Most notable was the change in maturity levels. This change was made to minimize barriers to compliance with DoD requirements while still holding companies accountable for implementing cybersecurity.

The first version of CMMC had 5 Maturity levels ranging from Basic to Advanced. The assessment requirements for this model were confusing and impractical for most small businesses operating as contractors or subcontractors. After much consideration, the levels were simplified and better defined. CMMC 2.0 was born.

CMMC 2.0 has only three maturity levels: Foundational, Advanced, and Expert. However, the reduction in levels is not the only notable change. The change in assessment requirements was also a huge change that was much needed for small businesses. This change made it easier for compliant small businesses to meet the CMMC requirements. Why is that the case?

How Mature Are You?

Level 3

As mentioned previously, CMMC 1.0 had five maturity levels, including a Level 4 and a Level 5. These two levels were defined by the type of CUI and FCI they protected, with Levels 4 and 5 earmarked for protecting the most sensitive CUI data types. CMMC version 2.0 combines these two levels into what we now know as CMMC 2.0 Maturity Level 3.

CMMC 2.0 Maturity Level 3 is still intended to protect the same sensitive CUI but with a simplified approach. Additionally, CMMC 2.0 Maturity Level 3 will now require the DIB contractor to have a government-led assessment.

Level 2

What was once known as CMMC 1.0 Maturity Level 3 and Level 2 has now become CMMC 2.0 Maturity Level 2. Level 2 handles CUI and FCI of a less sensitive nature. With 110 practices, this level is required to have an assessment every three years by a C3PAO, and an annual self-assessment for some programs.

Level 1

The new CMMC 2.0 Maturity Level 1 retains many of the same parameters as the previous CMMC 1.0 Maturity Level 1. CMMC 2.0 Maturity Level 1 remains at 17 practices to be assessed. The big change here is that these companies will be able to perform an annual self-assessment. This drastically reduces the cost for small businesses that handle only FCI. This new approach also allows them to demonstrate that they are protecting the FCI without incurring the cost of a third-party assessment.

Upcoming Blog

We will discuss some need-to-know acronyms in the next article. This article will help you learn the language of CMMC.

Be sure to subscribe to our blog and check out our new podcast for more in-depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville-based, HUBZone-certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!


Provincia Government Solutions is an SBA-certified Small Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO). We were the first organization to become a C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines, and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC-related inquiries. We look forward to speaking with you!