--- title: "What is Needed for CMMC 2.0 Level 1 Compliance?" date: 2024-12-04 12:26:53 description: "Use Carbide's free evaluation tool to understand the CMMC 2.0 Level 1 requirements and ensure they are implemented across your systems." keywords: "CMMC 2.0 Level 1" categories: [The Datanomix Blog] tags: [Carbide, CMMC 2.0, Cyber Security, DoD, G-Code, Technology Partner] --- The [Cybersecurity Maturity Model Certification](https://datanomix.io/2024/09/23/how-manufacturers-can-get-secure-and-avoid-government-risk-with-cmmc-compliance/) (CMMC) was created by the U.S. Department of Defense (DoD) to protect sensitive information in the Defense Industrial Base (DIB). Its goal is to ensure contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet specific cybersecurity standards. If you aren’t familiar with CMMC, check out our blog,** **[**_How Manufacturers Can Get Secure and Avoid Government Risk with CMMC 2.0 Compliance_**](https://datanomix.io/2024/09/23/how-manufacturers-can-get-secure-and-avoid-government-risk-with-cmmc-compliance/), to learn what it is and why you’ll have to do it. The original CMMC framework included five levels of compliance, each with increasing cybersecurity requirements. However, CMMC 2.0 (introduced in 2021 and [finalized in October 2024](https://datanomix.io/2024/10/22/the-cmmc-rule-is-final-posted-by-the-dod/)) simplifies this framework by reducing the levels to three (Foundational, Advanced, and Expert) and aligning closely with established standards like NIST SP 800-171 and NIST SP 800-172.  **Level 1 (Foundational)** [Self-assessment](https://carbidesecure.com/cmmc-level-1-questionnaire/) with 15 practices focused on basic cyber hygiene. **Level 2 (Advanced)** Alignment with 110 controls from NIST SP 800-171, requiring third-party assessments for most organizations. **Level 3 (Expert)** Based on NIST SP 800-172, requiring government-led assessments. To ensure you’re on the easiest path to success, check out our on-demand webinar, [**_How to Streamline Your CMMC 2.0 Compliance_**](https://hub.datanomix.io/cmmc-webinar). [](https://6402824.fs1.hubspotusercontent-na1.net/hubfs/6402824/CMMC/15CMMC_Level1Requirments_Checklist.pdf) ### The CMMC 2.0 Implementation Timeline—Key Dates to Know The [CMMC 2.0 implementation is being rolled out in phases](https://datanomix.io/2024/10/22/the-cmmc-rule-is-final-posted-by-the-dod/), giving manufacturers time to prepare. Here are the major milestones: - **Prepare for Phase 1 Assessment: January 2025** Get ready, [self-assessments](https://carbidesecure.com/cmmc-level-1-questionnaire/) will become mandatory for all organizations handling FCI or CUI data. Contractors will need to demonstrate compliance with basic cyber hygiene practices or NIST SP 800-171 controls. [Download a checklist of CMMC 2.0 Level 1 requirements.](https://6402824.fs1.hubspotusercontent-na1.net/hubfs/6402824/CMMC/15CMMC_Level1Requirments_Checklist.pdf) - **Phase 1 Implementation Begins: November 10, 2025** New DoD solicitations/contract awards can start requiring CMMC clauses. Self‑assessments (for Level 1 and Level 2) become required in applicable contracts; in some cases, Level 2 third‑party assessments may be inserted at DoD’s discretion. [Learn more about the 48‑CFR rule here.](https://www.nationaldefensemagazine.org/articles/2025/9/9/cmmc-phase-1-to-begin-nov-10?utm_source=chatgpt.com) - **Phase 2 Begins: November 10, 2026** Approximately one year after Phase 1 starts, Phase 2 begins. Level 2 requires third-party assessments (C3PAO) in more contracts, as per DoD discretion, and is becoming more standardized. - **Phase 3 Full CMMC 2.0 Compliance: November 10, 2027** Higher requirements come in (Level 3 assessments, perhaps for contracts with very sensitive data). Also, more existing contracts or options may need to comply. - **Phase 4: November 10, 2028** Full implementation across the Defense Industrial Base for solicitations/contracts that require it. At this point, CMMC requirements will be widespread as a condition of contract, including for most new solicitations. This phased approach provides contractors a clear roadmap for achieving compliance while minimizing disruptions. ### FREE Self-Assessment Tool **DoD contracts issued after** **December 16, 2024**, will include updated cybersecurity clauses reflecting the new CMMC 2.0 Level 1 structure and their respective requirements. To complete a CMMC 2.0 Level 1 self-assessment*, manufacturers should: 1. **Understand the CMMC 2.0 Level 1 Requirements** [Review the 15 requirements](https://6402824.fs1.hubspotusercontent-na1.net/hubfs/6402824/CMMC/15CMMC_Level1Requirments_Checklist.pdf) and ensure they are implemented across your systems. 2. **Prepare Your Documentation** [Maintain clear records](https://carbidesecure.com/frameworks/cmmc-compliance/) of how your company addresses each practice. 3. **Conduct the Assessment** Use tools like [Carbide’s CMMC 2.0 Level 1 Assessment Questionnaire](https://carbidesecure.com/cmmc-level-1-questionnaire/) to evaluate your compliance. 4. **Submit Your Results **Enter your assessment results in the [Supplier Performance Risk System](https://www.sprs.csd.disa.mil/) (SPRS). If you’re preparing for CMMC 2.0 Level 1 compliance, [Carbide has a free self-assessment tool](https://carbidesecure.com/cmmc-level-1-questionnaire/) to help you navigate the process. This tool provides step-by-step guidance and generates a report identifying gaps that must be addressed to meet the Level 1 requirements. [START YOUR FREE ASSESSMENT](https://carbidesecure.com/cmmc-level-1-questionnaire/) _*For more guidance, consult resources such as the [DoD’s CMMC documentation and self-assessment guides](https://dodcio.defense.gov/cmmc/Resources-Documentation/)._ #### INTRODUCING ## Advanced G-Code Management & DNC Platform The ultimate platform for traceability, compliance, and control so you make it right every time. [Learn More](https://datanomix.io/datanomix-g-code-cloud/) [](https://datanomix.io/datanomix-g-code-cloud/)