---
title: "What is Needed for CMMC 2.0 Level 1 Compliance?"
date: 2024-12-04 12:26:53
description: "Use Carbide's free evaluation tool to understand the CMMC 2.0 Level 1 requirements and ensure they are implemented across your systems."
keywords: "CMMC 2.0 Level 1"
categories: [The Datanomix Blog]
tags: [Carbide, CMMC 2.0, Cyber Security, DoD, G-Code, Technology Partner]
---

The [Cybersecurity Maturity Model Certification](https://datanomix.io/2024/09/23/how-manufacturers-can-get-secure-and-avoid-government-risk-with-cmmc-compliance/) (CMMC) was created by the U.S. Department of Defense (DoD) to protect sensitive information in the Defense Industrial Base (DIB). Its goal is to ensure contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet specific cybersecurity standards.

If you aren’t familiar with CMMC, check out our blog,** _[CMMC for Manufacturers: What Phase 2 Means and How to Get Ready](https://datanomix.io/2026/05/01/cmmc-compliance-for-manufacturers/)_**, to learn what it is and why you’ll have to do it.

The original CMMC framework included five levels of compliance, each with increasing cybersecurity requirements. However, CMMC 2.0 (introduced in 2021 and [finalized in October 2024](https://datanomix.io/2024/10/22/the-cmmc-rule-is-final-posted-by-the-dod/)) simplifies this framework by reducing the levels to three (Foundational, Advanced, and Expert) and aligning closely with established standards like NIST SP 800-171 and NIST SP 800-172.

**Level 1 (Foundational)**
[Self-assessment](https://carbidesecure.com/cmmc-level-1-questionnaire/) with 15 practices focused on basic cyber hygiene. 

**Level 2 (Advanced)**
Alignment with 110 controls from NIST SP 800-171, requiring third-party assessments for most organizations.

**Level 3 (Expert)**
Based on NIST SP 800-172, requiring government-led assessments.

To ensure you’re on the easiest path to success, check out our on-demand webinar, **_[How to Streamline Your CMMC 2.0 Compliance](https://datanomix.io/2024/09/17/webinar-how-to-streamline-your-cmmc-2-0-compliance/)_**.

[](https://6402824.fs1.hubspotusercontent-na1.net/hubfs/6402824/CMMC/15CMMC_Level1Requirments_Checklist.pdf)

### The CMMC 2.0 Implementation Timeline—Key Dates to Know

The [CMMC 2.0 implementation is being rolled out in phases](https://datanomix.io/2024/10/22/the-cmmc-rule-is-final-posted-by-the-dod/), giving manufacturers time to prepare. Here are the major milestones:

- **Phase 1 — November 10, 2025 (now in effect):** CMMC clauses began appearing in new DoD solicitations and contract awards. [Self-assessments ](https://carbidesecure.com/cmmc-level-1-questionnaire/)(Level 1 and Level 2) are required as a condition of award for applicable contracts. The DoD has discretion to require third-party (C3PAO) Level 2 certification on prioritized contracts during this phase. [Learn more about the 48-CFR rule here](https://www.nationaldefensemagazine.org/articles/2025/9/9/cmmc-phase-1-to-begin-nov-10). 

- **Phase 2 — November 10, 2026:** Third-party C3PAO-assessed Level 2 becomes the default for contracts involving CUI. Self-assessments stop counting for CUI work. Level 3 assessments become available at DoD’s discretion.

- **Phase 3 — November 10, 2027:** Level 2 (C3PAO) becomes a condition for option exercises on existing contracts, not just new awards. Level 3 (DIBCAC) assessment requirements become mandatory in applicable solicitations.

- **Phase 4 — November 10, 2028:** Full implementation. CMMC requirements apply to all applicable DoD contracts, solicitations, and option periods above the micro-purchase threshold that handle FCI or CUI.

This phased approach provides contractors with a clear roadmap for achieving compliance while minimizing disruptions.

### FREE Self-Assessment Tool

DoD contracts issued after **November 10, 2025,** may include the new CMMC clauses, and most contracts that touch FCI or CUI will eventually. To complete a CMMC 2.0 Level 1 self-assessment*, manufacturers should:

1. **Understand the CMMC 2.0 Level 1 Requirements**
[Review the 15 requirements](https://6402824.fs1.hubspotusercontent-na1.net/hubfs/6402824/CMMC/15CMMC_Level1Requirments_Checklist.pdf) and ensure they are implemented across your systems.

2. **Prepare Your Documentation**
[Maintain clear records](https://carbidesecure.com/frameworks/cmmc-compliance/) of how your company addresses each practice.

3. **Conduct the Assessment**
Use tools like [Carbide’s CMMC 2.0 Level 1 Assessment Questionnaire](https://carbidesecure.com/cmmc-level-1-questionnaire/) to evaluate your compliance.

4. **Submit Your Results
**Enter your assessment results in the [Supplier Performance Risk System](https://www.sprs.csd.disa.mil/) (SPRS).

If you’re preparing for CMMC 2.0 Level 1 compliance, [Carbide has a free self-assessment tool](https://carbidesecure.com/cmmc-level-1-questionnaire/) to help you navigate the process. This tool provides step-by-step guidance and generates a report identifying gaps that must be addressed to meet the Level 1 requirements.

[START YOUR FREE ASSESSMENT](https://carbidesecure.com/cmmc-level-1-questionnaire/)

_*For more guidance, consult resources such as the [DoD’s CMMC documentation and self-assessment guides](https://dodcio.defense.gov/cmmc/Resources-Documentation/)._

#### BUILT FOR CMMC 2.0

## G-Code Cloud + DNC

The G-code piece of your CMMC plan. Traceability, compliance, and control — all in a GovCloud-hosted platform.

[Learn More](https://datanomix.io/datanomix-g-code-cloud/)

[](https://datanomix.io/datanomix-g-code-cloud/)