CMMC levels are put forth by the DoD, and you should begin by determining what CMMC level is required for your organization. CMMC 2.0 consists of three certification levels instead of the original five. Levels two and four of CMMC 1.0 were removed as they were primarily transition levels. The new CMMC levels are based on the protected information a company possesses and range from Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The higher the level your organization needs to obtain, the more security measures need to be put into place. Each level has a focus, which is outlined below:  

Level 1 (Foundational): Level 1 requires organizations to perform basic cybersecurity hygiene practices; this includes 17 practices. This level applies to organizations that must protect FCI (Federal Contract Information) data. A level 1 certification can be completed through an annual self-assessment. 

Level 2 (Advanced): Level 2 is considered advanced and focuses on organizations that handle CUI (Controlled Unclassified Information) data. This level includes 110 practices that align with NIST SP 800-171. Level 2 certification requires a third-party assessment every three years with some programs requiring an annual self-assessment. 

Level 3 (Expert): Level 3 is qualified as expert and focuses on advanced persistent threats (APTs) and includes 110+ controls based on NIST SP 800-171 and 800-172. This level applies to companies that handle CUI for DoD programs with the highest priority. Level 3 certification requires a government-led assessment every three years.