CMMC 2.0 generally includes three CMMC levels of certification as follows.

CMMC Level 1, Foundational – Contractors must implement the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submit an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).

CMMC Level 2, Advanced – Contractors must implement the 110 controls in NIST SP 800-171 and submit an annual self-assessment or, if required to handle as yet undefined “critical national security information,” a triennial independent assessment performed by a private entity certified by the DoD as a third-party assessor (a C3PAO).

CMMC Level 3, Expert – Contractors must implement the 110 controls in NIST SP 800-171 and a yet to be determined subset of controls from NIST SP 800-172 before undergoing a triennial government-led assessment.

 

See: https://federalnewsnetwork.com/commentary/2023/05/planning-for-the-uncertain-what-to-watch-and-how-to-prepare-for-cmmc/