Level 1 applies when you only handle Federal Contract Information (FCI): it's the 15 basic safeguarding requirements from FAR 52.204-21, met with an annual self-assessment. Level 2 applies when you handle Controlled Unclassified Information (CUI): it's all 110 controls in NIST SP 800-171, met by either a self-assessment or a third-party C3PAO certification, depending on the contract. The type of data you touch decides your level — not your size, and not your prime's level.
If you're a small shop staring at a solicitation and trying to figure out how deep this goes, start here. The gap between Level 1 and Level 2 is enormous — one is a checklist you can knock out in an afternoon, the other is a documented security program that an assessor grades. Picking the wrong one costs you either wasted money or a lost award. So let's get it right the first time.
I've walked contractors through this call more times than I can count, and the confusion almost always comes from the same place: people think the level is about how big or important their company is. It isn't. CMMC is data-driven. The single question that decides everything is what kind of government information lands on your systems. Answer that honestly and the level answers itself.
Every CMMC conversation traces back to two acronyms. Get these straight and the rest is downhill.
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn't intended for public release. Think delivery schedules, contract line items, internal emails about the work — sensitive enough that you shouldn't post it publicly, but not the crown jewels. Handling FCI puts you at Level 1.
Controlled Unclassified Information (CUI) is a specific, marked category the government protects under a formal program — technical drawings, specifications, controlled research, certain personnel data. It's the stuff the DoD actively worries about walking out the door to an adversary. Handling CUI puts you at Level 2.
The line between these two is where most small contractors get tripped up, because a single contract can involve both, and because CUI isn't always labeled as helpfully as it should be. If you want the deep version of this distinction — with the markings, the flow-down rules, and the honest gray areas — read CUI vs FCI: What's the Difference and Why It Sets Your CMMC Level. It's the companion piece to this one, and it's worth ten minutes before you commit to a level.
Level 1 is the entry tier, and honestly, most of it is stuff a responsible shop is doing already. It maps to the 15 basic safeguarding requirements in FAR clause 52.204-21 — the baseline hygiene the government expects from anyone touching FCI. These are things like limiting system access to authorized users, controlling who connects to your network, sanitizing media before you toss it, keeping your systems patched, and running basic boundary protection.
Here's what makes Level 1 manageable for a small business:
That doesn't mean you can be sloppy. A false affirmation is a real liability, and "we self-assessed" doesn't mean "we guessed." You still need to actually meet each of the 15 and be able to show it if asked. But compared to Level 2, the lift is small — and for a lot of FCI-only contractors, it's the whole job.
Level 2 is a different animal. The moment CUI enters the picture, you step up to the full 110 security controls of NIST SP 800-171, organized into 14 control families. Every one of those controls applies to every asset inside your assessment boundary. This is the tier the whole CMMC program was really built around, and it's where the cost and the paperwork live.
The 14 families cover the full sweep of a security program:
Level 2 also comes with real documentation obligations. You need a System Security Plan (SSP) that describes how you meet each control, a set of written policies, a POA&M for anything not yet fully in place, and a self-score you submit to SPRS. If you've never built one of these, the guide to writing a CMMC SSP and the breakdown of the Level 2 policies you actually need are the two places to start.
And then there's the assessment itself. Level 2 splits into two flavors:
Which one your contract requires isn't your choice — it's set by the acquisition. The difference between self-assessing and getting a C3PAO audit is big enough that it deserves its own read: C3PAO vs Self-Assessment: Which One Does Your Contract Demand?.
Here's the practical decision path I walk contractors through. Work it in order.
The whole comparison in one view:
| CMMC Level 1 | CMMC Level 2 | |
|---|---|---|
| Data type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Requirements | 15 basic safeguards (FAR 52.204-21) | All 110 controls in NIST SP 800-171, across 14 families |
| Assessment | Annual self-assessment + affirmation | Self-assessment or C3PAO third-party certification, per contract |
| Documentation | Light — meet and affirm the 15 | Full SSP, policies, POA&M, SPRS score |
| Typical effort | Days to weeks | Months, scoping-dependent |
| Who sets it | The contract and the data — not your size | The contract and the data — not your size |
Timing is the part people underestimate. The CMMC program rolls out in phases, and the date that matters most for Level 2 shops is November 10, 2026 — the start of Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts.
Phase 1 is already here. Self-assessment and affirmation language is showing up in solicitations right now. So even if your contract doesn't require a C3PAO audit yet, the requirement to know your score, document your controls, and affirm them is landing today. Waiting until Q4 2026 to start is how a doable project turns into a scramble against an assessor backlog.
The move that saves you is boring and it works: figure out your level now, scope your CUI down as tightly as honesty allows, and get your documentation built before the deadline forces your hand. If you're at Level 2, the single biggest cost lever is scope — so read the honest cost breakdown before anyone quotes you six figures, and get a baseline in about two minutes with the free SPRS score estimator.
Level 2 is won or lost on paperwork: a System Security Plan mapped to all 110 controls, the required policies, a POA&M template, and a per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is the whole documented layer, editable, built for a small shop doing this itself — audit-ready preparation, not a substitute for the C3PAO audit.
Level 1 applies when you only handle Federal Contract Information (FCI). It requires the 15 basic safeguarding requirements from FAR 52.204-21 and is met by an annual self-assessment. Level 2 applies when you handle Controlled Unclassified Information (CUI). It requires all 110 security controls in NIST SP 800-171, organized into 14 families, and is met by either a self-assessment or a third-party C3PAO certification depending on the contract.
Read the contract and the data. If the work only involves Federal Contract Information — information provided by or generated for the government that is not intended for public release — you are almost always at Level 1. The moment the contract flows down CUI, or includes DFARS clause 252.204-7012, you are at Level 2. When in doubt, ask your contracting officer in writing which level and which assessment type the award requires.
No. Level 1 is met with an annual self-assessment against the 15 basic safeguarding requirements, submitted with a senior official's affirmation. You do not hire a certified third-party assessor for Level 1. Third-party C3PAO assessment is a Level 2 concept, and even then only for the contracts the DoD prioritizes.
CMMC Level 2 is built on all 110 security requirements in NIST SP 800-171, grouped into 14 control families such as Access Control, Audit and Accountability, and System and Communications Protection. Every one of those 110 controls applies to every asset inside your assessment boundary.
November 10, 2026 marks the start of Phase 2 of the CMMC rollout, when Level 2 third-party C3PAO certification becomes a required condition of award on applicable DoD contracts. Phase 1 self-assessment and affirmation language is already appearing in solicitations now, so the work of scoping and documenting should be underway well before that date.
Yes. Your required level depends on the type of information that flows down to you, not on the prime's level. A prime handling CUI may only pass Federal Contract Information to a subcontractor, in which case that sub is at Level 1. If CUI flows down, the sub is at Level 2. Confirm what data you will actually receive before you assume your level.