Home / Guides / CMMC Level 1 vs Level 2

CMMC Level 1 vs Level 2: Which Does Your Contract Require?

Focus: cmmc level 1 vs level 2 Veteran-run · practitioner guide Updated Jul 2026 ~8 min read
The short answer

Level 1 applies when you only handle Federal Contract Information (FCI): it's the 15 basic safeguarding requirements from FAR 52.204-21, met with an annual self-assessment. Level 2 applies when you handle Controlled Unclassified Information (CUI): it's all 110 controls in NIST SP 800-171, met by either a self-assessment or a third-party C3PAO certification, depending on the contract. The type of data you touch decides your level — not your size, and not your prime's level.

If you're a small shop staring at a solicitation and trying to figure out how deep this goes, start here. The gap between Level 1 and Level 2 is enormous — one is a checklist you can knock out in an afternoon, the other is a documented security program that an assessor grades. Picking the wrong one costs you either wasted money or a lost award. So let's get it right the first time.

I've walked contractors through this call more times than I can count, and the confusion almost always comes from the same place: people think the level is about how big or important their company is. It isn't. CMMC is data-driven. The single question that decides everything is what kind of government information lands on your systems. Answer that honestly and the level answers itself.

The data decides: FCI vs CUI

Every CMMC conversation traces back to two acronyms. Get these straight and the rest is downhill.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn't intended for public release. Think delivery schedules, contract line items, internal emails about the work — sensitive enough that you shouldn't post it publicly, but not the crown jewels. Handling FCI puts you at Level 1.

Controlled Unclassified Information (CUI) is a specific, marked category the government protects under a formal program — technical drawings, specifications, controlled research, certain personnel data. It's the stuff the DoD actively worries about walking out the door to an adversary. Handling CUI puts you at Level 2.

The line between these two is where most small contractors get tripped up, because a single contract can involve both, and because CUI isn't always labeled as helpfully as it should be. If you want the deep version of this distinction — with the markings, the flow-down rules, and the honest gray areas — read CUI vs FCI: What's the Difference and Why It Sets Your CMMC Level. It's the companion piece to this one, and it's worth ten minutes before you commit to a level.

The core rule FCI only → Level 1, self-assessed. Any CUI → Level 2, all 110 controls. If you can't tell which kind of data your contract carries, that's not a detail to gloss over — it's the whole decision, and it's a fair question to put to your contracting officer in writing.

What Level 1 requires

Level 1 is the entry tier, and honestly, most of it is stuff a responsible shop is doing already. It maps to the 15 basic safeguarding requirements in FAR clause 52.204-21 — the baseline hygiene the government expects from anyone touching FCI. These are things like limiting system access to authorized users, controlling who connects to your network, sanitizing media before you toss it, keeping your systems patched, and running basic boundary protection.

Here's what makes Level 1 manageable for a small business:

That doesn't mean you can be sloppy. A false affirmation is a real liability, and "we self-assessed" doesn't mean "we guessed." You still need to actually meet each of the 15 and be able to show it if asked. But compared to Level 2, the lift is small — and for a lot of FCI-only contractors, it's the whole job.

What Level 2 requires

Level 2 is a different animal. The moment CUI enters the picture, you step up to the full 110 security controls of NIST SP 800-171, organized into 14 control families. Every one of those controls applies to every asset inside your assessment boundary. This is the tier the whole CMMC program was really built around, and it's where the cost and the paperwork live.

The 14 families cover the full sweep of a security program:

Level 2 also comes with real documentation obligations. You need a System Security Plan (SSP) that describes how you meet each control, a set of written policies, a POA&M for anything not yet fully in place, and a self-score you submit to SPRS. If you've never built one of these, the guide to writing a CMMC SSP and the breakdown of the Level 2 policies you actually need are the two places to start.

And then there's the assessment itself. Level 2 splits into two flavors:

Which one your contract requires isn't your choice — it's set by the acquisition. The difference between self-assessing and getting a C3PAO audit is big enough that it deserves its own read: C3PAO vs Self-Assessment: Which One Does Your Contract Demand?.

The expensive mistake to avoid Level 2 cost scales with how many machines and people you drag into scope — not with how good your security is. Before you harden your whole company, read the CUI enclave method: scope CUI into a small segmented boundary and you can cut Level 2 cost 40–60%. It's the highest-leverage decision a small shop makes.

How to tell which you need

Here's the practical decision path I walk contractors through. Work it in order.

  1. Read the contract clauses.Look for DFARS 252.204-7012. If it's flowed down to you, CUI is in play and you're at Level 2. FAR 52.204-21 alone, with no 7012 and no CUI, points to Level 1. The clauses tell you a lot before anyone says a word.
  2. Trace the actual data.Forget the org chart — follow the information. Will the government send you, or will you generate, anything marked CUI? Technical drawings, specs, controlled research? If yes, you're Level 2. If everything you touch is FCI and nothing more, you're Level 1.
  3. Check what flows down to you.If you're a subcontractor, your level depends on what the prime actually passes you — not on the prime's level. A prime at Level 2 may only hand you FCI, which keeps you at Level 1. Confirm what data you'll really receive.
  4. Ask the contracting officer — in writing.When it's genuinely ambiguous, don't guess. Ask which level and which assessment type the award requires, and get the answer in writing. It protects you, and it's a normal question they expect.

Level 1 vs Level 2, side by side

The whole comparison in one view:

CMMC Level 1CMMC Level 2
Data typeFederal Contract Information (FCI)Controlled Unclassified Information (CUI)
Requirements15 basic safeguards (FAR 52.204-21)All 110 controls in NIST SP 800-171, across 14 families
AssessmentAnnual self-assessment + affirmationSelf-assessment or C3PAO third-party certification, per contract
DocumentationLight — meet and affirm the 15Full SSP, policies, POA&M, SPRS score
Typical effortDays to weeksMonths, scoping-dependent
Who sets itThe contract and the data — not your sizeThe contract and the data — not your size

The November 10, 2026 line

Timing is the part people underestimate. The CMMC program rolls out in phases, and the date that matters most for Level 2 shops is November 10, 2026 — the start of Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts.

Phase 1 is already here. Self-assessment and affirmation language is showing up in solicitations right now. So even if your contract doesn't require a C3PAO audit yet, the requirement to know your score, document your controls, and affirm them is landing today. Waiting until Q4 2026 to start is how a doable project turns into a scramble against an assessor backlog.

The move that saves you is boring and it works: figure out your level now, scope your CUI down as tightly as honesty allows, and get your documentation built before the deadline forces your hand. If you're at Level 2, the single biggest cost lever is scope — so read the honest cost breakdown before anyone quotes you six figures, and get a baseline in about two minutes with the free SPRS score estimator.

If you landed on Level 2

Knowing your level is step one. This gets you documented.

Level 2 is won or lost on paperwork: a System Security Plan mapped to all 110 controls, the required policies, a POA&M template, and a per-control SPRS scorer. The CMMC Level 2 DIY Compliance Kit is the whole documented layer, editable, built for a small shop doing this itself — audit-ready preparation, not a substitute for the C3PAO audit.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.

Frequently asked questions

What is the difference between CMMC Level 1 and Level 2?

Level 1 applies when you only handle Federal Contract Information (FCI). It requires the 15 basic safeguarding requirements from FAR 52.204-21 and is met by an annual self-assessment. Level 2 applies when you handle Controlled Unclassified Information (CUI). It requires all 110 security controls in NIST SP 800-171, organized into 14 families, and is met by either a self-assessment or a third-party C3PAO certification depending on the contract.

How do I know which CMMC level my contract requires?

Read the contract and the data. If the work only involves Federal Contract Information — information provided by or generated for the government that is not intended for public release — you are almost always at Level 1. The moment the contract flows down CUI, or includes DFARS clause 252.204-7012, you are at Level 2. When in doubt, ask your contracting officer in writing which level and which assessment type the award requires.

Does CMMC Level 1 require a C3PAO?

No. Level 1 is met with an annual self-assessment against the 15 basic safeguarding requirements, submitted with a senior official's affirmation. You do not hire a certified third-party assessor for Level 1. Third-party C3PAO assessment is a Level 2 concept, and even then only for the contracts the DoD prioritizes.

How many controls are in CMMC Level 2?

CMMC Level 2 is built on all 110 security requirements in NIST SP 800-171, grouped into 14 control families such as Access Control, Audit and Accountability, and System and Communications Protection. Every one of those 110 controls applies to every asset inside your assessment boundary.

What happens on November 10, 2026?

November 10, 2026 marks the start of Phase 2 of the CMMC rollout, when Level 2 third-party C3PAO certification becomes a required condition of award on applicable DoD contracts. Phase 1 self-assessment and affirmation language is already appearing in solicitations now, so the work of scoping and documenting should be underway well before that date.

Can a subcontractor need a different CMMC level than the prime?

Yes. Your required level depends on the type of information that flows down to you, not on the prime's level. A prime handling CUI may only pass Federal Contract Information to a subcontractor, in which case that sub is at Level 1. If CUI flows down, the sub is at Level 2. Confirm what data you will actually receive before you assume your level.