David Koran & Associates
Essex Junction, VT | Montebello, NY | 802-335-2662 | dkoran@davidkoran.com
CMMC Level Comparison

CMMC Level 1 vs Level 2:
A Clear Comparison of Requirements

The level of CMMC certification your organization needs is determined by the type of information in your contracts, not by company size, revenue, or preference. This page breaks down the differences so you can identify which level applies and what it requires.

Side-by-Side Comparison

Category | Level 1 | Level 2
Information Type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI)
Security Requirements | 15 basic safeguarding practices from FAR 52.204-21 | 110 security requirements from NIST SP 800-171 Rev 2
Assessment Method | Annual self-attestation | Third-party assessment by a certified C3PAO (triennial)
Documentation | Basic compliance affirmation | System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies, procedures, and evidence artifacts
SPRS Score | Not applicable | Required, posted to SPRS, score range of -203 to 110
Typical Cost | Minimal for most organizations | $50,000 to $250,000+ for preparation, plus C3PAO assessment fee
Timeline to Achieve | Weeks to a few months | 12 to 18 months for most organizations
Enforcement Start | Phase 1 (Nov 2025) | Phase 2 (Nov 10, 2026)
Applies When | Contract includes FAR 52.204-21 | Contract includes DFARS 252.204-7012 and/or DFARS 252.204-7021

The Determining Factor Is the Information, Not the Company

The most common misconception about CMMC levels is that they correspond to company size or contract value. They do not. The level is determined entirely by whether your contract involves Federal Contract Information or Controlled Unclassified Information. A small machine shop processing CUI needs Level 2 just as a large prime contractor does. A large company handling only FCI needs only Level 1.

The practical question for most defense contractors is whether CUI enters their environment. If you receive technical drawings marked with CUI banners, if your contract includes a DD Form 254, or if DFARS 252.204-7012 appears in your contract clauses, Level 2 is almost certainly what applies.

FCI vs CUI: The Distinction That Drives Everything

Federal Contract Information is information provided by or generated for the government under contract that is not intended for public release. It is a broad category that covers most non-public contract-related information. Controlled Unclassified Information is a more specific, more sensitive category that the government has determined requires safeguarding and dissemination controls. CUI includes technical data, export-controlled information, and dozens of other categories listed in the National Archives CUI Registry.

The distinction matters because it determines not just which CMMC level applies, but the entire scope of your security obligations, documentation requirements, and assessment process. For a deeper analysis of this distinction and its implications for scoping, the CUI classification white papers in the research library address common edge cases.

What Level 2 Actually Requires

Level 2 is not simply Level 1 with additional controls. It represents a fundamentally different security program. The 110 requirements in NIST SP 800-171 span 14 control families covering access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

Each requirement must be documented in a System Security Plan that describes how the control is implemented in your specific environment. The SSP must be supported by policies, procedures, and evidence artifacts that demonstrate operational implementation, not just intent. The CMMC Controls Library provides individual reference cards for all 110 requirements.

Assessment and Certification

Level 1 verification is straightforward: an authorized company representative completes an annual self-attestation affirming that the 15 practices are in place. Level 2 requires an on-site assessment by a C3PAO, a CMMC Third-Party Assessment Organization certified by the CyberAB. The assessment is conducted against all 110 requirements and results in a certification that is valid for three years.

The C3PAO assessment pipeline is finite. The number of certified assessment organizations and qualified assessors is limited, and demand is growing as enforcement milestones approach. Contractors who begin the process early have a meaningful advantage in scheduling their assessment within the enforcement timeline.

Related Resources

The CMMC Decision covers the strategic and executive-level decisions involved in preparing for Level 2 certification. The white paper library includes detailed research on assessment capacity, CUI scope reduction, and the enforcement timeline. For contractors wondering how CMMC requirements apply to small businesses, a dedicated guide addresses the specific challenges facing small manufacturers.

Frequently Asked Questions

What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 requires 15 basic safeguarding practices from FAR 52.204-21 and covers Federal Contract Information. Level 2 requires all 110 security requirements from NIST SP 800-171 Rev 2 and covers Controlled Unclassified Information. Level 1 is verified by annual self-attestation while Level 2 typically requires a third-party assessment by a C3PAO every three years.

How do I know if I need CMMC Level 1 or Level 2?
The determining factor is the type of information in your contract. If your contract involves only Federal Contract Information, Level 1 applies. If Controlled Unclassified Information is present, marked, or specified in the contract, Level 2 applies. The contract itself and the associated DD Form 254 or CUI marking guide will specify what type of information is involved.

Can a company need both CMMC Level 1 and Level 2?
Yes. A company may hold some contracts that involve only FCI and others that involve CUI. The CMMC level is determined per contract, not per company. However, if any contract requires Level 2, the systems and processes that handle that contract's CUI must meet all 110 requirements. Many contractors achieve Level 2 across their CUI environment and treat Level 1 as automatically satisfied.

How much more does CMMC Level 2 cost than Level 1?
Level 1 compliance is relatively low-cost because it involves 15 basic practices that most organizations already partially satisfy, and verification is through self-attestation. Level 2 is substantially more expensive due to 110 security requirements, the need for formal documentation including a System Security Plan, potential technology and infrastructure investments, and the cost of a C3PAO assessment. For small to mid-sized contractors, Level 2 preparation typically costs between $50,000 and $250,000 depending on scope and current posture.

What is FCI and what is CUI?
Federal Contract Information is information provided by or generated for the government under a contract that is not intended for public release. Controlled Unclassified Information is a more sensitive category that the government has determined requires safeguarding controls. CUI includes technical data, export-controlled information, and other categories specified in the CUI Registry. The distinction between FCI and CUI determines whether Level 1 or Level 2 applies.

Not Sure Which Level Applies to Your Contracts?

A brief conversation to review your contract clauses and determine whether your obligations point to Level 1, Level 2, or both.
