CMMC Level 1 vs Level 2: Which Do You Need?
The most common question from defense contractors entering the CMMC process: "Do I need Level 1 or Level 2?" The answer depends entirely on what type of government information you handle — specifically, whether your contracts involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Get this wrong and you're either over-investing in compliance or at risk of contract loss.
| Factor | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Triggers when you handle | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Requirements | 17 practices (FAR 52.204-21) | 110 requirements (NIST SP 800-171 Rev 2) |
| Assessment method | Annual self-attestation | Self-assessment or C3PAO (every 3 years) |
| SPRS score required | Yes | Yes |
| SSP required | Recommended | Required |
| POA&M required | If gaps exist | Required for any gap |
| Third-party auditor | Not required | Required for critical programs |
| Typical cost range | $1K–$8K | $5K–$200K+ |
FCI vs CUI: The Key Distinction
The entire CMMC level determination hinges on one question: are you handling FCI, CUI, or both? Understanding the difference is non-negotiable.
Federal Contract Information (FCI)
FCI is information provided by or generated for the government under a contract. It includes any information that is not intended for public release. Examples:
- Contract statements of work and deliverables
- Government-furnished equipment specifications
- Procurement-sensitive pricing and schedule data
- Internal government communications shared under the contract
Almost every DoW contractor handles FCI: if your company holds any DoW contract, you are almost certainly handling FCI and must meet CMMC Level 1 at minimum.
Controlled Unclassified Information (CUI)
CUI is a specific US government-designated information category. It's sensitive but not classified. It requires specific safeguards and dissemination controls under the National Archives CUI Program. Examples:
- Technical drawings, engineering specifications, and design data
- Export-controlled technical data (ITAR/EAR)
- Proprietary information the government has obtained under license
- Defense acquisition program information
- Privacy data (personnel records, health information in certain contexts)
- Vulnerability and threat information
If your contract involves technical work on defense systems — design, engineering, manufacturing, testing, logistics — you are almost certainly handling CUI and need CMMC Level 2.
CMMC Level 1 — Foundational: What's Actually Required
Level 1 is built on the 17 practices from FAR 52.204-21. These represent basic cyber hygiene — the minimum floor for any organization that touches federal data. The 17 requirements span 6 domains:
| Domain | Requirements at Level 1 |
|---|---|
| Access Control (AC) | Limit system access to authorized users and the functions they need to perform their duties |
| Identification & Authentication (IA) | Identify and authenticate users, processes, and devices before system access |
| Media Protection (MP) | Sanitize or destroy information system media before disposal or reuse |
| Physical Protection (PE) | Limit physical access to systems to authorized individuals |
| System & Comms Protection (SC) | Monitor, control, and protect data at external boundaries and key internal boundaries |
| System & Info Integrity (SI) | Identify, report, and correct information and system flaws promptly; protect against malicious code |
Level 1 Assessment: Annual Self-Attestation
CMMC Level 1 does not require a third-party assessment. A senior company official (C-suite level) must annually attest that all 17 practices are implemented. The attestation is submitted via the Supplier Performance Risk System (SPRS) at piee.eb.mil.
Who Is Level 1 Typically Right For?
- Service contractors (professional services, IT services, logistics coordination)
- Suppliers providing commercial off-the-shelf (COTS) products
- Staffing firms supporting DoW programs
- Companies with minimal technical involvement in defense system design or engineering
CMMC Level 2 — Advanced: What's Actually Required
Level 2 is the major compliance challenge for most defense contractors. It requires full implementation of all 110 security requirements from NIST SP 800-171 Rev 2 across 14 practice domains.
The 110 requirements are not arbitrary — they're derived from decades of federal information security practice and specifically address the threat landscape faced by defense contractors handling sensitive technical data.
The 14 Domains of CMMC Level 2
| Domain | Requirements | Focus |
|---|---|---|
| AC — Access Control | 22 | Who can access what, and how |
| AT — Awareness & Training | 3 | Security awareness for all staff |
| AU — Audit & Accountability | 9 | Log and review system activity |
| CM — Configuration Management | 9 | Control hardware and software configurations |
| IA — Identification & Authentication | 11 | MFA, password controls, identities |
| IR — Incident Response | 3 | Detect, respond to, and recover from incidents |
| MA — Maintenance | 6 | Secure maintenance of systems |
| MP — Media Protection | 9 | Protect and sanitize media |
| PE — Physical Protection | 6 | Physical access controls |
| PS — Personnel Security | 2 | Screen personnel and terminate access appropriately |
| RA — Risk Assessment | 3 | Assess and remediate risk periodically |
| CA — Security Assessment | 4 | Evaluate and monitor security controls |
| SC — System & Communications Protection | 16 | Network segmentation, encryption, boundary defense |
| SI — System & Information Integrity | 7 | Patch management, malware protection, alerting |
Level 2 Assessment: Self-Assessment vs. C3PAO
CMMC Level 2 has two assessment pathways:
- Self-assessment (annual) — allowed for DoW contracts the DoW has designated as "not critical." Same process as Level 1, but with a senior official attesting to all 110 requirements and entering the SPRS score.
- C3PAO third-party assessment (every 3 years) — required for contracts the DoW designates as "critical." A Cyber AB-accredited C3PAO conducts an independent audit of your systems, policies, and evidence. You either pass, pass with conditions (POA&M), or fail.
Who Is Level 2 Typically Required For?
- Systems integrators working on defense platforms (aircraft, ships, ground vehicles, weapons)
- Engineering and design contractors handling technical specifications or drawings
- IT contractors with access to DoW networks or systems
- Research and development contractors (SBIR/STTR awardees often)
- Manufacturing suppliers with design data on defense components
- Any contractor with DFARS 252.204-7012 in their contract
How to Determine Which Level You Need: 5 Questions
1. Does your contract include DFARS clause 252.204-7012?
   If yes → you are required to comply with NIST SP 800-171 → CMMC Level 2.
2. Do you receive documents marked CUI, FOUO, or with export control markings (ITAR/EAR)?
   If yes → you are handling CUI → CMMC Level 2.
3. Does your work involve technical data, engineering drawings, or design specifications for defense systems?
   If yes → almost certainly CUI → CMMC Level 2.
4. Is your involvement limited to services (staffing, consulting, non-technical support) with no access to technical defense data?
   Possibly Level 1 only — but confirm with your Contracting Officer.
5. Does your contract only reference FAR 52.204-21 (not DFARS 252.204-7012)?
   Likely Level 1 only — but this is contract-specific. Always confirm.
Can You Need Both Level 1 and Level 2?
Yes — and many mid-size defense contractors operate in exactly this situation. You might have:
- One contract that only handles FCI (Level 1 required)
- Another contract with DFARS 252.204-7012 and CUI access (Level 2 required)
The practical reality: if any part of your business handles CUI, your cybersecurity posture must meet Level 2 requirements for those systems. Most companies choose to achieve Level 2 across their entire environment rather than maintaining separate CUI and non-CUI enclaves — the administrative complexity of isolation often exceeds the compliance cost.
This is a scoping decision that should be made with qualified CMMC consulting help. Dragonfli Group specializes in scoping strategies that minimize compliance burden while maintaining full defensibility.
The Cost and Effort Difference
Level 1 and Level 2 are not just different in requirements — they are categorically different in implementation effort:
| Effort Area | Level 1 | Level 2 |
|---|---|---|
| Policy documentation | 6–10 basic policies | 18+ comprehensive policies |
| Technical controls | Basic — antivirus, passwords, physical access | Advanced — MFA, SIEM, network segmentation, encryption, EDR |
| Time to comply (starting fresh) | 4–8 weeks | 3–18 months depending on gaps |
| Typical consulting cost | $1,000–$8,000 | $5,000–$75,000+ |
| C3PAO assessment cost | Not required | $30,000–$200,000+ |
| Annual maintenance | Low | Medium to High |
NOT SURE WHICH LEVEL YOU NEED?
Find Out in 10 Minutes — Free
The Dragonfli Group Pulse Check assesses your five highest-risk CMMC domains and shows you where you stand. No credit card required.