For US organizations seeking Department of Defense (DoD) contracts, the difference between CMMC Level 1 and CMMC Level 2 is the difference between basic self-assessment and rigorous third-party audit: Level 1 requires safeguarding Federal Contract Information (FCI) through 15 basic security practices, while Level 2 requires protecting Controlled Unclassified Information (CUI) through 110 NIST SP 800-171 controls verified by a Certified Third-Party Assessment Organization (C3PAO). Your required level depends entirely on whether your DoD contract involves CUI — if it does, Level 2 is mandatory for contract award.
What Is CMMC Level 1?
CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, administered by the DoD. It applies to contractors who handle Federal Contract Information (FCI) — information not intended for public release that is generated or provided by the government under a contract. Level 1 requires implementation of 15 basic security practices drawn from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
These practices cover six domains: access control, awareness and training, audit and accountability, configuration management, incident response, and media protection. For example, contractors must limit information system access to authorized users, conduct security awareness training, and track system activity. The critical distinction is self-assessment: Level 1 requires an annual self-assessment and an affirmation in the Supplier Performance Risk System (SPRS), but no third-party audit is required.
Level 1 is designed for organizations that do not handle CUI but still process, store, or transmit FCI. According to the DoD CMMC 2.0 final rule published in October 2024, Level 1 certification will be required for all contracts involving FCI, even if no CUI is present. Organizations currently self-attesting under FAR 52.204-21 will need to formalize this process under CMMC Level 1.
What Is CMMC Level 2?
CMMC Level 2 is the core certification tier for organizations that process, store, or transmit Controlled Unclassified Information (CUI). CUI includes a wide range of data types — from technical drawings and scientific data to export-controlled information and proprietary business data — that require safeguarding under laws, regulations, and government-wide policies.
Level 2 requires implementation of all 110 security controls from NIST SP 800-171 Rev 2, organized into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Unlike Level 1, Level 2 demands a third-party assessment by a C3PAO accredited by the CMMC Accreditation Body (Cyber AB).
The DoD estimates that approximately 70,000 contractors within the Defense Industrial Base (DIB) will require Level 2 certification. The assessment is valid for three years, with annual affirmations required in SPRS. Organizations already compliant with NIST SP 800-171 — as required under DFARS clause 252.204-7012 — are not automatically CMMC Level 2 certified; they must still undergo a C3PAO assessment once the CMMC program is fully operational.
Key Takeaways: CMMC Level 1 vs Level 2
- Data type: Level 1 protects FCI; Level 2 protects CUI.
- Controls: Level 1 requires 15 practices; Level 2 requires all 110 NIST SP 800-171 controls.
- Assessment: Level 1 is self-assessment; Level 2 requires a C3PAO third-party audit.
- Cost range: Level 1 costs $3,000–$10,000 typically; Level 2 costs $50,000–$200,000+ depending on system complexity.
- Validity: Both require annual affirmation; Level 2 certification is valid for three years.
- Deadline: CMMC requirements begin appearing in DoD solicitations starting Q4 2025, with full flow-down by Q4 2026.
Key Differences: Detailed Comparison
The table below provides a direct comparison across the critical dimensions that matter most to organizations choosing between CMMC Level 1 and Level 2.
How to Determine Which Level Applies to Your Organization
The determining factor is whether your DoD contract involves Controlled Unclassified Information (CUI). The DoD has published a CUI Registry identifying 125+ categories of CUI across 20 groups, including controlled technical information (CTI), critical infrastructure data, export-controlled information (EAR/ITAR), and defense-related proprietary data.
Here is a practical decision framework:
- Review your contract's DD Form 254 (Contract Security Classification Specification). This form identifies both classified and unclassified security requirements. If CUI handling is specified, Level 2 is required.
- Identify CUI types in your data flows. Even if the DD Form 254 is not explicit, map all data you receive, store, or transmit under the contract. If any data falls under CUI categories, Level 2 applies.
- Check your prime contractor requirements. Prime contractors may flow down CMMC Level 2 requirements to subcontractors even if the prime handles CUI at a higher tier. Do not assume Level 1 applies based solely on the contracting vehicle.
- Assess your current NIST SP 800-171 compliance posture. If you are already operating under DFARS 252.204-7012 (which mandates NIST SP 800-171 compliance for any contract involving CUI), you are likely on the path to Level 2. Self-assess your current control maturity using the NIST SP 800-171 self-assessment score guide (DoD SAP).
Organizations that contract exclusively with DoD components that do not generate or share CUI — for example, certain administrative or facilities contracts — may qualify for Level 1. However, err on the side of caution: the DoD's CMMC final rule specifies that the burden of proof falls on the contractor to demonstrate that they do not handle CUI.
Implementation Pathways for Each Level
Implementing CMMC Level 1
Level 1 implementation is straightforward but requires disciplined execution. Begin by scoping your covered contractor information system (CCIS) — the system that processes, stores, or transmits FCI. This system must be clearly delineated from any corporate or personal systems. Implement the 15 practices from FAR 52.204-21, which cover multifactor authentication (where feasible), access logging, media sanitization, and basic incident response procedures.
Document your policies and procedures in a simple security plan. Conduct an annual self-assessment using the CMMC Level 1 self-assessment guide, and affirm the results in SPRS. Most organizations can complete Level 1 implementation in 2–4 weeks with focused effort — making it achievable even for small businesses with limited cybersecurity resources.
Implementing CMMC Level 2
Level 2 implementation is a substantial enterprise effort. The 110 NIST SP 800-171 controls span 14 control families, many of which require significant technical investment. Start by conducting a gap analysis against the full control set. Common gaps for first-time implementers include:
- Access control (AC): Requirement for multifactor authentication (CUI assets), session lock with pattern hiding, and privileged account management (AC-3, AC-8, AC-11, AC-16).
- Audit and accountability (AU): Centralized audit logging, log retention (minimum 12 months with 18 months available online), and real-time alerting on security events (AU-2, AU-3, AU-12, AU-6).
- Configuration management (CM): Baseline configuration, change control, and automated vulnerability scanning (CM-2, CM-3, CM-8, RA-5).
- System and communications protection (SC): Encryption at rest and in transit, boundary protection, and denial-of-service protection (SC-7, SC-8, SC-12, SC-28).
- System and information integrity (SI): EDR/XDR, file integrity monitoring, and spam protection (SI-3, SI-4, SI-7, SI-11).
Create a System Security Plan (SSP) that documents your CUI environment, including all assets (CUI assets, security protection assets, and contractor risk managed assets). Develop a Plan of Action and Milestones (POA&M) for any controls not fully implemented at the time of assessment — the POA&M must have a completion date not exceeding 180 days from the assessment period. Engage a C3PAO for the formal assessment, which typically involves 2–5 days of on-site or remote evaluation.
Most medium-sized contractors report 6–18 months for full Level 2 implementation. CyberSilo Compliance Standards Automation can accelerate this timeline by automating evidence collection, control mapping, and SSP generation, reducing implementation time by up to 40% based on client benchmarks.
Important compliance note: The DoD CMMC 2.0 final rule (effective March 2025) introduces a phased rollout. Level 2 (with C3PAO assessment) will appear in select solicitations starting Q4 2025, with full flow-down to all applicable contracts by Q4 2026. Organizations should begin scoping and gap analysis now, even if their current contracts do not yet mandate CMMC certification. Non-compliance at the time of award will result in contract ineligibility. Additionally, the False Claims Act continues to apply — knowingly making false certifications about compliance in SPRS can lead to substantial financial penalties and mandatory debarment.
Determine Your CMMC Level With Expert Guidance
Unsure whether your organization handles CUI or needs Level 2 assessment? CyberSilo's compliance specialists can conduct a preliminary scoping assessment and gap analysis to clarify your requirement and build your implementation roadmap. Start with a no-obligation discovery call.
Cost and Impact Analysis
The financial commitment differs dramatically between the two levels. Level 1 implementation typically costs $3,000–$10,000 for a small business, encompassing documentation, policy creation, and annual self-assessment labor. Level 2 implementation costs range from $50,000 (for a well-prepared small business with a well-defined CUI environment) to $200,000+ (for a mid-sized contractor with distributed systems, legacy infrastructure, and complex CUI flows).
These costs break down into three categories:
- Technical remediation: Tools for auditing, encryption, endpoint protection, network segmentation, and vulnerability management. Many organizations find they need to invest in SIEM, EDR, PAM, and encryption platforms they previously lacked.
- Professional services: Gap analysis ($10,000–$30,000), SSP development ($15,000–$40,000), and C3PAO assessment fees ($20,000–$60,000 depending on assessment scope and complexity).
- Ongoing operations: Annual affirmation costs, continuous monitoring tools, and personnel time for control maintenance (typically 0.5–1.0 FTE for dedicated security personnel).
However, the cost of non-compliance far exceeds the cost of implementation. Contract loss alone can range from $500,000 to $50 million depending on contract value. Additionally, False Claims Act liability for false certifications can reach treble damages plus penalties of $13,946 per false claim under 31 U.S.C. § 3729.
Choosing the Right Path for Your Organization
For organizations handling FCI only, Level 1 is sufficient — but plan for potential CUI exposure if your contract scope changes or your prime contractor requires Level 2. Organizations that operate under DFARS 252.204-7012 or that handle technical data, engineering drawings, or export-controlled information should target Level 2 immediately.
If you are uncertain whether your data constitutes CUI, the safe approach is to begin Level 2 preparation. The DoD's CUI Registry and CUI Notice (available from the National Archives) can help you classify your data. Many organizations discover that data they considered unclassified FCI actually falls under CUI categories like "Controlled Technical Information" (CTI) or "Export Controlled Information" (EAR/ITAR).
CyberSilo recommends a phased approach: complete a CUI scoping analysis, then run a Level 2 gap assessment. If the gap is under 20% of the control set, full Level 2 certification is achievable within 6 months. For gaps above 50%, consider an 18-month timeline, with Level 1 certification in the interim to maintain contract eligibility while preparing for Level 2.
Get a Compliance Assessment for Your DoD Contracts
Our Compliance Standards Automation solution maps your current controls to CMMC Level 1 and Level 2 requirements, identifies gaps, and provides a prioritized remediation plan. We work with C3PAO partners to ensure your assessment is audit-ready. Contact our team to schedule your no-risk gap analysis.
Our Conclusion & Recommendation
For US organizations in the Defense Industrial Base, the decision between CMMC Level 1 and Level 2 is not optional — it is determined entirely by the data you handle under your DoD contract. Level 1 offers a straightforward, low-cost path for FCI-only contractors, while Level 2 represents a significant but necessary investment for any organization touching CUI. The DoD's phased rollout and the continued threat of False Claims Act penalties make proactive compliance the only viable strategy.
CyberSilo recommends starting with a CUI scoping analysis immediately, even if your current contract does not mandate CMMC. Our Compliance Standards Automation platform reduces the complexity of Level 2 implementation by automating control evidence collection, SSP generation, and POA&M tracking — cutting implementation time by up to 40% for mid-sized contractors. For organizations on the fence, we offer a risk-based assessment that models the cost of compliance against the cost of contract loss, so you can make a data-driven decision.
Ready to Determine Your CMMC Level?
Schedule a free discovery call with our compliance experts to receive a preliminary scoping assessment and implementation timeline tailored to your DoD contracts.
