
CMMC Level 1 vs Level 2: Which Do You Need?

See how CyberSilo helps you win and keep DoD contracts for US organizations. Practical guidance on cmmc level 1 vs level 2 with expert support.

📅 Published: June 2026 🔐 Cybersecurity • CMMC • USA ⏱️ 1,900 words

For US organizations seeking Department of Defense (DoD) contracts, the difference between CMMC Level 1 and CMMC Level 2 is the difference between self-assessment and third-party certification: Level 1 requires safeguarding Federal Contract Information (FCI) by meeting the 15 basic requirements of FAR 52.204-21, assessed by the contractor itself, while Level 2 requires protecting Controlled Unclassified Information (CUI) by meeting all 110 NIST SP 800-171 Rev 2 requirements, in most cases verified by a Certified Third-Party Assessment Organization (C3PAO). The required level is stated in each solicitation, and it turns on whether the work involves CUI: if it does, Level 2 is a condition of award.

What Is CMMC Level 1?

CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, administered by the DoD. It applies to contractors who handle Federal Contract Information (FCI) — information not intended for public release that is generated or provided by the government under a contract. Level 1 requires implementation of 15 basic security practices drawn from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

These 15 requirements map to six NIST SP 800-171 families: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. For example, contractors must limit system access to authorized users, identify and authenticate users before granting access, sanitize or destroy media containing FCI before disposal or reuse, control physical access, protect the system boundary, and keep malicious-code protection and security patches current. Note what Level 1 does not require: audit logging, security awareness training, and incident response are not Level 1 requirements; they appear at Level 2. The critical distinction is self-assessment: Level 1 requires an annual self-assessment and an affirmation by a senior company official in the Supplier Performance Risk System (SPRS), with no third-party assessment. No Plan of Action and Milestones (POA&M) is permitted at Level 1, so all 15 requirements must be fully met when the affirmation is made.

Level 1 is designed for organizations that do not handle CUI but still process, store, or transmit FCI. Under the CMMC program rule (32 CFR Part 170), published in October 2024, a Level 1 self-assessment and SPRS affirmation will be required for contracts involving FCI but no CUI once the CMMC clause appears in the solicitation. Organizations currently attesting to FAR 52.204-21 will need to formalize that attestation as a CMMC Level 1 self-assessment.

What Is CMMC Level 2?

CMMC Level 2 is the core certification tier for organizations that process, store, or transmit Controlled Unclassified Information (CUI). CUI includes a wide range of data types — from technical drawings and scientific data to export-controlled information and proprietary business data — that require safeguarding under laws, regulations, and government-wide policies.

Level 2 requires implementation of all 110 security requirements of NIST SP 800-171 Rev 2, organized into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Unlike Level 1, Level 2 for most CUI contracts demands a certification assessment by a C3PAO accredited by the Cyber AB (the CMMC Accreditation Body). The rule also defines a Level 2 self-assessment variant that the DoD may specify for a smaller set of contracts, but contractors should plan for the C3PAO path unless the solicitation says otherwise.

The DoD estimates that approximately 70,000 contractors within the Defense Industrial Base (DIB) will require Level 2 certification. A Level 2 certification is valid for three years, with annual affirmations required in SPRS. Organizations already compliant with NIST SP 800-171, as required under DFARS clause 252.204-7012, are not automatically CMMC Level 2 certified; they must still undergo a C3PAO assessment once the CMMC clause appears in their contracts.

Key Takeaways: CMMC Level 1 vs Level 2

  • Data type: Level 1 protects FCI; Level 2 protects CUI.
  • Controls: Level 1 requires 15 practices; Level 2 requires all 110 NIST SP 800-171 controls.
  • Assessment: Level 1 is self-assessment; Level 2 requires a C3PAO third-party audit.
  • Cost range: Level 1 costs $3,000–$10,000 typically; Level 2 costs $50,000–$200,000+ depending on system complexity.
  • Validity: Both require annual affirmation; Level 2 certification is valid for three years.
  • Phasing: the DFARS rule that places CMMC requirements in solicitations took effect in November 2025. Phase 1 (Level 1 and Level 2 self-assessments) began then, Phase 2 (Level 2 C3PAO certification) follows one year later, and CMMC requirements reach all applicable solicitations in the fourth and final phase in 2028.

Key Differences: Detailed Comparison

The comparison below covers the dimensions that matter most to organizations choosing between CMMC Level 1 and Level 2; each row gives the Level 1 position first, then Level 2.

  • Data protected. Level 1: FCI only. Level 2: CUI, plus any FCI in the same environment.
  • Number of controls. Level 1: 15 requirements (FAR 52.204-21). Level 2: 110 requirements (NIST SP 800-171 Rev 2).
  • Assessment type. Level 1: annual self-assessment plus SPRS affirmation. Level 2: C3PAO certification assessment every three years, plus annual SPRS affirmation.
  • Typical implementation time. Level 1: 2 to 4 weeks. Level 2: 6 to 18 months.
  • Estimated cost (assessment plus remediation). Level 1: $3,000 to $10,000. Level 2: $50,000 to $200,000 or more.
  • Scoping. Level 1: the assets that process, store, or transmit FCI. Level 2: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets, with Out-of-Scope Assets documented as such.
  • Required documentation. Level 1: basic policies and procedures and a record of the self-assessment. Level 2: a System Security Plan (SSP) and POA&M as required by NIST SP 800-171, plus written policies, procedures, and evidence for each of the 110 requirements (commonly including an incident response plan, a configuration management plan, and an access control policy).
  • Consequence of non-compliance. Level 1: ineligibility for award; potential False Claims Act liability for a false affirmation. Level 2: ineligibility for award; potential False Claims Act liability; possible suspension or debarment; mandatory cyber incident reporting to DoD under DFARS 252.204-7012 if CUI is compromised.

How to Determine Which Level Applies to Your Organization

The determining factor is whether your DoD contract involves Controlled Unclassified Information (CUI). The CUI Registry, maintained by the National Archives' Information Security Oversight Office (ISOO), lists more than 120 categories of CUI in roughly 20 organizational groupings, including Controlled Technical Information (CTI), critical infrastructure data, export controlled information (EAR/ITAR), and defense-related proprietary business information; the DoD publishes its own DoD CUI Registry reflecting the categories it uses.

Here is a practical decision framework:

  • The solicitation or contract cites the CMMC clause and names the required level: plan to that level. The requiring activity sets it, and a prime must flow the same requirement down to subcontractors that will handle the same kind of information.
  • The contract carries DFARS 252.204-7012, or you will receive or generate technical data, drawings, specifications, or export-controlled information: assume CUI and plan for Level 2.
  • You receive only FCI (contract administration data, unmarked deliverables, correspondence not intended for public release): Level 1.
  • Your systems never touch non-public government information at all (for example, a pure commercial off-the-shelf supply arrangement): CMMC may not apply; confirm with the contracting officer.

Organizations that contract exclusively with DoD components that do not generate or share CUI, for example certain administrative or facilities contracts, may qualify for Level 1. Err on the side of caution, though: the contractor is responsible for scoping its own environment and for the accuracy of its SPRS affirmation, so if CUI later turns up in systems covered only by a Level 1 affirmation, that affirmation is wrong and the contract is at risk.

Implementation Pathways for Each Level

Implementing CMMC Level 1

Level 1 implementation is straightforward but requires disciplined execution. Begin by scoping your covered contractor information system, the assets that process, store, or transmit FCI, and clearly delineate them from other corporate and personal systems. Then implement the 15 requirements of FAR 52.204-21: limit system access to authorized users and permitted transactions; control connections to external systems and information posted on publicly accessible systems; identify and authenticate users, processes, and devices; sanitize or destroy media containing FCI before disposal or reuse; limit and log physical access and escort visitors; monitor and protect communications at the system boundary and separate publicly accessible components from internal networks; and identify, report, and correct flaws, run and update malicious-code protection, and scan files from external sources. Multifactor authentication, audit logging, and formal incident response are not among the 15; they become requirements at Level 2.

Document your policies and procedures in a simple security plan. Conduct an annual self-assessment using the DoD's CMMC Assessment Guide for Level 1, and affirm the results in SPRS. Most organizations can complete Level 1 implementation in 2 to 4 weeks with focused effort, making it achievable even for small businesses with limited cybersecurity resources.

Implementing CMMC Level 2

Level 2 implementation is a substantial enterprise effort. The 110 NIST SP 800-171 requirements span 14 families, many of which require significant technical investment. Start by conducting a gap analysis against the full control set, scored with the NIST SP 800-171 DoD Assessment Methodology so you know where you stand on the 110-point scale used by assessors.

Create a System Security Plan (SSP) that documents your CUI environment, including all assets (CUI assets, security protection assets, contractor risk managed assets, and specialized assets). Develop a Plan of Action and Milestones (POA&M) for any requirements not fully implemented at the time of assessment, but note the limits the rule places on it: a POA&M is allowed at Level 2 only if the assessment score is at least 88 of 110, only 1-point requirements (plus the FIPS-validated CUI encryption requirement) may be left open, a handful of 1-point requirements are excluded outright, and every open item must be closed and verified within 180 days of the assessment or the conditional certification lapses. Engage a C3PAO for the formal assessment, which typically involves 2 to 5 days of on-site or remote evaluation.

Most medium-sized contractors report 6–18 months for full Level 2 implementation. CyberSilo Compliance Standards Automation can accelerate this timeline by automating evidence collection, control mapping, and SSP generation, reducing implementation time by up to 40% based on client benchmarks.

Important compliance note: the CMMC program rule (32 CFR Part 170, effective December 2024) and the DFARS rule that places CMMC in contracts (effective November 2025) together establish a phased rollout. Phase 1 began in November 2025 with Level 1 and Level 2 self-assessments, Phase 2 (Level 2 C3PAO certification) follows one year later, and CMMC requirements apply to all applicable solicitations in the final phase in 2028. Organizations should begin scoping and gap analysis now, even if their current contracts do not yet mandate CMMC. Non-compliance at the time of award will result in contract ineligibility. Additionally, the False Claims Act continues to apply: knowingly making a false affirmation of compliance in SPRS can lead to substantial financial penalties and can expose the company to suspension or debarment.

Determine Your CMMC Level With Expert Guidance

Unsure whether your organization handles CUI or needs Level 2 assessment? CyberSilo's compliance specialists can conduct a preliminary scoping assessment and gap analysis to clarify your requirement and build your implementation roadmap. Start with a no-obligation discovery call.

Cost and Impact Analysis

The financial commitment differs dramatically between the two levels. Level 1 implementation typically costs $3,000 to $10,000 for a small business, encompassing documentation, policy creation, and annual self-assessment labor. Level 2 implementation costs range from $50,000 (for a well-prepared small business with a well-defined CUI environment) to $200,000 or more (for a mid-sized contractor with distributed systems, legacy infrastructure, and complex CUI flows).

However, the cost of non-compliance far exceeds the cost of implementation. Contract loss alone can range from $500,000 to $50 million depending on contract value. Additionally, False Claims Act liability for false certifications can reach treble damages plus inflation-adjusted civil penalties under 31 U.S.C. § 3729 of $13,946 to $27,894 per false claim (2024 figures).

Choosing the Right Path for Your Organization

For organizations handling FCI only, Level 1 is sufficient — but plan for potential CUI exposure if your contract scope changes or your prime contractor requires Level 2. Organizations that operate under DFARS 252.204-7012 or that handle technical data, engineering drawings, or export-controlled information should target Level 2 immediately.

If you are uncertain whether your data constitutes CUI, the safe approach is to begin Level 2 preparation. The CUI Registry and the CUI Notices published by the National Archives can help you classify your data. Many organizations discover that data they considered unmarked FCI actually falls under CUI categories such as Controlled Technical Information (CTI) or Export Controlled information subject to the EAR or ITAR.

CyberSilo recommends a phased approach: complete a CUI scoping analysis, then run a Level 2 gap assessment. If the gap is under 20% of the control set, full Level 2 certification is achievable within 6 months. For gaps above 50%, plan on an 18-month timeline. A Level 1 self-assessment covers only FCI-only work and does not satisfy a Level 2 requirement, so treat it as an interim step only for contracts that genuinely carry no CUI.

Get a Compliance Assessment for Your DoD Contracts

Our Compliance Standards Automation solution maps your current controls to CMMC Level 1 and Level 2 requirements, identifies gaps, and provides a prioritized remediation plan. We work with C3PAO partners to ensure your assessment is audit-ready. Contact our team to schedule your no-risk gap analysis.

Our Conclusion & Recommendation

For US organizations in the Defense Industrial Base, the decision between CMMC Level 1 and Level 2 is not optional — it is determined entirely by the data you handle under your DoD contract. Level 1 offers a straightforward, low-cost path for FCI-only contractors, while Level 2 represents a significant but necessary investment for any organization touching CUI. The DoD's phased rollout and the continued threat of False Claims Act penalties make proactive compliance the only viable strategy.

CyberSilo recommends starting with a CUI scoping analysis immediately, even if your current contract does not mandate CMMC. Our Compliance Standards Automation platform reduces the complexity of Level 2 implementation by automating control evidence collection, SSP generation, and POA&M tracking — cutting implementation time by up to 40% for mid-sized contractors. For organizations on the fence, we offer a risk-based assessment that models the cost of compliance against the cost of contract loss, so you can make a data-driven decision.

Ready to Determine Your CMMC Level?

Schedule a free discovery call with our compliance experts to receive a preliminary scoping assessment and implementation timeline tailored to your DoD contracts.
