CMMC Level 1 vs Level 2: Which One Does Your Organization Need?
March 15, 2026 · 10 min read
One of the most common questions we hear from defense contractors is: “Do I need CMMC Level 1 or Level 2?” The answer depends entirely on the type of information you handle — and getting it wrong could mean either wasting resources on unnecessary compliance work or, worse, being ineligible for contracts you thought you could bid on.
The Key Distinction: FCI vs CUI
The entire CMMC framework revolves around two types of information:
Federal Contract Information (FCI)
Information provided by or generated for the government under a federal contract that is not intended for public release.
Examples: Contract terms, delivery schedules, pricing data, performance reports, internal project communications about government work.
→ Requires CMMC Level 1
Controlled Unclassified Information (CUI)
Information the government creates or possesses that requires safeguarding per law, regulation, or government-wide policy — but is not classified.
Examples: Technical drawings, engineering data, test results, export-controlled data, PII, vulnerability assessments, system security plans.
→ Requires CMMC Level 2
Side-by-Side Comparison
| Feature | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Information Type | FCI only | CUI (and FCI) |
| Number of Controls | 17 practices | 110 requirements |
| Based On | FAR 52.204-21 | NIST SP 800-171 Rev 2 |
| Assessment Type | Self-assessment (annual) | Self or C3PAO (every 3 years) |
| POA&M Allowed? | No — all 17 must be met | Yes — limited, time-bound |
| SSP Required? | Not explicitly required | Yes — mandatory |
| Typical Timeline | 1-3 months | 6-18 months |
| Estimated Cost | $5K – $30K | $50K – $500K+ |
How to Determine Your Required Level
Follow these steps to identify your CMMC requirement:
Review Your Contract Language
Look for DFARS clauses. DFARS 252.204-7012 indicates you handle CUI (Level 2). DFARS 252.204-7021 specifies the exact CMMC level required. FAR 52.204-21 alone typically means Level 1.
Check for CUI Markings
Do you receive documents, emails, or data marked as CUI, FOUO, ITAR, or with CUI category designations? If yes, you almost certainly need Level 2.
Talk to Your Prime Contractor
If you’re a subcontractor, your prime will flow down CMMC requirements. Ask them directly what level is needed for the data you’ll access.
When In Doubt, Plan for Level 2
If there’s any ambiguity about whether you handle CUI, it’s safer to prepare for Level 2. The additional investment protects you from future contract requirements and demonstrates a strong security posture to primes.
Common Misconceptions
Myth: “We’re too small to need Level 2.” — Reality: Size doesn’t matter. A 5-person subcontractor handling CUI needs Level 2 just like a 5,000-person prime.
Myth: “Level 1 is just good enough.” — Reality: Level 1 only covers FCI. If your contract involves CUI in any way, Level 1 compliance is insufficient.
Myth: “We can get certified later when contracts require it.” — Reality: CMMC Level 2 implementation takes 6-18 months. By the time a contract requires it, it’s too late to start.
Start With Level 1, Build Toward Level 2
If you’re new to CMMC, Level 1 is a great starting point even if you ultimately need Level 2. The 17 Level 1 practices are a subset of the 110 Level 2 requirements, so achieving Level 1 gives you a solid foundation. From there, you can systematically work through the remaining 93 requirements with a clear gap analysis and implementation plan.