CMMC Level 1 vs Level 2: Which One Does Your Contract Require?
CMMC Level 1 and Level 2 are not options you choose — they are requirements set by the information types your contract involves and the CMMC level the DoD specifies in the solicitation. Level 1 applies to contractors handling Federal Contract Information (FCI) with no Controlled Unclassified Information (CUI). Level 2 applies when the contract involves CUI. Getting the level wrong costs money twice: once for compliance built to the wrong standard, and again when the contracting officer flags the discrepancy at award.
Level 1 vs Level 2 at a Glance
| Factor | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Data type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Control set | 15 requirements (FAR 52.204-21) | 110 requirements (NIST SP 800-171 Rev. 2) |
| Assessment type | Annual self-assessment only | Triennial self-assessment or C3PAO (per contract) |
| SPRS posting | Required; annual affirmation | Required; triennial with annual affirmation |
| Third-party assessor | Not required or permitted for CMMC status | C3PAO required when DoD specifies it |
| Contract clause | FAR 52.204-21; DFARS 252.204-7021 (Level 1 specified); 32 CFR Part 170 | DFARS 252.204-7012 and 7019/7020 (NIST SP 800-171); DFARS 252.204-7021 (Level 2 specified); 32 CFR Part 170 |
| POA&M permitted | No | Yes, with restrictions (min. 88/110 for Conditional) |
| DoD cost estimate (Year 1) | ~$6,325 | $37,196 (self) to $104,670 (C3PAO) |
| Real market cost | $5,000–$20,000 (readiness + assessment) | $75,000–$300,000+ (readiness + assessment) |
CMMC Level 1 — What It Is and Who Needs It
Level 1 is the baseline layer of the CMMC program. Every DoD prime contractor and subcontractor that receives FCI must meet Level 1. The underlying safeguards already bind any contractor handling FCI through FAR 52.204-21, whether or not the contract carries DFARS 252.204-7021; what the CMMC clause adds is the obligation to self-assess against them, post the result in SPRS, and affirm it. Level 1 implements the 15 basic safeguarding requirements from FAR 52.204-21. These are foundational controls: limiting system access to authorized users, controlling information posted on publicly accessible systems, sanitizing media before disposal or reuse, escorting visitors, maintaining malware protection, and so on. Security awareness training is not among them; it enters at Level 2 through NIST SP 800-171.
The assessment is a self-assessment — meaning the contractor evaluates their own posture against all 15 requirements, then has a senior official affirm the result in the Supplier Performance Risk System (SPRS). No third-party assessor is required or permitted to issue a CMMC Level 1 status. Affirmation is required annually.
Critically: Level 1 has no POA&M provision. All 15 requirements must be fully implemented before the senior official affirms. Affirming a Level 1 self-assessment in SPRS while any requirement remains unimplemented is potential False Claims Act exposure.
The 15 Level 1 requirements by practice area
| Practice Area | Requirements | What It Covers |
|---|---|---|
| Access Control (AC) | 4 | Limit system access to authorized users and transactions; control connections to external systems and information posted on public systems |
| Identification & Authentication (IA) | 2 | Identify users, processes, and devices; authenticate them before granting access |
| Media Protection (MP) | 1 | Sanitize or destroy media containing FCI before disposal or reuse |
| Physical Protection (PE) | 2 | Limit physical access to systems and equipment to authorized individuals; escort and monitor visitors, keep physical access logs |
| System & Comm. Protection (SC) | 2 | Monitor and control communications at external and key internal boundaries; separate publicly accessible components from internal networks |
| System & Info. Integrity (SI) | 4 | Identify, report, and correct flaws; provide and update malware protection; scan systems and files |
CMMC Level 2 — What It Is and Who Needs It
Level 2 applies to any contract that involves Controlled Unclassified Information (CUI) as designated under Executive Order 13556 and the CUI Registry. CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, and that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. The applicable control set is the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Assessment methodology follows NIST SP 800-171A.
Level 2 has two assessment paths, and the contract specifies which one applies — not the contractor:
- Self-assessment path: The contractor assesses their own posture against all 110 requirements using NIST SP 800-171A, posts the SPRS score, and has a senior official affirm annually. A triennial re-assessment is required.
- C3PAO path: A Cyber AB-authorized Certified Third-Party Assessment Organization (C3PAO) conducts the assessment using NIST SP 800-171A. A passing result produces a Certificate of CMMC Status posted by the C3PAO. The certificate is valid for three years, with annual affirmations.
Unlike Level 1, Level 2 allows limited use of Plans of Action & Milestones (POA&Ms). Conditional Level 2 status requires a minimum score of 88 out of 110 and full implementation of all non-POA&M-eligible requirements. Open POA&M items must close within 180 days or Conditional status expires.
How to read your contract clause
| If your contract contains… | It likely means… | Start with… |
|---|---|---|
| FAR 52.204-21 only | FCI, Level 1 self-assessment | Level 1 gap review; 15-requirement self-assessment |
| DFARS 252.204-7012 | CUI handling; NIST SP 800-171 obligation that applies independently of CMMC | CUI scoping; Level 2 gap assessment |
| DFARS 252.204-7019/7020 | Current SPRS score required; DoD Assessment Methodology | Level 2 gap assessment; SPRS posting |
| DFARS 252.204-7021 (L2 Self) | CMMC Level 2 self-assessment required | Level 2 readiness; self-assessment + SPRS posting |
| DFARS 252.204-7021 (L2 C3PAO) | CMMC Level 2 C3PAO certification required | Level 2 readiness provider first; C3PAO engagement second |
Cost: What Level 1 vs Level 2 Actually Costs
The DoD published cost estimates as part of the 2024 CMMC Final Rule (89 Fed. Reg. 66924). These are government estimates based on modeling — real contractor costs diverge based on starting posture, environment complexity, and provider selection.
| Cost Category | Level 1 (DoD est.) | Level 2 Self (DoD est.) | Level 2 C3PAO (DoD est.) |
|---|---|---|---|
| First-year total | ~$6,325 | ~$37,196 | ~$104,670 |
| Recurring annual | ~$4,100 | ~$7,600 | ~$8,100 |
| Real market low end | $5,000 | $37,000 | $75,000 |
| Real market high end | $20,000 | $150,000+ | $300,000+ |
When Level 2 Catches Contractors Off Guard
The most common mistake we see: a contractor assumes they are Level 1 because their role feels "peripheral" (they make a part, write a subprogram, or manage a facility), then discovers their subcontract agreement has a CUI flow-down. Flow-down of CUI obligations is required under 32 CFR Part 170 — prime contractors must flow CMMC requirements to subcontractors who will process, store, or transmit CUI or provide security protection for CUI.
If a prime sends you drawings, specifications, or technical data marked as CUI and you store or process it on your systems, you likely have a Level 2 obligation regardless of what your contract clause says on its face. The designation follows the data, not just the clause.
Before assuming you're Level 1
- Review your prime's flow-down requirements in the subcontract
- Check whether any drawings, technical specs, or data files are CUI-marked
- Ask your prime whether they consider any shared data to be CUI
- If in doubt, engage a federal-contracts attorney for a clause review
Frequently Asked Questions
How do I know if I need Level 1 or Level 2?
Read your contract and subcontract agreement. If the solicitation or contract clause includes DFARS 252.204-7021 and specifies Level 2, you need Level 2. If your contract involves CUI (data a federal agency has designated under the CUI Registry), you need Level 2; DFARS 252.204-7012 or 7019/7020 in the contract is a strong signal that it does. If you only handle FCI with no CUI, the contract references FAR 52.204-21, and DFARS 252.204-7021 specifies Level 1, Level 1 applies. When in doubt, consult your contracting officer or a federal-contracts attorney.
Can a company self-assess at Level 2?
Yes, for certain contracts. CMMC Level 2 allows two paths: self-assessment for contracts where DoD has determined self-assessment is appropriate, and C3PAO third-party assessment for contracts where DoD requires it. The solicitation specifies which path applies. You cannot choose self-assessment on a contract that requires C3PAO certification.
Is Level 1 going away under CMMC Phase 2?
No. CMMC Level 1 remains active under 32 CFR Part 170. Phase 2 (beginning November 10, 2026) expands the requirement for Level 2 C3PAO assessments in applicable solicitations — it does not eliminate Level 1 for FCI-only contracts.
Does handling FCI automatically mean Level 1?
FCI is the minimum threshold for CMMC requirements — all DoD prime contractors and subcontractors receiving FCI must meet at least Level 1. But if the contract also involves CUI, the level rises to at least Level 2. And Level 2 can be specified in a solicitation even for contractors who believe their CUI volume is low.
Know your level — now figure out your path
Once you know you're Level 2, the next decision is self-assessment vs. C3PAO. Learn the cost, timeline, and risk differences before committing.
Related Guides
- CMMC Level 1 vs Level 2 vs Level 3 — Full Program Overview
- CMMC Level 2 Self-Assessment vs C3PAO: The Decision That Changes Your Cost
- CMMC Level 2 Cost: DoD Estimate vs Real Budget
- CMMC Certification Cost in 2026: Full Breakdown
- FCI vs CUI: The Distinction That Determines Your CMMC Level
- CMMC Gap Assessment: Scope, Cost, and What to Expect
- Best CMMC Consultants for Defense Contractors (2026)
- C3PAO Directory: Authorized CMMC Level 2 Assessors
- CMMC MSPs and MSSPs: How to Choose for Level 2 Readiness