CMMC Level 1 vs Level 2: Which One Does Your Contract Require?
The CMMC level you need isn't a choice. It's set by the data your systems touch and the clause buried in your contract. If your systems only handle Federal Contract Information (FCI) — basic, non-public contract information — you need CMMC Level 1: 15 safeguards from Federal Acquisition Regulation (FAR) clause 52.204-21, a self-assessment you renew every year, no outside auditor. If your systems handle Controlled Unclassified Information (CUI) — sensitive information the government requires you to protect — you need CMMC Level 2: all 110 requirements in NIST SP 800-171 Revision 2, verified every three years either by your own self-assessment or by a Certified Third-Party Assessment Organization (C3PAO). Your solicitation tells you which.
Here's the catch most pages miss: there are really three answersin front of you, not two — Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO). Pick the wrong one and you either lose a contract you were qualified for or spend six figures you didn't have to.
What we actually verified for this guide. We read the controlling rule text in the electronic Code of Federal Regulations — 32 CFR Part 170, sections 170.14 through 170.24. We confirmed the phase dates against the DoD Chief Information Officer's official CMMC program page. We pulled the cost figures from DoD's Regulatory Impact Analysis in the Federal Register. We checked the assessor ecosystem against the Cyber AB's March 2026 Town Hall data. Where a number was widely repeated but wrong — like “Level 1 has 17 practices” — we traced it back to the rule and corrected it. Full source list at the bottom, with verification dates.
In short: CMMC Level 1 and Level 2 cover different information types and carry different assessment obligations, so the level you need is set by your contract — specifically whether you handle FCI or CUI — not by choice. Which level and provider category fit your situation depends on those details; use Find My CMMC Path to confirm before requesting quotes.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
CMMC Level 1 vs Level 2 at a Glance
Quick answer: CMMC Level 1 protects FCI with 15 self-assessed safeguards renewed annually and no outside auditor. CMMC Level 2 protects CUI with the 110 requirements in NIST SP 800-171 Revision 2, verified every three years by either a self-assessment or a C3PAO depending on the contract. The decisive differences are the type of data, the requirement count (15 versus 110), who performs the assessment, and whether you can defer a gap with a plan of action (Level 1 cannot; Level 2 can, under strict limits).
| Factor | CMMC Level 1 (Foundational) | CMMC Level 2 (Advanced) |
|---|---|---|
| What triggers it | You process, store, or transmit FCI only | You process, store, or transmit CUI |
| Requirement count | 15 safeguards (FAR 52.204-21(b)(1)) | 110 requirements (NIST SP 800-171 Rev. 2), across 14 families |
| Assessment objectives | 59 (NIST SP 800-171A) | ~320 (NIST SP 800-171A) |
| Who assesses you | You do (self-assessment) | You do or a C3PAO — set by the contract |
| How often | Every year | Full assessment every 3 years + an annual affirmation |
| POA&M permitted? | Not allowed — all 15 must be met | Allowed for some requirements only; 180-day closeout |
| Conditional status? | No — pass or fail | Yes — Conditional, then Final within 180 days |
| System of record | SPRS | SPRS (self) / eMASS → SPRS (C3PAO) |
| Cloud handling CUI | No FedRAMP requirement | FedRAMP Moderate (or equivalent) for any cloud touching CUI |
| Best for | FCI-only DoD work — roughly 63% of the defense industrial base | Any contract or flow-down involving CUI |
| Contract clause | FAR 52.204-21; DFARS 252.204-7019/7020 | DFARS 252.204-7021; 32 CFR Part 170 |
| First move | Confirm you have no CUI in scope | Confirm CUI scope, then confirm Self vs C3PAO |
Two abbreviations to lock in now. SPRS is the Supplier Performance Risk System — DoD's official database where your CMMC status and affirmation live, and the system a contracting officer checks before award. A C3PAO is a Certified Third-Party Assessment Organization — a company authorized by the Cyber AB to perform official Level 2 assessments.
The Real Difference: FCI vs CUI (and Why So Many Contractors Guess Wrong)
Quick answer: The single fact that decides whether you need CMMC Level 1 or Level 2 is the type of government information your systems handle. FCI is non-public information provided by or generated for the government under a contract; CUI is information that laws, regulations, or government-wide policy require you to safeguard. FCI-only work points to Level 1. The presence of CUI points to Level 2.
Most people anchor on the wrong thing. They look at company size, contract dollar value, or how “important” they feel in the supply chain. None of that sets your level. The data does.
FCIis the floor. Per FAR 52.204-21, it's information not intended for public release that the government provides to you, or that you generate for the government, under a contract to deliver a product or service. Think non-public purchase order details, internal contract correspondence, delivery schedules that aren't published. If that's all you touch, Level 1 is your world.
CUIis the line that changes everything. It's a defined category of sensitive — but unclassified — information that the government requires you to protect under law, regulation, or government-wide policy. In defense work it shows up as CUI-marked technical drawings, controlled technical information, engineering specifications, export-controlled technical data, and certain security or operational information. If CUI lands in your environment, Level 1 is not enough, full stop.
At Level 1, only the information systems that store, process, or transmit FCI are in scope. Level 2 scoping is broader and more formal, which is part of why the jump from one level to the other is bigger than the requirement count alone suggests.
The trap that costs the most money
Assuming you have “no CUI” when you actually do. CUI is not always neatly labeled, and a prime may flow it to you inside drawings or specs without a flashing sign. When it's ambiguous, you ask the contracting officer or your prime, in writing, and you keep the answer. We give you the exact email to send in the next section.
Which CMMC Level Do You Need — Level 1 or Level 2?
Quick answer:You likely need Level 1 if your DoD work involves FCI and no CUI. You likely need Level 2 if your contract, subcontract, technical data, or a prime's flow-down involves CUI — but the solicitation or flow-down determines whether that Level 2 is self-assessed or C3PAO-assessed.
Run this in order. It's the same logic a good readiness advisor walks you through on day one.
- Does the solicitation or subcontract already name a CMMC status? If it says Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO), that's your answer — you're done guessing.
- Do you process, store, or transmit FCI? Almost certainly yes if you do any DoD work.
- Do you process, store, or transmit CUI?This is the swing question. If yes, you're in Level 2 territory.
- Is a prime flowing down CUI or a required CMMC status to you? If a prime sends you CUI, the obligation follows the data to you.
- If Level 2, does the clause say Self or C3PAO? Don't assume “Level 2” means “third party.” It often doesn't — yet.
When the answer is unclear, send this
“Please confirm whether this solicitation/subcontract requires CMMC Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO) for the systems we will use, and confirm whether any information we will receive or generate under this effort is designated as CUI. We want to scope our compliance correctly before we incur cost.”
If you only handle FCI and your contract names Level 1, hear this plainly: you do not need a six-figure Level 2 program, you do not need a C3PAO, and you should not let anyone sell you one. Your path is a Level 1 self-assessment you can largely run in-house. Read the Level 1 requirements section below, grab the readiness checklist, and you're most of the way there.
Still mapping your situation?
Tell us your data type, contract clause, level, scope, and timeline and we'll match you with source-checked CMMC provider options — readiness, secure-cloud/enclave, software, or assessment — that fit where you actually are. No pressure, no obligation.
Find My CMMC Path →CMMC Level 2 Self vs C3PAO: Which Level 2 Path Applies?
Quick answer:CMMC Level 2 has two assessment paths — Level 2 (Self), a self-assessment posted to SPRS, and Level 2 (C3PAO), an assessment performed by a Certified Third-Party Assessment Organization and recorded in eMASS. Both verify the same 110 NIST SP 800-171 Revision 2 requirements; the difference is who verifies and where it's recorded. The DoD program office or requiring activity decides which path a contract requires, and the solicitation specifies it (DFARS 252.204-7025). You do not get to pick the easier path.
Level 2 (Self) is your organization assessing itself against all 110 requirements, calculating a score, posting it to SPRS, and having a senior official affirm compliance. Full self-assessment every three years, affirmation every year.
Level 2 (C3PAO) is the same 110 requirements, but a Cyber AB-authorized C3PAO performs the assessment, issues a Certificate of CMMC Status, and the results flow through the CMMC instance of eMASS into SPRS. Reassessment every three years, affirmation every year.
During Phase 1(November 10, 2025 through November 9, 2026), DoD's own implementation focuses primarily on Level 1 and Level 2 self-assessments. Phase 2, beginning November 10, 2026, is when mandatory Level 2 C3PAO certification becomes standard for applicable contracts. But the actual clause in your contract always controls — and DoD can require a C3PAO for a sensitive Level 2 contract even during Phase 1.
| Level 2 (Self) | Level 2 (C3PAO) | |
|---|---|---|
| Who performs it | Your organization | Authorized C3PAO |
| Requirements assessed | 110 (NIST SP 800-171 Rev. 2) | 110 (NIST SP 800-171 Rev. 2) |
| Recorded in | SPRS | eMASS → SPRS, plus a Certificate of CMMC Status |
| Frequency | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Evidence handling | You hash and retain artifacts (6 yrs) | You hash and retain artifacts (6 yrs); C3PAO uploads hashes to eMASS |
| When it dominates | Phase 1; non-prioritized Level 2 work | Phase 2 onward; prioritized/sensitive CUI |
One rule that protects you and surprises people: your readiness help and your formal assessment should stay separate. The CMMC ecosystem has strict conflict-of-interest rules about a firm both advising you on compliance and then assessing you for the same scope. Confirm independence and conflict-of-interest handling before you sign either engagement.
Know CUI is in scope but not assessment-ready?
Compare readiness provider categories — RPOs, CMMC-focused MSPs/MSSPs, and enclave specialists who get you ready — before you schedule a C3PAO. Getting assessment-ready first is what keeps a C3PAO engagement from turning into an expensive failed audit.
Self-Assessment vs C3PAO: the full decision guide →What Are the CMMC Level 1 Requirements?
Quick answer:CMMC Level 1 is built on the 15 basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv). It is an annual self-assessment with an annual affirmation in SPRS, no POA&M is permitted, and the result is binary — every requirement must be fully met. The 15 requirements span six areas: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
CMMC Level 1 doesn't invent new security rules. It points to the 15 safeguards every federal contractor handling FCI has technically owed since FAR 52.204-21 took effect. Here they are in plain English.
| FAR 52.204-21(b)(1) safeguard | What it means in practice | Evidence you'd show |
|---|---|---|
| (i) Limit system access to authorized users | Only approved people, processes, and devices reach FCI systems | User list, access policy |
| (ii) Limit access to permitted functions | Users can only do what their role allows | Role/permission settings |
| (iii) Verify and control external connections | Manage and validate connections to outside systems | Firewall/VPN config, diagrams |
| (iv) Control publicly posted information | Keep FCI off public-facing systems | Public-release/review process |
| (v) Identify users | Every user and device is uniquely identified | Account inventory |
| (vi) Authenticate users | Verify identities before granting access (passwords, MFA) | Identity/authentication policy |
| (vii) Sanitize or destroy media | Wipe or destroy media with FCI before reuse/disposal | Disposal/sanitization records |
| (viii) Limit physical access | Control who physically reaches systems | Badge/visitor logs |
| (ix) Escort visitors, keep physical audit logs, manage access devices | Visitors are escorted and logged; keys/badges are controlled | Visitor log, key/badge inventory |
| (x) Monitor and protect communications at boundaries | Watch and defend the network's edges | Boundary monitoring configs |
| (xi) Separate public systems | Isolate publicly accessible components from internal networks | Network diagram showing segmentation |
| (xii) Identify and fix flaws | Patch known vulnerabilities promptly | Patch reports |
| (xiii) Protect against malicious code | Run anti-malware where it counts | EDR/AV console |
| (xiv) Update malware protection | Keep those protections current | Update logs |
| (xv) Scan files and the system | Scan downloads in real time and the system periodically | Security tool logs |
Notice safeguard (ix) does three jobs in one line — escorting visitors, keeping physical audit logs, and managing access devices. That explains the “15 vs 17” confusion we settle in the next section.
How you prove Level 1: you self-assess against all 15 requirements (measured across 59 assessment objectives in NIST SP 800-171A), achieve MET on every one, post the result to SPRS, and have a senior official affirm 100% compliance — then repeat annually (32 CFR §170.15, §170.22). What Level 1 does not require: no C3PAO, no 110-requirement program, no NIST 800-171 score, no POA&M.
And don't underestimate it. A senior official's affirmation is a formal attestation to the government. The Department of Justice's Civil Cyber-Fraud Initiative, launched in 2021, has used the False Claims Act against contractors that misrepresented their cybersecurity compliance. A careless “MET” you can't back up with evidence is real legal exposure. Keep your evidence — the rule expects you to retain assessment artifacts for six years.
What Are the CMMC Level 2 Requirements?
Quick answer: CMMC Level 2 requires full implementation of all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and measured across roughly 320 assessment objectives in NIST SP 800-171A. It demands a defined CUI scope, a System Security Plan, an evidence set, a calculated score, and either a self-assessment or a C3PAO assessment depending on the required CMMC status.
Level 2 is a different animal. Not 110 versus 15 as a number — 110 versus 15 as a program. You're documenting and proving an institutionalized security posture, not checking off basic hygiene.
| NIST SP 800-171 Rev. 2 family | Requirements | What it governs |
|---|---|---|
| Access Control (AC) | 22 | Who can reach CUI systems and what they can do |
| Awareness and Training (AT) | 3 | Security training for people who handle CUI |
| Audit and Accountability (AU) | 9 | Logging, monitoring, and audit trails |
| Configuration Management (CM) | 9 | Secure baseline configs and change control |
| Identification and Authentication (IA) | 11 | Identity, authentication, and MFA |
| Incident Response (IR) | 3 | Preparing for, reporting, and handling incidents |
| Maintenance (MA) | 6 | Controlled system maintenance |
| Media Protection (MP) | 9 | Protecting and sanitizing media holding CUI |
| Personnel Security (PS) | 2 | Screening and personnel actions |
| Physical Protection (PE) | 6 | Physical access controls |
| Risk Assessment (RA) | 3 | Vulnerability scanning and risk processes |
| Security Assessment (CA) | 4 | SSP, assessment, POA&M, continuous monitoring |
| System and Communications Protection (SC) | 16 | Boundary defense, encryption, comms protection |
| System and Information Integrity (SI) | 7 | Flaw remediation, malware defense, alerts |
| Total | 110 |
Three things to know before you scope a Level 2 program:
- A System Security Plan (SSP) isn't optional, and “we do that” isn't evidence. Level 2 requires documented policies and an SSP, and assessors score what you can prove. Without one, an assessor can't even complete the assessment. A control that's performed but undocumented fails.
- Cloud + CUI = FedRAMP. If you use a cloud service that processes, stores, or transmits CUI on a Level 2 effort — Self or C3PAO — that cloud offering must be FedRAMP Authorized at the Moderate baseline, or meet FedRAMP Moderate equivalency under DoD policy (32 CFR §170.16 and §170.17). This catches a lot of contractors who assumed their commercial cloud tenant was fine.
- Rev. 2, not Rev. 3 — and this matters.NIST has published Revision 3 of SP 800-171, and vendors will market “Rev. 3 readiness.” For CMMC today, the controlling standard is Revision 2— it's the version incorporated by reference in 32 CFR Part 170. Unless and until DoD amends the rule, Level 2 maps to Rev. 2. Be skeptical of anyone telling you Rev. 3 is required for CMMC right now.
Does CMMC Level 2 Include Level 1? (And the “15 vs 17” Myth, Settled)
Quick answer:Yes — for the same CMMC Assessment Scope, achieving Level 2 (Self) or Level 2 (C3PAO) satisfies the Level 1 (Self) requirements (32 CFR §170.16). The important qualifier is “same scope”: a Level 2 enclave does not automatically cover FCI systems outside that assessed boundary. Separately, CMMC Level 1 has 15 requirements, not 17— the “17” is a count of the NIST requirements those 15 map to.
The Final Rule states that achieving Level 2 for a given scope also satisfies Level 1 for that same CMMC Assessment Scope (32 CFR §170.16). The catch is in those last four words. If your Level 2 effort covers a CUI enclave but you still run FCI on systems outside it, those outside systems aren't automatically handled.
Now the myth. You've probably seen pages say CMMC Level 1 has “17 practices.” It's wrong, and here's the precise truth:
- CMMC Level 1 is 15 requirements. Per 32 CFR §170.14(c)(2), the Level 1 requirements are the 15 set out in FAR 52.204-21(b)(1)(i) through (xv). The Final Rule is blunt: the contractor must comply with all 15 requirements, and all must be met in full with no exceptions.
- Those 15 map to 17 NIST requirements. Per Table 2 to 32 CFR §170.15(c)(1)(ii), the 15 FAR safeguards map to 17 of the NIST SP 800-171 Rev. 2 requirements. One FAR safeguard — safeguard (ix) — splits into three NIST requirements; the other 14 align one-to-one. 14 + 3 = 17.
- Assessed across 59 objectives. In NIST SP 800-171A (Table 1 to §170.15), those 15 requirements are measured across 59 discrete assessment objectives.
So “17” isn't fiction — it's just answering a different question. Level 1 itself is 15 requirements. The “17” is how those 15 land on the NIST framework. If a source says “Level 1 has 17 practices” without that explanation, it's repeating a CMMC 1.0-era number it never updated.
POA&M, Conditional Status, SPRS, and Affirmations: What's Different Between Level 1 and Level 2
Quick answer:Level 1 permits no POA&M — every requirement must be fully met or you fail, and there is no conditional status. Level 2 allows a limited Plan of Action and Milestones: you can reach Conditional status with a score of at least 88 out of 110 (the 0.8 threshold), but only 47 of the 110 requirements are eligible to sit on a POA&M, and you have 180 days to close it and reach Final status. Both levels require an SPRS submission and an annual affirmation from a senior Affirming Official.
Level 1: no safety net.A POA&M — a documented plan to fix open gaps — is not permitted at Level 1, ever (32 CFR §170.21(a)(1)). If a requirement isn't met, you don't get to defer it, and you should not affirm Final Level 1 status. Pass or fail.
Level 2: a narrow safety net, with hard limits. Level 2 lets you reach Conditional status with some gaps still open — but the rule (32 CFR §170.21(a)(2)) fences it tightly:
- Your assessment score must be at least 0.8 — a score of 88 or higher out of 110 under the §170.24 scoring methodology, which weights some requirements more heavily than others.
- Only requirements worth 1 point can go on a POA&M. Every 3-point and 5-point requirement must be fully met at assessment.
- Six specific 1-point requirements are barred from a POA&M outright: AC.L2-3.1.20 and AC.L2-3.1.22 (controlling external connections and public-facing systems), CA.L2-3.12.4 (your System Security Plan), and PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5 (physical access controls).
- One narrow exception:CUI encryption (SC.L2-3.13.11), normally a 5-point control, may sit on a POA&M at a cost of 3 points if you're using encryption that simply isn't FIPS-validated yet.
The number to plan around: 63 of the 110 requirements must be fully met on assessment day — only 47 are even eligible for a POA&M. Multifactor authentication is on the must-be-met list (it's a 5-point control). So is a complete SSP. Don't walk into an assessment assuming you can defer your way to a pass.
Then the clock starts: you have 180 daysfrom the Conditional status date to close every POA&M item and complete a closeout assessment that converts you to Final(32 CFR §170.21(b)). Miss the 180 days and your Conditional status expires — and if that happens during a contract's period of performance, standard contractual remedies can follow.
SPRS and affirmations — what actually goes in:
- Level 1 in SPRS: level, status date, assessment scope, CAGE code(s), and a MET/NOT MET result.
- Level 2 in SPRS:level, status date, scope, CAGE code(s), your overall score, and POA&M status if applicable (the C3PAO path routes through eMASS first).
- The Affirming Officialis the senior person responsible for your compliance who has authority to affirm it. They affirm after every assessment — including a POA&M closeout — and annually thereafter (32 CFR §170.22). That annual affirmation is not clerical: let it lapse and your status can lapse with it. DFARS 252.204-7025 also makes a current CMMC status and affirmation a condition of award where a solicitation requires a specific status.
Subcontractors and Flow-Down: What Level Do You (or Your Subs) Need?
Quick answer: CMMC applies through the supply chain wherever a subcontractor processes, stores, or transmits FCI or CUI. A subcontractor handling FCI only can be required to meet Level 1; a subcontractor handling CUI must meet at least Level 2 (Self), and if the prime contract requires Level 2 (C3PAO), the subcontractor needs Level 2 (C3PAO) too; a prime with a Level 3 obligation must require its CUI-handling subcontractors to hold Level 2 (C3PAO). The obligation follows the data (32 CFR §170.23).
If you're a small sub, this is probably why you're here — a prime sent a note that said some version of “be CMMC Level 2 by [date].”Here's how the flow-down logic actually works.
| If the situation is… | The subcontractor must be at least… |
|---|---|
| Sub will handle FCI only | Level 1 (Self) |
| Sub will handle CUI, and the prime requirement is Level 2 (Self) | Level 2 (Self) — minimum |
| Sub will handle CUI, and the prime requirement is Level 2 (C3PAO) | Level 2 (C3PAO) |
| Prime has a Level 3 obligation and the sub handles CUI | Level 2 (C3PAO) |
The principle to remember: if you touch the data, the obligation can follow the data. A prime can require Level 1 of a sub that only handles FCI; the moment CUI flows to you, you're looking at Level 2 — and the assessment type matches the prime's obligation.
Before you spend a dollar reacting to a flow-down, get the specifics in writing. Send this to your prime:
“Please confirm the CMMC status required for our subcontract, whether CUI will be flowed down to us, whether the required status is Level 2 (Self) or Level 2 (C3PAO), and which systems or work packages are expected to process, store, or transmit that information.”
And know when to push back. If a prime generically demands “Level 2” without flowing any CUI and without a specified CMMC status in the contract, you're entitled to ask for clarification before you build a program you may not need. Calm, professional, in writing. See also: CMMC flow-down requirements explained.
How Much Does CMMC Level 1 vs Level 2 Cost?
Quick answer:A CMMC Level 1 self-assessment is inexpensive — DoD's Regulatory Impact Analysis models it at roughly $5,977 per year for a small entity, and industry-reported all-in costs typically run $5,000 to $20,000. Level 2 is far larger: DoD models the assessment-and-affirmation portion at about $37,196 over three years for a self-assessment and about $104,670 over three years for a C3PAO assessment — but those figures exclude the cost of actually implementing the controls. Industry-reported first-year Level 2 spend commonly runs $75,000 to over $300,000, with the assessment fee itself only 20–30% of the total.
| Cost view | Level 1 | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|---|
| DoD modeled cost (assessment + affirmation only) | ~$5,977/yr (small entity); ~$4,000 + ~$584 affirmation (other-than-small) | ~$37,196 over 3 years (small entity) | ~$104,670 (small) / ~$117,690 (other) over 3 years |
| What it does NOT include | Remediation if basic safeguards are missing | Implementing the 110 NIST controls | Implementation, tooling, enclave, managed services, scheduling delay |
| Industry-reported all-in | ~$5,000–$20,000 | Folded into program cost below | ~$75,000–$300,000+ first year |
| Main cost driver | Existing IT hygiene | CUI scope + evidence maturity | CUI scope + evidence maturity + assessment readiness |
Here's the part the official numbers don't shout: DoD's RIA deliberately excludes the cost of implementing the Level 1 and Level 2 security requirements. Why? Because the rule assumes you've already been required to meet NIST SP 800-171 since December 31, 2017, under DFARS clause 252.204-7012. So if you've genuinely been compliant since 2017, the modeled figures are close to your reality. If you haven't — and most of the defense industrial base hasn't fully — then your true Level 2 cost is the remediation, and that's where the bigger numbers live. On a C3PAO engagement, the assessment fee is typically only 20–30% of what you actually spend.
There is no honest single price for CMMC Level 2 until your scope is defined. Any provider who quotes you a serious Level 2 number before they've confirmed your CUI boundary, your assessment type, your cloud and external-provider dependencies, and your current evidence maturity is asking you to buy before anyone has defined the actual problem. A defined enclave that isolates CUI to a small boundary can cut scope — and cost — dramatically.
Quote-sanity checklist — require all of these before you sign anything
- The CUI boundary they assessed
- The required CMMC status (Level 2 Self or C3PAO)
- Every artifact and document included
- SSP and POA&M scope
- The cloud/external-service-provider responsibility matrix
- Their assumption about your current readiness
- What's explicitly excluded
Want quotes that actually match your scope?
Tell us your level, assessment path, CUI boundary, and timeline, and we'll help you line up scoped quotes from matched provider categories — so you're comparing apples to apples before you commit.
Get Matched →Which Provider Type Should You Talk to First?
Quick answer:If you're Level 1, you may only need an internal owner plus, optionally, a Registered Practitioner Organization (RPO) or an MSP familiar with FAR 52.204-21. If you're Level 2 but not assessment-ready, start with readiness, scoping, MSP/MSSP, enclave, or GRC software help before engaging a C3PAO for formal assessment. Readiness/remediation and formal assessment should remain separate engagements under CMMC conflict-of-interest rules.
| Provider category | Best for | Not for | What to verify before hiring |
|---|---|---|---|
| RP / RPO (Registered Practitioner / Organization) | Readiness planning, gap interpretation, light validation | Issuing any certification | Cyber AB listing, scope of advice, independence limits |
| MSP / MSSP (Managed / Managed Security Service Provider) | Implementing controls, running your security stack | Performing a formal C3PAO assessment | CUI experience, shared-responsibility split, who owns the tools |
| CUI enclave provider | Shrinking scope by isolating CUI workflows | Enterprise-wide compliance by default | Boundary design, FedRAMP/CSP/ESP responsibilities, evidence exports |
| GRC / evidence software | SSP/POA&M workflow, evidence, ongoing compliance ops | Replacing actual security controls | Data handling, templates, evidence traceability |
| C3PAO | The formal Level 2 (C3PAO) assessment | Readiness or remediation for that same engagement | Current Cyber AB authorization, assessor team, conflict-of-interest handling |
A note on software: no software, by itself, satisfies CMMC. GRC and evidence platforms are a genuine help for managing the work — but they're a supporting layer, not the whole solution. You still have to implement and prove the controls.
If your Level 2 path requires a C3PAO, verify their status yourself
In January 2025, the DoD Office of Inspector General published an audit (Report No. DODIG-2025-056) finding that DoD had not effectively implemented the process for authorizing C3PAOs to perform Level 2 assessments. Reviewing 11 of the 48 C3PAOs authorized as of September 2023, the OIG found two authorized without a signed C3PAO Agreement and Code of Professional Conduct, four without verified quality-control-lead credentials, and all 11 without sufficient confirmation that a certified assessor and certified quality control lead were on the team.
We're not raising this to scare you, and the process has continued to mature since that audit. The practical takeaway is simple: when a C3PAO is required, confirm their current authorization directly in the Cyber AB Marketplace and ask about assessor credentials and conflict-of-interest handling before you rely on the engagement.
See our guide: Which CMMC provider type should you hire first? and Best C3PAOs for CMMC Level 2.
When Does CMMC Actually Hit Your Contracts? The Phase-In Timeline and the Readiness Reality
Quick answer: CMMC is phasing into contracts over four phases. Phase 1 runs November 10, 2025 through November 9, 2026, putting Level 1 and Level 2 self-assessments into applicable solicitations. Phase 2 begins November 10, 2026, making Level 2 C3PAO certification standard for applicable contracts. Phase 3 begins November 10, 2027 and introduces Level 3 (DIBCAC-assessed). Phase 4, full implementation, begins November 10, 2028.
- Phase 1 — Nov. 10, 2025 through Nov. 9, 2026. Where applicable, solicitations require Level 1 or Level 2 self-assessment. C3PAO can be required at DoD's discretion for sensitive contracts.
- Phase 2 — begins Nov. 10, 2026. Where applicable, solicitations require Level 2 certification (C3PAO). For many CUI-handling contractors, this is the date that matters.
- Phase 3 — begins Nov. 10, 2027. Level 2 (C3PAO) broadens, and Level 3 (assessed by DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center) appears for the most sensitive programs.
- Phase 4 — begins Nov. 10, 2028. Full implementation across applicable contracts.
Here's the state of the assessor ecosystem — a snapshot from the Cyber AB's March 2026 Town Hall, which we re-verify quarterly:
- As of the March 2026 Cyber AB Town Hall, roughly 103 C3PAOs were authorized to perform official assessments (up from 98 in February), supported by about 759 certified assessors.
- Industry analysis put the number of organizations with a Level 2 certification at roughly 1,000 to date — around 1% of the defense industrial base expected to need it.
- DoD estimates 8,350 medium and large entities will need Level 2 (C3PAO) as a condition of award (the broader total-Level-2 population, including small businesses, is commonly cited at 80,000-plus).
Do the math, and the urgency isn't a sales tactic — it's arithmetic. Level 2 readiness typically takes 6 to 18 months. Phase 2 lands November 10, 2026. And only about 1% of the companies that will need Level 2 have it. Our editorial read: the binding constraint for most contractors is no longer assessor supply — it's their own readiness. If a contract you intend to bid or renew will require Level 2, the realistic question isn't “when is the deadline” — it's “do I have enough runway.” Often the answer is: start scoping now.
What to Do Next: Your First 72 Hours, 30 Days, and 90 Days
Quick answer:If a contract or prime points you toward Level 2, don't start by buying software or booking an assessment. Start by confirming the required CMMC status, identifying your CUI boundary, documenting your systems and external providers, checking your current NIST SP 800-171 posture, and only then deciding whether you need readiness help, an enclave strategy, or a C3PAO.
First 72 hours
- Save the exact solicitation or flow-down language.
- Identify the required CMMC status (Level 1, Level 2 Self, or Level 2 C3PAO).
- Confirm whether CUI is in scope.
- If it's ambiguous, send the written clarification email to your contracting officer or prime (templates above).
- List the systems that process, store, or transmit FCI/CUI.
- List your cloud and external-service-provider dependencies.
- Pull your current SPRS/NIST 800-171 score, if you have one.
- Assign one internal owner. One.
First 30 days
Define your CUI boundary, draft your SSP, build an evidence inventory, produce a gap list, develop a realistic cost range, and shortlist provider categories — not providers, categories. Use the CMMC readiness checklist to structure this work.
First 90 days
Remediate the highest-risk gaps first, validate your evidence, and prepare either your self-assessment or your readiness plan for the C3PAO path. Build conservative POA&Ms where the rule allows them — and don't leave no-POA&M items or any requirement worth more than 1 point (multifactor authentication among them) for “later,” because those can block your Conditional status.
What We Actually Verified for This Guide
This guide separates three kinds of claims — regulatory facts cited to the controlling rule, current-state facts that are dated and re-verified on a schedule, and editorial judgments framed as our conclusions based on those facts.
Primary and authoritative sources we read:
We used practitioner forums and competitor pages only to understand how contractors describe this problem and what trips them up — never as authority for a regulatory, contractual, or assessment claim. Cost ranges labeled “industry-reported” are composites of public industry analyses, not DoD figures. Interpreting a specific contract can require federal-contracts counsel. Provider authorization status changes — verify it live. Our editorial standards, methodology, and corrections policy are published separately.
Frequently Asked Questions: CMMC Level 1 vs Level 2
Is CMMC Level 1 enough if we handle CUI?
No. Level 1 is the FCI/basic-safeguarding level. If CUI is in scope, Level 2 is the relevant level, with the assessment path (Self or C3PAO) set by the solicitation or flow-down.
How many requirements are in CMMC Level 1?
Fifteen. CMMC Level 1 uses the 15 safeguards in FAR 52.204-21(b)(1). Some sources say 17, which is the count of NIST SP 800-171 Rev. 2 requirements those 15 map to — not a count of Level 1 requirements.
How many requirements are in CMMC Level 2?
One hundred and ten, from NIST SP 800-171 Revision 2, across 14 control families.
Does every CMMC Level 2 contractor need a C3PAO?
No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO). The solicitation or flow-down determines which, and the DoD program office or requiring activity makes that call.
Does Level 2 satisfy Level 1?
Yes, for the same CMMC Assessment Scope (32 CFR §170.16). Confirm that the scope covers any FCI systems outside your Level 2 boundary.
Can we self-assess at Level 2?
Yes, when the required status is Level 2 (Self). No, when the solicitation or flow-down requires Level 2 (C3PAO).
Can we use a POA&M at Level 1?
No. A POA&M is not permitted at Level 1 — all 15 requirements must be met.
Can we use a POA&M at Level 2?
Yes, but only for some requirements. You need a score of at least 88 out of 110, only 1-point requirements are eligible (63 of the 110 must be fully met at assessment, including multifactor authentication and your SSP), six specific 1-point requirements are barred outright, and any POA&M must be closed within 180 days.
Is NIST SP 800-171 Rev. 3 required for CMMC Level 2?
Not under the current rule. CMMC Level 2 maps to NIST SP 800-171 Revision 2 unless DoD amends 32 CFR Part 170.
What if our prime demands Level 2 but we don't think we receive CUI?
Ask for written clarification of the required CMMC status, whether CUI is being flowed down, and which systems are in scope — before you spend.
Should we hire a C3PAO first?
Only if you're assessment-ready or specifically need the formal Level 2 (C3PAO) assessment. If you need scoping, remediation, evidence, or implementation, start with readiness/provider-category help — and remember the same firm generally shouldn't both remediate and assess you for the same scope. See: best CMMC providers for small business.
Is CMMC Level 1 going away?
No. Level 1 remains part of the program. Phase 2 expands C3PAO use for applicable Level 2 contracts; it does not eliminate Level 1.
Which provider category fits your situation
- If your contract points to Level 1 (FCI only),the 15 FAR 52.204-21 safeguards and the annual self-assessment are usually a self-serve job — many small suppliers don't need a paid provider to start.
- If your contract points to Level 2 (Self), a Registered Provider Organization (RPO) / Registered Practitioner (RP) or an MSSP (Managed Security Service Provider) can help you scope CUI and implement the 110 NIST SP 800-171 Rev. 2 requirements before you self-attest.
- If your contract points to Level 2 (C3PAO), a Certified Third-Party Assessment Organization (C3PAO) performs the formal assessment — engage one once you're assessment-ready, and remember the same firm generally shouldn't both remediate and assess the same scope.
- You don't need a C3PAO yet ifyou're still unsure whether you receive CUI or only FCI — ask for written clarification of your required CMMC status and scope first.
Related Guides
- CMMC Level 1 vs Level 2 vs Level 3 — Full Program Overview
- CMMC Level 2 Self-Assessment vs C3PAO: The Decision That Changes Your Cost
- CMMC Level 2 Cost: DoD Estimate vs Real Budget
- CMMC Readiness Checklist: Level 1 and Level 2
- Which CMMC Provider Type Should You Hire First?
- Best C3PAOs for CMMC Level 2 Assessments
- Best CMMC Providers for Small Business
- CMMC Flow-Down Requirements: What Subcontractors Must Know
- SPRS Score: What It Is and How to Submit It
Need help deciding what type of CMMC provider you need?
If you now know your data type, your likely path, and what to verify in writing, you've done the hard part. Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.
Get Matched →Find My CMMC Path
The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →