CMMC Level 1 vs Level 2: Which Level Does Your Business Need?
The difference between Level 1 and Level 2 is huge — in cost, time, and effort. This guide walks you through the decision.
How to Determine Your CMMC Level
CMMC 2.0 has three levels, but in practice almost all defense contractors fall into Level 1 or Level 2. The level you need determines how complex and costly your compliance path will be — and the dividing line is a single question: do you handle Controlled Unclassified Information (CUI)?
Level 1 covers companies that handle Federal Contract Information (FCI) but not CUI. It requires 17 cybersecurity practices aligned to FAR 52.204-21 and can be satisfied through annual self-attestation. No third-party assessment required. Typical cost: $5,000–$30,000 for a small business to achieve and maintain.
Level 2 covers companies that handle CUI. It requires 110 security practices aligned to NIST SP 800-171. Most Level 2 companies need a third-party assessment from a CMMC Third Party Assessor Organization (C3PAO). A small subset of Level 2 companies with lower-priority programs may qualify for self-attestation under DoD discretion. Cost: typically $50,000–$300,000+ depending on company size and current security posture.
Level 3 is reserved for companies handling the most sensitive programs and involves government-led assessments. It applies to very few contractors and is out of scope for most DIB (Defense Industrial Base) companies. This guide helps you identify which level applies based on your contract type and data handling. If you're not yet sure whether CMMC applies to you at all, start with the quiz.
The Key Question
What kind of information do you handle?
CMMC level is determined by the type of data in your environment, not your company size or contract value.
Ask yourself: do any of these apply?

Signs that you handle CUI (pointing to Level 2):

- Do you receive engineering drawings or design specs from the prime?
- Do files or documents in your work arrive marked "CUI", "FOUO", or "Controlled"?
- Do you make parts or assemblies based on technical data packages?
- Does your work involve defense systems, weapons, or export-controlled technology?

Signs that you handle only FCI (pointing to Level 1):

- Do you only submit invoices, pricing, and delivery status?
- Is your role purely administrative (scheduling, billing, logistics)?

If you're still unsure, ask your prime contracting officer whether the data they send you qualifies as CUI. They are required to identify and mark it. If they haven't, that's a conversation worth having.
You likely need Level 1.
Level 1 is designed for contractors that handle only basic Federal Contract Information. It requires 17 foundational cybersecurity practices — things like antivirus, access controls, and patch management — and an annual self-assessment. No third-party assessor required.
At a glance: 17 controls; self-assessment; annual frequency; $5K–$15K Year 1 cost.
You likely need Level 2.
Level 2 applies when you handle CUI. It requires 110 security practices drawn from NIST SP 800-171, a formal assessment by a Certified Third-Party Assessment Organization (C3PAO), and recertification every 3 years. This is where most defense contractors land.
At a glance: 110 controls; C3PAO assessment; 3-year cycle; $80K–$315K Year 1 cost.
Side-by-Side Comparison
Level 1 vs Level 2 at a glance
| Factor | Level 1 | Level 2 |
|---|---|---|
| Data type | FCI only | CUI + FCI |
| Controls required | 17 practices | 110 practices (NIST 800-171) |
| Assessment type | Annual self-assessment | C3PAO third-party audit |
| Recertification | Annual | Every 3 years |
| Year 1 cost (typical) | $5,000 – $15,000 | $80,000 – $315,000 |
| Ongoing annual cost | $3,000 – $6,000 | $25,000 – $60,000 |
| Prep timeline | 1–3 months | 6–18 months |
| C3PAO required? | No | Yes |
| SSP (security plan) required? | Basic | Comprehensive (200+ pages) |
| SPRS score required? | Yes (DFARS 7019/7020) | Yes |
Not sure which applies to you?
Take the full readiness assessment. We'll identify your level, scope your environment, and give you a personalized action plan.
Frequently Asked Questions: CMMC Levels
What is CMMC Level 1?
CMMC Level 1 requires 17 basic cybersecurity practices covering access control, identification and authentication, media protection, physical protection, system communications, and system integrity. Companies self-attest annually. It applies to contractors who handle FCI but not CUI.
What is CMMC Level 2?
CMMC Level 2 requires 110 security practices aligned to NIST SP 800-171. It applies to companies handling CUI. Most require triennial third-party assessments from a C3PAO, though some lower-priority programs may qualify for self-attestation.
How do I know if my contract involves CUI?
Your contract should include a DD Form 254 (Contract Security Classification Specification) if CUI is involved. CUI categories include technical data, export-controlled information (ITAR/EAR), privacy data, and operational security information. When in doubt, ask your contracting officer.
Can a company be Level 1 for some contracts and Level 2 for others?
Yes. CMMC certification is contract-specific. A company may hold a Level 1 self-attestation for one contract and pursue Level 2 certification for a CUI-handling contract. However, many companies standardize on the higher level to simplify compliance management.
What is a C3PAO?
A CMMC Third Party Assessor Organization (C3PAO) is an organization authorized by the Cyber AB to conduct CMMC Level 2 assessments. They evaluate your implementation of NIST SP 800-171 controls and issue assessment results to the DoD's SPRS system.
Is CMMC Level 3 required for most defense contractors?
No. Level 3 applies to a small number of contractors supporting the most critical defense programs. It involves DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) government-led assessments and requires meeting additional practices beyond NIST 800-171.
Next Step
Know your level? Check how ready you actually are.
Take the readiness assessment to see where your gaps are before committing to a compliance path.