CMMC Guide

CMMC Level 1 vs Level 2: Which Do You Need?

2026-03-01 · 5 min read

The most common question: “Do I need Level 1 or Level 2?” The answer depends on the data you handle.

The short answer

  • Level 1 — You handle Federal Contract Information (FCI) only. Self-attestation. 17 practices. No third-party assessment.
  • Level 2 — You handle Controlled Unclassified Information (CUI). Requires third-party assessment by a C3PAO. 110 practices mapped to NIST SP 800-171.

FCI vs. CUI

FCI is operational contract information (schedules, invoices). CUI covers technical drawings, engineering specs, test data, and anything the DoD marks as controlled. If a foreign adversary would benefit from seeing it, assume it’s CUI. The National Archives CUI Registry has the full list of what qualifies.

Level 1 details

  • 17 practices based on FAR 52.204-21
  • Annual self-attestation; submit your score to SPRS
  • Often achievable in weeks if basic IT hygiene exists

Level 2 details

  • 110 practices aligned to NIST SP 800-171
  • Third-party assessment by a Cyber AB-authorized C3PAO — see What is a C3PAO? for a full explanation of how to select one
  • Certification valid for 3 years; evidence required
  • Assessment cost: $30k–$150k depending on company size and assessor; remediation is separate and often the larger cost
  • Timeline: 6–18 months depending on your SPRS starting score

For a full cost breakdown by company size and starting posture, see the CMMC cost guide.

Level 1 vs. Level 2: side-by-side comparison

Factor                  | CMMC Level 1                                                           | CMMC Level 2
Data type               | FCI (Federal Contract Information)                                     | CUI (Controlled Unclassified Information)
Required practices      | 17 (FAR 52.204-21)                                                     | 110 (NIST SP 800-171)
Assessment method       | Annual self-attestation                                                | Third-party C3PAO assessment
Score submission        | SPRS                                                                   | SPRS (after C3PAO assessment)
Certification validity  | Annual re-attestation                                                  | 3 years
Typical assessment cost | $5K–$25K/year (internal + external)                                    | $30K–$500K+ total
Typical timeline        | 2–8 weeks                                                              | 6–18 months
Who this fits           | Small manufacturers with invoices and schedules, no technical drawings | Manufacturers with specs, designs, engineering data, test results

What about Level 3?

CMMC Level 3 exists for contractors working on the DoD’s most sensitive programs — roughly 2% of the defense industrial base. It requires 110+ additional practices beyond Level 2 and a government-led assessment. If Level 3 applies to you, your program office will tell you explicitly. For nearly every defense contractor reading this, the real decision is Level 1 vs. Level 2.

How to decide

  1. Check your contract for DFARS clauses 252.204-7012, 7019, 7020, and 7021.
  2. Ask your prime whether CUI flows down to you.
  3. List the data you touch. If it includes technical drawings, specs, or test results, treat it as CUI.
  4. When unsure, assume Level 2 until proven otherwise.

A common mistake for subcontractors

Many manufacturers think they only handle FCI because they “just make parts.” The moment you receive controlled drawings, engineering specifications, or test data from a prime, you are handling CUI — and that means Level 2. This misclassification is the most common and most costly mistake in the defense supply chain.

If you receive work through a prime contractor, check whether their subcontract includes a CMMC flow-down clause. Many subs have unknowingly been operating under Level 2 requirements for years. See the full breakdown in CMMC for Subcontractors.

Frequently asked questions

Can I start with Level 1 and upgrade to Level 2 later?

Yes. Many contractors begin with Level 1 self-attestation to establish a baseline SPRS score and start building compliance documentation, then pursue Level 2 certification when their contract requires it. The practices overlap — Level 1 work is not wasted, but Level 2 requires significantly more documentation and a C3PAO assessment.

How do I know if I handle CUI?

Look at the data you receive from your customer or prime: technical drawings, engineering specifications, test data, anything marked with a CUI header or footer, or any information the government has designated as controlled. The National Archives CUI Registry has the authoritative list of what qualifies. When in doubt, ask your contracting officer.

What happens if I need Level 2 but only completed Level 1?

Your contract will specify which level is required. If your contract requires Level 2 and you only have a self-attestation on file, you are non-compliant and risk losing the contract at renewal. DoD is actively enforcing this through DFARS clauses 252.204-7020 and 7021.

Is Level 1 self-assessment legally sufficient for DoD contracts?

For contracts requiring only Level 1, yes — an annual self-attestation submitted to SPRS is legally sufficient. The CEO or equivalent must sign the attestation, which creates legal accountability for the accuracy of the score. For Level 2 contracts, self-attestation is not sufficient; a C3PAO assessment is required.

How long is a CMMC Level 2 certification valid?

Three years from the date of the C3PAO assessment. After three years, you must undergo a full re-assessment to maintain certification. Annual affirmations (confirming no change to your security posture) are required in years 2 and 3.

What is the difference between self-attestation and a C3PAO assessment?

Self-attestation means your company evaluates its own compliance and submits the score to SPRS. A C3PAO assessment means an independent, government-authorized third-party assessor reviews your controls, tests your implementations, and issues a formal certification. Level 1 uses self-attestation. Level 2 requires the C3PAO route.

Next step

Unsure which level applies? A 15-minute scoping call can prevent months of rework. Check your CMMC readiness in 3 minutes →

Want to understand the full certification timeline? See Your CMMC Certification Timeline.

Need the full compliance checklist before you talk to a vendor? Download the CMMC Readiness Checklist →
