CMMC Level 1 vs. Level 2: Which One Do You Need?

One of the first questions every DoD contractor asks: do I need Level 1 or Level 2?

The answer matters. Level 1 is manageable for most small businesses. Level 2 is a significantly larger undertaking—more requirements, more documentation, more cost. Getting this wrong in either direction creates problems. Pursue Level 2 when you only need Level 1, and you've wasted time and money. Assume you're Level 1 when you actually need Level 2, and you risk losing contracts.

This guide breaks down the differences and helps you determine which level applies to your business.


The Quick Answer

Level 1 is for contractors who handle Federal Contract Information (FCI)—non-public information related to government contracts.

Level 2 is for contractors who handle Controlled Unclassified Information (CUI)—sensitive information that's specifically marked and requires stronger protection.

Here's a simple test: Have you ever received a document marked "CUI" or "Controlled" from the government or a prime contractor? If no, you're probably Level 1. If yes, you're likely Level 2.


Side-by-Side Comparison

                          Level 1                              Level 2
Information Type          FCI (Federal Contract Information)   CUI (Controlled Unclassified Information)
Number of Requirements    15                                   110
Assessment Method         Self-assessment                      Third-party audit (C3PAO)
Based On                  FAR 52.204-21                        NIST SP 800-171
System Security Plan      Not required                         Required
POA&M Process             Informal                             Formal
Assessment Frequency      Annual affirmation                   Every 3 years
Estimated Cost            Low (mostly time)                    High ($50,000+ for assessment alone)
Timeline to Achieve       Weeks to months                      Months to years
Who Does It               You                                  Certified assessor (C3PAO)

Understanding FCI vs. CUI

The type of information you handle determines your level. Here's how to tell them apart.

Federal Contract Information (FCI)

FCI is any non-public information provided by or generated for the government under a contract. This includes:

  • Contract documents and modifications
  • Pricing and cost proposals
  • Delivery schedules
  • Technical specifications (unless marked CUI)
  • Emails about contract work
  • Meeting notes from government discussions
  • Quotes and proposals

If the government gave it to you, or you created it for government work, and it's not meant for public release—it's FCI.

Nearly every DoD contractor handles FCI. If you have any government contract work, you almost certainly have FCI somewhere.

Controlled Unclassified Information (CUI)

CUI is a step up in sensitivity. It's information the government has determined requires safeguarding, and it's specifically marked. You'll see labels like:

  • "CUI"
  • "Controlled"
  • "CUI//SP-CTI" (specific categories)
  • Other CUI marking variants

CUI often includes:

  • Technical drawings with export control markings
  • Controlled technical information
  • Privacy data
  • Proprietary information designated as controlled
  • Law enforcement sensitive information

The key distinction: CUI is marked. If you're handling CUI, you should see those markings on documents, files, and data. If you've never seen a CUI marking on anything you've received, you're probably not handling CUI.


Level 1: What's Actually Required

Level 1 has 15 security requirements organized into six domains:

  • Access Control (4 requirements): Control who accesses your systems and what they can do
  • Identification & Authentication (2 requirements): Verify user identities with passwords
  • Media Protection (1 requirement): Properly dispose of information
  • Physical Protection (4 requirements): Secure physical access to systems
  • System & Communications Protection (2 requirements): Protect network boundaries
  • System & Information Integrity (4 requirements): Use antivirus and apply updates

These 15 requirements break down into 59 assessment objectives—specific things you need to verify and document.

Assessment process: You evaluate yourself, document your compliance, and affirm annually through SPRS (Supplier Performance Risk System). No third-party auditor required.

Realistic timeline: A small business with decent existing practices can achieve Level 1 compliance in weeks to a few months, depending on gaps.

Cost: Primarily your time. You may need to purchase some tools (shredder, better firewall, antivirus) or hire help for specific gaps, but there's no mandatory assessment fee.


Level 2: What's Actually Required

Level 2 has 110 security requirements from NIST SP 800-171, covering 14 domains:

  • Access Control (22 requirements)
  • Awareness & Training (3 requirements)
  • Audit & Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification & Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System & Communications Protection (16 requirements)
  • System & Information Integrity (7 requirements)

Assessment process: Most Level 2 certifications require a third-party assessment by a C3PAO (Certified Third-Party Assessment Organization). They review your documentation, interview staff, and examine your systems.

Documentation required: You'll need a System Security Plan (SSP) describing your entire security program, plus policies, procedures, and evidence for all 110 controls.

Realistic timeline: Most businesses need 12-24 months to prepare for Level 2, depending on their starting point.

Cost: Significant. The C3PAO assessment alone typically runs $50,000-$150,000 depending on scope. Implementation costs (tools, consultants, cloud migrations) can add substantially more. GCC High licensing for Microsoft services adds ongoing costs.


Common Scenarios

Machine shop making parts to government specs
The specs aren't marked CUI. You receive purchase orders and technical drawings, but nothing with CUI markings. → Level 1

Engineering firm doing design work
You receive and create technical data marked "CUI" or with export control markings. → Level 2

IT services provider supporting a defense contractor
You access their systems containing CUI as part of your support work. → Level 2

Logistics company shipping DoD freight
You handle shipping documents and schedules, but no marked sensitive data. → Level 1

Staffing firm placing contractors at DoD sites
You handle personnel information but no technical data marked CUI. → Probably Level 1 (but verify with your contracting officer)

Consulting firm providing business advice
You see financial and strategic information but nothing marked CUI. → Level 1


What If You're Not Sure?

If you're uncertain which level applies:

Check your contracts. Look for DFARS clauses and references to CUI or NIST 800-171. Contracts requiring 800-171 compliance indicate Level 2.

Review your documents. Search through technical data, drawings, and files you've received. CUI markings are required—if you're not seeing them, you're probably not handling CUI.

Ask your contracting officer. They can clarify what type of information you're expected to handle.

Ask your prime contractor. If you're a subcontractor, your prime should know what flows down to you and what level is required.

When in doubt, assume Level 1 and verify. It's better to confirm your level than to over-invest in Level 2 preparation you don't need—or under-invest and find out later you needed more.
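The "review your documents" step above can be partly automated for files you already hold as plain text. The script below is an added example written for this guide, not CMMCheck's tool and not part of any CMMC requirement. It walks a folder, reads text-like files, and reports the CUI markings the article lists ("CUI", "Controlled", "CUI//SP-CTI"-style category markings, and the spelled-out banner). The sample files it scans are constructed for the demonstration; real drawings and PDFs would first need text extraction, which this example does not do.

```python
"""Scan a folder of plain-text documents for CUI markings.

Added example, not CMMCheck's tool. It only handles text-like files; real
drawings and PDFs would first need text extraction, which is out of scope.
"""
import re
import tempfile
from pathlib import Path

# Marking patterns taken from the article's list: "CUI", "Controlled",
# "CUI//SP-CTI"-style category markings, and the spelled-out banner.
# "CUI" and a bare "Controlled" banner line are matched case-sensitively so
# ordinary prose such as "controlled by QA" does not count as a marking.
CUI_MARKING_RE = re.compile(
    r"(?i:\bcontrolled unclassified information\b)"   # spelled-out banner
    r"|\bCUI\b(?://[A-Z0-9/\-]+)?"                    # CUI, CUI//SP-CTI, ...
    r"|^[ \t]*Controlled[ \t]*$",                     # bare banner line
    re.MULTILINE,
)

# File types read as text; anything else is skipped rather than misread.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".log", ".eml"}


def find_cui_markings(text):
    """Return every CUI marking found in `text`, in order of appearance."""
    return [m.strip() for m in CUI_MARKING_RE.findall(text)]


def scan_directory(root, suffixes=TEXT_SUFFIXES):
    """Map each text file under `root` that carries a marking to its markings."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it, do not abort the whole scan
        found = find_cui_markings(text)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def suggested_level(hits):
    """Apply the article's rule of thumb: any marking seen means likely Level 2.

    This is a first screen only; contracts and the contracting officer decide.
    """
    return "Level 2 (likely)" if hits else "Level 1 (likely)"


# Constructed sample files for the demonstration, not real contract data.
SAMPLE_FILES = {
    "po_1042.txt": "Purchase order 1042: 500 brackets per drawing B-17, due 2025-03-01.\n",
    "drawing_B17_notes.txt": "Controlled\nDrawing B-17 rev C is marked CUI//SP-CTI. Export controlled.\n",
    "meeting_notes.txt": "Discussed schedule; PM said the process is controlled by QA.\n",
    "policies/handling.md": "Documents marked CONTROLLED UNCLASSIFIED INFORMATION go in the locked cabinet.\n",
}


def write_sample_tree(base):
    """Write SAMPLE_FILES under `base` so the scan can run offline."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    """Run the scan over the constructed sample tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    results = demo()
    for rel, markings in results.items():
        print(f"{rel}: {', '.join(markings)}")
    print(suggested_level(results))
```

On the sample tree only the drawing notes and the handling policy are reported; the purchase order and the meeting notes, which use "controlled" as an ordinary word, are not. A hit on a policy document that merely talks about CUI is the kind of false positive a human still has to review, which is why the result is a screen to feed into the contract check and the conversation with your contracting officer, not a determination by itself.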


The Bottom Line

For most small businesses in the defense supply chain, Level 1 is the appropriate certification. The DoD estimates that roughly 63% of the Defense Industrial Base falls into Level 1.

Level 1 is designed to be achievable without consultants, expensive tools, or dedicated security staff. It's 15 common-sense requirements that most businesses already partially meet. The work is in formalizing practices, documenting them, and closing gaps.

Level 2 is a different undertaking entirely—more appropriate for businesses doing engineering, design, or manufacturing work with marked technical data.

Know your level before you start your compliance journey. It determines everything that follows.


Assess Your Level 1 Readiness

If Level 1 is your target, CMMCheck can help you assess where you stand. Walk through each of the 15 requirements with simple yes/no questions—no technical background required. You'll identify gaps and understand exactly what needs attention.

Try CMMCheck and see your compliance status in plain English.


This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.