PlainAudit

CMMC Level 1 vs Level 2: How to Tell Which Your DoD Contract Requires

A prime contractor sent your sales lead a flow-down clause referencing DFARS 252.204-7021 and CMMC, and your IT lead now has 30 minutes to answer one question: do we need to certify at Level 1 or Level 2? The control counts are public — 17 versus 110 — but the practical difference is not the count. It’s what kind of government data the contract obligates you to handle, what kind of assessment proves you can handle it, and how much rework happens if you misclassify.

Quick read: Level 1 protects Federal Contract Information (FCI) with 17 practices and an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) with the full 110 NIST SP 800-171 Rev 2 requirements, an SPRS score submission, and — for most contracts after Phase 2 begins in November 2026 — a third-party C3PAO assessment. The data type drives the level, not the contract size.

The Real Split: What Data You Handle

Both CMMC levels live in the same DoD framework, but they exist for different data categories. Misidentifying which one you have is the most consequential classification error in CMMC preparation — it’s the difference between implementing 17 controls and implementing 110.

  • Federal Contract Information (FCI) is information provided by or generated for the government under a contract, not intended for public release. Routine examples: contract correspondence, internal performance reports that aren’t externally distributed, deliverable drafts. All CUI is also FCI, but not all FCI is CUI.
  • Controlled Unclassified Information (CUI) requires safeguarding under federal law, regulation, or government-wide policy and is defined in the CUI Registry maintained by ISOO/NARA. In defense contracts, the common categories are technical drawings, test results, manufacturing specifications, and export-controlled data (ITAR/EAR).

If the contract carries DFARS 252.204-7012 (the safeguarding clause) and a contracting officer has flowed CUI down to you, the answer is Level 2 — even if you’re a small subcontractor on a small task order. Size does not change the classification; the data type does.

Side-by-Side: Controls, Assessment, Cost, and Timeline

Here is the practical comparison your IT lead is looking for:

| Dimension | Level 1 | Level 2 |
|---|---|---|
| Data protected | FCI only | CUI (and the FCI it contains) |
| Control count | 17 practices (basic safeguarding from FAR 52.204-21) | 110 requirements (NIST SP 800-171 Rev 2) |
| Control families | 6 families, basic safeguarding | 14 families: AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, RA, SC, SI |
| Assessment objectives | Per FAR 52.204-21 basic safeguarding | 320 across the 110 requirements (per NIST SP 800-171A) |
| Assessment type | Annual self-assessment with senior-official affirmation | Self-assessment for non-prioritized acquisitions; C3PAO assessment for most others (mandatory after Phase 2) |
| SPRS score | Not scored on the 110-point scale (Level 1 is pass/fail per control) | Score from -203 to +110; minimum 88 for conditional certification with POA&Ms |
| POA&M allowed? | No POA&Ms; all 17 must be implemented | Only for 1-point controls, only if overall score ≥ 88, closed within 180 days |
| Triggering DFARS clause | Effectively FAR 52.204-21 plus DFARS 252.204-7021 at Level 1 | DFARS 252.204-7012 (safeguarding) + DFARS 252.204-7021 (CMMC clause) |
| Typical preparation timeline | 2–4 months from baseline IT | 12–18 months from baseline; 6–12 months with SOC 2 or ISO 27001 in place |
| Total first-cycle cost (small business) | Documentation effort plus annual affirmation overhead; minimal technology spend | $138,000–$285,000 in published industry ranges, including remediation, technology, and consulting |

The cost gap is what surprises most contractors. Level 1 is a documentation exercise on top of baseline IT hygiene; Level 2 typically requires technology investments (FIPS-validated encryption, SIEM, EDR, identity management with MFA) plus 30+ policy documents and a System Security Plan that assessors will read first.
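The SPRS and POA&M rows above are a small set of rules that contractors often apply by hand. The following calculator is an added example written for this article (not a PlainAudit, DoD or NIST tool): it starts at 110, subtracts the point value of each unmet requirement, and then applies the conditional-certification rules stated in the table (score of at least 88, only 1-point items on the POA&M) alongside the Level 1 pass/fail rule. The requirement IDs (REQ-001 ...) and their point values are constructed placeholders chosen to make the arithmetic easy to follow; real point values come from the DoD NIST SP 800-171 Assessment Methodology and must be used for any actual submission.

```python
# Added example for this article: SPRS score and POA&M eligibility calculator
# applying the Level 2 rules in the table above, plus the Level 1 pass/fail rule.
# Illustrative code, not a PlainAudit, DoD or NIST tool. Requirement IDs
# (REQ-001 ...) and point values are CONSTRUCTED placeholders; real weights come
# from the DoD NIST SP 800-171 Assessment Methodology.
from dataclasses import dataclass

MAX_SCORE = 110           # every one of the 110 requirements implemented
CONDITIONAL_MIN = 88      # floor for conditional certification with a POA&M
POAM_CLOSEOUT_DAYS = 180  # deadline to close POA&M items (from the article)


@dataclass(frozen=True)
class Requirement:
    req_id: str
    points: int   # 1, 3 or 5 under the DoD methodology
    met: bool


def sprs_score(reqs):
    """Start at 110 and subtract the point value of each unmet requirement."""
    return MAX_SCORE - sum(r.points for r in reqs if not r.met)


def minimum_possible_score(reqs):
    """Score if nothing is implemented. With the real weights this is -203,
    the floor the article cites; with the constructed weights it differs."""
    return MAX_SCORE - sum(r.points for r in reqs)


def level2_outcome(reqs):
    """Level 2 rules from the article:
      certified        - all 110 met (score 110)
      conditional_poam - score >= 88 and every unmet item is worth 1 point
      not_eligible     - anything else: remediate before the assessment
    Returns (status, score, ids that may go on the POA&M)."""
    score = sprs_score(reqs)
    unmet = [r for r in reqs if not r.met]
    if not unmet:
        return ("certified", score, [])
    if score >= CONDITIONAL_MIN and all(r.points == 1 for r in unmet):
        return ("conditional_poam", score, [r.req_id for r in unmet])
    return ("not_eligible", score, [])


def level1_outcome(practices):
    """Level 1 is pass/fail per practice: all 17 implemented, no POA&M."""
    unmet = sorted(p for p, ok in practices.items() if not ok)
    return ("pass" if not unmet else "fail", unmet)


def sample_inventory(unmet_ids=()):
    """CONSTRUCTED inventory of 110 placeholder requirements REQ-001..REQ-110.
    Point values follow a simple pattern (5, 3, 1 by position) for illustration."""
    unmet = set(unmet_ids)
    reqs = []
    for n in range(1, MAX_SCORE + 1):
        points = 5 if n % 3 == 0 else 3 if n % 3 == 1 else 1
        rid = f"REQ-{n:03d}"
        reqs.append(Requirement(rid, points, rid not in unmet))
    return reqs


if __name__ == "__main__":
    # A single unmet 5-point item blocks conditional certification even though
    # the score (105) is above 88: only 1-point items may sit on the POA&M.
    print(level2_outcome(sample_inventory(["REQ-003"])))
    # Twenty-two unmet 1-point items score exactly 88: conditional, all on the POA&M.
    one_pointers = [f"REQ-{n:03d}" for n in range(2, 111, 3)]
    print(level2_outcome(sample_inventory(one_pointers[:22])))
    # Twenty-three unmet 1-point items score 87: below the floor.
    print(level2_outcome(sample_inventory(one_pointers[:23])))
    # Level 1: every practice must be implemented; one miss is a fail.
    print(level1_outcome({f"practice-{i}": i != 9 for i in range(1, 18)}))
```

The point the examples in `__main__` make is the one the table states: a high score alone is not enough, because one unmet 5-point requirement disqualifies the POA&M route even at 105, while the same score is acceptable when every gap is a 1-point item. Swap the constructed weights for the methodology's real ones before relying on any result.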

How to Determine Which Level You Need

The determination is a four-question decision tree. Run it for each active and pipeline contract, not for your organization as a whole — a contractor can hold Level-1-only contracts and Level-2-required contracts at the same time.

  1. Does the contract include DFARS 252.204-7012? If yes, the DoD has flagged this contract as potentially involving CUI. Continue to question 2. If no, you are likely Level 1 territory.
  2. Is your prime or contracting officer flowing CUI to you? Ask explicitly. Documents marked “CUI” or with a category designator (CUI//SP-PROPIN, CUI//EXPT) are unambiguous. Unmarked but sensitive technical data — drawings, specifications, test data on a controlled system — is often CUI even without a marking, and your prime is expected to clarify.
  3. Does the solicitation specify a CMMC level? Phase 1 solicitations (the period from November 2025 onward) increasingly state the required CMMC level explicitly in section L or H. If the solicitation says “Level 2,” that’s the answer regardless of your own data assessment.
  4. Is the contract a prioritized acquisition? Prioritized Level 2 acquisitions require C3PAO certification immediately. Non-prioritized Level 2 acquisitions allow annual self-assessment during Phase 1, then transition to C3PAO during Phase 2.

Common mistake: Contractors who handle CUI but only implement Level 1 because they misidentified their data as FCI face the most expensive classification error in CMMC: 93 controls of missing implementation. Assessors check actual data handling against the SSP’s declared boundary; if the prime confirms CUI flow-down, an assessor will look for evidence of Level 2 controls and fail the engagement when they find Level 1 hygiene.

Why “Level 1 Only” Rarely Works for Prime Flow-Down Contracts

If a prime contractor has a Level 2 requirement, the supply chain usually inherits at least part of that obligation. The flow-down logic: if the prime hands you CUI in any form — a CAD file, a test spec, an export-controlled component drawing — you become a custodian of that CUI. The prime cannot pass a Level 2 requirement through to your environment and accept Level 1 controls on it.

There are narrow Level-1-only patterns that hold up in flow-down work:

  • Pure logistics: you handle shipping manifests and FCI scheduling data, never CAD or technical specifications.
  • Commercial-product supply: you sell standard catalog parts; the prime never sends you CUI to fabricate from.
  • Services strictly outside the CUI boundary: building maintenance, facility services, or commodity IT that the prime has explicitly carved out of the CUI enclave.

If your work touches the prime’s engineering data, technical drawings, or test results, plan for Level 2. The CUI vs. FCI determination process walks through the specific data-classification questions in more detail; if you’re uncertain, the safer error is to scope for Level 2 and confirm with your prime’s contracting officer that Level 1 is sufficient — not the other way around.

What Phase 2 Changes (November 2026)

The CMMC rollout has four phases under 32 CFR Part 170. Today (Phase 1) most Level 2 contracts allow self-assessment; this is the friendliest window for contractors who are still preparing. Phase 2 begins November 2026 and requires C3PAO certification for the majority of Level 2 contracts. Phase 3 (November 2027) extends CMMC requirements across all applicable solicitations, and Phase 4 (November 2028) covers exercised option periods on existing contracts.

The practical consequence for the Level 1 vs Level 2 decision: contractors handling CUI under Phase 1 self-assessment terms will, in most cases, need a C3PAO assessment to maintain contract eligibility into Phase 2. A self-assessed 110 today does not automatically become a C3PAO-confirmed 110 in 2026 — self-assessments and C3PAO assessments differ in their use of the Test method, and the typical gap reduction observed in the transition is 20–30%. Start the assessor selection conversation 9–12 months before your Phase 2 deadline; a C3PAO engagement walks through what those five days look like.

Where to Start

If you can answer “FCI only, no CUI in scope” with confidence after talking to your prime’s contracting officer, Level 1 is your target and your work is bounded. Document the 17 practices, complete the senior-official affirmation in SPRS, and revisit annually.

If you handle CUI — or you are uncertain — Level 2 is the floor. Start with a structured gap assessment against the 110 NIST SP 800-171 Rev 2 requirements, because the gap count is the input to every downstream cost, timeline, and scoping decision. The free CMMC readiness assessment walks you through all 14 control families and produces an estimated SPRS score, so you can compare against the 88-point threshold before engaging a C3PAO. For cost context on the Level 2 path specifically, see the $138K–$285K range for small-business compliance and what drives the variation.

Disclaimer: This guide is an educational starting point, not legal, audit, or compliance advice. It is not a substitute for a formal CMMC readiness assessment by a C3PAO or Registered Practitioner Organization (RPO). Your SPRS score must be calculated and submitted by your organization — this guide does not submit SPRS scores. Consult an RPO for formal assessment readiness guidance, and confirm contractual level requirements directly with your prime or contracting officer.