
CMMC Level 1 vs Level 2: Which One Do You Actually Need?

Mike Torres
Manufacturing Security Advisor
2025-12-12
8 min read

Advised global manufacturers and machine shops across Asia and US for 7 years. Now helping small shops navigate CMMC compliance without the BS.

"Do I need Level 1 or Level 2?"

Most contractors don't know. And guessing wrong is expensive.

Pick Level 1 when you need Level 2? You're non-compliant. You risk losing contracts and facing False Claims Act penalties.

Prep for Level 2 when you only need Level 1? You just wasted $50K-$100K and 6 months.

Let's clear this up.

The Simple Answer

If you handle CUI (Controlled Unclassified Information), you need Level 2.

If you only handle FCI (Federal Contract Information) and no CUI, you need Level 1.

That's it. The decision tree is two boxes.

What Is FCI?

Federal Contract Information (FCI) is information provided by or generated for the government that's not intended for public release.

Examples:

  • Contract specifications (not publicly available)
  • Delivery schedules
  • Invoices
  • Proprietary cost data
  • Technical data generated under contract (if not marked CUI)

FCI is not sensitive. It's just... not public.

If your contract says "FCI" or references FAR 52.204-21, you're handling FCI.

CMMC requirement: Level 1

What Is CUI?

Controlled Unclassified Information (CUI) is sensitive government data that requires safeguarding.

Common CUI categories for defense contractors:

  • Export-controlled technical data (ITAR/EAR)
  • Critical infrastructure information
  • Naval nuclear propulsion information
  • Operations security (OPSEC) data
  • Procurement information (source selection, pre-award)

If your contract includes clauses like:

  • DFARS 252.204-7012
  • FAR 52.204-21 + DFARS 252.204-7012
  • Any mention of "CUI"
  • Export control requirements (ITAR/EAR)

You're handling CUI.

CMMC requirement: Level 2

How to Tell Which You Handle

Step 1: Look at Your Contract

Search your contract for these phrases:

  • "Controlled Unclassified Information"
  • "CUI"
  • "DFARS 252.204-7012"
  • "Export Control"
  • "ITAR"

If any appear, you need Level 2.

Step 2: Look at Data Markings

CUI is supposed to be marked. Look for:

  • "CUI" banner at top and bottom of documents
  • "Controlled by: [agency]" markings
  • Export control warnings ("ITAR controlled", "EAR99", etc.)

If you see these, you need Level 2.

Step 3: Ask Your Contracting Officer

If you're still not sure, ask:

"Does this contract involve Controlled Unclassified Information or only Federal Contract Information?"

They'll tell you. It's not a trick question.
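As an added example (not part of the original article), here is a small Python triage script that applies Steps 1 and 2 above to text extracted from contracts and drawings. The indicator lists are the article's own phrases and markings, the sample documents are constructed, and a result of "Unknown" is the Step 3 case (ask the contracting officer), not a pass to Level 1.

```python
import re

# Indicators from the article: Step 1 contract phrases, Step 2 data markings, and the
# FCI-only clause. Case-insensitive; MULTILINE lets ^/$ match a CUI banner line.
CUI_INDICATORS = [
    r"controlled unclassified information", r"\bCUI\b", r"DFARS\s*252\.204-7012",
    r"export[\s-]*control", r"\bITAR\b",                 # Step 1: contract text
    r"controlled by:", r"\bEAR99\b",                     # Step 2: document markings
]
FCI_INDICATORS = [r"FAR\s*52\.204-21", r"federal contract information", r"\bFCI\b"]


def find_indicators(patterns, text):
    """Return the text fragments that matched any of the patterns."""
    hits = []
    for pattern in patterns:
        match = re.search(pattern, text, flags=re.IGNORECASE | re.MULTILINE)
        if match:
            hits.append(match.group(0))
    return hits


def required_level(documents):
    """documents: {label: extracted text}. Returns (level, evidence list).

    Any CUI indicator in any document forces Level 2 (one CUI contract puts the
    whole environment at Level 2). FCI-only gives Level 1. Nothing found is
    reported as Unknown so a human asks the contracting officer.
    """
    cui = [f"{name}: {hit}" for name, text in documents.items()
           for hit in find_indicators(CUI_INDICATORS, text)]
    if cui:
        return "Level 2", cui
    fci = [f"{name}: {hit}" for name, text in documents.items()
           for hit in find_indicators(FCI_INDICATORS, text)]
    if fci:
        return "Level 1", fci
    return "Unknown", ["no FCI or CUI indicators; ask the contracting officer"]


# Constructed sample text for demonstration; not real contract language.
SAMPLE_DOCS = {
    "award.txt": "Clauses incorporated by reference: FAR 52.204-21; DFARS 252.204-7012.",
    "drawing.txt": "CUI\nControlled by: [agency]\nPart 12-345 rev C ... ITAR controlled\nCUI",
}
FCI_ONLY_DOCS = {"po.txt": "Basic safeguarding per FAR 52.204-21 applies to this order."}

if __name__ == "__main__":
    for docs in (SAMPLE_DOCS, FCI_ONLY_DOCS, {"note.txt": "Ship 40 units by June."}):
        level, evidence = required_level(docs)
        print(level, "-", "; ".join(evidence))
```

Run it over text dumped from each contract and technical data package; every hit is listed with the file it came from so you can show the reviewer why the level was chosen.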

Common Misconceptions

Misconception 1: "We're a machine shop. We only need Level 1."

Wrong.

If you make parts from export-controlled drawings (ITAR), you're handling CUI. Level 2.

If you receive technical data packages marked CUI, you're handling CUI. Level 2.

Your industry doesn't determine your level. The data you handle does.

Misconception 2: "We only see CUI occasionally. Maybe 5% of our contracts."

Doesn't matter. If you handle CUI on any contract, your entire IT environment needs to be Level 2 compliant.

You can't have a "Level 1 network" and a "Level 2 network." Well, you can, but it requires strict network segmentation (air-gap or equivalent). Most shops don't have that.

Misconception 3: "We can drop from Level 2 to Level 1 if we stop taking CUI contracts."

Technically yes. Practically difficult.

If you've been handling CUI, your systems have processed it. You'd need to:

  • Purge all CUI from systems
  • Verify no CUI remnants (emails, backups, old files)
  • Potentially replace hardware if CUI can't be securely purged
  • Document the downgrade

And if you ever want a CUI contract again, you're back to Level 2.

Most contractors stay at Level 2 once they're there.

Requirements Comparison

Level 1 Requirements (17 Controls)

Level 1 maps to FAR 52.204-21, which has 15 basic security controls plus 2 incident response requirements.

Key requirements:

  • Access control: Limit system access to authorized users
  • Identification & authentication: Use unique IDs and passwords
  • Media protection: Sanitize/destroy media before disposal
  • Physical protection: Limit physical access to systems
  • System integrity: Protect systems from malicious code (antivirus)
  • Incident response: Report cyber incidents within 72 hours

Assessment: Annual self-assessment (no third-party required)

Cost: $5K-$15K (mostly time and basic tools)

Timeline: 2-6 weeks

Level 2 Requirements (110 Controls)

Level 2 maps to NIST SP 800-171 Rev. 2, which has 110 security controls across 14 families.

Key requirements (in addition to everything in Level 1):

  • Multifactor authentication (MFA)
  • Audit logging of all user activity
  • Encryption of CUI at rest and in transit
  • Network segmentation
  • Configuration management
  • Continuous monitoring
  • Security awareness training
  • Incident response plan
  • System security plan
  • Plan of Action and Milestones (POA&M) for any gaps

Assessment: Self-assessment OR C3PAO assessment (Phase 1); C3PAO required for most (Phase 2+)

Cost: $50K-$150K (includes tools, consulting, potential infrastructure upgrades)

Timeline: 6-12 months

Level 3 (Briefly)

Level 3 is for "high-value" contracts involving advanced persistent threats (APTs).

Requirements: NIST 800-171 + 24 additional controls from NIST 800-172

Assessment: C3PAO assessment + DIBCAC validation

Very few contractors need Level 3 right now. If you think you might, your contracting officer will explicitly tell you.

We won't cover Level 3 in detail here. If you need it, you know it.

Cost Breakdown: Level 1 vs Level 2

Level 1 Estimated Costs

Tools:

  • Password manager: $5-10/user/month
  • Antivirus: $5-15/user/month
  • Basic backup: $10-50/month

Implementation labor: 40-80 hours (internal IT or consultant)

Self-assessment: 8-16 hours

Total first year: $5K-$15K

Annual recurring: $2K-$5K

Level 2 Estimated Costs

Tools:

  • Password manager with MFA: $5-10/user/month
  • Endpoint protection (EDR): $10-25/user/month
  • SIEM/log management: $500-2000/month
  • Backup/disaster recovery: $200-1000/month
  • Asset management: $5-10/user/month
  • Vulnerability scanning: $200-500/month

Infrastructure upgrades:

  • Network segmentation: $5K-$20K
  • MFA implementation: $2K-$10K
  • Encryption tools: $2K-$10K

Implementation labor: 300-600 hours (consultant or internal)

Assessment (C3PAO): $30K-$100K

Total first year: $50K-$150K

Annual recurring: $20K-$40K + re-assessment every 3 years

Timeline Comparison

Level 1 Timeline

Week 1-2:

  • Buy tools (password manager, antivirus, backup)
  • Configure basic access controls
  • Set up incident reporting process

Week 3-4:

  • Document policies
  • Train employees
  • Perform self-assessment

Week 5:

  • Submit results to SPRS
  • Done

Total: 4-6 weeks

Level 2 Timeline

Month 1:

  • Gap analysis (what controls do you have vs need?)
  • Tool procurement
  • Consultant engagement (if needed)

Month 2-4:

  • Implement missing controls
  • Configure MFA, logging, encryption
  • Network segmentation
  • Document policies and procedures

Month 5-6:

  • Security awareness training
  • System security plan documentation
  • POA&M for any remaining gaps

Month 6-8:

  • Schedule C3PAO assessment
  • Pre-assessment by C3PAO
  • Remediate any findings

Month 8-9:

  • Formal C3PAO assessment
  • Final report
  • Certification

Total: 6-12 months

(Shorter if you're already doing some of NIST 800-171; longer if starting from scratch)

Can You Do Both? (Hint: No)

Some contractors ask: "Can we certify some systems at Level 1 and others at Level 2?"

Technically yes. If you have strict network segmentation (physically separate networks or very strong logical separation), you could have a Level 1 environment and a Level 2 environment.

But most small shops can't do this cost-effectively.

Reasons:

  • Separate networks = duplicate infrastructure = higher cost
  • Users need access to both = complexity = mistakes = breaches
  • C3PAO will scrutinize the separation = may require air-gap

Practical advice: If you handle any CUI, bring your whole environment to Level 2.

It's simpler, more defensible, and opens you up to more contracts.

What Happens If You Pick Wrong?

Scenario: You Need Level 2 But Certify at Level 1

You bid a contract involving CUI. You self-assess at Level 1 (17 controls) instead of Level 2 (110 controls).

Outcome:

  • You're non-compliant
  • If DoD audits you, you'll fail
  • If you attest compliance, you're committing a False Claims Act violation
  • Penalty: Up to $28,619 per violation + 3× damages

Scenario: You Need Level 1 But Prep for Level 2

You spend 9 months and $100K implementing NIST 800-171 for a contract that only needed FAR 52.204-21.

Outcome:

  • You're compliant (technically)
  • But you wasted money and time
  • On the bright side, you're ready for CUI contracts now

(So it's not the worst mistake, just expensive)

Decision Matrix

What You Handle           | Required Level | Assessment Type                           | Cost Range  | Timeline
Only FCI                  | Level 1        | Self-assessment (annual)                  | $5K-$15K    | 4-6 weeks
Any CUI                   | Level 2        | Self or C3PAO (Phase 1), C3PAO (Phase 2+) | $50K-$150K  | 6-12 months
High-value CUI + APT risk | Level 3        | C3PAO + DIBCAC                            | $200K+      | 12-18 months

The Bottom Line

Check your contract for "CUI", "DFARS 252.204-7012", or export control requirements.

If you see any of those, you need Level 2.

If you don't, and you only see "FCI" or "FAR 52.204-21", you need Level 1.

When in doubt, ask your contracting officer. Or err on the side of Level 2 (better to overprepare than underprepare).

Don't guess. The cost of being wrong is too high.


Next Steps:

Not sure what data you handle? Take our 2-minute quiz to find out.

Know you need Level 2 but overwhelmed by 110 controls? Read our NIST 800-171 priority guide.

Need to understand when C3PAO becomes mandatory? Check out our Phase 2 timeline.