Cubelet AI

CMMC Level 1 vs Level 2: Which Do You Need?


If your organization works with the Department of Defense, you've heard about CMMC. But the first question everyone asks is: do I need Level 1 or Level 2?

The answer depends on one thing: what kind of information do you handle?

The Simple Rule

  • Federal Contract Information (FCI) only → CMMC Level 1
  • Controlled Unclassified Information (CUI) → CMMC Level 2

FCI is basic contract information — things like delivery schedules, contract terms, and performance reports.

CUI is sensitive but unclassified information that requires safeguarding — technical data, engineering drawings, export-controlled information, and personally identifiable information related to defense programs.

If you're unsure which category your contracts fall into, check your contract clauses. DFARS 252.204-7012 indicates CUI requirements. If that clause is in your contract, you need Level 2.

Side-by-Side Comparison

Scope

Level 1 covers 17 basic safeguarding practices from FAR 52.204-21. These are fundamental cybersecurity hygiene practices that any organization should already have in place — things like:

  • Limiting system access
  • Authenticating users
  • Sanitizing media before disposal

Level 2 covers all 110 practices from NIST SP 800-171 across 14 security domains. This is a comprehensive cybersecurity program covering:

  • Access control
  • Audit logging
  • Configuration management
  • Incident response
  • Encryption
