Cubelet AI

CMMC Level 1 vs Level 2: Which Do You Need?

Cubelet AI ·
Tags: CMMC · CMMC Level 1 · CMMC Level 2 · DFARS · NIST 800-171 · DoD Compliance · Cybersecurity · CUI · FCI

If your organization works with the Department of Defense, you've heard about CMMC. But the first question everyone asks is: do I need Level 1 or Level 2?

The answer depends on one thing: what kind of information do you handle?

The Simple Rule

  • Federal Contract Information (FCI) only → CMMC Level 1
  • Controlled Unclassified Information (CUI) → CMMC Level 2

FCI is information not intended for public release that is provided by or generated for the Government under a contract: delivery schedules, contract terms, performance reports, and similar transactional material.

CUI is sensitive but unclassified information that law, regulation, or government-wide policy requires to be safeguarded: technical data, engineering drawings, export-controlled information, and personally identifiable information related to defense programs.

If you're unsure which category your contracts fall into, start with the contract clauses. DFARS 252.204-7012 (Safeguarding Covered Defense Information) requires NIST SP 800-171 controls wherever covered defense information, a category of CUI, is stored, processed, or transmitted. If you actually handle that information under a 7012 contract, you need Level 2. One caveat: 7012 is flowed down broadly, so its presence alone does not prove you receive CUI; the deciding factor is whether CUI-marked data reaches your systems. Where a solicitation carries the CMMC clause, DFARS 252.204-7021, it states the required level directly, and your contracting officer can confirm it.

Side-by-Side Comparison

Scope

Level 1 covers the basic safeguarding practices from FAR 52.204-21 (the clause lists 15 requirements; CMMC's original model enumerated them as 17 practices, and the final CMMC rule at 32 CFR Part 170 counts 15). These are fundamental cybersecurity hygiene practices that any organization should already have in place, things like:

  • Limiting system access
  • Authenticating users
  • Sanitizing media before disposal

Level 2 covers all 110 requirements of NIST SP 800-171 Rev. 2 across its 14 requirement families. This is a comprehensive cybersecurity program covering:

  • Access control
  • Audit logging
  • Configuration management
  • Incident response
  • Encryption
  • Physical protection, and more


Assessment

Level 1 requires an annual self-assessment. Your organization evaluates its own compliance against every Level 1 practice (all must be met; a POA&M is not permitted at Level 1), records the result in SPRS, and affirms it annually. No third party is involved.

Level 2 requires, for most CUI contracts, a third-party assessment by an accredited C3PAO; a subset of Level 2 contracts allows a Level 2 self-assessment instead, and the solicitation says which. Assessors interview personnel, examine evidence, and test controls using the NIST SP 800-171A assessment procedures, rating each practice met or not met. The resulting certification is valid for three years, with an annual affirmation in SPRS.

Cost

Level 1 is relatively low cost — mostly staff time and documentation. $5,000-$25,000 typical.

Level 2 is a substantial investment: technology (MFA, SIEM, encryption, EDR), documentation (SSP, POA&M, policies), training, C3PAO assessment fees, and remediation. $100,000-$300,000+ typical.

CMMC Level 1 vs Level 2: How to Decide

The key question is simple: Do you handle Controlled Unclassified Information (CUI)?

  • If yes → You need CMMC Level 2.
  • If you only handle Federal Contract Information (FCI) → CMMC Level 1 is sufficient.

Getting this wrong either wastes money (over-scoping to Level 2) or risks losing contracts (under-scoping when you have CUI).

Quick Side‑by‑Side Comparison

| | Level 1 | Level 2 |
|---|---|---|
| Practices | 17 basic safeguarding practices (15 under the final CMMC rule) | 110 practices (full NIST SP 800-171 Rev. 2) |
| Assessment | Annual self-assessment | Third-party C3PAO assessment (for most CUI contracts; some allow a Level 2 self-assessment) |
| Certification period | Renewed annually | Valid for 3 years, with annual affirmation |
| Data protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Typical cost | ~$5,000 – $25,000 | ~$100,000 – $300,000+; large or complex environments can exceed $1,000,000 |
| Timeline | ~1–3 months | ~6–18 months |
| Who needs it | Any DoD contractor handling FCI | Contractors handling CUI |

Level 1: Basic Safeguarding of FCI

Level 1 is based on the basic safeguarding requirements of FAR 52.204-21 (15 requirements in the clause, enumerated as 17 practices in CMMC's original model), which have been standard in federal contracts since 2016. If you've been working with the DoD, you're probably already doing many of these.

What Level 1 requires (17 practices):

  • Limit system access to authorized users
  • Limit system access to authorized transaction types

Ready to practice?

The CMMC Assessment Simulator covers all 110 Level 2 practices with AI-guided coaching.