Last Updated: February 2026
Quick Answer
CMMC Level 1 is required if you only handle Federal Contract Information (FCI) - basic unclassified information like contract terms and deliverables. CMMC Level 2 is required if you handle Controlled Unclassified Information (CUI) - sensitive defense data that requires safeguarding. The key question: Does your contract involve technical data, operational information, or specifications marked as CUI? If yes, you need Level 2. If you only process billing and basic contract documents, Level 1 may be sufficient. The solicitation itself states the required level (through DFARS 252.204-7021), so use the questions below to anticipate that requirement and to sanity-check what your prime tells you.
| Question | Level 1 | Level 2 |
| Do you handle CUI? | No | Yes |
| Assessment Type | Annual self-assessment | Third-party C3PAO for most CUI contracts; self-assessment only where the solicitation allows it |
| Practice Requirements | 15 basic requirements (FAR 52.204-21) | 110 requirements across 14 domains (NIST SP 800-171 Rev 2) |
| Typical Timeline | 2-4 months | 6-12 months |
| Estimated Cost | $15,000-$50,000 | $100,000-$300,000+ |
Understanding the Fundamental Difference: CUI vs. FCI
The distinction between CMMC Level 1 and Level 2 isn't arbitrary - it's based entirely on the type of information you handle under your Department of Defense contracts.
Federal Contract Information (FCI) is basic, unclassified information provided by or generated for the government that isn't intended for public release. This includes:
- Contract terms and conditions
- Delivery schedules
- Invoicing and payment information
- Basic performance reports
- Unclassified procurement data
Controlled Unclassified Information (CUI) is significantly more sensitive and encompasses information that requires safeguarding or dissemination controls. Common CUI categories in defense contracting include:
- Technical drawings and specifications
- Software source code
- Test and evaluation results
- Manufacturing processes and techniques
- Operational plans and procedures
- Export-controlled technical data (ITAR/EAR)
- Personally identifiable information (PII) related to defense operations
- Critical infrastructure information
The presence of CUI in your contract flow - whether you create it, store it, process it, or transmit it - determines your CMMC level requirement. This isn't a choice; it's dictated by your contract terms and the nature of your work.
CMMC Level 1: Basic Cyber Hygiene
CMMC Level 1 represents foundational cybersecurity practices that every organization should implement regardless of compliance requirements. Think of it as the baseline for responsible information handling.
What Level 1 Requires
Level 1 maps to the 15 basic safeguarding requirements of FAR 52.204-21(b)(1), focused on protecting Federal Contract Information. (Earlier CMMC 2.0 material counted these as 17 NIST SP 800-171 practices; the final rule in 32 CFR Part 170 uses the 15 FAR items, every one of which is also among the 110 Level 2 requirements.) They fall into six domains:
Access Control: Limit system access to authorized users and devices. This means implementing basic user account management, ensuring employees only access systems necessary for their jobs, and removing access when employees leave or change roles.
Identification and Authentication: Require unique identifiers for system users. No shared passwords, no generic "admin" accounts that multiple people use. Each person gets their own credentials.
Media Protection: Protect and sanitize media containing FCI. When you dispose of hard drives, USB sticks, or other storage devices, you need documented procedures to ensure data can't be recovered.
Physical Protection: Control physical access to systems and facilities. Lock server rooms, implement visitor logs, and ensure workstations aren't accessible to unauthorized individuals.
System and Communications Protection: Monitor and control communications at system boundaries. This typically means a firewall at each boundary, managed external connections, and keeping any publicly accessible system (such as a web server) on a separate network segment from internal systems.
System and Information Integrity: Identify and manage information system flaws, including timely security updates and patches. You need a process for keeping systems current with security patches.
Level 1 Assessment Process
CMMC Level 1 is assessed by annual self-assessment: you evaluate your own implementation against the 15 requirements, record the result in the Supplier Performance Risk System (SPRS), and have a senior company official affirm continuing compliance each year. No Plan of Action and Milestones (POA&M) is permitted at Level 1; every requirement must be fully met when you self-assess. The final CMMC rule keeps Level 1 as a self-assessment and does not schedule a move to third-party assessment.
The self-assessment process involves:
- Reviewing each of the 15 required practices
- Documenting how you implement each practice
- Identifying any gaps and creating remediation plans
- Entering the result in SPRS and having a senior official submit the annual affirmation of compliance
- Maintaining documentation for potential spot checks or audits
Who Needs Level 1
Level 1 is appropriate for organizations that:
- Only process FCI, with no CUI flowing through their systems
- Provide commercial products or services to defense contractors (suppliers of nothing but commercial off-the-shelf items are exempt from CMMC altogether)
- Handle only billing, scheduling, and basic contract administration
- Serve in purely administrative or logistical support roles
- Work on unclassified, non-technical contracts
Common examples include janitorial services for defense facilities, office supply vendors, food service providers, and similar commercial service providers who happen to have DoD customers but don't handle sensitive defense information.
CMMC Level 2: Protecting Controlled Unclassified Information
CMMC Level 2 represents a substantial increase in cybersecurity maturity and is where most defense contractors will find themselves. This level is designed to protect CUI from advanced persistent threats and sophisticated cyber adversaries.
What Level 2 Requires
Level 2 implements all 110 security requirements of NIST SP 800-171 Rev 2 (the revision the CMMC final rule pins to, not the newer Rev 3), organized across 14 security domains. This is a comprehensive cybersecurity framework that touches every aspect of your IT environment.
The 14 domains include:
Access Control (22 practices): Granular control over who can access what information, including role-based access, least privilege principles, remote access management, and privileged account controls.
Awareness and Training (3 practices): Security awareness training for all users, role-based training for those with security responsibilities, and insider threat awareness.
Audit and Accountability (9 practices): Comprehensive logging of user activities, log review and analysis, protection of audit information, and retention of audit logs.
Configuration Management (9 practices): Baseline configurations, change control processes, restriction of software installations, and monitoring for unauthorized changes.
Identification and Authentication (11 practices): Multi-factor authentication, password complexity requirements, cryptographic authentication, and management of authenticators.
Incident Response (3 practices): An operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response; tracking, documenting, and reporting incidents to internal and external authorities; and testing that capability.
Maintenance (6 practices): Controlled and documented system maintenance, tools management, and remote maintenance protections.
Media Protection (9 practices): Media access controls, sanitization procedures, protection during transport, and accountability for media containing CUI.
Personnel Security (2 practices): Background screening and termination procedures for positions with access to CUI.
Physical Protection (6 practices): Facility access controls, visitor management, physical access logging, and monitoring of physical access.
Risk Assessment (3 practices): Periodic risk assessments, vulnerability scanning of systems and applications, and remediation of the vulnerabilities found.
Security Assessment (4 practices): Periodic assessment of the controls, plans of action to correct deficiencies, ongoing monitoring of control effectiveness, and a System Security Plan describing the boundary and how each requirement is met.
System and Communications Protection (16 practices): Boundary protection, network segmentation, encryption in transit and at rest, denial of service protection, and cryptographic key management.
System and Information Integrity (7 practices): Flaw remediation, malicious code protection at designated locations, monitoring of security alerts and advisories, up-to-date malware protection, periodic and real-time scans, system monitoring for attacks and indicators, and detection of unauthorized use.
Level 2 Assessment Process
Most Level 2 contracts require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO); the solicitation identifies this as "Level 2 (C3PAO)". The final rule also defines "Level 2 (Self)", a triennial self-assessment against the same 110 requirements with an annual affirmation, which DoD intends to use for only a minority of CUI contracts. Plan for the C3PAO variant unless the solicitation says otherwise.
The assessment process involves:
Pre-Assessment Phase: Working with a Registered Practitioner Organization (RPO) or internal team to conduct gap assessments, implement required controls, develop documentation, and prepare your environment for assessment.
Scoping: Clearly defining your CMMC assessment boundary - what systems, networks, and facilities will be assessed. This is critical because everything within the boundary must meet all 110 practices.
Document Review: The C3PAO reviews your System Security Plan (SSP), policies and procedures, network diagrams, asset inventories, and evidence of implementation for all practices.
On-Site Assessment: Assessors conduct interviews with staff, observe security controls in action, test technical implementations, and validate that documented practices match actual operations.
Reporting: The C3PAO records each of the 110 requirements as MET, NOT MET, or NOT APPLICABLE. A conditional certification is possible when the score is at least 88 of 110 and every shortfall is one the rule allows on a POA&M (most of the high-weight requirements are excluded); those items must be closed and verified within 180 days or the conditional status lapses. A lower score, or an open item that cannot go on a POA&M, fails the assessment.
Certification: Upon successful completion, your organization receives CMMC Level 2 certification valid for three years; in between, a senior official submits an annual affirmation in SPRS that you remain compliant. A current certification at the required level must be on record before award.
Who Needs Level 2
Level 2 is required for any organization that:
- Creates, stores, processes, or transmits CUI
- Develops technical solutions for defense applications
- Manufactures components using defense specifications
- Provides engineering or technical services involving CUI
- Handles operational or tactical information
- Works with export-controlled technical data
- Accesses DoD networks or systems containing CUI
In practice, this covers the vast majority of traditional defense contractors, including manufacturers, engineering firms, software developers, research organizations, and technical service providers.
Side-by-Side Comparison: Level 1 vs. Level 2
| Aspect | CMMC Level 1 | CMMC Level 2 |
| Information Protected | Federal Contract Information (FCI) only | Controlled Unclassified Information (CUI) |
| Number of Requirements | 15 basic requirements | 110 requirements |
| Source Standard | FAR 52.204-21 | NIST SP 800-171 Rev 2 |
| Assessment Type | Annual self-assessment | Triennial C3PAO assessment (Level 2 (C3PAO)); triennial self-assessment with annual affirmation where the solicitation allows it (Level 2 (Self)) |
| POA&M Allowed | No | Yes, for permitted items only, closed within 180 days |
| Process Maturity | Not assessed separately; requirements must be implemented | Same |
| Typical Implementation Timeline | 2-4 months | 6-12 months |
| Estimated Total Cost | $15,000-$50,000 | $100,000-$300,000+ |
| Assessment Cost | Minimal (self-assessment) | $15,000-$75,000 per assessment |
| Technical Complexity | Basic cybersecurity hygiene | Advanced security controls |
| Documentation Requirements | Basic policies and self-attestation | System Security Plan, POA&Ms, evidence packages |
| Multi-Factor Authentication | Not required | Required for all network access and for local access to privileged accounts (3.5.3) |
| Encryption Requirements | None | FIPS-validated cryptography wherever encryption protects CUI; required in transit (unless physically protected), on mobile devices, and for media in transport |
| Network Segmentation | Not required | Not required by name, but the usual way to keep the CUI boundary small; boundary protection (3.13.1) is required |
| Incident Response Plan | Not required | Incident-handling capability, tracking and reporting, and testing required (3.6.1-3.6.3); CUI incidents must be reported to DoD within 72 hours under DFARS 252.204-7012 |
| Security Awareness Training | Not required | Required for all users, plus role-based and insider-threat training (3.2.1-3.2.3) |
| Audit Logging | Not required | Required: generate, review, protect, and retain audit records (3.3.1-3.3.9) |
| Recertification Frequency | Annual self-assessment and affirmation | C3PAO assessment every 3 years, with annual affirmation |
How to Identify If You Handle CUI
This is the most critical question in determining your CMMC level, and it's not always straightforward. Many contractors underestimate whether they handle CUI, which can lead to inadequate security posture or incorrect CMMC level pursuit.
CUI Marking Requirements
Under the CMMC contract clause (DFARS 252.204-7021), solicitations and contracts state the required CMMC level directly, so the solicitation is the first place to look. Beyond that, look for:
Contract Language: DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 252.204-7019/7020 (NIST SP 800-171 DoD Assessment and SPRS score), and 252.204-7021 (CMMC). Note that 7012 appears in nearly all DoD contracts other than those solely for commercial off-the-shelf items, so its presence alone does not prove CUI is involved; the level stated in the solicitation does.
CUI Markings: A banner marking in the header and footer of each page - "CUI" on its own, or with category and dissemination controls such as "CUI//SP-CTI//NOFORN" - plus a "Controlled by:" designation indicator on the first page and, on DoD technical documents, a distribution statement (B through F restrict release; A means approved for public release). Legacy "FOUO" markings are no longer valid but still flag material that needs a review to decide whether it is CUI.
Award Documentation: The statement of work or performance work statement and the security requirements section of the award may state which information is CUI and which systems will hold it.
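As an added example that is not part of the original article, the following Python script implements the marking check just described: it scans text extracted from documents for CUI banner lines, the "Controlled by" designation indicator, DoD distribution statements, and legacy FOUO markings, and returns a per-document verdict. The marking syntax follows the CUI Registry banner format; the sample documents, the "Controlled by" office, and the file names are constructed. It goes slightly beyond the text above in also parsing a banner into its category and dissemination segments.

```python
"""Added example (not part of the original article): triage text extracted
from a file share for CUI markings, to find where marked CUI actually sits
before drawing the CMMC assessment boundary.  Marking syntax follows the CUI
Registry banner format (control // categories // dissemination controls).
The sample documents and the 'Controlled by' office are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Limited dissemination control (LDC) markings from the CUI Registry.  Used to
# tell "CUI//NOFORN" (no category, one LDC) apart from "CUI//SP-CTI" (one category).
LDC_MARKINGS = ("NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "REL TO", "DISPLAY ONLY")

# A banner marking stands alone on its own line (page header/footer).  Anchoring
# to the whole line keeps prose that merely mentions "CUI" from triggering a hit.
BANNER_RE = re.compile(r"^[ \t]*((?:CUI|CONTROLLED)(?://[A-Z0-9 ,./-]+)*)[ \t]*$", re.M)
# Designation indicator block that must appear on the first page of a CUI document.
DESIGNATION_RE = re.compile(r"^[ \t]*Controlled by:[ \t]*(.+?)[ \t]*$", re.M | re.I)
# DoD distribution statements B through F restrict release; A is public release.
DISTRIBUTION_RE = re.compile(r"\bDISTRIBUTION STATEMENT ([B-F])\b", re.I)
# Legacy marking: no longer valid, but it flags material that needs a CUI review.
LEGACY_RE = re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY)\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str   # cui_banner | designation | distribution | legacy
    text: str   # the matched marking, stripped of surrounding whitespace
    line: int   # 1-based line number in the scanned text


def _is_ldc(item: str) -> bool:
    """True for an LDC such as 'NOFORN' or 'REL TO USA, GBR'."""
    return any(item.upper().startswith(ldc) for ldc in LDC_MARKINGS)


def parse_banner(banner: str) -> dict:
    """Split 'CUI//SP-CTI/PRVCY//NOFORN' into control, categories and LDCs.
    Segments are separated by '//'; items inside a segment by '/'.  A segment
    made entirely of known LDCs is dissemination; anything else is a category."""
    parts = [p.strip() for p in banner.strip().split("//")]
    control, categories, dissemination = parts[0], [], []
    for segment in parts[1:]:
        items = [s.strip() for s in segment.split("/") if s.strip()]
        if items and all(_is_ldc(i) for i in items):
            dissemination.extend(items)
        else:
            categories.extend(items)
    return {"control": control, "categories": categories, "dissemination": dissemination}


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan_text(text: str) -> list[Finding]:
    """Return every marking found in one document, ordered by line."""
    found = []
    for kind, regex in (("cui_banner", BANNER_RE), ("designation", DESIGNATION_RE),
                        ("distribution", DISTRIBUTION_RE), ("legacy", LEGACY_RE)):
        for m in regex.finditer(text):
            found.append(Finding(kind, m.group(0).strip(), _line_of(text, m.start())))
    return sorted(found, key=lambda f: f.line)


def verdict(findings: list[Finding]) -> str:
    """MARKED_CUI: an authoritative marking is present.  REVIEW: only legacy
    markings, so a person must decide.  NO_MARKINGS: nothing found (which, as
    the article stresses, does not prove the content is not CUI)."""
    kinds = {f.kind for f in findings}
    if kinds & {"cui_banner", "designation", "distribution"}:
        return "MARKED_CUI"
    if "legacy" in kinds:
        return "REVIEW"
    return "NO_MARKINGS"


def scan_documents(docs: dict[str, str]) -> dict[str, str]:
    """Verdict per document name, e.g. for a walk over a share's text extracts."""
    return {name: verdict(scan_text(text)) for name, text in docs.items()}


# Constructed sample documents (no real program data).
SAMPLE_DOCS = {
    "drawing.txt": (
        "CUI//SP-CTI//NOFORN\n"
        "Part 12-3456 Rev C, bracket, housing assembly\n"
        "Material 7075-T6; finish per note 4; tolerance +/-0.005 in\n"
        "Controlled by: Example Program Office (hypothetical)\n"
        "CUI Category: Controlled Technical Information\n"
        "Distribution Statement D: DoD and U.S. DoD contractors only\n"
        "CUI//SP-CTI//NOFORN\n"
    ),
    "invoice.txt": (
        "Invoice 1042, widget assembly, qty 40, net 30\n"
        "Per the contract terms this order does not involve CUI.\n"
        "Remit to: Example Machining LLC\n"
    ),
    "legacy-memo.txt": (
        "FOR OFFICIAL USE ONLY\n"
        "Badge readers on doors 3 and 7 replaced; report faults to security.\n"
        "FOR OFFICIAL USE ONLY\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        print(f"{name}: {verdict(scan_text(text))}")
        for f in scan_text(text):
            print(f"  line {f.line}: {f.kind} -> {f.text}")
```

Run it over text extracted from a share or mailbox export (pdftotext output, .docx bodies) to find where marked CUI already sits before you draw the boundary. A NO_MARKINGS result is not a clean bill of health: unmarked technical data received from a prime is the common case the next section describes, so use this to locate the marked material, not to prove its absence.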
Common CUI Scenarios in Defense Contracting
Even without explicit markings, certain types of work almost always involve CUI:
Engineering and Design Work: If you're creating technical drawings, specifications, or design documents for defense systems, you're creating CUI. A manufacturer in Huntsville, Alabama producing precision components for missile systems will be generating manufacturing specifications and quality control data that constitute CUI, even if the final product is unclassified.
Software Development: Source code, software design documents, and technical architecture for defense systems are typically CUI, in the Controlled Technical Information (CTI) category. This includes both the code itself and documentation about how it works.
Maintenance and Repair: Technical manuals, repair procedures, and maintenance logs for defense equipment often contain CUI, particularly if they reveal vulnerabilities or operational capabilities.
Research and Development: Test results, research findings, and developmental data for defense technologies are typically CUI even in early stages.
Supply Chain Operations: If you have visibility into production schedules, delivery routes, or inventory levels for sensitive defense components, that operational information may be CUI.
Critical Infrastructure: Information about defense facility layouts, security systems, or utility infrastructure is often CUI due to security implications.
The "Email Test"
A practical way to identify CUI: If you receive emails from government customers or prime contractors containing technical information, specifications, or operational details that aren't publicly available, you're likely handling CUI.
Even if the information isn't formally marked, if the contract involves anything beyond purely commercial products or basic administrative services, CUI is probably flowing through your systems.
When in Doubt
If you're uncertain whether you handle CUI, several resources can help:
Contract Review: Your contracting officer or contracts administrator can clarify whether CUI is involved in your specific contract.
Prime Contractor Guidance: If you're a subcontractor, your prime should provide clear direction on CUI handling requirements.
NIST SP 800-171 Applicability: DFARS 252.204-7012 appears in nearly every DoD contract other than those solely for commercial off-the-shelf items, so the clause alone does not prove CUI is involved. What settles it is the solicitation specifying Level 2 under DFARS 252.204-7021, or the statement of work identifying covered defense information that you will receive or create. Either means you handle CUI and need Level 2.
RPO Consultation: A Registered Practitioner Organization can review your contracts and operations to definitively identify CUI presence.
Erring on the side of caution is wise. Assuming you need Level 2 and implementing those controls is far better than assuming Level 1 is sufficient and later discovering you've inadequately protected CUI.
Self-Assessment vs. Third-Party Assessment
Understanding the assessment process is crucial because it affects your timeline, costs, and the rigor of your compliance program.
Self-Assessment (Level 1 Only)
The self-assessment process for Level 1 puts the responsibility entirely on your organization. You evaluate your own practices, document your implementations, and attest to your compliance without external validation.
Advantages of Self-Assessment:
- Lower immediate costs with no assessor fees
- Flexible timeline that you control
- Ability to remediate issues privately before attestation
- Less disruptive to daily operations
Challenges of Self-Assessment:
- No external validation of your interpretation
- Potential for unconscious bias in self-evaluation
- Risk of overlooking gaps that an expert would catch
- Limited guidance on implementation specifics
- Uncertainty about whether your approach meets intent
Even with self-assessment, many organizations choose to work with an RPO or consultant for an internal gap assessment before submitting their attestation. This provides confidence that your self-evaluation is accurate and complete.
Important Note: The final CMMC rule keeps Level 1 as a self-assessment with no scheduled move to third-party assessment. Treat it with the same rigor anyway: the annual affirmation is a representation by a senior official that carries False Claims Act exposure if it is wrong, and DoD can spot-check self-assessments.
Third-Party Assessment (Level 2 Required)
Level 2 (C3PAO) requires assessment by an authorized C3PAO - an organization accredited by the Cyber AB, the accreditation body for the CMMC ecosystem - to conduct CMMC assessments.
The C3PAO Assessment Process:
Scoping Session: The assessor works with you to define the assessment boundary - what systems, facilities, and personnel are in scope. This is a collaborative process but must include all systems that process, store, or transmit CUI.
Pre-Assessment Activities: Before the formal assessment, you'll provide extensive documentation including your System Security Plan, network diagrams, policy documents, and evidence of practice implementation.
Document Review: Assessors review all submitted documentation to understand your environment and verify that your documented practices address all 110 requirements.
Assessment Event: Typically 3-5 days on-site (depending on organization size and complexity), during which assessors:
- Interview personnel across all relevant roles
- Observe security practices in action
- Test technical controls and configurations
- Review additional evidence and artifacts
- Validate that practice implementation matches documentation
Reporting: The C3PAO produces a detailed assessment report recording each requirement as MET, NOT MET, or NOT APPLICABLE. A score of at least 88 of 110 with only POA&M-eligible items open earns a conditional certification, which becomes final once those items are closed and verified within 180 days; anything less fails the assessment.
Certification: Upon successful assessment, your CMMC Level 2 certification is valid for three years from the assessment date, with an annual affirmation of continued compliance submitted in SPRS by a senior official.
Working with Assessors:
The relationship with your C3PAO is professional but collaborative. Good assessors want you to succeed and will provide clarity on what they're looking for. However, they cannot consult or help you implement practices - their role is strictly evaluation.
This is why many organizations work with an RPO during preparation. The RPO helps you implement and prepare, then a separate C3PAO conducts the formal assessment. This separation ensures objectivity in the assessment process.
Government Assessment for High Priority Programs
For the most sensitive programs, the solicitation may require CMMC Level 3 rather than Level 2. Level 3 adds 24 requirements selected from NIST SP 800-172, is assessed by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than a C3PAO, and requires a current Level 2 (C3PAO) certification as a prerequisite. A DIBCAC assessment follows a similar process but with government assessors and additional scrutiny.
What Happens If You Choose the Wrong Level
Pursuing the wrong CMMC level creates serious consequences that go beyond wasted time and money.
Pursuing Level 1 When You Need Level 2
This is the more dangerous scenario. If you pursue Level 1 certification but actually handle CUI, you're:
Violating Contract Requirements: Your contract likely includes DFARS 252.204-7012 or similar clauses requiring adequate protection of CUI. Level 1 controls are insufficient for CUI, putting you in breach of contract terms.
Inadequately Protecting Sensitive Information: CUI requires the comprehensive protections of NIST SP 800-171. Without these controls, you're creating real security vulnerabilities that could be exploited by adversaries seeking defense information.
Risking Contract Loss: When the mismatch is discovered - either through contract review, an incident, or DoD verification - you may lose current contracts and become ineligible for future awards until properly certified.
Facing Potential False Claims Liability: If you've attested to adequate CUI protection while only implementing Level 1 controls, you could face False Claims Act liability for misrepresenting your compliance status.
Creating Incident Response Nightmares: If a breach compromises CUI, DFARS 252.204-7012 requires you to report the cyber incident to DoD within 72 hours of discovery, preserve images of affected systems for at least 90 days, and support DoD's damage assessment. That investigation will expose the inadequate security posture, and a potential federal investigation and serious reputation damage follow.
Pursuing Level 2 When Level 1 Would Suffice
This scenario is less risky but still problematic:
Unnecessary Costs: You'll spend $100,000-$300,000 implementing Level 2 controls when $15,000-$50,000 would have sufficed. For small businesses, this could represent a significant financial burden.
Delayed Contract Participation: Level 2 implementation takes 6-12 months versus 2-4 months for Level 1. You could miss contract opportunities during the extended preparation period.
Operational Complexity: Maintaining Level 2 controls requires more sophisticated IT infrastructure, additional personnel, and ongoing monitoring that may be overkill for your actual requirements.
However, there's a strategic argument for pursuing Level 2 even when Level 1 might technically suffice: it positions you for growth. Many contractors start with FCI-only work but eventually take on CUI-handling contracts. Having Level 2 certification from the start makes you eligible for a broader range of opportunities.
How to Verify Your Requirement
To avoid choosing the wrong level:
Contract Review: Carefully review all current and anticipated contracts. Look for CUI-related clauses, DFARS requirements, and information handling specifications.
Discuss with Customers: Talk to your government customers or prime contractors. They can clarify whether CUI flows to your organization.
Conservative Approach: When uncertain, assume Level 2. The cost of over-compliance is manageable; the cost of under-compliance is potentially catastrophic.
Professional Assessment: Engage an RPO to review your contracts and operations. They can definitively identify your requirement level.
Real-World Scenarios: Which Level Do You Need?
Understanding your requirement becomes clearer when you see how it applies to actual defense contracting situations.
Scenario 1: Precision Manufacturing Subcontractor (Huntsville, AL)
A small manufacturer in Huntsville produces machined components for aerospace defense systems. They receive technical drawings and specifications from their prime contractor, manufacture parts to exact tolerances, and ship completed components.
CMMC Level Required: Level 2
Why? The technical drawings and manufacturing specifications are CUI. Even though they're a subcontractor and the final product may not be classified, the technical data they receive and work with requires protection. The drawings reveal design details, tolerances, and specifications that could compromise the defense system if obtained by adversaries.
This manufacturer needs to implement all 110 NIST SP 800-171 practices, including encrypting the CAD files containing drawings, restricting access to authorized personnel only, implementing multi-factor authentication, and maintaining comprehensive audit logs of who accesses technical data.
Scenario 2: IT Services Provider for Base Operations
A managed service provider offers general IT support for administrative offices on a military installation. They manage email, help desk services, printer support, and basic troubleshooting. They don't access operational systems, classified networks, or technical programs.
CMMC Level Required: Likely Level 1
Why? If their work is limited to unclassified administrative IT support and they only handle basic contract information (invoices, work schedules, support tickets), Level 1 may suffice. However, they must ensure clear separation from any systems containing CUI. Note also that a provider whose staff administer systems holding CUI is an External Service Provider (ESP) under the final rule and falls inside the customer's Level 2 assessment scope, whatever the provider's own contract says.
The key question: Do administrative email systems contain CUI? If personnel on the installation use their email for operational discussions, technical coordination, or sensitive matters, CUI may flow through systems the MSP manages, elevating the requirement to Level 2.
This scenario highlights why many IT service providers pursue Level 2 even when Level 1 might technically apply - the risk of inadvertent CUI exposure in email or shared drives is substantial.
Scenario 3: Software Development for Training Systems
A software company develops training and simulation software for military use. The software itself is unclassified and used for basic skills training, not tactical operations. They receive general requirements and usability feedback but no classified operational plans.
CMMC Level Required: Level 2
Why? Even unclassified software development for defense applications typically involves CUI. The source code itself is CUI, as are architectural designs, API documentation, and technical specifications. If revealed to adversaries, this information could be analyzed for vulnerabilities or reverse-engineered.
Additionally, user feedback might contain operational insights or training deficiencies that reveal capability gaps - information adversaries could exploit.
Scenario 4: Facilities Maintenance Contractor
A company provides janitorial, landscaping, and general facility maintenance for office buildings leased by defense contractors. They have badge access to buildings but no access to computer systems or technical areas.
CMMC Level Required: Level 1
Why? This is one of the clearest Level 1 scenarios. The contractor handles only basic contract information - work schedules, invoicing, and building access procedures. No CUI flows to their organization.
However, even here caution is warranted. If the maintenance company uses shared drives or email systems where building security plans, access control lists, or infrastructure details are stored, that information could be CUI due to security implications.
Scenario 5: Engineering Services Subcontractor
An engineering firm provides design analysis and testing services for a prime contractor developing next-generation defense electronics. They receive partial design specifications, conduct analysis using specialized software, and report findings back to the prime.
CMMC Level Required: Level 2
Why? Everything they touch is CUI. The design specifications they receive, the analysis they perform, the test results they generate, and the reports they deliver all contain technical information that must be protected. Even preliminary design data and analytical findings reveal capabilities and vulnerabilities.
This firm needs robust security controls including encrypted storage for all technical data, network segmentation separating CUI systems from general business networks, multi-factor authentication for all engineering staff, and comprehensive incident response capabilities.
Scenario 6: HR and Recruiting Services
A firm provides recruiting and HR services for defense contractors, helping them find qualified security clearance holders and technical personnel. They handle resumes, conduct background screening coordination, and manage hiring paperwork.
CMMC Level Required: Level 2 (likely)
Why? Personally Identifiable Information (PII) related to individuals seeking positions on defense programs is often CUI, particularly if it includes security clearance information, technical qualifications, or program assignments. The caveat: CUI is information the government creates, or that a contractor creates or receives on the government's behalf. Applicant resumes the firm collects on its own account are sensitive PII but not CUI by themselves; clearance status, program assignments, or personnel data passed down from a DoD customer or prime are.
Resumes of security-cleared individuals with specialized defense experience could be valuable to foreign intelligence services seeking to identify recruitment targets or understand program staffing.
This scenario shows how CUI requirements extend beyond obvious technical work to supporting services that handle sensitive personnel information.
Making Your Decision: A Practical Framework
Based on everything we've covered, here's a step-by-step decision framework to determine your CMMC level requirement.
Step 1: Review All Current Contracts
Examine every active DoD contract or subcontract for:
- DFARS 252.204-7012 or similar CUI protection clauses
- References to NIST SP 800-171
- Explicit mention of CUI or controlled information
- Requirements to protect "covered defense information"
If any contract includes these elements, you need Level 2.
Step 2: Identify Information Types
List every category of information you receive from government customers or primes:
- Technical drawings or specifications
- Software code or technical documentation
- Test results or research data
- Operational plans or procedures
- Export-controlled information
- PII related to defense programs
- Infrastructure or security information
If any of these categories apply to your work, you handle CUI and need Level 2.
Step 3: Evaluate Future Contract Opportunities
Consider contracts you plan to pursue in the next 1-2 years:
- Will they involve technical work beyond what you do now?
- Are you expanding into new defense market segments?
- Will growth require handling more sensitive information?
If your business trajectory points toward CUI-handling work, pursuing Level 2 now may be strategically wise even if Level 1 technically suffices today.
Step 4: Consult with Customers and Primes
Have explicit conversations with your government customers or prime contractors:
- "Does our contract involve CUI?"
- "What CMMC level do you expect from us?"
- "Are there specific information types we should be protecting?"
Government customers want you to get this right. They'll provide guidance if asked directly.
Step 5: Assess Risk Tolerance
Consider the consequences of guessing wrong:
- Can your business absorb the cost of implementing Level 2 if it turns out to be required?
- Can you afford the contract loss if you pursue Level 1 but actually need Level 2?
- How would a security incident affect your reputation and business?
For most contractors, the safe answer is Level 2. The cost difference is manageable; the risk of inadequate CUI protection is not.
Step 6: Make the Call
Based on your analysis:
Pursue Level 1 if:
- You have definitive confirmation that you handle only FCI
- Your contracts explicitly state no CUI is involved
- Your work is purely commercial products or administrative services
- You have no plans to pursue CUI-handling contracts
Pursue Level 2 if:
- Any contracts include DFARS 252.204-7012 or CUI clauses
- You handle any technical, operational, or sensitive information
- You're uncertain about CUI presence in your contracts
- You plan to grow into more technically sophisticated defense work
When truly uncertain: Engage a CMMC RPO for a professional assessment of your contracts and information flows. The consultation cost is minimal compared to the consequences of choosing wrong.
Getting Started with Your CMMC Journey
Once you've determined your required level, the implementation journey begins. While the specific path differs between Level 1 and Level 2, some common first steps apply to both.
Immediate Actions (First 30 Days)
Document Your Decision: Create a written record of why you determined your CMMC level requirement, including contract reviews, customer discussions, and information type analysis. This documentation demonstrates due diligence and provides a foundation for your compliance program.
Establish Your Assessment Boundary: Define which systems, networks, facilities, and personnel will be included in your CMMC scope. For Level 2 particularly, an effective scoping strategy can significantly reduce implementation costs by clearly separating CUI-handling systems from general business operations. The CMMC Level 2 Scoping Guide's asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets) are the vocabulary the assessor will use, so inventory your assets in those terms from the start.
Conduct Initial Gap Assessment: Evaluate your current security posture against required practices. For Level 1, you can do this internally. For Level 2, consider engaging an RPO to conduct a comprehensive gap assessment identifying all areas needing remediation.
Create Implementation Timeline: Based on your gap assessment, develop a realistic timeline for closing identified gaps and preparing for assessment. Allow adequate time - rushing leads to incomplete implementation and failed assessments.
Budget Appropriately: Develop a comprehensive budget covering all implementation costs including technology, consulting, assessment fees, and ongoing maintenance. Underfunding your CMMC program leads to partial implementation and assessment failure.
Building Your Program (Months 2-6)
Remediate Critical Gaps: Prioritize the most significant security deficiencies first. For Level 2, this often means multi-factor authentication, FIPS-validated encryption, network segmentation to shrink the CUI boundary, and logging. Order the work by the DoD Assessment Methodology weights (5, 3, or 1 point per requirement) so that the high-weight items, most of which cannot sit on a POA&M, close first.
Develop Required Documentation: Create or update your System Security Plan, policies and procedures, incident response plans, and evidence packages. Documentation is as important as technical implementation.
Implement Technical Controls: Deploy the technology solutions required to meet practice requirements. This might include new firewalls, encryption solutions, security monitoring tools, and backup systems.
Train Your Team: Ensure all personnel understand their security responsibilities, recognize threats, and know how to handle CUI appropriately. Training is a required practice for Level 2 and a practical necessity for Level 1.
Establish Ongoing Processes: Create sustainable processes for patch management, access reviews, incident response, and continuous monitoring. CMMC isn't a one-time project - it requires ongoing maintenance.
Preparing for Assessment (Final 2-4 Months)
Internal Readiness Review: Conduct a complete review of all practices to verify implementation meets requirements. Test your technical controls, review documentation for completeness, and practice interview scenarios with staff.
Address Remaining Gaps: Remediate any outstanding deficiencies identified in your readiness review. Don't schedule an assessment with known gaps - you'll fail.
Select Your Assessor (Level 2): Research and engage a C3PAO to conduct your assessment. Schedule your assessment date well in advance - qualified assessors often have 2-3 month waiting lists.
Final Documentation Review: Ensure all required documentation is complete, current, and accurately reflects your implemented practices. Mismatches between documentation and reality are common assessment failures.
Staff Preparation: Prepare your team for assessor interviews. Ensure they understand their roles in security, can articulate how practices are implemented, and know where to find supporting evidence.
Frequently Asked Questions
Can I start with Level 1 and upgrade to Level 2 later?
Yes, but this approach often costs more in the long run. You'll implement Level 1 controls, then need to significantly enhance those controls for Level 2 within a short timeframe. If you know you'll eventually need Level 2, implementing it from the start is more efficient. However, if you're genuinely uncertain and want to start with basic security while you clarify requirements, Level 1 can be a reasonable interim step.
How do I handle both FCI and CUI in the same organization?
You can implement an enclave strategy where CUI systems are segmented and protected with Level 2 controls while general business systems remain at Level 1. This requires clear boundaries, strong access controls, and disciplined information handling to prevent CUI from leaking into unprotected systems. Many organizations find it simpler to implement Level 2 across their entire IT environment rather than managing complex segmentation.
What if my contract doesn't specify a CMMC level?
Until CMMC is fully implemented in DoD contracts, you may have contracts that don't explicitly state a requirement. However, if you have DFARS 252.204-7012 in your contract, you're required to implement NIST SP 800-171, which means you need Level 2 when CMMC becomes mandatory. Don't wait for contract language to update - implement appropriate controls now based on the information you handle.
Can I change my CMMC level after starting implementation?
Yes, but it creates complications. If you discover midway through Level 1 implementation that you actually need Level 2, you'll need to significantly expand your scope and timeline. Conversely, if you're pursuing Level 2 and determine Level 1 suffices, you can scale back, but you've already invested in Level 2 preparation. This is why careful upfront determination is critical.
How does CMMC affect my subcontractors?
If you flow CUI down to subcontractors, they need the same level of CMMC certification you have. You're responsible for ensuring adequate protection of CUI throughout your supply chain. Include CMMC requirements in subcontractor agreements and verify their certification status before sharing CUI.
What happens when my Level 2 certification expires in three years?
You'll need to undergo another C3PAO assessment to renew your certification. The triennial reassessment evaluates your ongoing compliance with all 110 practices. Between assessments, you're expected to maintain continuous compliance - you can't let security lapse after certification and scramble to fix it before the next assessment.
Can I operate without CMMC if I don't pursue DoD contracts?
Yes, CMMC is specifically a DoD requirement. However, if you currently have DoD contracts containing DFARS 252.204-7012, you're already required to implement NIST SP 800-171 (essentially Level 2 controls) regardless of CMMC certification. CMMC adds the assessment requirement but doesn't change the underlying security obligations.
Is there a grace period if I fail my assessment?
The C3PAO assessment is pass/fail - any practice not fully implemented results in failure. If you fail, you can remediate deficiencies and schedule a new assessment, but there's no grace period for contract eligibility. You cannot bid on or receive awards for contracts requiring your certification level until you successfully pass assessment. This is why thorough preparation is essential.
Conclusion: The Right Level for Your Organization
Determining your CMMC level requirement isn't optional - it's dictated by the information you handle and the contracts you pursue. The decision comes down to a single critical question: Does your organization create, store, process, or transmit Controlled Unclassified Information?
If the answer is yes, Level 2 is your requirement. The 110 practices of NIST SP 800-171 exist because CUI requires comprehensive protection from sophisticated threats. There are no shortcuts, no workarounds, and no alternatives.
If you handle only Federal Contract Information - basic contract documents, invoices, and administrative data - Level 1 may be sufficient. But given the trajectory of defense contracting and the likelihood of CUI touching most technical work, Level 2 is the safer path for most organizations.
The cost difference between Level 1 and Level 2 is significant, but it's measured in tens or low hundreds of thousands of dollars. The cost of choosing wrong could be your entire defense business.
When uncertain, choose the higher level. Implement comprehensive security. Protect the information entrusted to you as if national security depends on it - because it does.
Need Help Determining Your CMMC Level?
Understanding your CMMC requirement shouldn't be guesswork. Our team has helped defense contractors throughout Maryland, the DMV region, Huntsville, Alabama, Kentucky, and Florida navigate CMMC compliance, from initial level determination through successful certification.
We offer comprehensive CMMC services including:
- Contract and information flow analysis to definitively determine your requirement level
- Gap assessments identifying exactly what you need to implement
- Complete implementation support for both Level 1 and Level 2
- System Security Plan development and documentation
- Assessment preparation and readiness reviews
- Ongoing compliance maintenance and monitoring
As a Cyber-AB Registered Practitioner Organization (RPO), we have the expertise to guide you through every phase of your CMMC journey - from that first critical decision of which level you need through successful certification and beyond.
Contact us today for a complimentary CMMC level consultation. Let's ensure you're pursuing the right certification for your organization's actual requirements.
Disclaimer: This guide provides general information about CMMC Level 1 and Level 2 requirements based on current DoD guidance and industry best practices. CMMC requirements are subject to change as the program continues to evolve. Individual contract requirements, organizational circumstances, and information handling practices vary significantly across defense contractors. This content should not be considered legal, compliance, or cybersecurity advice for your specific situation. Organizations should consult with qualified CMMC practitioners, legal counsel, and their contracting officers to determine their specific CMMC requirements and compliance obligations.
About the Author: CISPOINT is a Cyber-AB Registered Practitioner Organization (RPO) and Managed Security Service Provider (MSSP) specializing in CMMC compliance for defense contractors. Based in Columbia, Maryland, we serve organizations throughout the DMV region, Huntsville, Alabama, Kentucky, and Florida with comprehensive cybersecurity and compliance services.