CMMC Level 1 vs Level 2, Which Applies to You?
Contributors
Many contractors default to assuming Level 2 applies to them, since it carries the higher public profile and stricter requirements. That assumption often costs businesses time and budget they do not need to spend. Your CMMC level depends entirely on the type of information your contract involves, not on the size of your company or the sensitivity of the broader program you support. Getting this classification wrong in either direction creates a real cost: under-preparing risks ineligibility for award, while over-preparing means implementing controls your contract never required. This guide walks through the distinction, so you classify your business correctly the first time.
The Core Distinction: FCI vs CUI
The entire Level 1 versus Level 2 determination rests on one distinction: does your contract involve Federal Contract Information, or does it involve Controlled Unclassified Information.
FCI covers information the government provides to you or generates through your performance of a contract, information the government does not intend for public release. A delivery schedule, a purchase order detail, or a facility access roster the government shares with you under contract all qualify as FCI. This category is broad and applies to nearly every DoD contract that shares any non-public operational detail with you.
CUI covers a narrower, more sensitive category defined by federal law, regulation, or government-wide policy that requires specific safeguarding or dissemination controls. Technical drawings, unclassified but export-controlled specifications, and detailed system architecture documents typically qualify as CUI. The government marks CUI explicitly in most cases, and your contract references specific CUI categories if it applies to you.
If your contract shares only FCI-level information, you stay in Level 1. If it includes CUI, you move into Level 2, regardless of your company's size or contract value.
What Level 1 Requires
Level 1 requires you to implement 15 basic safeguarding practices drawn directly from FAR 52.204-21. These practices cover foundational controls: limiting system access to authorized users, protecting information at transmission and disposal, and applying basic physical security to systems that process FCI.
You verify Level 1 compliance yourself through an annual self-assessment. No C3PAO reviews your environment, and no formal audit occurs. You complete the assessment, document your results, and submit an affirmation to SPRS under the authority of your designated senior official. This process runs on a fixed annual cycle, and your affirmation must stay current for every contract period you hold.
Because the assessment is self-administered, the burden shifts to your internal documentation. Auditors and contracting officers may request evidence of the practices you affirm, so maintaining clear records of each control matters as much as implementing the controls themselves.
What Level 2 Requires
Level 2 requires you to implement 110 controls drawn from NIST SP 800-171, a substantially larger scope than Level 1's 15 practices. These controls span access control, incident response, system monitoring, configuration management, and a dozen additional domains, each with specific technical and procedural requirements.
Most contractors at this level cannot self-certify. A Certified Third-Party Assessment Organization, or C3PAO, conducts an independent assessment of your environment and controls, and you submit the resulting score to SPRS. This assessment cycle typically runs on a three-year period, with your senior official affirming compliance annually between formal assessments.
The jump from Level 1 to Level 2 represents a significant increase in both technical scope and assessment cost, which is exactly why correctly identifying your information type matters before you commit budget in either direction.
How You Determine Your Own Level
You determine your level through a direct review of your contract documents rather than through assumption. Start by reading your contract for DFARS clause 252.204-7012, which signals that your work involves the safeguarding of covered defense information, a strong indicator that CUI is present.
Next, identify the actual information type you receive and generate in the course of performing the contract. Review purchase orders, statements of work, and any government-furnished data or documents you handle. If everything you touch falls under general operational or administrative categories, non-public but not specifically marked or restricted, you are likely working with FCI only.
If you find CUI markings on documents, references to controlled technical information, or export-controlled specifications, you are working with CUI and Level 2 applies to you.
When your contract language leaves the answer unclear, escalate the question to your prime contractor directly. Primes hold the flow-down obligation and know exactly which requirements your subcontract carries. Do not guess, and do not default upward to Level 2 out of caution. A documented, deliberate scope determination protects you from both under-preparing and from spending on controls your contract does not require.
What Misclassification Costs You
Getting this determination wrong carries real cost in either direction. Under-preparing for the level your contract requires risks disqualification from award or renewal once a contracting officer checks your SPRS status against your contract's true requirement. Over-preparing, implementing 110 NIST 800-171 controls and paying for a C3PAO assessment when your contract only involves FCI, wastes budget on infrastructure and audit costs your work never called for.
Accurate classification protects both your competitiveness and your bottom line. It also protects your credibility with your prime, who relies on your self-reported status when they submit their own compliance documentation up the supply chain.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection