
CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)

A small-business owner's decision guide to CMMC Level 1 vs Level 2. The single question that decides it, what each level costs in time and money, and the trap of getting it wrong. Updated for the 2026 SPRS affirmation cycle and the 48 CFR rule phased rollout.

By David Fuentes · Compliance Officer, Custodia · May 11, 2026 · 12 min read

If you've been on the receiving end of a prime's supplier cybersecurity questionnaire and you've walked away with the question “Wait, do I need Level 1 or Level 2?” you are not alone. This is the single most consequential decision in the CMMC program, and most online answers are written for the wrong reader. They're written for a Fortune-500 compliance team, in language a five-person electrical contractor outside Norfolk cannot reasonably parse.

This post is the answer in the language a small business owner actually uses. By the time you finish it, you'll know which level applies to you, what each one really requires, and what happens if you guess wrong. (Spoiler: do not guess.)

TL;DR — the single question that decides it

Forget every flowchart with eight branches. There is one question that decides Level 1 vs Level 2, and it's about what kind of information your contract gives you:

That's 95% of the answer. The rest of this post explains why, what each level actually requires, and the small minority of cases where it gets more nuanced.

The actual difference: FCI vs CUI

The CMMC level you owe is decided by the type of data the government hands you under your contract. Not the size of your company. Not your NAICS code. Not the size of the award. The data.

FCI — Level 1

Federal Contract Information

Non-public information you receive or generate under a federal contract, but that the government has not specifically designated for protection.

Examples
  • A delivery schedule for non-classified parts
  • A statement of work for routine IT support
  • Pricing on a maintenance contract
  • Email about a janitorial scope of work on a base

CUI — Level 2

Controlled Unclassified Information

Information the government has specifically designated for safeguarding under the CUI program (32 CFR Part 2002). Usually carries a banner marking like CUI//SP-EXPT.

Examples
  • A technical drawing marked CUI//SP-EXPT
  • Export-controlled (ITAR) technical data
  • PII from a DoD personnel records contract
  • A vulnerability assessment of a DoD system

FCI vs CUI — the single decision that puts you in Level 1 or Level 2. Source: 32 CFR Part 2002 §2002.4 (CUI definition); FAR 4.1901 (FCI definition).

Federal Contract Information (FCI) is the default category. Defined at FAR 4.1901, it covers any non-public information the government provides or you generate under a federal contract. It is not marked with anything special. It is the routine paperwork of doing government business: delivery schedules, pricing, scopes of work, emails from the contracting officer.

Controlled Unclassified Information (CUI) is the upgrade. Defined at 32 CFR Part 2002, CUI is information the government has specifically designated for safeguarding. It is identified by a banner marking on the document or system, almost always with a category code — CUI//SP-EXPT for export-controlled, CUI//SP-PRIV for privacy, and so on.

What CMMC Level 1 requires

CMMC Level 1 is the basic safeguarding tier. It is built on a clause the government has been quietly putting in federal contracts since 2016: FAR 52.204-21. Subsection (b)(1)(i)–(xv) of that clause lists the 15 safeguarding requirements that constitute Level 1 in their entirety.

The requirements are not exotic. Plain-English:

  • Only authorized people can sign in to your systems
  • People can only do the work their job requires
  • Connections to outside networks are controlled
  • What you post on public sites is reviewed
  • Users and devices are identified and authenticated
  • Media is wiped before you throw it out
  • Physical access to your office is controlled
  • Visitors are escorted and logged
  • Boundaries of your network are monitored
  • Public-facing systems are isolated from internal ones
  • You patch known flaws
  • You run anti-malware and keep it current

That is the entire Level 1 program. Most of it is common-sense business hygiene that any well-run 12-person company is already doing in some form — CMMC just asks you to do it deliberately and document the evidence.

What CMMC Level 2 requires

CMMC Level 2 protects CUI. The control set is NIST SP 800-171 — all 110 controls, mapped to 320 assessment objectives in NIST SP 800-171A. Implementation is meaningfully harder than Level 1, and the assessment regime is a different planet:

  • Triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB. Self-assessment is permitted only for a narrow slice of Level 2 work; for most DoD contracts touching CUI, a C3PAO is required.
  • Score range: −203 to +110. The familiar “SPRS score out of 110” that primes ask about belongs to Level 2 (NIST 800-171 Basic Assessment), not Level 1.
  • POA&M allowed (limited). Some controls can temporarily sit on a Plan of Action and Milestones, but the minimum acceptable score is 88/110 and any open POA&M items must be closed within 180 days. (32 CFR § 170.21(c).)
  • Cost: typically $50K–$250K+ for the first assessment cycle, including implementation work to bring the environment up to standard.

If you genuinely handle CUI, Level 2 is the right and necessary burden. If you don't, paying for Level 2 is a six-figure mistake.

Side-by-side comparison

Dimension                        | Level 1                                                  | Level 2
---------------------------------|----------------------------------------------------------|-----------------------------------------------------
Data protected                   | Federal Contract Information (FCI)                       | Controlled Unclassified Information (CUI)
Control set                      | 15 safeguarding requirements (FAR 52.204-21)             | 110 controls (NIST SP 800-171)
Assessment objectives            | 59 (mapped from NIST 800-171A)                           | 320 (NIST 800-171A)
Who assesses                     | Yourself, annually                                       | C3PAO, every 3 years
Result format                    | Binary — MET or NOT MET                                  | Numeric score −203 to +110
POA&M permitted                  | No — every requirement must be MET                       | Yes (limited; minimum 88/110, close in 180 days)
Affirmation                      | Senior official, annual, in SPRS                         | Senior official, annual, in SPRS (plus C3PAO record)
Typical cost (initial)           | Hundreds to low thousands — mostly your time             | $50K–$250K+ including remediation
Recurring annual cost            | Hours of attention; platform fee if guided               | Sustainment + reassessment every 3 years
Contract clause that triggers it | FAR 52.204-21 (already in nearly every federal contract) | DFARS 252.204-7012, 7019, 7020, 7021

The decision tree

Drawn out, here is how the rule is actually applied:

  1. Is there a federal contract in your name, and do you receive non-public contract information (FCI) under it?
     NO → Not subject to CMMC.
     YES → Continue.
  2. Does any of that information carry a CUI marking?
     NO → CMMC Level 1 (self-assessed annually).
     YES → Continue.
  3. Is the work designated as a high-priority DoD program?
     NO → CMMC Level 2 (C3PAO assessment every 3 years).
     YES → CMMC Level 3 (DIBCAC assessed).

The CMMC level decision tree: which level applies based on the data you handle. Source: 32 CFR Part 170 §170.14.

Two notes on edge cases:

  • Mixed environments. Some firms have one contract line item that touches CUI and another that touches only FCI. The CMMC level applies per contract, and the environment that processes CUI must be at the higher level. In practice, most small firms can't cleanly segment, so the whole firm becomes Level 2 the moment any one contract requires it.
  • Civilian agency work. CMMC is a DoD program. A civilian agency contract still requires FAR 52.204-21 safeguarding for FCI, but the CMMC affirmation regime does not apply. If you only work for HHS, USDA, or DOI, you implement the 15 requirements as a matter of contract compliance but you do not post a CMMC affirmation in SPRS.

What happens if you pick the wrong level

This is the section nobody wants to write but everyone needs to read.

There are two failure modes:

  1. You file Level 1 when the contract required Level 2. This is the worse mistake. You've attested that you meet a standard you do not meet, and the data category gives the government strong evidence you should have known.
  2. You file Level 2 when you only needed Level 1. Less legally dangerous, but expensive. You've spent $50K–$250K on an assessment that contributes nothing to your eligibility and burdened your team with controls you didn't owe.

The fix in either direction is to confirm before you sign:

  1. Read every contract document for the word “CUI.”
  2. Search your contract for “252.204-7012.”
  3. Email the prime's contracts manager in writing if either is unclear; their answer becomes part of your file.

What “most small businesses” actually means

The DoD's own regulatory impact analysis estimates the Defense Industrial Base at roughly 220,000 firms. Of those, the rule projects approximately 139,000 to be Level 1 and approximately 80,000 to be Level 2 or 3. Translation: the typical small DoD subcontractor — the electrical firm, the machine shop, the IT services company, the janitorial outfit — is Level 1. Level 2 lives further up the food chain, with the firms doing weapon-system engineering, export-controlled software, classified-adjacent R&D, and the like.

If you've never seen a CUI banner on a document and your contract doesn't cite DFARS 252.204-7012, you're very likely in the L1 majority. The rest of this site is built for you.

What to do this week

  1. Verify your level in 5 minutes using our free CMMC check. No signup, no card.
  2. If you're Level 1, take the 4-minute SPRS readiness quiz to see where you stand against the 15 requirements.
  3. Get on the Monday Bid Digest — weekly SAM.gov opportunities a CMMC L1-fit small business can bid on, free, in your inbox. Subscribe here.
  4. Read the regulation yourself if you want to verify any claim on this page — we keep an annotated regulations index of every primary source.

FAQ

What's the difference between CMMC Level 1 and Level 2?

Level 1 protects FCI with 15 self-assessed safeguarding requirements. Level 2 protects CUI with 110 NIST 800-171 controls assessed by a C3PAO every three years. Level 1 is binary; Level 2 is scored 0–110.

Which level do I need?

Level 1 if you handle FCI only. Level 2 if you handle CUI (look for a CUI banner marking, or check whether DFARS 252.204-7012 is in your contract). Level 3 only if you're on a designated high-priority DoD program.

Can I self-assess for Level 1?

Yes. Level 1 is self-assessed annually with a senior official affirmation posted in SPRS. No C3PAO is required at Level 1.

How much does Level 1 cost compared to Level 2?

Level 1 is typically a few hundred to a few thousand dollars per year on a guided platform — or one to two weeks of founder time DIY. Level 2 typically runs $50K–$250K+ in the first cycle, plus ongoing sustainment.

What happens if I get my level wrong?

Filing a Level 1 affirmation when Level 2 was required is a federal false statement under 18 U.S.C. § 1001 with False Claims Act exposure under 31 U.S.C. § 3729 — signed personally by the affirming official. Verify your level before you affirm.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)