CMMC Level 1 vs Level 2, Which Applies to You?

Contributors

Shantanoo Govilkar
Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions
Image
mmc-level-selection-guide

Many contractors default to assuming Level 2 applies to them, since it carries the higher public profile and stricter requirements. That assumption often costs businesses time and budget they do not need to spend. Your CMMC level depends entirely on the type of information your contract involves, not on the size of your company or the sensitivity of the broader program you support. Getting this classification wrong in either direction creates a real cost: under-preparing risks ineligibility for award, while over-preparing means implementing controls your contract never required. This guide walks through the distinction, so you classify your business correctly the first time.

cmmc-level-1-vs-level-2

The Core Distinction: FCI vs CUI

The entire Level 1 versus Level 2 determination rests on one distinction: does your contract involve Federal Contract Information, or does it involve Controlled Unclassified Information.

FCI covers information the government provides to you or generates through your performance of a contract, information the government does not intend for public release. A delivery schedule, a purchase order detail, or a facility access roster the government shares with you under contract all qualify as FCI. This category is broad and applies to nearly every DoD contract that shares any non-public operational detail with you.

CUI covers a narrower, more sensitive category defined by federal law, regulation, or government-wide policy that requires specific safeguarding or dissemination controls. Technical drawings, unclassified but export-controlled specifications, and detailed system architecture documents typically qualify as CUI. The government marks CUI explicitly in most cases, and your contract references specific CUI categories if it applies to you.

If your contract shares only FCI-level information, you stay in Level 1. If it includes CUI, you move into Level 2, regardless of your company's size or contract value.

What Level 1 Requires

Level 1 requires you to implement 15 basic safeguarding practices drawn directly from FAR 52.204-21. These practices cover foundational controls: limiting system access to authorized users, protecting information at transmission and disposal, and applying basic physical security to systems that process FCI.

You verify Level 1 compliance yourself through an annual self-assessment. No C3PAO reviews your environment, and no formal audit occurs. You complete the assessment, document your results, and submit an affirmation to SPRS under the authority of your designated senior official. This process runs on a fixed annual cycle, and your affirmation must stay current for every contract period you hold.

Because the assessment is self-administered, the burden shifts to your internal documentation. Auditors and contracting officers may request evidence of the practices you affirm, so maintaining clear records of each control matters as much as implementing the controls themselves.

What Level 2 Requires

Level 2 requires you to implement 110 controls drawn from NIST SP 800-171, a substantially larger scope than Level 1's 15 practices. These controls span access control, incident response, system monitoring, configuration management, and a dozen additional domains, each with specific technical and procedural requirements.

Most contractors at this level cannot self-certify. A Certified Third-Party Assessment Organization, or C3PAO, conducts an independent assessment of your environment and controls, and you submit the resulting score to SPRS. This assessment cycle typically runs on a three-year period, with your senior official affirming compliance annually between formal assessments.

The jump from Level 1 to Level 2 represents a significant increase in both technical scope and assessment cost, which is exactly why correctly identifying your information type matters before you commit budget in either direction.

How You Determine Your Own Level

You determine your level through a direct review of your contract documents rather than through assumption. Start by reading your contract for DFARS clause 252.204-7012, which signals that your work involves the safeguarding of covered defense information, a strong indicator that CUI is present.

Next, identify the actual information type you receive and generate in the course of performing the contract. Review purchase orders, statements of work, and any government-furnished data or documents you handle. If everything you touch falls under general operational or administrative categories, non-public but not specifically marked or restricted, you are likely working with FCI only.

If you find CUI markings on documents, references to controlled technical information, or export-controlled specifications, you are working with CUI and Level 2 applies to you.

When your contract language leaves the answer unclear, escalate the question to your prime contractor directly. Primes hold the flow-down obligation and know exactly which requirements your subcontract carries. Do not guess, and do not default upward to Level 2 out of caution. A documented, deliberate scope determination protects you from both under-preparing and from spending on controls your contract does not require.

What Misclassification Costs You

Getting this determination wrong carries real cost in either direction. Under-preparing for the level your contract requires risks disqualification from award or renewal once a contracting officer checks your SPRS status against your contract's true requirement. Over-preparing, implementing 110 NIST 800-171 controls and paying for a C3PAO assessment when your contract only involves FCI, wastes budget on infrastructure and audit costs your work never called for.

Accurate classification protects both your competitiveness and your bottom line. It also protects your credibility with your prime, who relies on your self-reported status when they submit their own compliance documentation up the supply chain.

Get the latest insights straight from our desk to your inbox.

Other Featured Articles

Explore More
what-is-cmmc-do-you-need-it

What Is CMMC and Do You Need It?

Learn what CMMC is, who needs it, and how to determine if your business requires Level 1 compliance for DoD contracts.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
mmc-level-selection-guide

CMMC Level 1 vs Level 2, Which Applies to You?

Learn the key differences between CMMC Level 1 and Level 2, understand FCI vs. CUI, and determine which CMMC level your DoD contract requires to avoid unnecessary costs or compliance risks.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-dod-subcontractors

What CMMC Means for DoD Subcontractors

Understand what CMMC means for DoD subcontractors, how compliance requirements flow down from prime contractors, who must comply, and the steps to determine your CMMC obligations.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-level-1-self-assessment-guide

How to Complete Your CMMC Level 1 Self Assessment

Complete CMMC Level 1 self-assessment guide: define scope, work through 15 practices, fix common gaps, and submit your SPRS affirmation.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-october-2026-deadline

The October 2026 CMMC Deadline: What Happens If You Miss It 

Prepare for the October 2026 CMMC deadline. Learn how compliance affects DoD contract eligibility, SPRS affirmations, renewals, and subcontractors.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Entry-Point

Operational Technology (OT) Penetration Testing Guide for Ransomware Defense

Ransomware doesn't need to breach your control room it needs to get close enough that you can't trust it hasn't.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-510K-and-PMA-Cybersecurity-Testing

A Medical Device Maker's Guide to FDA Cybersecurity Testing for 510(k) & PMA

The FDA doesn't publish a pen testing checklist, but its guidance, 524B requirements, and reviewer expectations add up to one.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Pharma-Pen-Testing-FDA-Complianc

Pharma Pen Testing: Why FDA and IP Risk Need Different Scoping

Standard pen test scoping frameworks weren't built for pharma.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-524B-Medical-Device-Cybersecurity-Testing

FDA 524B Is Here: What Medical Device Makers Must Test Now

Section 524B made medical device cybersecurity a legal requirement, not a guideline.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
CMMC-2-0-Pen-Testing-Requirements

Why CHIPS Act Manufacturers Can't Rely on CMMC Pen Testing Alone

Semiconductor manufacturers face dual compliance obligations under CMMC 2.0 and the CHIPS Act and a standard pen test satisfies neither fully.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
C3PAO-Audit-Evidence-Mapping

Why Pen Test Evidence Fails C3PAO Assessments (and How to Fix It)

Completing a pen test isn't enough for CMMC.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
PTaaS-vs-Annual-Pen-Testing

PTaaS vs. Annual Pen Testing: Why Manufacturers Are Switching

Annual penetration testing produces documentation, not security.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Map-OT-Attack-Surface

Map Your OT Attack Surface Before the Next Audit

Don't wait for an auditor to tell you what you missed.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Scope-IT-OT-Penetration-Testing

How to Scope IT-OT Penetration Testing Safely

Learn how to safely scope IT-OT penetration testing engagements.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Manufacturing-Penetration-Testing-Frequency

How Often Should Manufacturers Run OT Penetration Testing?

Annual pen testing fits a budget cycle but it doesn't reflect how fast manufacturing environments actually change.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
21-CFR-Part-11-and-cGMP-Requirements

Pharmaceutical Pen Testing: What 21 CFR Part 11 and cGMP Require

21 CFR Part 11 and cGMP don't mention penetration testing but the controls they require depend on it.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
RD-and-Regulated-Systems-Penetration-Testing-Scopes

Pharmaceutical Pen Testing: Why R&D and GxP Need Different Scopes

R&D and GxP regulated environments have different risk profiles, compliance requirements, and testing constraints.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Nation-State-Cyber-Threats-in-Pharma

Why Pharmaceutical Pen Testing Must Address Nation-State Threats

Nation-state actors treat pharma like critical infrastructure targeting formulation data, synthesis routes, and clinical IP with patience and precision.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Risk

How Ransomware Crosses the IT-OT Boundary (And How to Stop It)

Ransomware operators target the IT-OT boundary deliberately and they know manufacturing economics well.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Where-Industry-4-0-Exposed-OT

Where Industry 4.0 Left Your OT Attack Surface Wide Open

Industry 4.0 connected OT environments were never built for. Learn why traditional IT security tools fall short and what OT penetration testing reveals that audits miss.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
What-AS4-Actually-Solves-Banner-Image

What AS4 Actually Solves: Real Outcomes Companies See After Migration

Discover what AS4 actually solves for modern businesses. Learn the real outcomes companies achieve after migration, from stronger security to better B2B integration performance.

 

EDI Solutions Group
Marketing Group view
AS4-migration-pitfalls-Banner-image

7 Migration Pitfalls That Derail AS4 Upgrades (and How to Avoid Them)

Avoid costly AS4 upgrade mistakes. Discover 7 migration pitfalls that delay projects, create risk, and disrupt B2B messaging, plus practical ways to avoid them.

EDI Solutions Group
Marketing Group view
pen-testing-in-cloud-enviroment-banner-image

How to Perform Penetration Testing in Cloud Environments (AWS, Azure, and GCP) - 2026 Edition

A practical guide to cloud penetration testing across AWS, Azure, and GCP. Learn methods, tools, and best practices to identify vulnerabilities and improve security.

Cybersecurity Solutions Group
Marketing Group view
when-to-switch-legacy-edi-to-as4

5 Signs It's Time to Move Legacy EDI Environment to AS4 Protocol

Partner onboarding delays, compliance gaps, and rising maintenance costs are signals your EDI infrastructure is reaching its limits. Learn the five signs it is time to evaluate a move to AS4.

EDI Solutions Group
Marketing Group view
How-to-Design-Custom-Chatbots-Banner-Image

How to Design Custom Chatbots That Cannot “Make Stuff Up”

Confident AI answers without traceable sources create institutional risk. Learn how Grounded RAG architecture retrieves real documents first and attaches verifiable citations to every response.

Data and AI Solutions Group
Marketing Group view
Conversational-AI-blog-banner

How Citation-Backed Conversational AI Improves Public Access and Internal Decision-Making

AI without source citations creates real liability. Learn how citation-backed AI brings traceable sources, version awareness, and audit-ready outputs to every institutional decision.

Data and AI Solutions Group
Marketing Group view
Network-penetration-testion-blog-banner

How to Perform a Successful Network Penetration Test: Comprehensive Guide for 2025

Learn how to perform a successful network penetration test to identify vulnerabilities, simulate real cyberattacks, and strengthen your organization’s network security.

Cybersecurity Solutions Group
Marketing Group view
Penetration-testing-banner-image

What Is Penetration Testing? A 2026 Expert Guide

A 2026 expert guide to penetration testing for security leaders and IT teams seeking proactive defense, compliance, and stakeholder trust.

Cybersecurity Solutions Group
Marketing Group view
ot-ransomware-prevention-banner-image

OT Ransomware Prevention: Practical Best Practices for Industrial Cybersecurity

Explore enterprise grade OT ransomware prevention strategies, including segmentation, identity control, threat informed detection, and resilient recovery design to protect industrial operations fro

Cybersecurity Solutions Group
Marketing Group view
OT-Ransomware-Risks-and-Response-Banner

10 Myths About OT/ICS Security That Put Your Business at Risk

Think your OT network is secure? Learn the 10 most dangerous myths about OT and ICS cybersecurity that leave industrial operations exposed to attacks.

Cybersecurity Solutions Group
Marketing Group view
OT-ransomeware-risk-and-responses-banner-image

OT Ransomware Risks and Response for Industrial Systems

Learn why OT environments face higher ransomware risk, how attackers gain access, and how effective detection and response reduce operational impact.

Cybersecurity Solutions Group
Marketing Group view
AI-Risk-Assessment-Best-Practices-Banner

AI Risk Assessment: Risk Types, Best Practices & More

Explore AI risk types, essential assessment frameworks, and proven best practices to mitigate threats in AI deployment. Learn actionable strategies for secure AI systems today.

Cybersecurity Solutions Group
Marketing Group view
AI Risk Assessment Banner Image

AI Risk Assessment: Everything You Need to Know

Learn essential processes, methodologies, risk types, regulatory requirements, and practical implementation strategies for safe AI deployment.

Cybersecurity Solutions Group
Marketing Group view
Whitepaper: Ransomware Threat Management

Whitepaper: Ransomware Threat Management

Ransomware continues to be a real threat to business operations across all industries, no organization is safe from this threat.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Cybersecurity Incident Response Preparedness

Cybersecurity Incident Response Preparedness

An incident response framework provides a structure to support incident response operations. A framework typically provides guidance on what needs to be done, but not on how it is done.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Internet of Things

IoT Medical Device Cybersecurity

Healthcare data and medical devices would be aggressively targeted by ransomware attacks since early 2017 has proven to be true

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Back
to Top