CMMC Level 2 vs Level 1: What Small Contractors Need to Know

Q: How do I know which CMMC level my contracts require?

Your required CMMC level is specified in DoD contract solicitations under DFARS clause 252.204-7021. Look for this clause in your active contracts and any RFPs you are bidding on. If you handle CUI (marked documents, technical data, export-controlled information), expect Level 2. If unsure, contact your contracting officer for clarification.

Q: What happens if I have Level 1 but a new contract requires Level 2?

You will need to achieve Level 2 certification before the contract can be awarded. Since certification can take 6 to 12 months, start preparing as soon as you anticipate bidding on CUI-handling contracts. Your Level 1 compliance gives you a foundation, but you will need to implement 93 additional controls and likely undergo a C3PAO assessment.

Published April 17, 2026 — A detailed comparison to help you determine which level your contracts require and what each one involves.

One of the most common questions defense contractors ask is whether they need CMMC Level 1 or Level 2. The answer depends on the type of information you handle — and getting it wrong can mean losing contracts or investing in more compliance than you actually need.

This guide compares the two levels side by side so you can confidently determine your requirements and plan accordingly.

Quick Comparison: Level 1 vs Level 2

Aspect	CMMC Level 1	CMMC Level 2
Full Name	Foundational	Advanced
Number of Controls	17 practices	110 controls
Based On	FAR 52.204-21	NIST SP 800-171 Rev 2
Information Protected	Federal Contract Information (FCI)	Controlled Unclassified Information (CUI)
Assessment Type	Annual self-assessment only	Self-assessment or C3PAO third-party
Assessment Cost	Internal staff time only	$50,000–$150,000 for C3PAO
Total Implementation Cost	$5,000–$30,000	$50,000–$500,000+
Certification Validity	Annual (re-affirm each year)	3 years (C3PAO) or annual (self)
Documentation Required	Basic self-assessment results	SSP, POA&M, evidence artifacts, SPRS score
Timeline to Achieve	1–3 months	6–12 months
MFA Required	No	Yes (IA.L2-3.5.3)
SIEM / Log Monitoring	No	Yes (AU family controls)
Encryption of CUI	Not applicable	Yes, at rest and in transit (SC family)
Incident Response Plan	Not required	Required (IR.L2-3.6.1)

Understanding the Information Types: FCI vs CUI

The fundamental distinction between Level 1 and Level 2 is the type of information you handle. This is not something you choose — it is determined by your contracts and the data that flows through your systems.

Federal Contract Information (FCI)

FCI is information provided by or generated for the government under a contract that is not intended for public release. Examples include:

Contract terms and pricing data
Delivery schedules and logistics information
Performance reports submitted to the government
Internal project management data for DoD work

If FCI is the most sensitive information you handle, Level 1 is sufficient.

Controlled Unclassified Information (CUI)

CUI is a much broader category of sensitive information that requires safeguarding under federal law or regulation. The CUI Registry (maintained by NARA) lists over 100 categories, but common examples in defense contracting include:

Controlled Technical Information (CTI) — technical data with military or space application
Export-controlled data — information subject to ITAR or EAR restrictions
Engineering drawings and specifications for defense systems
Vulnerability assessments and penetration test results
Critical infrastructure information
Personnel records and PII from DoD employees

If any CUI flows through your systems, you need Level 2. There is no workaround.

What Level 1 Requires (17 Practices)

Level 1 is based on the 17 basic safeguarding requirements from FAR 52.204-21. These are common-sense security practices that every business should already follow:

Limit system access to authorized users
Limit system access to the types of transactions and functions authorized users are permitted to execute
Control information posted on publicly accessible systems
Identify and authenticate users before granting access
Sanitize or destroy media containing FCI before disposal
Limit physical access to systems and equipment
Escort visitors and monitor visitor activity
Monitor and control remote access sessions
Provide security awareness training
Perform periodic security scans and update antivirus

Most small businesses with a competent IT setup already meet many of these. The assessment is a self-assessment — you evaluate yourself, affirm the results, and submit to SPRS annually.

What Level 2 Adds (93 Additional Controls)

Level 2 includes all 17 Level 1 practices plus 93 additional controls from NIST SP 800-171. These additional controls add significant technical and procedural requirements:

Access Control (AC) — 22 controls total

Level 2 adds controls for account management, separation of duties, least privilege enforcement, unsuccessful login attempt lockouts, session timeouts, wireless access restrictions, and mobile device management. For example, AC.L2-3.1.5 requires employing the principle of least privilege, including for specific security functions and privileged accounts.

Audit and Accountability (AU) — 9 controls

You must create, protect, and retain system audit logs. This typically means deploying a SIEM or centralized log management solution. Controls require audit log review, alerting on failures, and correlation of audit records. AU.L2-3.3.1 requires creating and retaining system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Identification and Authentication (IA) — 11 controls

Multi-factor authentication (MFA) is mandatory for all network access to privileged and non-privileged accounts (IA.L2-3.5.3). Password complexity, replay-resistant authentication, and identifier management are all required. This is often one of the most impactful changes for small contractors.

System and Communications Protection (SC) — 16 controls

CUI must be encrypted at rest and in transit using FIPS-validated cryptography (SC.L2-3.13.8, SC.L2-3.13.11). Network segmentation, session authenticity, and collaborative device controls are required. This family often drives significant infrastructure changes.

System and Information Integrity (SI) — 7 controls

Timely flaw remediation (patching), malicious code protection at key points, security alert monitoring, and inbound/outbound communications monitoring are required. SI.L2-3.14.1 requires identifying, reporting, and correcting system flaws in a timely manner.

Key insight: The jump from 17 to 110 controls is not just about quantity. Level 2 controls are interconnected — your access controls feed your audit requirements, your incident response depends on your monitoring, and your SSP must describe how everything fits together.

When Level 1 Is Enough

Level 1 is sufficient when:

Your DoD contracts only involve Federal Contract Information (FCI)
You do not receive, process, or store any CUI from prime contractors or the government
Your contract solicitations specify CMMC Level 1 under DFARS 252.204-7021
You provide commercial off-the-shelf (COTS) products only

When Level 2 Is Required

You need Level 2 when:

Your contracts involve handling CUI in any form
You receive technical data, engineering drawings, or export-controlled information from prime contractors
Your contract solicitations specify CMMC Level 2
You are a subcontractor and CUI flows down to your systems from a prime contractor
You plan to bid on future DoD contracts that involve CUI

The Cost Difference

For a small contractor (25–50 employees), here is a realistic cost comparison:

Cost Category	Level 1	Level 2
Assessment	Free (self-assessment)	$50,000–$150,000 (C3PAO)
Technical Controls	$2,000–$10,000 (basic tools)	$20,000–$200,000 (MFA, SIEM, encryption, etc.)
Documentation	Minimal	$5,000–$25,000 (SSP, POA&M, policies)
Annual Maintenance	$1,000–$5,000	$10,000–$50,000
Total First Year	$5,000–$30,000	$75,000–$400,000+

This is exactly why determining your correct level matters. Spending $100,000+ on Level 2 when Level 1 suffices is a costly mistake. But assuming Level 1 when you actually need Level 2 means losing contract eligibility.

How to Track Either Level with NormSuite

NormSuite CMMC Tracker supports Level 2 compliance with all 110 controls mapped, real-time SPRS scoring, SSP generation, evidence management, and automated POA&M tracking. The free tier lets you assess up to 20 controls so you can evaluate your current gaps before committing.

Start Free CMMC Tracker

Frequently Asked Questions

Can I get CMMC Level 1 instead of Level 2 to save money?

You cannot choose your CMMC level. The required level is determined by the type of information you handle on DoD contracts. If your contracts involve CUI, you need Level 2 regardless of cost preferences. If you only handle FCI, Level 1 is sufficient.

Does CMMC Level 1 certification count toward Level 2?

Level 2 encompasses all Level 1 requirements. The 17 FAR 52.204-21 practices are a subset of the 110 NIST SP 800-171 controls. Achieving Level 1 means you have completed about 15% of Level 2, but you still need the remaining 93 controls and a more rigorous assessment.

How do I know which CMMC level my contracts require?

Check your active contracts and any RFPs for DFARS clause 252.204-7021, which specifies the required CMMC level. If you handle CUI, expect Level 2. Contact your contracting officer if you are uncertain.

What happens if I have Level 1 but a new contract requires Level 2?

You need to achieve Level 2 certification before the contract can be awarded. Since this can take 6 to 12 months, start preparing as soon as you anticipate bidding on CUI-handling contracts. See our CMMC 2026 deadline guide for a timeline.

Related Guides

What Is CMMC Level 2? — Complete guide to Level 2 requirements
How to Calculate Your SPRS Score — Scoring methodology explained
CMMC 2026 Deadline — Phase 2 timeline and action plan