April 20, 2026 • 13 min read

One of the most common questions defense contractors ask about CMMC is deceptively simple: which level do I need? The answer depends on the type of data your organization handles — and getting it wrong in either direction is costly. Underestimating your level means contract ineligibility. Overestimating it means spending money and effort on requirements that do not apply to your situation. Here is how to determine the right answer when evaluating CMMC Level 1 vs Level 2.
The CMMC framework has three levels. For the vast majority of defense contractors in the Defense Industrial Base, the relevant question is whether they need Level 1 or Level 2. Level 3 applies to a small subset of contractors working on the most sensitive DoD programs that involve Advanced Persistent Threats. The distinction between Level 1 and Level 2 comes down entirely to the type of federal information your organization handles.
| Factor | CMMC Level 1 | CMMC Level 2 |
| --- | --- | --- |
| Data type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Controls required | 17 basic practices (FAR 52.204-21) | 110 controls (NIST SP 800-171) |
| Assessment method | Annual self-assessment | Third-party C3PAO assessment (for most) |
| SPRS posting required | Yes | Yes |
| Annual affirmation | Yes | Yes |
| Recertification cycle | Annual self-assessment | Every 3 years (C3PAO) |
Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service to the government. It does not include information provided to the public or simple transactional information like the contractor's name and address. Most contractors in the supply chain handle at least some FCI, which means Level 1 applies as a baseline minimum.
Controlled Unclassified Information (CUI) is information the government creates or possesses that requires safeguarding under law, regulation, or government-wide policy. CUI encompasses a broad range of categories: technical data, export-controlled information, sensitive financial information, privacy data, and many others defined by the National Archives CUI Registry. If you are unsure whether your contract involves CUI, review your contract for DFARS clause 252.204-7012 — its presence is a strong indicator that you handle CUI and need Level 2.
Level 1 requires 17 basic cybersecurity practices aligned with FAR 52.204-21. These cover access control (limiting system access to authorized users and devices), basic malware protections, physical security over information systems, and a small set of other foundational controls. Level 1 allows for annual self-assessment — but self-assessment is not the same as self-certification with no supporting evidence. You need to demonstrate implementation with artifacts: configuration screenshots, access control documentation, policy excerpts. The affirmation is submitted by a senior official and posted to SPRS. False affirmation carries significant False Claims Act exposure, and the DoD has made clear that enforcement is a priority.
Level 2 requires all 110 security controls from NIST SP 800-171 across 14 requirement families. This is a substantial security program — covering access control, incident response, configuration management, system integrity, audit and accountability, personnel security, physical protection, media protection, risk assessment, and more. For most Level 2 contractors handling CUI in high-priority programs, a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required every three years. The C3PAO assessment is thorough, evidence-based, and not a process that can be rushed. Preparation alone takes a 50-person company an average of 6 to 12 months. If your organization handles CUI and has not started preparing for Level 2, that timeline needs to be treated as urgent.
CMMC requirements flow down through the supply chain, and this is where many subcontractors get caught off guard. If your prime contractor handles CUI and you handle any portion of that information in your work for them — even if your subcontract does not explicitly reference CMMC — the Level 2 requirement applies to you. Prime contractors are already beginning to require demonstrated compliance from their subcontractors as a condition of doing business, ahead of federal mandates. Being unprepared when your prime asks the question is the same as being unprepared when the federal deadline hits.
Start by reviewing your existing contracts for DFARS clause 252.204-7012 and any explicit CMMC level requirements. Then inventory the types of information you receive, generate, and transmit under those contracts. If the information includes any CUI categories as defined by the National Archives registry, Level 2 applies. If you handle only FCI, Level 1 is your baseline. If you are unsure — which is a common and legitimate situation — that ambiguity needs to be resolved through a proper scoping exercise before your next contract renewal or new contract award.
OCD Tech helps contractors and subcontractors assess exactly which CMMC level applies to their contracts, identify current compliance gaps, and build a realistic path to certification. Contact us today and get a clear answer before it appears in a contract you cannot fulfill.
