What Is the Difference Between CMMC Level 1 and Level 2?
Posted: March 5, 2026 to Compliance.
CMMC Level 1 requires 17 basic cybersecurity practices focused on protecting Federal Contract Information (FCI), while CMMC Level 2 requires 110 practices from NIST SP 800-171 designed to protect Controlled Unclassified Information (CUI). Level 1 allows annual self-assessment, whereas Level 2 typically requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). The cost, timeline, and technical complexity increase substantially from Level 1 to Level 2.
Understanding the distinction between these two levels is critical for defense contractors and subcontractors who must achieve the correct certification level to maintain or win Department of Defense contracts. Choosing the wrong level wastes time and money; failing to meet the required level disqualifies you from contract eligibility entirely.
CMMC Framework Overview
The Cybersecurity Maturity Model Certification (CMMC) program was established by the Department of Defense to ensure that contractors handling sensitive government data meet minimum cybersecurity standards. The program replaced the previous self-attestation model, which relied on contractors honestly reporting their own compliance status under DFARS 252.204-7012.
CMMC 2.0, finalized in the December 2024 rule, streamlined the original five-level model into three levels. Level 1 covers basic cyber hygiene, Level 2 covers advanced cybersecurity practices aligned with NIST SP 800-171 Revision 2, and Level 3 covers expert-level cybersecurity practices aligned with a subset of NIST SP 800-172. Most defense contractors fall into Level 1 or Level 2 requirements.
CMMC Level 1: Basic Cyber Hygiene
Level 1 applies to contractors who handle Federal Contract Information but do not process, store, or transmit Controlled Unclassified Information. FCI is information provided by or generated for the government under contract that is not intended for public release, but it does not carry the same sensitivity classification as CUI.
Level 1 Requirements at a Glance
Number of practices: 17 practices across 6 domains.
Assessment type: Annual self-assessment.
Assessor: Internal company leadership affirms compliance.
NIST alignment: Subset of FAR 52.204-21 basic safeguarding requirements.
SPRS score submission: Required, score posted to the Supplier Performance Risk System.
Estimated cost: $3,000 to $15,000 for most small businesses.
The 17 practices cover fundamental security measures that every organization should already have in place. These include limiting system access to authorized users, authenticating user identities before granting access, sanitizing or destroying media containing FCI before disposal, limiting physical access to systems, providing basic security awareness training, performing timely software updates, and using antivirus and anti-malware tools.
Level 1 Domains
The six domains covered at Level 1 are Access Control (4 practices), Identification and Authentication (2 practices), Media Protection (1 practice), Physical Protection (4 practices), System and Communications Protection (2 practices), and System and Information Integrity (4 practices).
CMMC Level 2: Advanced Cybersecurity
Level 2 applies to contractors who handle Controlled Unclassified Information. CUI includes technical data, export-controlled information, personally identifiable information, and other categories of sensitive but unclassified data defined in the CUI Registry. The vast majority of contractors who work directly with DoD technical data or designs fall into this category.
Level 2 Requirements at a Glance
Number of practices: 110 practices across 14 domains.
Assessment type: Third-party assessment by a C3PAO for contracts involving critical CUI; self-assessment for select non-critical CUI contracts.
NIST alignment: Full implementation of NIST SP 800-171 Revision 2.
Plan of Action and Milestones (POA&M): Allowed with restrictions; findings must be closed within 180 days.
System Security Plan (SSP): Required; must document implementation of all 110 controls.
Estimated cost: $50,000 to $500,000 or more, depending on organization size and current posture.
Level 2 builds on Level 1 by adding 93 additional practices across 14 security domains. These practices address more sophisticated security requirements including multi-factor authentication, encrypted communications, incident response planning, continuous monitoring, configuration management, and audit logging.
Level 2 Domains
The 14 domains at Level 2 are Access Control (22 practices), Awareness and Training (3 practices), Audit and Accountability (9 practices), Configuration Management (9 practices), Identification and Authentication (11 practices), Incident Response (3 practices), Maintenance (6 practices), Media Protection (9 practices), Personnel Security (2 practices), Physical Protection (6 practices), Risk Assessment (3 practices), Security Assessment (4 practices), System and Communications Protection (16 practices), and System and Information Integrity (7 practices).
Key Differences: Level 1 vs Level 2
The differences between Level 1 and Level 2 span seven major categories that directly impact your implementation timeline, budget, and ongoing operations.
Scope of Protection
Level 1 protects Federal Contract Information, which is less sensitive government data. Level 2 protects Controlled Unclassified Information, which includes technical drawings, specifications, source code, and other data that adversaries actively target. The scope of what you must protect at Level 2 is significantly broader and more technically demanding.
Number of Controls
Level 1 requires 17 controls. Level 2 requires 110 controls, which is more than six times the number at Level 1. This is not merely an incremental increase; Level 2 introduces entirely new security domains and requires sophisticated technical implementations.
Assessment Method
Level 1 uses annual self-assessment where a senior company official affirms compliance. Level 2 typically requires assessment by a C3PAO, which is an independent organization accredited by the Cyber AB to conduct CMMC assessments. The C3PAO assessment is more rigorous, takes longer, and costs significantly more. Some Level 2 contracts allow self-assessment for non-critical CUI, but the majority require third-party validation.
Documentation Requirements
Level 1 requires basic documentation of your 17 practices. Level 2 requires a comprehensive System Security Plan documenting how each of the 110 practices is implemented, along with network diagrams, data flow diagrams, hardware and software inventories, and supporting evidence for every control. Organizations pursuing Level 2 should expect to produce hundreds of pages of documentation.
Cost Comparison
Level 1 implementation typically costs between $3,000 and $15,000 for a small contractor. Level 2 costs range from $50,000 to $500,000 or more. The cost drivers at Level 2 include technology investments in encryption, SIEM, endpoint detection, and network segmentation; consulting fees for gap assessment and remediation planning; C3PAO assessment fees ranging from $25,000 to $100,000; staff training and potential hiring of security personnel; and ongoing monitoring and maintenance costs.
Timeline
Level 1 compliance can typically be achieved in 2 to 4 weeks for organizations with basic IT security in place. Level 2 compliance requires 6 to 18 months for most organizations, depending on their starting posture. Organizations starting from scratch should plan for 12 to 18 months of preparation before scheduling a C3PAO assessment.
Ongoing Maintenance
Level 1 requires annual self-assessment and basic evidence of continued compliance. Level 2 requires triennial C3PAO assessments, annual affirmation of continued compliance, continuous monitoring of all 110 controls, and regular updates to the System Security Plan and supporting documentation.
How to Determine Your Required Level
Your CMMC level is determined by the type of information you handle under your DoD contracts, not by your preference. Review your existing contracts and any new solicitations for the following indicators.
You need Level 1 if: Your contracts reference FAR 52.204-21 basic safeguarding requirements, you handle Federal Contract Information but not CUI, and there is no DFARS 252.204-7012 clause in your contracts. Most small subcontractors who provide commercial products or non-technical services fall into this category.
You need Level 2 if: Your contracts include DFARS 252.204-7012, you receive, process, store, or generate Controlled Unclassified Information, your work involves technical data, engineering drawings, test results, or specifications marked as CUI, or your prime contractor has flowed down CUI handling requirements to your subcontract.
If you are unsure, request clarification from your contracting officer or prime contractor. Petronella Technology Group provides CMMC readiness assessments that help contractors determine their required level and current compliance gaps.
Common Mistakes When Choosing a Level
The most expensive mistake is underestimating your required level. Contractors who assume they only need Level 1 often discover CUI in their environment that triggers Level 2 requirements. This discovery during a contract audit can result in stop-work orders and contract termination.
Another common mistake is over-scoping. If you can isolate your CUI processing to a defined enclave, you reduce the number of systems that must meet Level 2 requirements. This approach significantly reduces costs and complexity. Petronella Technology Group specializes in designing CUI enclaves that minimize scope while maintaining full compliance.
Frequently Asked Questions
Can I achieve CMMC Level 2 without a C3PAO assessment?
Some Level 2 contracts involving non-critical CUI allow self-assessment, but the majority of contracts involving critical CUI require a third-party C3PAO assessment. The specific requirement is determined on a contract-by-contract basis and will be specified in the solicitation or contract.
Does Level 1 certification automatically satisfy Level 2?
No. While Level 2 encompasses all 17 Level 1 practices, achieving Level 1 does not satisfy Level 2 requirements. You must separately implement and demonstrate compliance with all 110 Level 2 practices. There is no automatic progression from one level to the next.
What happens if I fail a C3PAO assessment?
If your assessment reveals gaps, you receive a report detailing the deficiencies. You may use a Plan of Action and Milestones to address findings, but POA&M items must be closed within 180 days. You will need to schedule a reassessment to demonstrate remediation. During this period, you may be unable to bid on or perform contracts requiring CMMC Level 2 certification.
Get Started with CMMC Compliance
Whether you need Level 1 or Level 2, the first step is understanding where you stand today. Petronella Technology Group has guided hundreds of defense contractors through CMMC compliance over more than 23 years in the cybersecurity industry. Our CMMC readiness assessment identifies your gaps, estimates your remediation costs, and provides a clear implementation roadmap.
Schedule your free CMMC assessment today and get clarity on your compliance requirements before deadlines arrive.