CMMC Level 1 vs Level 2: Key Differences and How to Choose
Table of Contents
Choosing between CMMC Level 1 vs Level 2 is one of the first decisions defense contractors face when preparing for DoD contracts.
The right level depends on the type of information your organization handles, the applicable Cybersecurity Maturity Model Certification (CMMC) requirements, and the assessment requirements defined in the contract.
This guide compares CMMC Level 1 vs Level 2, explains the CMMC process for each level, and helps you determine the appropriate CMMC level for your organization.
TL;DR
- CMMC Level 1 applies to organizations that handle only FCI, while Level 2 applies to organizations that process CUI.
- Level 1 requires 15 basic safeguarding requirements and an annual self-assessment. Level 2 requires 110 NIST 800-171 controls and may require a third-party assessment.
- The correct CMMC level is determined by the contract and the type of information your organization handles, not the contract value.
- Level 2 generally requires more time, documentation, and investment, including gap analysis, evidence collection, and assessment preparation.
- Organizations managing both Level 1 and Level 2 contracts should clearly define compliance scopes and maintain centralized documentation and evidence.
- MotherBear helps defense contractors manage CMMC requirements, documentation, and evidence from a single platform.
What Is Cybersecurity Maturity Model Certification?
Cybersecurity Maturity Model Certification is the Department of Defense (DoD) cybersecurity program for defense contractors and subcontractors.
It establishes the security requirements organizations must meet to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The current CMMC 2.0 framework includes three certification levels. Most organizations will fall under Level 1 or Level 2, while the applicable CMMC level depends on the type of information handled and the requirements of a particular DoD contract.
Compared to the original CMMC 1.0 model, CMMC 2.0 reduces the framework from five certification levels to three and aligns more closely with existing cybersecurity standards.
As a result, the program places greater emphasis on implementing and demonstrating the security practices needed to protect FCI and CUI.
CMMC Level 1 Requirements
CMMC Level 1 applies to organizations that handle only Federal Contract Information. Its purpose is to safeguard FCI by implementing the 15 basic safeguarding requirements defined in Federal Acquisition Regulation (FAR) 52.204-21.
Unlike Level 2, Level 1 does not apply to organizations that process CUI. If an organization begins to process CUI, additional CMMC requirements and security controls will apply.
Level 1 focuses on basic cyber hygiene and practical security practices that help protect sensitive information used in support of DoD contracts.
Although the requirements are more limited than the other CMMC levels, organizations are still expected to implement the required controls, maintain compliance, and complete an annual self-assessment.
Key Level 1 practices include:
- Restrict access to systems that store or transmit FCI through appropriate access controls.
- Protect information with basic safeguards such as account management, malicious code protection, and proper media disposal.
- Document the annual self-assessment and maintain current records in the Supplier Performance Risk System (SPRS).
For many organizations within the Defense Industrial Base (DIB), Level 1 can be achieved within weeks or a few months, depending on their current cybersecurity posture.
CMMC Level 2 Requirements
CMMC Level 2 applies to organizations that process CUI. It requires implementation of all 110 security controls aligned with the National Institute of Standards and Technology (NIST) 800-171 to help protect CUI throughout its lifecycle.
Compared to Level 1, Level 2 introduces a more comprehensive cybersecurity program. Organizations must implement security controls, maintain supporting documentation, and demonstrate compliance through the appropriate assessment process.
Key Level 2 practices include:
- Develop and maintain a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to document the organization's security program and remediation activities.
- Implement and maintain security controls covering areas such as access control, configuration management, incident response plans, communications protection, risk assessment, and system integrity.
- Collect and maintain evidence that demonstrates control implementation and supports assessment readiness.
- Complete the required assessment, whether through a self-assessment or a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO), depending on contract requirements.
For most organizations, achieving Level 2 takes several months. Preparation typically includes a gap analysis, remediation activities, documentation, evidence collection, and assessment readiness before completing the required CMMC assessment.
Key Differences Between CMMC Level 1 and Level 2
The table below summarizes the key differences between CMMC Level 1 and Level 2.
Although both levels support the CMMC program, they differ significantly in their security requirements, documentation, assessment methods, and implementation effort.
|
Category |
Level 1 |
Level 2 |
|
Data protected |
FCI |
CUI |
|
Control count |
15 requirements |
110 controls |
|
Baseline source |
FAR 52.204-21 |
NIST 800-171 |
|
Assessment type |
Internal review |
Internal or C3PAO review |
|
Certification cycle |
Annual affirmation |
Three-year cycle for C3PAO assessments |
|
Documentation |
Light evidence records |
SSP, POA&M, policies, and mapped evidence |
|
Typical timeline |
Weeks to a few months |
6 to 18 months |
Understanding these differences makes it easier to determine which certification level applies to your organization and how to prepare for implementation.
Implementing the Appropriate CMMC Level
Once you understand the differences between CMMC Level 1 and Level 2, the next step is determining which level applies to your organization and preparing for implementation.
For many organizations, choosing the correct level is only the first step. Budget, documentation, assessment planning, and ongoing compliance all become part of the implementation process.
How to Determine the Appropriate CMMC Level
The appropriate CMMC level depends on the type of information your organization handles and the requirements defined in the contract.
As already mentioned, organizations that handle only FCI will typically require Level 1, while those that process CUI should prepare for Level 2 unless the contracting officer specifies otherwise.
Consider the following when determining the appropriate CMMC level:
- Start with the data type: FCI generally points to Level 1, while CUI requires the additional security controls associated with Level 2.
- Review the contract clauses: Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 establishes requirements for handling CUI, while DFARS 252.204-7021 identifies the applicable CMMC level.
- Check flow-down requirements: Prime contractors may require subcontractors to meet Level 2 requirements when their work involves CUI.
- Confirm the assessment requirements: Clarify the required assessment method, scope, and any C3PAO requirements with the contracting officer before beginning implementation.
Contract value alone does not determine the appropriate CMMC level. A smaller subcontract may require Level 2 if it involves CUI, while a larger contract may require only Level 1 if it is limited to FCI.
Planning for Cost and Implementation Timeline
The cost and timeline for CMMC implementation depend on the required certification level, your current cybersecurity posture, and the amount of work needed before the assessment.
Organizations pursuing Level 1 typically focus on implementing the required basic cybersecurity practices, completing the annual self-assessment, and maintaining supporting documentation.
Level 1 often costs between $5,000 and $20,000, depending on organization size, existing security controls, and current cybersecurity posture. Many organizations can achieve compliance within weeks or a few months.
Level 2 requires a greater investment of time and resources because organizations must implement 110 security controls and technical safeguards for safeguarding CUI.
First-cycle CMMC programs often cost $75,000 to $300,000+, while the direct C3PAO assessment fee commonly ranges from $35,000 to $125,000+, depending on the scope of the assessment.
Preparation typically includes a gap analysis, remediation activities, documentation, evidence collection, and assessment readiness before either a self-assessment or a third-party assessment.
The CMMC implementation timeline follows a similar pattern. Level 1 generally takes weeks to a few months, while Level 2 commonly requires 6 to 18 months to complete remediation, documentation, evidence collection, and assessment preparation.
After certification, organizations should shift their focus to maintaining ongoing compliance.
Continuous monitoring, regular evidence reviews, and documentation updates help maintain CMMC compliance between triennial third-party assessments and keep organizations prepared for future assessments and maintain contract eligibility.
Managing Mixed CMMC Environments
Some organizations support both Level 1 and Level 2 contracts at the same time.
For example, one contract may involve only FCI, while another requires the organization to process CUI. In these situations, organizations should clearly define which contracts, systems, users, and suppliers fall within each compliance scope.
This helps make sure the correct security controls, documentation, and assessment requirements are applied to the appropriate environment.
A mature Level 2 environment generally satisfies the Level 1 control baseline. However, contractual obligations may still require separate affirmations or assessment activities, making clear documentation and evidence management important.
When managing both certification levels, organizations should track:
- Which contracts involve FCI or CUI
- Which systems, suppliers, and users support each compliance scope
- Which evidence demonstrates control implementation for each CMMC level
Maintaining centralized requirements tracking and an organized evidence repository makes it easier to manage multiple compliance scopes, support ongoing assessments, and maintain consistency throughout the defense supply chain.
Simplify CMMC Compliance With MotherBear

MotherBear helps defense contractors and compliance consultants manage CMMC requirements, documentation, and evidence from a single platform.
Whether you're preparing for Level 1, Level 2, or managing both certification levels, teams can centralize requirements tracking, maintain an organized evidence repository, and keep documentation aligned with assessment requirements and improve audit readiness.
FAQs About CMMC Level 1 vs Level 2
Is CMMC Level 2 required?
Cybersecurity Maturity Model Certification (CMMC) Level 2 is required when a contract includes Controlled Unclassified Information (CUI), and many Level 2 contracts also require C3PAO review.
How do you decide between CMMC Level 1 and Level 2?
The appropriate CMMC level depends on the type of information your organization handles and the requirements defined in the contract.
Organizations that handle only Federal Contract Information (FCI) will typically require Level 1, while those that process Controlled Unclassified Information (CUI) generally require Level 2.
Can a company have both CMMC Level 1 and Level 2?
Yes. Some organizations support contracts that require only Level 1 while others require Level 2. In these cases, organizations should clearly define which systems, users, and contracts fall within each compliance scope and maintain documentation for both certification levels.
How long does CMMC Level 2 take?
CMMC Level 2 usually takes 6 to 18 months for DoD contractors. The timeline runs longer than Level 1 because Level 2 requires 110 security controls aligned to the National Institute of Standards and Technology (NIST) 800-171, deeper documentation, and often a third-party assessment from a C3PAO.
Working on CMMC Level 1 or Level 2?
Schedule a demo of MotherBear to see how you can simplify your program management