StealthTech365

Most defense contractors encounter CMMC requirements one of two ways: they receive a solicitation that references a specific level, or they get told by a prime contractor that they need to be compliant before work can begin. Either way, the first practical question is usually the same — which level actually applies to us, and what does that mean for what we have to do?

The answer matters more than most contractors initially realize. CMMC Level 1 and Level 2 are not simply different points on the same spectrum of effort. They represent fundamentally different compliance regimes — different control sets, different verification mechanisms, different documentation requirements, and very different cost profiles. Treating them as variations on a theme rather than structurally distinct programs is one of the more expensive misunderstandings in the defense industrial base.

This article walks through what separates the two levels, how to determine which applies to your organization, and what the practical implications are for your compliance program.


The Architecture of CMMC 2.0: Why Three Levels Became Two That Matter

When the original CMMC framework launched, it had five maturity levels. The 2.0 revision that took effect in late 2021 streamlined that structure to three levels, with Levels 1 and 2 covering the vast majority of the defense contractor population. Level 3 — reserved for contractors working on the most sensitive programs — involves a government-led assessment and applies to a relatively small number of organizations. For most contractors reading this, the relevant question is whether they’re a Level 1 or Level 2 organization.

The DoD’s official CMMC program documentation describes the tiered structure in terms of the sensitivity of the information being protected and the sophistication of the threats that information faces. Level 1 addresses the baseline practices needed to protect Federal Contract Information (FCI). Level 2 addresses the more rigorous controls needed to protect Controlled Unclassified Information (CUI). The distinction between FCI and CUI is the hinge point on which most level determinations turn.

Federal Contract Information vs. Controlled Unclassified Information: The Core Distinction

Before comparing the two levels, it’s worth being precise about the information types that drive them — because this is where contractor determinations most often go wrong.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service. It’s not intended for public release, but it doesn’t carry the specific sensitivity markers of CUI. Most contractors who provide services to the federal government — even routine, non-sensitive services — generate or handle FCI as a natural byproduct of the contracting relationship.

Controlled Unclassified Information (CUI) is a more specific designation, governed by the National Archives CUI program and defined in 32 CFR Part 2002. It covers information that requires safeguarding under law, regulation, or government-wide policy — not because someone decided it was sensitive, but because it meets specific criteria. In the defense sector, CUI commonly includes technical data, export-controlled information, controlled technical information, and information related to defense programs and acquisition.

The practical question for determining your CMMC level is: does your contract involve CUI? If the answer is yes, Level 2 almost certainly applies. If your contract involves only FCI — no technical drawings, no program-sensitive data, no export-controlled information — Level 1 may be sufficient. Your contracting officer, the contract’s DFARS clauses, and your program manager are the right resources for confirming which category your work falls into.

CMMC Level 1: Scope, Controls, and Verification

Level 1 covers 17 practices drawn from FAR 52.204-21, the basic safeguarding clause for federal contract information. These practices map to fundamental cybersecurity hygiene — the kind of controls that any reasonably managed organization should already have in place.

The 17 Level 1 practices span six domains: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. The controls at this level address things like limiting system access to authorized users, sanitizing or destroying media before disposal, and providing protection from malicious code.

What makes Level 1 operationally manageable is its verification mechanism: annual self-attestation. There is no third-party assessor involved. The organization’s senior official — typically a CEO, CISO, or equivalent — affirms in the Supplier Performance Risk System (SPRS) that the organization meets all 17 practices. That attestation carries legal weight under the False Claims Act, which means it shouldn’t be taken lightly, but it doesn’t require the organizational investment of a full C3PAO engagement.

For organizations that genuinely only handle FCI and have reasonable basic security practices already in place, Level 1 compliance is achievable without transformative investment. The controls are not trivial, but they don’t require the documentation depth, formal System Security Plan, or ongoing program infrastructure that Level 2 demands.

CMMC Level 2: Scope, Controls, and Verification

Level 2 is a different undertaking. It covers 110 practices aligned to NIST SP 800-171 Revision 2, organized across 14 domains. These practices go significantly beyond basic hygiene — they address incident response planning, audit log management, configuration baselines, system and communications protection in depth, risk assessment processes, and security awareness training, among many others.

The jump from 17 to 110 practices is not linear in terms of effort. Many of the Level 2 controls require formal documentation, ongoing operational processes, and evidence of implementation that can withstand assessor scrutiny. A control like “establish and maintain baseline configurations for information technology” involves not just having a baseline, but documenting it, enforcing it, updating it when systems change, and being able to demonstrate that the process functions as described. That’s a materially different compliance burden than the equivalent Level 1 requirements.

Verification at Level 2 is also structurally different for most contractors. While some Level 2 contractors may qualify for self-attestation — those whose contracts don’t involve programs prioritized for third-party assessment — the majority of contractors handling CUI on significant defense programs will be required to undergo a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO). That assessment involves a formal review of documentation, interviews with personnel, and technical testing of implemented controls. Passing it requires not just having controls in place, but being able to demonstrate their consistent operation.

This is where the compliance program infrastructure matters — a Level 2 organization that prepares only for the assessment rather than building ongoing compliance operations is likely to face findings that a well-run continuous program would have caught and remediated long before the assessor arrived.

Side-by-Side: Key Differences Between Level 1 and Level 2

The table and list below give contractors a practical reference they can return to.

What Changes Between the Levels

| Dimension | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Information type protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Number of practices | 17 | 110 |
| Underlying framework | FAR 52.204-21 | NIST SP 800-171 Rev 2 |
| Verification method | Annual self-attestation | Triennial C3PAO assessment (most contractors) |
| System Security Plan required | Not formally required | Required |
| POA&M required | Not formally required | Required |
| Assessment cost | Low (internal effort only) | Significant (C3PAO fees + preparation) |
| Ongoing program infrastructure | Minimal | Substantial |

What Level 2 Requires That Level 1 Does Not

  • A formally documented System Security Plan (SSP) describing the environment, in-scope assets, and control implementations
  • A Plan of Action and Milestones (POA&M) tracking any gaps and remediation timelines
  • Formal incident response planning with documented procedures and practiced capabilities
  • Audit log generation, protection, and review as ongoing operational activities
  • Configuration management with documented baselines and change control processes
  • Risk assessment processes conducted on a defined schedule
  • Media sanitization procedures documented and applied consistently
  • Personnel security controls including role-based access reviews
  • System and communications protection controls including network segmentation documentation
  • Evidence of security awareness training completed by relevant personnel annually


How to Determine Which Level Applies to Your Organization

The determination process isn’t always self-evident, particularly for organizations with mixed contract portfolios — some contracts involving CUI, others involving only FCI. A few practical steps help clarify the picture.

Review your contract’s DFARS clauses. DFARS 252.204-7012 is the primary indicator that CUI is in play. If your contract includes this clause, Level 2 requirements apply. DFARS 252.204-7021 references CMMC directly and will specify the required level. If neither clause appears in your contract, review whether FAR 52.204-21 is present — that’s the FCI indicator that points toward Level 1.

Identify the information you actually receive and generate. Contracts don’t always make information sensitivity immediately obvious. Technical drawings, specifications, test data, program schedules, and acquisition-sensitive information are all potential CUI. Your contracting officer can confirm whether specific data types in your program carry CUI designations.

Consider what your primes require. If you’re a subcontractor, your prime’s flow-down requirements may specify a CMMC level independent of what the prime contract clauses say directly. Primes are responsible for ensuring their subcontractors meet applicable levels, and they may impose Level 2 requirements even where direct CUI handling is limited, as a risk management measure.

Get confirmation in writing. Verbal guidance from a program manager about what level applies isn’t sufficient. Get the determination documented — either through contract language, a written communication from the contracting officer, or formal guidance from the prime.
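The four steps above can be captured as a small decision routine that reviews each contract in a portfolio and records why a level was assigned. The following is an added example written for this article; it is not StealthTech365 tooling or any official DoD determination method. The clause numbers are the ones named in the text; the contract records, the list of potential CUI data types, and the field names are constructed for illustration, and any result that rests on inference rather than contract language is flagged so it can be confirmed in writing.

```python
"""Contract-clause CMMC level determination helper (added example).

Encodes the determination steps from the article as a decision routine:
DFARS 252.204-7021 states the level directly, DFARS 252.204-7012 signals
CUI (Level 2), FAR 52.204-21 alone signals FCI (Level 1), potential CUI
data types raise the level by inference, and a written prime flow-down
can raise it further. The sample contracts below are constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Clause identifiers named in the article.
FAR_FCI_CLAUSE = "52.204-21"        # FAR basic safeguarding: FCI indicator
DFARS_CUI_CLAUSE = "252.204-7012"   # DFARS safeguarding clause: CUI indicator
DFARS_CMMC_CLAUSE = "252.204-7021"  # DFARS CMMC clause: states the required level

# Data categories the article lists as potential CUI. Assumption: the
# contracting officer confirms the actual designation for each program.
POTENTIAL_CUI_TYPES = {
    "technical drawings", "specifications", "test data",
    "program schedules", "acquisition-sensitive information",
    "export-controlled information",
}


@dataclass
class Contract:
    name: str
    clauses: List[str]
    cmmc_level_in_7021: Optional[int] = None    # level stated in 7021, if present
    data_types: List[str] = field(default_factory=list)
    prime_flowdown_level: Optional[int] = None  # level a prime imposes in writing


@dataclass
class Determination:
    contract: str
    level: Optional[int]        # 1, 2, or None when nothing in the record decides it
    reasons: List[str]
    confirm_in_writing: bool    # True when the result rests on inference


def determine_level(c: Contract) -> Determination:
    reasons: List[str] = []
    level: Optional[int] = None
    inferred = False

    if DFARS_CMMC_CLAUSE in c.clauses and c.cmmc_level_in_7021:
        level = c.cmmc_level_in_7021
        reasons.append(f"{DFARS_CMMC_CLAUSE} present and specifies Level {level}")
    if DFARS_CUI_CLAUSE in c.clauses:
        # 7012 means CUI is in play; never let it lower a level 7021 already set.
        level = max(level or 0, 2)
        reasons.append(f"{DFARS_CUI_CLAUSE} present: CUI in play, Level 2 applies")
    cui_hits = sorted(t for t in c.data_types if t.lower() in POTENTIAL_CUI_TYPES)
    if cui_hits:
        reasons.append("potential CUI data types received: " + ", ".join(cui_hits))
        if level is None:
            level = 2          # inferred from data, not from contract language
            inferred = True
    if level is None and FAR_FCI_CLAUSE in c.clauses:
        level = 1
        reasons.append(f"{FAR_FCI_CLAUSE} present with no CUI indicators: Level 1")
    if c.prime_flowdown_level is not None:
        if level is None or c.prime_flowdown_level > level:
            level = c.prime_flowdown_level
        reasons.append(f"prime flow-down requires Level {c.prime_flowdown_level}")
    if level is None:
        reasons.append("no FCI/CUI clause or data indicator found; ask the contracting officer")

    return Determination(c.name, level, reasons, confirm_in_writing=inferred or level is None)


def portfolio_level(contracts: List[Contract]) -> Optional[int]:
    """Level the organization must build to across the portfolio: the highest
    level any contract requires, since Level 1 is a subset of Level 2."""
    known = [d.level for d in map(determine_level, contracts) if d.level is not None]
    return max(known) if known else None


# Constructed sample portfolio covering the cases discussed in the article.
SAMPLE_CONTRACTS = [
    Contract("Alpha (FCI-only services)", clauses=[FAR_FCI_CLAUSE]),
    Contract("Bravo (CUI engineering)", clauses=[FAR_FCI_CLAUSE, DFARS_CUI_CLAUSE],
             data_types=["technical drawings"]),
    Contract("Charlie (sub with prime flow-down)", clauses=[FAR_FCI_CLAUSE],
             prime_flowdown_level=2),
    Contract("Delta (no clauses, test data)", clauses=[], data_types=["test data"]),
]

if __name__ == "__main__":
    for contract in SAMPLE_CONTRACTS:
        d = determine_level(contract)
        flag = " (confirm in writing)" if d.confirm_in_writing else ""
        print(f"{d.contract}: Level {d.level}{flag}")
        for r in d.reasons:
            print("  -", r)
    print("Portfolio must build to Level", portfolio_level(SAMPLE_CONTRACTS))
```

The `confirm_in_writing` flag is the point of the exercise: a determination that comes from observed data types rather than contract language is exactly the case the last step addresses, and the routine makes that distinction explicit rather than hiding it behind a single number.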

For organizations uncertain about where they stand, a scoping and level determination engagement with a qualified cybersecurity advisor is a relatively modest investment compared to the cost of building toward the wrong level. Our earlier piece on how to scope your CMMC environment correctly covers the technical scoping decisions that follow once the level determination is made.

The Cost Gap Between Level 1 and Level 2

Understanding the cost difference between the two levels is important for business planning — particularly for smaller contractors who may be evaluating whether DoD contract work makes financial sense given the compliance requirements.

Level 1 compliance, for an organization with reasonable existing security practices, is largely an internal effort. The 17 practices require review and documentation, and the annual attestation requires senior executive sign-off, but there’s no mandatory third-party cost and the ongoing program infrastructure is manageable with existing staff or a co-managed IT partner providing routine security services.

Level 2 compliance involves a different cost structure. The preparation phase — gap assessment, remediation, SSP development, POA&M management — typically runs from tens of thousands of dollars for smaller, simpler environments to well over six figures for larger or more complex ones. The C3PAO assessment itself carries a direct fee that varies by assessor and organization size. And ongoing program maintenance — continuous monitoring, internal audits, annual training, configuration management — represents a recurring operational cost that needs to be budgeted for, not just incurred once.

The DoD has acknowledged this cost reality. The CMMC 2.0 revision was partly motivated by concerns that the original framework’s burden would price smaller contractors out of the defense industrial base. The self-attestation option for qualifying Level 2 contractors reflects that concern, though it doesn’t eliminate the need to actually implement the 110 controls — it only affects how that implementation is verified.

For organizations thinking through the investment required, a vCIO engagement that models the compliance roadmap against contract revenue can help leadership make a genuinely informed decision about the business case rather than treating compliance as a cost to be minimized without understanding its scope.

Mixed Portfolios: When You May Need Both Levels

Some contractors work across multiple contract vehicles — some involving CUI, others involving only FCI. In theory, a contractor could maintain a Level 1 posture for the FCI-only portion of their work and a Level 2 posture for the CUI-handling portion.

In practice, this usually means building to Level 2 across the relevant environment and treating Level 1 as a subset already covered by the more rigorous program. The administrative complexity of maintaining genuinely separate compliance postures for different contract categories — different documented environments, different attestation approaches, different vendor relationships — typically outweighs any cost savings from restricting the Level 2 scope.

The exception is organizations where the CUI-handling work is genuinely isolated in a purpose-built environment (a CUI enclave) that’s separate from the general business infrastructure handling FCI work. In that case, the Level 2 scope is limited to the enclave, and the rest of the business operates under Level 1 requirements. This is a viable architecture but requires real technical separation — not just an organizational assertion that the environments are different.

For manufacturing and engineering firms that work across both commercial and defense programs, this kind of portfolio management is a live question that deserves specific attention in the compliance planning process.

Preparing for Level 2 When You’ve Been Operating at Level 1

Organizations that have been self-attesting at Level 1 and are now facing a Level 2 requirement — because they’ve won a new contract, because a prime has changed their flow-down requirements, or because CMMC rule-making has updated which contracts require which level — face a specific challenge: they likely have good basic hygiene but significant gaps in the documentation, processes, and program infrastructure that Level 2 requires.

The gap between Level 1 and Level 2 is rarely a technology gap. Most organizations already have firewall, endpoint protection, and access control capabilities that are directionally aligned with Level 2 requirements. The gap is almost always in documentation depth, process formalization, and the operational continuity of security practices. The controls exist in some form; they just haven’t been documented to SSP standards, tested to produce evidence, or embedded in operational processes that can sustain themselves without manual intervention at assessment time.

A gap assessment against the full 110 NIST SP 800-171 controls is the right starting point. It tells you where you actually stand, what needs to be built versus documented, and how long a credible remediation program will take before you’re ready for a C3PAO assessment. Our article on how long it takes to become CMMC compliant sets realistic expectations for that timeline, which contractors consistently underestimate.

The vendor dimension of the Level 2 transition also deserves attention. Managed IT services providers and cloud platforms that were adequate for a Level 1 environment may not meet the requirements for a Level 2 scope. Reviewing those relationships early in the transition — before you’ve built your compliance program architecture around vendors who may need to be replaced — avoids a painful and costly mid-program correction.


Conclusion: Know Your Level, Build for It Correctly

CMMC Level 1 and Level 2 are not simply different degrees of the same thing. They reflect different information protection mandates, different verification requirements, and different program investment profiles. Confusing them — or building toward the wrong one — creates either compliance exposure or unnecessary cost, neither of which serves the organization.

The starting point is accurate level determination based on the information your contracts actually involve. From there, the work is building a program that matches the level’s requirements — not just at assessment time, but continuously, so that the compliance posture your assessor or attestation reflects is the one your organization actually maintains.

If your organization is planning its CMMC compliance journey, contact Stealth Technology Group today at (617) 903-5559 or visit the website to learn how modern cybersecurity infrastructure can accelerate your path toward certification readiness.
