
CMMC Level 1 vs Level 2: Which One Does Your Business Need? (2026)

CMMC Level 1 covers basic FCI protection with 17 controls and self-assessment. Level 2 covers CUI with 110 NIST 800-171 controls and requires C3PAO certification. Here's how to determine which level your contracts require and what each costs.

CMMCGap Team, Founder, CMMCGap · Compliance Automation, Washington D.C.
Last updated: June 24, 2026 · 8 min read

CMMC Level 1 requires 17 basic cybersecurity practices and annual self-assessment. CMMC Level 2 requires 110 security controls from NIST SP 800-171 and third-party certification by a C3PAO. The level you need depends on one thing: whether your contracts involve Controlled Unclassified Information (CUI) or only Federal Contract Information (FCI). Most defense contractors handling technical data, engineering drawings, or export-controlled information need Level 2.

Key figures:
17 Level 1 practices (FAR 52.204-21)
110 Level 2 controls (NIST SP 800-171 Rev 2)
Nov 10, 2026: Phase 2 begins (Level 2 C3PAO assessments)
$5K–$200K+ cost range (Level 1 vs Level 2, first year)

Why This Matters Right Now

The CMMC 2.0 final rule took effect on December 16, 2024. Phase 2 enforcement — when Level 2 certification starts appearing in new contracts — begins November 10, 2026. If you're pursuing the wrong level, you're either wasting money on compliance you don't need or underpreparing for requirements that will lock you out of contracts.

Getting this right is the first decision in your entire compliance journey. Everything else — your budget, your timeline, your technology choices — follows from it.

The Core Difference: FCI vs. CUI

The distinction between Level 1 and Level 2 comes down to the type of information you handle.

Federal Contract Information (FCI) is information provided by or generated for the government under contract that isn't intended for public release. Think basic contract terms, delivery schedules, and general project communications. It's not classified, and it's not particularly sensitive — but the government still doesn't want it freely available.

Controlled Unclassified Information (CUI) is a much broader and more sensitive category. It includes technical drawings, engineering specifications, test data, export-controlled information (ITAR/EAR), personnel records, proprietary manufacturing processes shared under contract, and any data marked with a CUI designation. CUI requires significantly more protection because its exposure could harm national security, even though it's not classified.

Here's the practical test: look at your active contracts and subcontracts. Search for DFARS clause 252.204-7012 ("Safeguarding Covered Defense Information"). If it's in your contract, you almost certainly handle CUI and need Level 2. If your contracts only contain DFARS 252.204-7021 ("Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement"), check what level is specified.

If you're a subcontractor, your prime contractor should be flowing down the appropriate CMMC requirements. If they haven't told you yet, ask — don't assume Level 1.

CMMC Level 1 vs Level 2: Complete Comparison

| Feature | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Data type protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Security controls | 17 practices from FAR 52.204-21 | 110 controls from NIST SP 800-171 Rev 2 |
| Assessment type | Annual self-assessment | Third-party assessment by authorized C3PAO |
| Assessment frequency | Annual with executive affirmation | Triennial C3PAO assessment + annual affirmation |
| Who assesses | Your own organization | Certified Third-Party Assessment Organization |
| SPRS score required | Not applicable | Yes — submitted to SPRS via PIEE portal |
| System Security Plan (SSP) | Not required | Required and reviewed during assessment |
| Plan of Action & Milestones (POA&M) | Not applicable | Required for unmet controls (180-day remediation window) |
| Estimated cost | $5,000–$15,000 | $50,000–$200,000+ |
| Timeline to achieve | 1–3 months | 6–18 months |
| Applies to | All DoD contractors | Contractors handling CUI |
| Phase-in date | Phase 1 — active now (since Dec 2024) | Phase 2 — November 10, 2026 |

CMMC Level 1: What It Actually Requires

Level 1 maps to the 17 security practices already required under FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). If you've been doing business with the federal government, you should already be meeting most of these. They include fundamentals like limiting system access to authorized users, using antivirus software, keeping systems patched, and controlling physical access to your systems.

The key points about Level 1:

Self-assessment only. You assess your own compliance against the 17 practices, and a senior company official submits an annual affirmation stating you've met the requirements. No external auditor visits your facility.

No NIST 800-171 requirement. Level 1 doesn't require compliance with the full NIST 800-171 framework. The 17 FAR practices are a subset — basic cyber hygiene that any business should already have in place.

Lower cost and complexity. Most small businesses can achieve Level 1 compliance with their existing IT infrastructure. The main cost is the time to document your practices and perform the self-assessment.

Already in effect. Level 1 requirements are being included in contracts now as part of Phase 1 of the CMMC rollout.

Who Needs Only Level 1?

You likely need only Level 1 if all of the following are true: your contracts involve only FCI (no CUI markings, no DFARS 252.204-7012 clause), you don't handle technical drawings or engineering data, you don't receive export-controlled information, and your prime contractor has confirmed Level 1 is the flowdown requirement. Examples include general office supply vendors to the DoD, basic logistics and transportation services, facilities maintenance contractors who don't access sensitive areas or information, and food service providers on military installations.

CMMC Level 2: What It Actually Requires

Level 2 maps to all 110 security controls in NIST SP 800-171 Revision 2. These are organized across 14 control families covering everything from access control and audit logging to incident response and system integrity.

This is a fundamentally different level of commitment compared to Level 1. The jump from 17 practices to 110 controls represents a roughly 6x increase in scope, and the controls are significantly more technical and documentation-heavy.

The key points about Level 2:

Third-party assessment required. A Certified Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB will assess your organization. As of mid-2026, approximately 100 C3PAOs are authorized — creating assessment wait times that stretch 12 to 18 months in many cases.

All 110 NIST 800-171 controls must be addressed. Every control must be either fully implemented or documented on a Plan of Action & Milestones (POA&M) with a 180-day remediation window. You cannot simply ignore controls that don't apply — you must document why they don't apply if that's the case.

Extensive documentation required. You'll need a System Security Plan (SSP) that describes how each control is implemented, a POA&M for any unmet controls, written policies and procedures for each control family, and evidence (screenshots, configurations, logs) that demonstrates implementation.

SPRS score submission. Before your C3PAO assessment, you must complete a self-assessment using the DoD Assessment Methodology and submit your SPRS score to the Supplier Performance Risk System via the PIEE portal. Your score ranges from 110 (perfect) to -203 (no controls implemented).

Conditional certification is possible. If you score at least 88 points (meaning all 5-point and 3-point controls are met) and have remaining gaps only on 1-point controls, you may receive a conditional certification with a 180-day window to close those gaps.
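To make the scoring arithmetic concrete, here is an added Python example. It is not CMMCGap's tool and not the DoD Assessment Methodology itself; it computes an SPRS score from a list of unmet controls and applies the conditional-certification rule stated above (score of at least 88 with only 1-point controls still open). The per-control weights in SAMPLE_WEIGHTS are constructed placeholders: the real 5-, 3- and 1-point assignments come from the DoD Assessment Methodology and are not reproduced here. The function and class names are this example's own.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110          # every NIST SP 800-171 control implemented
CONDITIONAL_FLOOR = 88   # minimum score for conditional certification, per the article

# CONSTRUCTED weight table for illustration only. The DoD Assessment
# Methodology assigns each of the 110 controls a 5-, 3- or 1-point
# deduction; the assignments below are placeholders, not the real ones.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.5.3": 5,
    "3.3.2": 3, "3.6.1": 3, "3.12.1": 3,
    "3.1.20": 1, "3.11.1": 1, "3.12.4": 1,
}


@dataclass
class SprsResult:
    score: int
    deductions: dict                 # control id -> points lost
    conditional_eligible: bool
    remediation_order: list = field(default_factory=list)  # heaviest deductions first


def score_assessment(unmet_controls, weights=SAMPLE_WEIGHTS) -> SprsResult:
    """Score a self-assessment: start at 110 and subtract the weight of
    every unmet control. Conditional certification requires the score to
    reach the floor AND every remaining gap to be a 1-point control."""
    unknown = sorted(set(unmet_controls) - set(weights))
    if unknown:
        raise ValueError(f"unknown control ids: {unknown}")
    deductions = {c: weights[c] for c in sorted(set(unmet_controls))}
    score = MAX_SCORE - sum(deductions.values())
    eligible = score >= CONDITIONAL_FLOOR and all(w == 1 for w in deductions.values())
    # Remediate the 5-point controls first, then 3-point, then 1-point.
    order = sorted(deductions, key=lambda c: (-deductions[c], c))
    return SprsResult(score, deductions, eligible, order)


def minimum_possible_score(weights=SAMPLE_WEIGHTS) -> int:
    """Score with nothing implemented. With the real 110-control table the
    article gives this as -203; with the constructed sample table it is 78."""
    return MAX_SCORE - sum(weights.values())


if __name__ == "__main__":
    # Constructed scenario: MFA, one audit control and the risk assessment are open.
    result = score_assessment(["3.5.3", "3.3.2", "3.11.1"])
    print(f"score={result.score} conditional={result.conditional_eligible}")
    print("fix in this order:", result.remediation_order)
```

A practical check the function makes visible: a score of 101 looks comfortable, yet a single open 5-point control (MFA here) rules out conditional certification regardless of the total, so the remediation order matters more than the headline number.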

Common Level 2 Requirements That Catch Small Contractors Off Guard

Several Level 2 controls are consistently problematic for small businesses because they require capabilities that most basic IT setups don't include.

Audit logging (3.3.1, 3.3.2): You must create and retain audit logs that track individual user actions on your systems. Standard Microsoft 365 Business licenses don't provide the audit log depth required — you typically need Business Premium or E5 licensing, or a separate SIEM solution.

Multi-factor authentication (3.5.3): MFA must be enforced for all network access, not just email. Every system that touches CUI needs MFA configured and enforced.

Incident response (3.6.1, 3.6.2, 3.6.3): You need a documented incident response plan, a defined process for reporting incidents, and you must actually test your incident response capability. Having a plan in a drawer isn't enough — you need evidence of tabletop exercises or drills.

Risk assessment (3.11.1): You must conduct periodic risk assessments. Many small contractors have never performed a formal risk assessment and don't have a framework for doing so.

Security assessment (3.12.1, 3.12.4): You must periodically assess your own security controls AND maintain a current System Security Plan. The SSP alone can be 100+ pages for a small organization.

CUI scoping: Before implementing any controls, you need to identify exactly where CUI flows in your organization — what systems store it, who accesses it, how it enters and leaves your environment. CUI scoping mistakes are the number one error CMMC assessors see in small contractor assessments. Getting the boundary wrong means you're either protecting too much (wasting money) or too little (failing the assessment).

Cost Comparison: Level 1 vs Level 2

| Cost Category | Level 1 | Level 2 |
|---|---|---|
| Gap assessment | $0–$2,000 (self-assessed) | $5,000–$20,000 |
| Documentation (SSP, policies, procedures) | Minimal | $10,000–$50,000 |
| Technology remediation | $0–$5,000 | $15,000–$100,000+ |
| C3PAO assessment fee | N/A (self-assessment) | $30,000–$70,000 |
| Consulting support | $0–$3,000 | $20,000–$80,000 |
| Annual maintenance | $1,000–$3,000 | $10,000–$30,000/year |
| Total first-year investment | $5,000–$15,000 | $50,000–$200,000+ |

These ranges represent actual market costs as of 2026. The DoD's own regulatory impact analysis projected Level 2 costs of $105,000–$118,000 for small organizations, and many contractors report spending within or above that range. The wide variance reflects differences in starting security posture — a company with an existing MSP and basic controls in place will spend far less on remediation than one starting from scratch.

The "I'm Not Sure" Scenario

If you're unsure whether you need Level 1 or Level 2, that ambiguity itself is a risk. Here's how to resolve it quickly:

Step 1: Review every active contract and subcontract. Look for DFARS 252.204-7012 (Safeguarding Covered Defense Information). If it's present, you handle CUI and need Level 2.

Step 2: Ask your contracting officer or prime contractor. They are required to flow down CMMC requirements. If they can't tell you what level you need, escalate — this isn't optional information.

Step 3: Look at the data you handle. Do you receive technical drawings, test data, specifications, personnel information, or anything marked "CUI"? If yes, plan for Level 2 even if your current contracts don't explicitly require it. Future contracts will.

Step 4: Take a gap assessment. Even if you're still determining your level, understanding your current security posture gives you a baseline. A free tool like CMMCGap can evaluate your compliance against NIST 800-171 controls and show you where you stand — whether you ultimately need Level 1 or Level 2.
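Step 1 is a text search, and it is easy to get wrong when clause numbers come out of a PDF with en dashes or wrapped across lines. The following Python example, added here and not part of CMMCGap's product, normalizes contract text and applies the decision logic of Steps 1 through 3 to a few constructed contract excerpts: DFARS 252.204-7012 present means Level 2; otherwise the level stated alongside DFARS 252.204-7021 is used; FAR 52.204-21 alone indicates FCI only; anything else is left unresolved so you ask the prime or contracting officer instead of assuming Level 1. A separate flag reports whether the text contains a CUI marking, which is Step 3's question. The function names and sample excerpts are this example's own.

```python
import re

# Clause identifiers referenced in the article. Contract exports often use
# en dashes or non-breaking hyphens, so text is normalized before matching.
DFARS_7012 = "252.204-7012"   # Safeguarding Covered Defense Information (CUI -> Level 2)
DFARS_7021 = "252.204-7021"   # CMMC level requirement clause; level is stated in the text
FAR_52_204_21 = "52.204-21"   # Basic Safeguarding of Covered Contractor Information Systems (FCI)

_DASH_VARIANTS = "\u2010\u2011\u2012\u2013\u2014\u2212"
# "Level N" within 300 characters after the 7021 clause number.
_LEVEL_AFTER_7021 = re.compile(r"252\.204-7021.{0,300}?\bLevel\s+([123])\b",
                               re.IGNORECASE | re.DOTALL)
_CUI_MARKING = re.compile(r"\bCUI\b|\bControlled Unclassified Information\b", re.IGNORECASE)


def normalize(text: str) -> str:
    """Map every dash variant to '-' and collapse whitespace so clause
    numbers split across lines or typeset with en dashes still match."""
    for dash in _DASH_VARIANTS:
        text = text.replace(dash, "-")
    return re.sub(r"\s+", " ", text)


def classify_contract(text: str) -> dict:
    """Apply the article's Step 1-3 test to one contract or subcontract."""
    t = normalize(text)
    has_7012 = DFARS_7012 in t
    has_7021 = DFARS_7021 in t
    has_far = FAR_52_204_21 in t
    m = _LEVEL_AFTER_7021.search(t)
    stated_level = int(m.group(1)) if m else None

    if has_7012:
        level = 2
        reason = "DFARS 252.204-7012 present: covered defense information (CUI) is in scope"
    elif stated_level is not None:
        level = stated_level
        reason = f"DFARS 252.204-7021 states CMMC Level {stated_level}"
    elif has_7021:
        level = None
        reason = "DFARS 252.204-7021 present but no level stated: confirm with the prime or contracting officer"
    elif has_far:
        level = 1
        reason = "Only FAR 52.204-21 present: FCI only"
    else:
        level = None
        reason = "No safeguarding clause found: ask before assuming Level 1"

    return {
        "level": level,
        "reason": reason,
        "has_7012": has_7012,
        "has_7021": has_7021,
        "has_far_52_204_21": has_far,
        "stated_level": stated_level,
        "cui_marking_present": bool(_CUI_MARKING.search(t)),  # Step 3 signal
    }


# Constructed contract excerpts (not real contract text). The first uses an
# en dash and a line break to show why normalization is needed.
SAMPLE_CONTRACTS = {
    "sub_with_cui": (
        "The following DFARS clauses are incorporated by reference: "
        "252.204\u20137012 Safeguarding Covered Defense Information and Cyber "
        "Incident Reporting; 252.204-7021 Contractor Compliance with the "
        "Cybersecurity Maturity Model Certification Level Requirement (CMMC\nLevel 2)."
    ),
    "fci_only_with_7021": (
        "FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems "
        "applies. DFARS 252.204-7021: the Contractor shall have a current CMMC Level 1 "
        "self-assessment in SPRS."
    ),
    "far_only": "FAR 52.204-21 Basic Safeguarding of Covered Contractor Information "
                "Systems applies to this purchase order.",
    "no_clauses": "Purchase order for office supplies. Delivery within 30 days of award.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_CONTRACTS.items():
        r = classify_contract(text)
        print(f"{name}: level={r['level']} ({r['reason']})")
```

Run it over the text of every active contract and subcontract; any result with level None is exactly the case where the article says to escalate rather than guess.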

What If You Need Level 2 But Can't Afford It?

This is the reality many small defense contractors face. The compliance costs are real, and the timeline is compressed. Here are your realistic options:

Scope your CUI boundary tightly. The more systems that handle CUI, the more systems need Level 2 controls. By creating a CUI enclave — a segregated environment specifically for CUI processing — you reduce the number of systems in scope and significantly lower your compliance cost. Solutions like PreVeil or Microsoft 365 GCC High can help create this boundary.

Phase your remediation. You don't have to implement everything at once. Start with the highest-weighted controls (the 5-point SPRS deductions) and work down. A solid POA&M with realistic timelines shows assessors you're moving in the right direction.

Leverage your MSP. If you use a managed service provider, many of the technical controls may already be partially implemented. Have a direct conversation with your MSP about CMMC — but verify their claims. Not all MSPs understand CMMC requirements, and assuming they've covered your controls without verification is a common and expensive mistake.

Remember that CMMC costs are allowable. Under FAR Part 31, CMMC compliance costs are generally allowable as costs necessary for contract performance. They can be included in your indirect rates for cost-reimbursable contracts or factored into pricing for fixed-price proposals.

Timeline: When Do You Need to Be Ready?

| Milestone | Date | What Happens |
|---|---|---|
| Phase 1 (Active now) | December 16, 2024 | Level 1 self-assessments required in applicable contracts |
| Phase 2 | November 10, 2026 | Level 2 C3PAO assessments required in applicable contracts |
| Phase 3 | November 10, 2027 | Level 2 required for all option periods and new awards with CUI |
| Phase 4 | November 10, 2028 | Full enforcement across all DoD contracts with CUI |

If you need Level 2, the November 2026 date is your effective deadline — but the real deadline is months earlier. With C3PAO wait times of 12 to 18 months, you need to be in the assessment queue by now. Contractors who wait until Q3 2026 to begin preparation will almost certainly not have certification in time for Phase 2 enforcement.

Determine Where You Stand Today

Whether you need Level 1 or Level 2, the first step is understanding your current compliance posture. Take the free CMMC gap assessment at CMMCGap to evaluate your security controls against NIST 800-171 requirements in about 3 minutes. You'll get an estimated SPRS score, a breakdown of gaps by control family, and a clear picture of what you need to address — no account required, no sales call.


Sources: NIST SP 800-171 Rev 2 (NIST), 32 CFR Part 170 — CMMC Program Final Rule (DoD), 48 CFR CMMC Acquisition Rule (DoD), DoD SPRS Assessment Methodology, Cyber AB C3PAO Authorization Data