CMMC Level 1 vs Level 2: Which Do You Need?
The level you need is driven by the kind of government information you handle. Here's how to tell Level 1 from Level 2 — and, for Level 2, whether you can self-assess or need a third party.
It comes down to FCI vs CUI
Level 1 (Foundational) applies if you handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract that isn't intended for public release. It is based on the 15 basic safeguarding requirements in FAR 52.204-21 and is entered as a pass/fail self-assessment.
Level 2 (Advanced) applies if you handle Controlled Unclassified Information (CUI). It is based on the 110 NIST SP 800-171 Rev 2 requirements and produces a calculated SPRS score. Level 3 (Expert) adds 24 enhanced requirements from NIST SP 800-172 on top of Level 2 and is government-led (DIBCAC).
Level 2: self-assessment or C3PAO certification?
Not every Level 2 contractor self-assesses. The CMMC Level Determination guidance sets the minimum based on where your CUI is categorized:
- If your CUI is in the NARA CUI Registry but not in the DoD Organizational Index Grouping (OIG), Level 2 (Self-Assessment) is the minimum.
- If your CUI is in the DoD OIG, Level 2 (Certification by a C3PAO) is the minimum.
- CUI meeting multiple criteria aligns to the highest applicable level.
Flow-down to subcontractors
Requirements flow down the supply chain. If a subcontractor will only ever touch FCI, Level 1 is the floor. If they'll handle CUI, Level 2 (Self) is the minimum — and if the prime is required to meet Level 2 (C3PAO) or Level 3, the subcontractor's minimum rises to Level 2 (C3PAO).
Still not sure?
If you can't confidently say whether you handle CUI, that determination should come first — it changes everything downstream. Our level-determination wizard walks the FCI/CUI and DoD-OIG questions and points you to the right level before you start assessing.
Key takeaways
- FCI → Level 1 (15 FAR 52.204-21 practices, pass/fail).
- CUI → Level 2 (110 NIST SP 800-171 requirements, scored).
- CUI in the DoD OIG → Level 2 Certification (C3PAO), not self-assessment.
- Level 3 adds 24 SP 800-172 enhanced requirements and is DIBCAC-led.
SentryNexus is a preparation and self-assessment tool. It does not connect to or submit anything to SPRS, and it is informational support only — not legal or compliance certification advice.