CMMC Decision Guide

CMMC Level 1 vs Level 2: Which Do You Need?

Level 1 covers Federal Contract Information with 17 basic practices and a free annual self-assessment. Level 2 covers Controlled Unclassified Information with all 110 NIST SP 800-171 controls and usually a paid third-party C3PAO assessment. The data your contracts involve decides which one applies.

Level 1 vs Level 2 at a Glance

A side-by-side look at how the two most common CMMC levels differ.

CMMC Level 1CMMC Level 2
Data protectedFederal Contract Information (FCI)Controlled Unclassified Information (CUI)
Controls17 basic safeguarding practices110 controls from NIST SP 800-171
AssessmentAnnual self-assessmentThird-party C3PAO assessment
Typical costLow — mostly internal time$30,000–$75,000 assessment; $138k–$285k all-in
ValidityAnnual self-attestation3 years + annual affirmations
Best whenYou only handle FCIYou store, process, or transmit CUI

Which Do You Need?

Choose Level 1 if…

  • You only handle Federal Contract Information (FCI)
  • Your contracts don't involve CUI
  • You want the lowest-cost path to eligibility
  • An annual self-assessment is acceptable

Choose Level 2 if…

  • You store, process, or transmit CUI
  • Your contract requires a C3PAO certification
  • You need to bid on CUI-bearing DoD work
  • Self-assessment won't satisfy your customer

Cost & Timeline

Cost gap: Level 1 is mostly internal effort, while Level 2 means a $30,000–$75,000 C3PAO assessment and a $138,000–$285,000 total first cycle once remediation and documentation are included. Timeline: Level 2 typically needs months of preparation. DoD enforcement of Level 2 ramps up from November 10, 2026, so start early.

CMMC Level 1 vs Level 2 FAQ

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 protects Federal Contract Information (FCI) with 17 basic safeguarding practices verified by an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) with all 110 controls from NIST SP 800-171, and most companies must pass a third-party C3PAO assessment. Level 2 is dramatically more rigorous and expensive.

How much does each CMMC level cost?

Level 1 is inexpensive because it's a self-assessment — your main cost is internal time to implement the 17 practices. Level 2 requires a C3PAO assessment costing $30,000–$75,000, and the total first certification cycle, including remediation and documentation, averages $138,000–$285,000.

Which CMMC level do I need?

It depends on the data your DoD contracts involve. If you only handle Federal Contract Information, Level 1 is enough. If you store, process, or transmit Controlled Unclassified Information, you need Level 2. Your contract and the DoD will specify the required level.

Can I self-assess for CMMC Level 2?

Only in limited cases. Most Level 2 contracts require a certified third-party assessment by a registered C3PAO. A small subset of Level 2 work may allow self-assessment, but the default expectation for CUI is a C3PAO certification valid for three years with annual affirmations.

When does CMMC become mandatory?

The DoD begins adding Level 2 C3PAO requirements to new contracts from November 10, 2026, and extends them to existing contracts in 2027. Because remediation can take months, contractors handling CUI should start preparing well ahead of those dates.

Plan Your CMMC Path

Tell us your contract requirements and get matched with assessors and advisors who can guide your CMMC journey. No sales calls.

Get Started →