CMMC Level 1 vs Level 2: Which Do You Need?
Level 1 covers Federal Contract Information with 17 basic practices and a free annual self-assessment. Level 2 covers Controlled Unclassified Information with all 110 NIST SP 800-171 controls and usually a paid third-party C3PAO assessment. The data your contracts involve decides which one applies.
Level 1 vs Level 2 at a Glance
A side-by-side look at how the two most common CMMC levels differ.
| CMMC Level 1 | CMMC Level 2 | |
|---|---|---|
| Data protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Controls | 17 basic safeguarding practices | 110 controls from NIST SP 800-171 |
| Assessment | Annual self-assessment | Third-party C3PAO assessment |
| Typical cost | Low — mostly internal time | $30,000–$75,000 assessment; $138k–$285k all-in |
| Validity | Annual self-attestation | 3 years + annual affirmations |
| Best when | You only handle FCI | You store, process, or transmit CUI |
Which Do You Need?
Choose Level 1 if…
- ✓You only handle Federal Contract Information (FCI)
- ✓Your contracts don't involve CUI
- ✓You want the lowest-cost path to eligibility
- ✓An annual self-assessment is acceptable
Choose Level 2 if…
- ✓You store, process, or transmit CUI
- ✓Your contract requires a C3PAO certification
- ✓You need to bid on CUI-bearing DoD work
- ✓Self-assessment won't satisfy your customer
Cost & Timeline
CMMC Level 1 vs Level 2 FAQ
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 protects Federal Contract Information (FCI) with 17 basic safeguarding practices verified by an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) with all 110 controls from NIST SP 800-171, and most companies must pass a third-party C3PAO assessment. Level 2 is dramatically more rigorous and expensive.
How much does each CMMC level cost?
Level 1 is inexpensive because it's a self-assessment — your main cost is internal time to implement the 17 practices. Level 2 requires a C3PAO assessment costing $30,000–$75,000, and the total first certification cycle, including remediation and documentation, averages $138,000–$285,000.
Which CMMC level do I need?
It depends on the data your DoD contracts involve. If you only handle Federal Contract Information, Level 1 is enough. If you store, process, or transmit Controlled Unclassified Information, you need Level 2. Your contract and the DoD will specify the required level.
Can I self-assess for CMMC Level 2?
Only in limited cases. Most Level 2 contracts require a certified third-party assessment by a registered C3PAO. A small subset of Level 2 work may allow self-assessment, but the default expectation for CUI is a C3PAO certification valid for three years with annual affirmations.
When does CMMC become mandatory?
The DoD begins adding Level 2 C3PAO requirements to new contracts from November 10, 2026, and extends them to existing contracts in 2027. Because remediation can take months, contractors handling CUI should start preparing well ahead of those dates.
Plan Your CMMC Path
Tell us your contract requirements and get matched with assessors and advisors who can guide your CMMC journey. No sales calls.
Get Started →