Short answer: If your DoD contract handles only Federal Contract Information (FCI) — basic information not marked for public release — you need CMMC Level 1, a self-assessment against 17 controls. If your contract handles Controlled Unclassified Information (CUI) — anything marked CUI, FOUO, ITAR, or covered defense information — you need CMMC Level 2, a third-party assessment against the 110 controls in NIST SP 800-171 r2. Most subcontractors flow down to Level 2 the moment a prime sends them a drawing or technical data package.
The 5-minute test
Read your most recent prime contract or subcontract and look for three things:
- DFARS 252.204-7012 in the clauses list. If present, you are handling — or may handle — CUI. That pushes you to Level 2.
- DFARS 252.204-7019, -7020, or -7021. These are the CMMC assessment clauses. -7019 / -7020 = self-assessment posted to SPRS (most contracts today). -7021 = third-party CMMC certification required.
- Any document, drawing, spec, or email marked CUI, FOUO, ITAR, EAR, NOFORN, or "Covered Defense Information". If yes, you handle CUI today, regardless of what the contract clause says.
If none of the three are present and you only ship commercial off-the-shelf goods (mowing the base lawn, selling office chairs, catering), you are likely Level 1.
FCI vs CUI in plain English
Federal Contract Information (FCI)
Information the government gave you, or that you generated for the government, that is not intended for public release. The contract itself, a delivery schedule, an invoice. Defined in FAR 52.204-21.
Controlled Unclassified Information (CUI)
Unclassified information the government has decided needs protection: technical drawings, export-controlled data, personally identifiable information about service members, source selection data, naval nuclear propulsion information. The full registry is maintained at archives.gov/cui. If a document is marked CUI, it is CUI — even if it arrived by Gmail.
What Level 1 requires
- 17 controls from FAR 52.204-21 (basic safeguarding).
- Annual self-assessment by a senior company official.
- Annual affirmation in SPRS by that same official.
- No third-party assessor required.
- No FedRAMP hosting required — commercial cloud is fine.
Cost: typically $1k–$10k/yr in tooling and a few days of internal time, assuming you don't need a consultant.
What Level 2 requires
- 110 controls from NIST SP 800-171 r2 plus 320 assessment objectives in NIST SP 800-171A.
- System Security Plan (SSP) documenting your environment and how each control is implemented.
- Plan of Action & Milestones (POA&M) for any control not yet at "Met".
- Third-party assessment by a C3PAO every three years, plus annual affirmation.
- FedRAMP Moderate Equivalent (or higher) cloud for any system that stores, processes, or transmits CUI. That means AWS GovCloud, Azure Government, or a CSP with a documented body-of-evidence equivalency package.
- US-persons-only access in many cases (ITAR data, certain CUI categories).
Cost: typically $40k–$150k for the first year for a 10–50 person shop, including infrastructure migration, an SSP, a C3PAO assessment, and remediation.
What happens if you guess wrong
Self-affirming Level 1 when you should be Level 2 is a False Claims Act exposure. The DOJ's Civil Cyber-Fraud Initiative has already collected eight-figure settlements from contractors who attested to controls they didn't have. Even an honest misread is risky — defense counsel will tell you the affirmation in SPRS is the legal hook. When in doubt, ask your contracting officer in writing and keep the response.
Your next step
Pull your contract. Search for "DFARS 252.204-7012" and the words "controlled unclassified". If either is there, scope to Level 2 and start the SSP work now — a real assessment takes 4–6 months of preparation even when you know what you're doing. If neither is there, Level 1 is a weekend of work, not a quarter.
Frequently asked questions
- Is CMMC Level 2 the same as NIST 800-171?
- Almost. CMMC Level 2 audits you against the 110 controls in NIST SP 800-171 r2 using the assessment objectives in NIST SP 800-171A. The difference is the assessment — NIST 800-171 has been a self-assessment requirement since DFARS 252.204-7012 took effect in 2017; CMMC Level 2 adds a third-party C3PAO assessment every three years for most contracts.
- Can I be Level 1 for one contract and Level 2 for another?
- Technically yes, but the cheaper move is usually to scope your entire CUI-handling environment to Level 2 and keep your FCI-only work logically separated. Most small contractors find that maintaining two postures costs more than just running one Level 2 enclave for the contracts that need it.
- When does CMMC Level 2 become mandatory?
- The CMMC 2.0 rule (32 CFR Part 170) became effective December 16, 2024, and DFARS 252.204-7021 — the contract clause that actually requires a C3PAO certificate — is being phased into solicitations starting in 2025 and ramping through 2028. Many primes are already flowing Level 2 expectations down today even when -7021 is not yet in the contract.
- Do I need CMMC if I'm a subcontractor and not the prime?
- Yes, if CUI flows down to you. DFARS 252.204-7012 requires the prime to flow the clause down to any subcontractor whose performance involves CUI, and CMMC Level 2 will flow the same way under -7021. The prime's certificate does not cover you.