CMMC Level 1 and Level 2 sound like steps on the same staircase. They're not. They're different programs — different controls, different assessments, different costs, and completely different consequences if you pick wrong.
This is the short version every DoD supplier should read before writing a check for consulting or tooling.
It Starts With FCI vs CUI
You can't choose a CMMC level without first knowing what kind of government data you handle. Two terms matter:
Federal Contract Information (FCI). Information provided by or generated for the government under a contract that isn't intended for public release. Examples: proposal drafts, contract performance data, non-public delivery schedules, some purchase orders.
Controlled Unclassified Information (CUI). Information the government requires safeguarding under specific laws or policies. Examples: technical drawings under ITAR/EAR, engineering specs for weapons components, programmatic data marked CUI//SP-PROP, export-controlled software source code, certain contract financial data.
Rule of thumb: if any document, email, file, or drawing you receive from a DoD prime or the government carries a CUI marking — or would qualify as CUI under the National Archives CUI Registry — you are in Level 2 territory, not Level 1.
CMMC Level 1: Basic Cyber Hygiene
Level 1 covers contractors who only handle FCI. It aligns with the 17 basic practices drawn from FAR 52.204-21 — things like MFA on administrator accounts, limiting information system access to authorized users, and controlling connections to external systems.
- 17 practices total
- Annual self-assessment, submitted to SPRS
- No C3PAO required
- Senior official annual affirmation
If you're a contractor that, say, provides office supplies, non-CUI professional services, or commercial products with no technical data flow-down, Level 1 may be your ceiling. But read your contracts carefully — primes are increasingly flowing down Level 2 by default.
CMMC Level 2: The Standard for Most Defense Work
Level 2 is the big one. It's aligned directly with all 110 practices in NIST SP 800-171 Revision 2. If your business handles CUI in any meaningful way, you need it.
- 110 practices across 14 control families
- C3PAO third-party assessment for the vast majority of contracts (some low-risk cases allow self-assessment)
- Three-year certification cycle plus annual affirmations
- POA&Ms permitted only for specific controls, with 180-day close-out
Industries that almost always land on Level 2: aerospace, precision manufacturing, CNC machining, electronics, defense IT, engineering services, logistics supporting weapons programs, and cybersecurity subcontractors. Our CNC machining CMMC program and our broader industry coverage reflect the reality: most shops in the defense supply chain are Level 2.
Level 3 — Briefly
Level 3 is for the highest-risk programs involving APT-level threats. It adds 24 controls from NIST 800-172 on top of Level 2. Assessments are conducted by the Defense Contract Management Agency's DIBCAC rather than a C3PAO. If you're Level 3, you likely already know it — your program office will have told you.
How to Choose Your Level
Decision checklist:
- Do your contracts include DFARS 252.204-7012? → You handle CUI or FCI. Continue.
- Do you receive documents marked CUI, CDI, ITAR, EAR, or "For Official Use Only"? → Level 2 minimum.
- Do you access or store engineering drawings, specs, or technical data for defense components? → Level 2.
- Are you only providing commercial off-the-shelf goods with no sensitive data flow-down? → Level 1 may apply.
- Does your program office or prime specifically require Level 3? → Level 3.
- Unsure? Start with our free self-assessment, then talk to our consultants.
What Most Defense Suppliers Get Wrong
Two mistakes we see constantly.
First, assuming Level 1 because "we don't really get CUI." If your prime sends you schematics, BOMs, or engineering specs — even once — you're probably handling CUI. Level 1 won't save you if an assessor or DCMA auditor finds a CUI file on a Level-1-scoped system.
Second, overshooting to Level 3. Level 3 costs significantly more and demands government-led assessment. Unless your contract explicitly requires it, you don't need it.
For context on the broader program and timeline, the official DoD CMMC site and the OSD CMMC program office publish the authoritative phase-in details. And if you want the longer playbook on preparing, read our 2026 assessment prep guide.