CMMC Level 1 vs. Level 2: Which Applies to Your Contract and What Each Requires
The single most expensive mistake a small federal IT contractor makes with the Cybersecurity Maturity Model Certification (CMMC) is scoping to the wrong level. CMMC Level 1 is an annual self-assessment against 15 requirements. CMMC Level 2 is a 110-requirement program that, for most contracts that touch Controlled Unclassified Information, requires a third-party assessment and a three-year certification. The trigger is the data type, not the contract size, and the contracting officer sets it in the solicitation. This guide explains what determines each level and what each one actually requires.
Read the complete guide: CMMC Compliance for Small Defense Contractors: The Definitive Guide.
What Determines Whether a Contract Is Level 1 or Level 2?
CMMC level is determined by the category of nonpublic government information the contractor will store, process, or transmit on its systems. There are two categories that matter at the lower two levels: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Federal Contract Information is information provided by or generated for the government under a contract that is not intended for public release. It is defined in the basic safeguarding clause at FAR 52.204-21. FCI is common: a delivery schedule, a non-public statement of work, or correspondence about contract performance is FCI. Handling FCI and no CUI puts a contract at CMMC Level 1 (Foundational).
Controlled Unclassified Information is information the government requires to be safeguarded or disseminated under a law, regulation, or government-wide policy, catalogued in the National Archives CUI Registry. Controlled technical information, certain privacy data, and many categories of system security documentation are CUI. Handling CUI puts a contract at CMMC Level 2 (Advanced) or, for the highest-risk programs, Level 3 (Expert).
The practical implication is that a contractor cannot self-select its level. The contracting officer identifies the required level in the solicitation based on the data the work involves. The CMMC Program is codified at 32 CFR Part 170, and the contractual requirement flows down through the Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7021.
What Does CMMC Level 1 Require?
CMMC Level 1 maps directly to the 15 basic safeguarding requirements in FAR 52.204-21(b)(1). These are foundational hygiene controls: limit system access to authorized users, control who can run which functions, sanitize media before disposal, control physical access, monitor and protect network boundaries, identify and correct flaws, and provide protection against malicious code. There is no separate control catalog to learn; the 15 requirements are the standard.
The assessment model for Level 1 is the lightest in the program:
- Annual self-assessment. The contractor assesses its own systems against the 15 requirements each year. No third-party assessor is involved at Level 1.
- Annual affirmation in SPRS. A senior official affirms continued compliance in the Supplier Performance Risk System (SPRS). The affirmation is an attestation that carries individual accountability.
- No POA&M at Level 1. All 15 requirements must be met. There is no partial-credit path; a Plan of Action and Milestones is not permitted to defer a Level 1 requirement.
Level 1 is achievable for most well-run small businesses without a large external engagement, but the "no POA&M" rule means all 15 controls must be genuinely in place at the time of affirmation. For firms operating in NAICS 541512 (Computer Systems Design Services), 541513, or 541519, the controls are ordinary IT practice; the work is documenting them defensibly.
What Does CMMC Level 2 Require?
CMMC Level 2 is built on the 110 security requirements of NIST Special Publication 800-171, organized across 14 control families spanning access control, audit and accountability, configuration management, incident response, system and communications protection, and more. This is a substantially larger and more documentation-intensive standard than Level 1.
Level 2 has two assessment paths, and the contract specifies which applies:
- Level 2 certification (C3PAO). For most Level 2 acquisitions involving CUI, an authorized Certified Third-Party Assessment Organization (C3PAO) conducts the assessment. The resulting certification is valid for three years, with an annual affirmation in SPRS in the intervening years. See how to select a C3PAO from the Cyber AB Marketplace.
- Level 2 self-assessment. 32 CFR Part 170 permits a self-assessment path for a limited subset of Level 2 acquisitions. Contractors should not assume self-assessment applies; the solicitation and contracting officer specify it.
Level 2 also carries the foundational DoD safeguarding obligations that pre-date CMMC and continue alongside it: DFARS 252.204-7012 requires implementation of NIST SP 800-171 and rapid cyber-incident reporting, and DFARS 252.204-7019/7020 require a current NIST SP 800-171 DoD Assessment score posted in SPRS. A contractor pursuing Level 2 work should already have that score on file.
How Does the POA&M Work at Level 2?
Unlike Level 1, Level 2 allows a conditional path. An assessment can yield Conditional CMMC Status when the score meets a defined minimum threshold and only eligible requirements remain open on a Plan of Action and Milestones. The contractor then has 180 days to close and verify those items, after which Final CMMC Status is granted.
Two constraints make this less generous than it sounds. First, certain higher-weighted requirements are not eligible for a POA&M and must be fully met before any status is granted. Second, the conditional path requires the assessment score to clear the minimum bar; a low score does not qualify for a conditional certification at all. The scoring methodology assigns point deductions per unmet requirement against a 110-point baseline, consistent with the DoD Assessment Methodology used for the SPRS score under DFARS 252.204-7020. Confirm the current eligibility list and score threshold in 32 CFR Part 170 before planning around a conditional certification, because these specifics are the part of the rule most likely to be misread.
Level 1 vs. Level 2 at a Glance
- Trigger. Level 1 = Federal Contract Information only. Level 2 = Controlled Unclassified Information.
- Requirement count. Level 1 = 15 (FAR 52.204-21). Level 2 = 110 (NIST SP 800-171).
- Assessment. Level 1 = annual self-assessment. Level 2 = C3PAO certification (most contracts) or self-assessment (limited subset); a Level 2 certification is valid for three years.
- Affirmation. Both require an annual senior-official affirmation in SPRS.
- POA&M. Level 1 = not permitted; all 15 must be met. Level 2 = permitted for eligible requirements with a 180-day closeout, subject to a minimum score.
- Documentation. Level 1 = practice-level evidence. Level 2 = a System Security Plan covering all 110 requirements, the supporting policies, and evidence mapped to each requirement's assessment objectives.
Why Small Contractors Scope This Wrong
Three patterns recur, and each carries real cost.
Assuming FCI work needs Level 2. Over-scoping to Level 2 when a contract only involves FCI loads months of unnecessary preparation and an avoidable C3PAO expense into a bid. The data type, confirmed with the contracting officer, sets the level. Do not bid Level 2 cost on a Level 1 requirement.
Assuming Level 2 means self-assessment. The reverse error is more dangerous. A contractor that plans for a Level 2 self-assessment and then learns the contract requires C3PAO certification faces an assessment scheduling backlog that can run months, putting award timing at risk. Treat C3PAO certification as the default Level 2 assumption unless the contract states otherwise.
Treating the SPRS score and CMMC as separate projects. The NIST SP 800-171 DoD Assessment score required under DFARS 252.204-7019/7020 and the CMMC Level 2 assessment are built on the same 110 requirements. A contractor with a current, honest SPRS score has already done most of the Level 2 readiness work. A contractor whose SPRS score was posted optimistically has created a future certification gap and a potential civil False Claims Act exposure under the Department of Justice Civil Cyber-Fraud Initiative.
What the Phased Rollout Means for Your Next Bid
CMMC requirements are being incorporated into solicitations on a phased schedule defined in 32 CFR Part 170 and implemented through DFARS 252.204-7021. Early phases emphasize self-assessment levels, with C3PAO certification requirements expanding across subsequent phases over a multi-year ramp. The operational takeaway for a small business in NAICS 541512, 541611 (Administrative Management and General Management Consulting), or 541330 (Engineering Services) is simple: do not wait for the clause to appear in a solicitation you want to win. Establish a current SPRS score, write a defensible System Security Plan, and decide your level posture before the requirement is in front of you on a deadline.
For the broader certification, set-aside, and positioning view, see SDVOSB Federal IT Contracting: The Definitive Guide and the TDS-IS Capability Statement, which documents current compliance posture for contracting-officer review.
Frequently Asked Questions
Does a contract that only involves Federal Contract Information require CMMC Level 2? No. CMMC Level 2 is triggered by Controlled Unclassified Information, not by FCI. A contract that involves FCI but no CUI requires CMMC Level 1, an annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21. The level is set by the data type, and the contracting officer specifies it in the solicitation. If you are unsure whether your work involves CUI, ask the contracting officer to confirm the data type and the marked level before you bid your compliance cost.
Can a small federal IT contractor self-assess for CMMC Level 2, or is a C3PAO assessment always required? Most Level 2 contracts that involve CUI require a third-party assessment by a C3PAO, with a certification valid for three years and an annual affirmation in between. 32 CFR Part 170 allows a self-assessment path for a limited subset of Level 2 acquisitions, but contractors should not assume it applies. The solicitation and contracting officer specify whether the contract requires Level 2 self-assessment or Level 2 certification. Plan for C3PAO certification unless the contract document explicitly states otherwise.
Can you win a CMMC Level 2 contract with open findings on a POA&M? Conditional CMMC status is possible at Level 2 when the assessment score meets the minimum threshold and only eligible requirements remain open on a POA&M. Those items must be closed and verified within 180 days for final status. Certain higher-weighted requirements cannot be placed on a POA&M and must be met before any status is granted. Confirm current eligibility and scoring rules in 32 CFR Part 170 before relying on a conditional path.
Need a current SPRS score and a defensible CMMC posture before your next bid?
TDS-IS implements NIST SP 800-171 controls, drafts System Security Plans, and maintains current SPRS scoring for small federal IT contractors. Our capability statement documents compliance posture ready for contracting-officer review. CAGE 8J6T6, UEI H883URPYC4J7.