CMMC Level 1 vs Level 2
FCI vs CUI, Self-Assessment vs C3PAO, and What Triggers Each Level
Your required CMMC level is not determined by company size, contract value, or what your prime contractor demands. It is determined by one thing: the type of federal information your organization handles. Get that classification wrong and you will either over-engineer your compliance program or face enforcement action for operating at the wrong level.
CMMC Level 1 requires implementation of the 15 basic safeguarding requirements of FAR 52.204-21 for organizations handling Federal Contract Information (FCI). CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 Rev. 2 security requirements for organizations handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012, DFARS 252.204-7021 and 32 CFR Part 170. The two levels reflect fundamentally different risk environments. Level 1 covers FCI: basic, non-public contract data. Level 2 covers CUI: sensitive technical, operational or research data that carries legal handling obligations under federal law, regulation or government-wide policy.
The assessment process, the documentation requirements, and the ongoing compliance burden are substantially different between the two levels. The table below shows the gap at a glance.
At a glance (Level 1 / Level 2):
Controls: 15 basic safeguarding requirements under FAR 52.204-21 / 110 NIST SP 800-171 requirements
Assessment type: annual self-assessment / C3PAO assessment every 3 years, with an annual affirmation in the two years between
SSP: not mandated, but advisable / mandatory, reviewed on the first day of the assessment
Certification: self-assessment result and affirmation entered in SPRS each year / CMMC certificate issued by a C3PAO, valid for 3 years
Table: Side-by-side comparison of CMMC Level 1 vs Level 2 requirements: controls, assessment type, SSP mandate, and certification.
Does my contract require CMMC Level 1 or Level 2?
The distinction between FCI and CUI is the threshold that determines whether your compliance program costs tens of thousands of dollars or hundreds of thousands. Both are non-public federal information — but CUI carries specific legal handling requirements under federal law and regulation.
Federal Contract Information (FCI) → Level 1
Information provided by or generated for the government under a contract to develop or deliver a product or service, and not intended for public release.
Governing clause: FAR 52.204-21.
Examples: DoD delivery schedules, pricing, procurement correspondence.
Controlled Unclassified Information (CUI) → Level 2
Information the government creates or possesses that requires safeguarding per law, regulation or government-wide policy, formally designated and marked by a DoD authority.
Governing clauses: DFARS 252.204-7012 and DFARS 252.204-7021.
Examples: defense system specifications and design documents; naval and aviation maintenance data; controlled technical drawings and export-controlled data.
Table: FCI vs CUI data type comparison: governing clauses, examples, and which CMMC level each triggers.
The practical test: if your contract involves technical work product (engineering, design, research, manufacturing), the data flowing through it is very likely CUI. If it is purely logistical (shipping, scheduling, basic services), it is more likely FCI. This is a heuristic, not a determination: when uncertain, ask the contracting officer in writing and keep the response with the contract file.
What are the assessment requirements for CMMC Level 1 vs Level 2?
The operational gap between Level 1 and Level 2 is not incremental — it is a qualitative shift in the scale and formality of your entire security program. Level 1 requires basic hygiene. Level 2 requires a formally documented, third-party-verified implementation of all 110 NIST 800-171 controls.
Controls
Level 1: 15 basic safeguarding requirements under FAR 52.204-21.
Level 2: 110 requirements across 14 domains, including access control, incident response, risk assessment, system and information integrity, configuration management and media protection.
SSP
Level 1: Not formally mandated. Documenting how each of the 15 requirements is met is advisable protection against FCA exposure.
Level 2: Mandatory. Reviewed by the C3PAO lead assessor on Day 1; without it, there is no assessment.
Assessor
Level 1: The organization assesses itself annually. No third party reviews the submission.
Level 2: An accredited C3PAO conducts the assessment in Year 1. In Years 2 and 3 the Affirming Official submits an annual affirmation of continued compliance in SPRS.
SPRS score
Level 1: Pass/fail. All 15 requirements are either met or not; there is no partial credit.
Level 2: Numerical score from −203 to +110 under the NIST SP 800-171 DoD Assessment Methodology. Each unmet requirement deducts 1, 3 or 5 points; only 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated encryption) can receive partial credit of 3 points instead of 5.
POA&Ms
Level 1: Not permitted. Every requirement must be met before the self-assessment can be affirmed.
Level 2: A conditional certification is possible only if the score is at least 88/110 and every open item is a 1-point requirement (3.13.11 may remain open at 3 points when encryption is in place but not FIPS-validated). The POA&M must be closed out by a C3PAO within 180 days or the conditional status lapses.
Table: Assessment requirement comparison between CMMC Level 1 (self-assessment) and Level 2 (C3PAO assessment) across controls, SSP, SPRS score, and POA&Ms.
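The scoring and POA&M rules above are easy to misapply by hand, so here is an added worked example (not part of the original page, and not an official DoD tool) that computes a DoD Assessment Methodology score from a list of unmet requirements and applies the Conditional Level 2 tests. The caller supplies each requirement's 1/3/5 weight from the methodology annex; the weights in the sample data are illustrative, the partial-credit rules for 3.5.3 and 3.13.11 follow the methodology, and the set of requirements that may never be on a POA&M is this example's reading of 32 CFR 170.21(a)(2)(iii) and should be checked against the rule text.

```python
"""Score a NIST SP 800-171 assessment the way the DoD Assessment Methodology
does and test the result against the CMMC Level 2 POA&M conditions.
Added example; weights come from the caller, not from an embedded annex."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MAX_SCORE = 110
MIN_SCORE = -203                # all 110 unmet: the weights sum to 313
POAM_RATIO = 0.8                # 32 CFR 170.21: score / 110 must be >= 0.8
POAM_CLOSEOUT_DAYS = 180

# Partial credit exists for exactly two requirements: 3.5.3 (MFA in place for
# some but not all accounts) and 3.13.11 (encryption used but not FIPS-validated).
# Each then deducts 3 points instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Requirements that may never sit on a Level 2 POA&M regardless of weight, as
# this example reads 32 CFR 170.21(a)(2)(iii). Assumption: verify against the rule.
NEVER_ON_POAM = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})


@dataclass(frozen=True)
class Finding:
    """One unmet requirement. `weight` is the 1/3/5 value from the methodology
    annex, supplied by the caller."""
    requirement: str
    weight: int
    partial: bool = False

    def deduction(self) -> int:
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.requirement}: weight must be 1, 3 or 5")
        if self.partial and self.requirement in PARTIAL_CREDIT:
            return PARTIAL_CREDIT[self.requirement]
        return self.weight      # partial flag is ignored for every other item


def sprs_score(findings) -> int:
    """Score = 110 minus the deduction for every unmet requirement."""
    score = MAX_SCORE - sum(f.deduction() for f in findings)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return score


def poam_eligible(findings) -> tuple[bool, list[str]]:
    """Apply the Conditional Level 2 tests, assuming every open finding would be
    placed on the POA&M. Returns (eligible, reasons_it_is_not)."""
    reasons = []
    score = sprs_score(findings)
    if score / TOTAL_REQUIREMENTS < POAM_RATIO:
        reasons.append(f"score {score} is below the 0.8 threshold (88)")
    for f in findings:
        if f.requirement in NEVER_ON_POAM:
            reasons.append(f"{f.requirement} may never be on a POA&M")
        elif f.requirement == "3.13.11" and f.deduction() <= 3:
            continue            # the one item above 1 point the rule allows
        elif f.deduction() > 1:
            reasons.append(
                f"{f.requirement} is worth {f.deduction()} points; "
                "only 1-point items may be open")
    return (not reasons, reasons)


def poam_deadline(conditional_date: date) -> date:
    """Last day for the C3PAO closeout assessment."""
    return conditional_date + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed sample: two partial-credit items plus one 1-point gap.
    # Weights are illustrative; take the real ones from the methodology annex.
    sample = [
        Finding("3.13.11", 5, partial=True),   # encryption present, not FIPS-validated
        Finding("3.5.3", 5, partial=True),     # MFA rolled out to privileged users only
        Finding("3.4.3", 1),                   # change tracking not yet documented
    ]
    print("score:", sprs_score(sample))                      # 103
    print("conditional status:", poam_eligible(sample))      # blocked by 3.5.3
    print("closeout by:", poam_deadline(date(2025, 1, 15)))  # 2025-07-14
```

The sample shows the trap the table hints at: a score of 103 comfortably clears 88, yet the organization is still not eligible for a conditional certificate because a partially implemented 3.5.3 is a 3-point item, and only 3.13.11 is allowed to stay open above 1 point.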
How often do you need to re-certify for CMMC?
The most consequential misunderstanding in the defense supply chain is treating CMMC as a one-time hurdle. A Level 2 C3PAO certificate is valid for three years — but the compliance obligation runs every day of every contract it supports.
The Level 2 Triennial Compliance Cycle (3-year certification period)
Year 1: C3PAO independent assessment. An accredited third-party assessor conducts the full assessment. The certificate is issued, the CMMC UID is recorded in SPRS and the 3-year clock starts.
Year 2: Annual affirmation. The organization confirms its continued compliance against all 110 requirements and the Affirming Official submits the affirmation in SPRS. FCA exposure attaches to this affirmation.
Year 3: Annual affirmation. Same process as Year 2. The next C3PAO assessment must be scheduled so that it completes before the certificate expires. FCA exposure attaches to this affirmation as well.
Continuous obligation: all 110 requirements must be maintained every day of the 3-year cycle, not just on assessment day. A lapse in Month 14, even a temporary one, can undermine the affirmation if a breach or investigation follows.
Figure: The CMMC Level 2 triennial compliance cycle: C3PAO assessment in Year 1, annual affirmations in SPRS in Years 2 and 3.
Each SPRS affirmation — at both Level 1 and Level 2 — is a legal representation to the federal government signed by a senior official. The legal exposure from an inaccurate affirmation is direct and significant.
The Invoice Attestation Risk
Every time a contractor submits an invoice to the DoD, it implicitly certifies that it remains in compliance with all applicable CMMC requirements for that contract. A contractor that is not meeting its required controls, while continuing to invoice and receive payment, makes a false claim with each submission. This implied-certification theory is how the False Claims Act reaches cybersecurity non-compliance between formal SPRS affirmation dates.
What happens if you pick the wrong CMMC level?
The most expensive CMMC mistakes happen before a single control is implemented — when an organization misclassifies its data type and builds a compliance program at the wrong level. Four patterns appear repeatedly across the defense supply chain.
Trap 01: The Prime Contractor Blanket Demand
Primes frequently issue blanket requirements mandating Level 2 across their entire supply chain. If a subcontractor exclusively handles FCI, or only resells standard COTS components without receiving CUI technical data, the regulation does not require Level 2 regardless of what the prime requests. The prime may still make Level 2 a commercial condition of the subcontract, but that is a negotiation, not a regulatory trigger.
→ Review the actual contract clauses. DFARS 252.204-7012 signals CUI and therefore Level 2; DFARS 252.204-7021 states the CMMC level the contract requires. FAR 52.204-21 on its own indicates FCI and Level 1. The prime's preference is not the governing document.
Trap 02: The Copy-Paste Scope Expansion
Companies routinely assume accounting, HR, or project management software sits outside CMMC scope. The moment an employee copies contract data from a DoD document into QuickBooks, Salesforce, or a project management tool for job costing or tracking, that system is now processing FCI — and immediately enters Level 1 assessment scope. CUI copied into any system brings that system into Level 2 scope.
→ Map every system where DoD contract data lands — not just where it originates. Scope follows the data, not the intent.
Trap 03: Assuming CUI Status Without Verification
Not all sensitive-sounding information is legally designated CUI. CUI must be formally designated by a DoD authority and marked on the document or transmission. Some contractors self-designate data as CUI and build costly Level 2 programs unnecessarily. Others receive genuinely CUI-marked data and don't recognize it because no one has reviewed the National Archives CUI Registry categories.
→ Check whether documents your organization receives carry an official CUI designation marking. Ask your contracting officer in writing if uncertain.
Trap 04: Treating the Level 1 to Level 2 Transition as Incremental
Organizations adding a CUI-generating contract to an existing Level 1 program sometimes treat the transition as additive: 15 requirements, now add 95 more. Level 2 is not an extension of Level 1. It requires a formal SSP, a documented assessment boundary, FIPS-validated cryptography for CUI in transit and at rest, POA&M governance, and a C3PAO-ready evidence package. The gap is architectural, not incremental.
→ Treat the Level 1 to Level 2 transition as a new compliance program, not an upgrade. Budget time and resources accordingly.
How do you determine which CMMC level a contract requires?
Work through these questions sequentially. The first "yes" answer determines your required level. If a contract involves multiple data types, the most sensitive type governs the entire assessment scope for that system.
CMMC Level Selection — Sequential Decision Rules
Question 01: Does your organization process, store, or transmit Controlled Unclassified Information (CUI), such as controlled technical drawings, export-controlled data, or defense system specifications?
YES → CMMC Level 2 Required
CUI triggers Level 2 regardless of contract size, company size, or prime contractor instructions. Full implementation of all 110 NIST SP 800-171 requirements is required, with a C3PAO assessment in Year 1 of each 3-year cycle.
NO → Proceed to Question 2
You do not handle CUI in this contract or system. Continue to the next question.
Question 02: Does your organization process, store, or transmit Federal Contract Information (FCI), non-public contract data such as DoD delivery schedules, pricing, or procurement correspondence?
YES → CMMC Level 1 Required
Implement the 15 basic safeguarding requirements of FAR 52.204-21. Conduct an annual self-assessment and enter the result in SPRS each year. A senior official must sign each affirmation.
NO → Proceed to Question 3
You do not handle FCI in this contract. Continue to the next question.
Question 03: Do you supply only unmodified, commercially available off-the-shelf (COTS) items in the same form as sold to the general public, with no DoD-specific modifications and no FCI or CUI data flow?
YES → Likely Exempt
The COTS exclusion in DFARS 252.204-7021(f) generally applies. Confirm with your contracting officer that no FCI or CUI flows through the subcontract. Any product modification or data flow removes the exemption entirely.
NO → Consult Contracting Officer
If the contract involves federal work but does not fit any category above, ask your contracting officer in writing. Document the response. Never assume exemption without explicit written confirmation.
Flowchart: CMMC level selection decision tree — CUI triggers Level 2, FCI triggers Level 1, COTS may be exempt.
Important
The decision tree applies per contract and per system — not once for the whole organization. A company can simultaneously hold Level 1 contracts, Level 2 contracts, and COTS-exempt contracts. Systems that handle data from multiple contracts must be scoped to the highest applicable level.
The Bottom Line
Review each contract for DFARS 252.204-7012 and DFARS 252.204-7021: 7012 signals CUI and therefore Level 2, and 7021 states the CMMC level the contract requires. If only FAR 52.204-21 appears, Level 1 applies. Map every system where DoD contract data lands, not just where it originates, and define your assessment scope based on actual data flow rather than organizational assumptions. When uncertain about data classification, ask the contracting officer in writing and keep the response. Treat every SPRS affirmation for what it legally is: a signed representation to the federal government.
The decision tree applies per contract and per system. Build your compliance program for the correct level based on actual contract language, and budget for the continuous obligation that follows.
The question is not "what level can we get away with?" It is "what level does our data actually require?" Answer that accurately — in writing, from your contracting officer if uncertain — and every other CMMC decision follows logically from there.