
CMMC Level 1 vs Level 2

FCI vs CUI, Self-Assessment vs C3PAO, and What Triggers Each Level

Your required CMMC level is not determined by company size, contract value, or what your prime contractor demands. It is determined by one thing: the type of federal information your organization handles. Get that classification wrong and you will either over-engineer your compliance program or face enforcement action for operating at the wrong level.

CMMC Level 1 and Level 2 reflect two fundamentally different risk environments. Level 1 covers organizations handling Federal Contract Information (FCI) — basic, non-public contract data. Level 2 covers organizations handling Controlled Unclassified Information (CUI) — sensitive technical, operational, or research data carrying legal handling obligations under federal law.

The assessment process, the documentation requirements, and the ongoing compliance burden are substantially different between the two levels. The table below shows the gap at a glance.

CMMC Level 1 (Foundational)

Triggered by: Federal Contract Information (FCI)
Clause: FAR 52.204-21
Controls: 17 foundational practices
Assessment: Annual self-assessment — no third party required
Who signs: Senior official affirms score to SPRS annually
SSP: Not mandated, but strongly advisable
Certificate: No formal certificate — SPRS affirmation is the record

CMMC Level 2 (Advanced)

Triggered by: Controlled Unclassified Information (CUI)
Clause: DFARS 252.204-7021 + 32 CFR Part 202
Controls: 110 practices across 14 NIST 800-171 domains
Assessment: Triennial C3PAO audit + annual self-assessments in Years 2–3
Who signs: Senior official affirms score to SPRS every year
SSP: Mandatory — assessed by C3PAO on Day 1
Certificate: CMMC certificate issued by C3PAO, valid for 3 years

FCI vs CUI: How to Tell Which One You Handle

The distinction between FCI and CUI is the threshold that determines whether your compliance program costs tens of thousands of dollars or hundreds of thousands. Both are non-public federal information — but CUI carries specific legal handling requirements under federal law and regulation.

Federal Contract Information (FCI) → Level 1
Information provided by or generated for the government under a contract to develop or deliver a product or service — not intended for public release.
Governing clause: FAR 52.204-21
Examples:
- DoD delivery schedules and project timelines
- Contract pricing not publicly released
- Procurement correspondence and status updates
- Non-sensitive administrative contract documentation

Controlled Unclassified Information (CUI) → Level 2
Information the government creates or possesses that requires safeguarding per law, regulation, or government-wide policy — formally designated and marked by a DoD authority.
Governing clause: 32 CFR Part 202
Examples:
- Controlled technical drawings and schematics
- Export-controlled data (ITAR/EAR regulated)
- Defense system specifications and design documents
- Naval and aviation maintenance data

The practical test: if your contract involves technical work product — engineering, design, research, manufacturing — the data flowing through it is almost certainly CUI. If it is purely logistical — shipping, scheduling, basic services — it is more likely FCI. When uncertain, ask the contracting officer in writing and document the response.

What Requirements Apply at Each Level

The operational gap between Level 1 and Level 2 is not incremental — it is a qualitative shift in the scale and formality of your entire security program. Level 1 requires basic hygiene. Level 2 requires a formally documented, third-party-verified implementation of all 110 NIST 800-171 controls.

Controls
Level 1: 17 foundational practices — access control, password requirements, malware protection, physical safeguards
Level 2: 110 practices across 14 domains — access control, incident response, risk assessment, system integrity, configuration management, media protection, and more

SSP
Level 1: Not formally mandated — documenting your 17 controls is advisable protection against FCA exposure
Level 2: Mandatory. Assessed by the C3PAO lead assessor on Day 1. Without it, there is no assessment.

Assessor
Level 1: Organization assesses itself. No third party reviews the submission.
Level 2: Must be conducted by an accredited C3PAO in Year 1. Self-assessment required in Years 2 and 3.

SPRS Score
Level 1: Pass/fail affirmation — 17 practices are either implemented or not
Level 2: Numerical score from −203 to +110 based on the NIST 800-171 DoD assessment methodology, with weighted point values per control

POA&Ms
Level 1: Not applicable at Level 1
Level 2: Eligible for minor deficiencies if score ≥ 88/110 and no 5-point controls are missing. Strict 180-day closeout deadline.

Annual Affirmations and the Continuous Obligation Concept

The most consequential misunderstanding in the defense supply chain is treating CMMC as a one-time hurdle. A Level 2 C3PAO certificate is valid for three years — but the compliance obligation runs every day of every contract it supports.

The Level 2 Triennial Compliance Cycle — 3-Year Certification Period

Year 1: C3PAO Independent Assessment
Accredited third-party auditor conducts full assessment. Certificate issued. CMMC UID recorded in SPRS. 3-year clock starts.

Year 2: Annual Self-Assessment (FCA risk)
Organization evaluates its own continued compliance against all 110 controls. Senior official affirms score to SPRS.

Year 3: Annual Self-Assessment (FCA risk)
Same process as Year 2. Senior official affirms score to SPRS. New C3PAO assessment must be scheduled before expiration.

Continuous Obligation: All 110 controls must be maintained every day of the 3-year cycle — not just on assessment day. A lapse in Month 14, even temporary, can invalidate the affirmation if a breach or investigation follows.

Each SPRS affirmation — at both Level 1 and Level 2 — is a legal representation to the federal government signed by a senior official. The legal exposure from an inaccurate affirmation is direct and significant.

The Invoice Attestation Risk
Every time a contractor submits an invoice to the DoD, they are implicitly attesting that they remain in compliance with all applicable CMMC requirements for that contract. A contractor who is not meeting their required controls — while continuing to invoice and receive payment — is making a false claim with each submission. This is how the False Claims Act reaches cybersecurity non-compliance between formal SPRS affirmation dates.

Common Level-Selection Mistakes That Force a Re-Scope

The most expensive CMMC mistakes happen before a single control is implemented — when an organization misclassifies its data type and builds a compliance program at the wrong level. Four patterns appear repeatedly across the defense supply chain.

Trap 01: The Prime Contractor Blanket Demand

Primes frequently issue blanket requirements mandating Level 2 across their entire supply chain. If a subcontractor exclusively handles FCI — or only resells standard COTS components without receiving CUI technical data — they do not require Level 2 regardless of what the prime requests.

→ Review the actual contract clauses. DFARS 252.204-7021 triggers Level 2. FAR 52.204-21 triggers Level 1. The prime's preference is not the governing document.
Trap 02: The Copy-Paste Scope Expansion

Companies routinely assume accounting, HR, or project management software sits outside CMMC scope. The moment an employee copies contract data from a DoD document into QuickBooks, Salesforce, or a project management tool for job costing or tracking, that system is now processing FCI — and immediately enters Level 1 assessment scope. CUI copied into any system brings that system into Level 2 scope.

→ Map every system where DoD contract data lands — not just where it originates. Scope follows the data, not the intent.
Trap 03: Assuming CUI Status Without Verification

Not all sensitive-sounding information is legally designated CUI. CUI must be formally designated by a DoD authority and marked on the document or transmission. Some contractors self-designate data as CUI and build costly Level 2 programs unnecessarily. Others receive genuinely CUI-marked data and don't recognize it because no one has reviewed the National Archives CUI Registry categories.

→ Check whether documents your organization receives carry an official CUI designation marking. Ask your contracting officer in writing if uncertain.
Trap 04: Treating the Level 1 to Level 2 Transition as Incremental

Organizations adding a CUI-generating contract to an existing Level 1 program sometimes treat the transition as additive — 17 controls, now add 93 more. Level 2 is not an extension of Level 1. It requires a formal SSP, a documented assessment boundary, FIPS-validated cryptography, POA&M governance, and a C3PAO-ready evidence package. The gap is architectural, not incremental.

→ Treat the Level 1 to Level 2 transition as a new compliance program, not an upgrade. Budget time and resources accordingly.

Decision Tree: Which Level Do We Need for This Contract?

Work through these questions sequentially. The first "yes" answer determines your required level. If a contract involves multiple data types, the most sensitive type governs the entire assessment scope for that system.

CMMC Level Selection — Sequential Decision Rules
Question 01: Does your organization process, store, or transmit Controlled Unclassified Information (CUI) — such as controlled technical drawings, export-controlled data, or defense system specifications?
YES → CMMC Level 2 Required
CUI triggers Level 2 regardless of contract size, company size, or prime contractor instructions. Full implementation of all 110 NIST SP 800-171 controls required. Triennial C3PAO assessment in Year 1.
NO → Proceed to Question 2
You do not handle CUI in this contract or system. Continue to the next question.
Question 02: Does your organization process, store, or transmit Federal Contract Information (FCI) — non-public contract data such as DoD delivery schedules, pricing, or procurement correspondence?
YES → CMMC Level 1 Required
Implement the 17 foundational practices under FAR 52.204-21. Conduct an annual self-assessment. Upload the affirmed score to SPRS each year. A senior official must sign each affirmation.
NO → Proceed to Question 3
You do not handle FCI in this contract. Continue to the next question.
Question 03: Do you supply only unmodified, commercially available off-the-shelf (COTS) items in the same form as sold to the general public — with no DoD-specific modifications and no FCI or CUI data flow?
YES → Likely Exempt
The COTS exclusion in DFARS 252.204-7021(f) generally applies. Confirm with your contracting officer that no FCI or CUI flows through the subcontract. Any product modification or data flow removes the exemption entirely.
NO → Consult Contracting Officer
If the contract involves federal work but does not fit any category above, ask your contracting officer in writing. Document the response. Never assume exemption without explicit written confirmation.
Important: The decision tree applies per contract and per system — not once for the whole organization. A company can simultaneously hold Level 1 contracts, Level 2 contracts, and COTS-exempt contracts. Systems that handle data from multiple contracts must be scoped to the highest applicable level.
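As an added illustration that is not part of the original article, the three sequential questions and the "highest applicable level" scoping rule can be written as a small Python model. It goes one step beyond the text by applying the rules per system rather than per contract, so that data copied into a shared tool (the Trap 02 case) pulls that tool into the higher scope; all contract and system names are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Level(IntEnum):
    # Ordered so that max() picks the governing level for a shared system.
    NOT_IN_SCOPE = 0  # no FCI or CUI data flow (e.g. unmodified COTS resale)
    LEVEL_1 = 1       # FCI present (FAR 52.204-21)
    LEVEL_2 = 2       # CUI present (DFARS 252.204-7021)

@dataclass(frozen=True)
class Contract:
    name: str
    handles_cui: bool = False  # formally designated and marked CUI
    handles_fci: bool = False  # non-public contract information
    cots_only: bool = False    # unmodified items, same form as sold to the public

def contract_level(c: Contract) -> Optional[Level]:
    """Questions 1-3 in order; the first yes wins.
    None means no rule matched: ask the contracting officer in writing."""
    if c.handles_cui:
        return Level.LEVEL_2
    if c.handles_fci:
        return Level.LEVEL_1
    if c.cots_only:
        return Level.NOT_IN_SCOPE
    return None

def system_level(contracts_on_system: List[Contract]) -> Optional[Level]:
    """Scope follows the data: a system takes the highest level of any contract
    whose data lands on it, including data copied in for costing or tracking.
    One undetermined contract leaves the whole system undetermined."""
    levels = [contract_level(c) for c in contracts_on_system]
    if any(lvl is None for lvl in levels):
        return None
    return max(levels, default=Level.NOT_IN_SCOPE)

# Constructed sample (hypothetical names): which contracts' data reaches which system.
DRAWINGS = Contract("cui-drawings-contract", handles_cui=True)
LOGISTICS = Contract("fci-logistics-contract", handles_fci=True)
RESALE = Contract("cots-resale-contract", cots_only=True)
UNCLEAR = Contract("unmarked-services-contract")  # no CUI marking, no FCI identified
SAMPLE_SYSTEMS = {
    "engineering-file-server": [DRAWINGS],
    "accounting-app": [LOGISTICS, DRAWINGS],  # CUI pasted in for job costing
    "web-storefront": [RESALE],
    "shared-mailbox": [LOGISTICS, UNCLEAR],
}
SCOPE = {name: system_level(cs) for name, cs in SAMPLE_SYSTEMS.items()}
```

The accounting app ends up at Level 2 even though its "own" contract is FCI-only, and the shared mailbox cannot be scoped until the unmarked contract is resolved with the contracting officer.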

The Bottom Line

CMMC level selection is a legal determination — not a compliance formality. The trigger is the data type. The obligation is continuous. The consequences of misclassification run in both directions: over-scoping wastes resources; under-scoping creates enforcement risk and FCA exposure on every SPRS affirmation and every invoice submitted under the contract.

Determine your data type from your actual contract language. Build your compliance program for the correct level. Treat every SPRS affirmation for what it legally is — a sworn representation to the federal government.

The question is not "what level can we get away with?" It is "what level does our data actually require?" Answer that accurately — in writing, from your contracting officer if uncertain — and every other CMMC decision follows logically from there.