Your company just received a request for proposal from a DoD contractor, or maybe you're already working with CUI and someone in procurement forwarded you a contract clause about CMMC. Now you're trying to figure out whether you need CMMC Level 1 or Level 2, and what that decision means for your budget, timeline, and operations.

The answer isn't determined by what you think sounds reasonable or what a consultant tells you during a sales call. It's written into your contract requirements. The difference between CMMC Level 1 and Level 2 isn't academic—it represents a significant gap in certification cost, preparation time, and ongoing compliance burden.

I've worked with defense contractors navigating this question, and the pattern I see is consistent: organizations waste time and money pursuing the wrong level because they didn't read their contracts carefully or misunderstood what types of information they actually handle. This article walks through how to make that determination correctly.

The Contract Tells You Which Level You Need

CMMC levels aren't optional tiers where you pick the one that fits your comfort zone. The requirement flows directly from what the DoD calls your "CUI footprint"—whether you handle Federal Contract Information (FCI) only, or if you also process, store, or transmit Controlled Unclassified Information (CUI).

Your contract will specify this. Look for clauses like DFARS 252.204-7012, which indicates CUI handling and points toward Level 2. If your contract only references DFARS 252.204-7019 or mentions basic federal contract information protection, you're likely looking at Level 1.

Here's the practical distinction: FCI is information provided by or generated for the government under a contract that isn't intended for public release. Think contract deliverables, pricing information, project schedules. CUI is a broader category that includes technical data, export-controlled information, and anything marked or identified as controlled under specific regulations like ITAR or EAR.

The confusion happens when contractors assume they only have FCI because they haven't seen anything stamped "CUI" or marked as controlled. That's backwards. If you're working with technical drawings, specifications, software source code, or anything related to defense articles or military applications, you're almost certainly handling CUI whether or not someone drew your attention to it.

CMMC Level 1: What It Actually Requires

Level 1 addresses Federal Contract Information protection through 17 practices drawn from NIST SP 800-171. These are foundational controls: access control basics, some incident response capability, media protection, physical security, system and information integrity fundamentals.

The assessment is an annual self-assessment. You attest that you've implemented these 17 practices. There's no third-party auditor showing up to verify your implementation. This makes Level 1 significantly less expensive and faster to achieve than Level 2, but don't mistake "self-assessment" for "no accountability." You're certifying compliance in a federal contract context. Misrepresentation has consequences.

In my experience, most organizations pursuing Level 1 need to address gaps in access management, incident response documentation, and media sanitization procedures. The technical lift isn't massive, but it requires discipline. You need policies, you need to follow them, and you need evidence that you're doing both.

Common gaps I see in Level 1 preparations:

The actual cost of Level 1 certification depends heavily on your starting point. If you're already managing IT systematically, you might spend $15,000-$30,000 on gap assessment, policy development, and implementation support. If you're starting from an unmanaged environment with no existing documentation, triple that estimate.


CMMC Level 2: A Different Scale of Commitment

Level 2 implements all 110 security requirements from NIST SP 800-171, and it requires third-party assessment by a CMMC Third Party Assessor Organization (C3PAO). This is where CMMC Level 1 and Level 2 diverge sharply in terms of cost, complexity, and operational impact.

The 110 practices cover the full scope of security controls: comprehensive access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

This isn't a checkbox exercise. The C3PAO will validate that controls are not just documented but actually implemented and effective. They'll review your System Security Plan (SSP), your Plan of Action and Milestones (POA&M), and they'll test controls directly. They'll want to see evidence: logs showing that access reviews happen, tickets demonstrating incident response, configuration baselines proving change management.

The pattern I see with organizations underestimating Level 2: they focus on the technical controls—firewalls, encryption, endpoint protection—and ignore the governance layer. Level 2 assumes you have a functioning security program with defined roles, regular assessments, continuous monitoring, and a documented approach to risk management. If you don't have those foundations, you're not ready for assessment regardless of your technology stack.

The System Security Plan Requirement

Your SSP is the cornerstone document for Level 2. It describes your assessment boundary (which systems are in scope), how you've implemented each of the 110 practices, and where you have gaps documented in your POA&M. Writing an SSP for the first time typically takes 80-120 hours of focused work by someone who understands both your environment and NIST 800-171.

This isn't a template you download and fill in. It requires mapping your actual security controls to each requirement, explaining your implementation approach, and providing evidence. Most organizations need outside help here, either from consultants who specialize in CMMC preparation or through a vCISO engagement that includes compliance support.

The Assessment Process and Timeline

A C3PAO assessment takes several days of on-site or remote evaluation. Before that happens, you need to be assessment-ready: SSP complete, controls implemented, evidence collected and organized, staff trained on what to expect during assessment interviews.

From "we need Level 2" to "we're certified," expect 12-18 months for most small to mid-sized contractors starting from a relatively immature security posture. Organizations with existing compliance programs—maybe you're already managing regulatory compliance frameworks like HIPAA or have ISO 27001 certification—can compress that timeline to 6-9 months.


Reading Your Contract for CMMC Requirements

Contract clauses tell you what you need. Here's how to decode them:

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): This clause means you're handling CUI. You need CMMC Level 2. The clause explicitly requires contractors to implement NIST SP 800-171 security requirements, which is exactly what Level 2 assesses.

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements): This clause can appear for both FCI and CUI, but if it's the only security-related clause in your contract and references only basic information protection, you might be Level 1. Read it in context with the overall contract scope.

DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): This clause requires DoD assessment (or in CMMC terms, third-party assessment). It indicates Level 2.

DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements): This is the CMMC clause itself. It will explicitly state which CMMC level your contract requires.

If you're inheriting a contract from a teammate or working as a subcontractor, don't assume the prime has correctly flowed down requirements. I've seen cases where primes misunderstood their own CMMC obligations and under-specified requirements in subcontracts. When in doubt, ask the contracting officer directly.
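As an added example (not code from the original article), here is a small Python script that applies the clause-reading rules above to the text of a contract: it finds DFARS 252.204-70xx clause references, gives a 7021 clause that names a level precedence, treats 7012 or 7020 as an indicator of Level 2, and treats 7019 on its own as "likely Level 1, read in context". The clause interpretations are the article's; the regular expressions, the data structure, and the sample contract snippets are mine and constructed for illustration.

```python
import re
from dataclasses import dataclass

# What this section of the article says each clause indicates. The clause numbers
# are real DFARS clauses; the one-line interpretation is the article's.
CLAUSE_MEANING = {
    "7012": "Safeguarding Covered Defense Information: CUI handling, points to Level 2",
    "7019": "Notice of NIST SP 800-171 DoD Assessment Requirements: read in context",
    "7020": "NIST SP 800-171 DoD Assessment Requirements: indicates Level 2",
    "7021": "CMMC Requirements: states the required level explicitly",
}

# Matches "DFARS 252.204-7012", "252.204-7021", etc. The "DFARS" prefix is optional
# because contracts cite clauses both ways. (Regex is an assumption of this example.)
CLAUSE_RE = re.compile(r"(?:DFARS\s+)?252\.204-(70(?:12|19|20|21))\b", re.IGNORECASE)

# Matches an explicit level statement such as "CMMC Level 2". The article discusses
# Levels 1 and 2; a stated Level 3 is passed through unchanged.
LEVEL_RE = re.compile(
    r"(?:CMMC|Cybersecurity Maturity Model Certification)\s+Level\s+([123])\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Determination:
    level: str        # "1", "2", "3" or "undetermined"
    confidence: str   # "explicit", "indicated", "likely" or "none"
    clauses: tuple    # clause suffixes found, e.g. ("7012", "7019")
    rationale: tuple  # one line per finding, kept as an audit trail


def determine_level(contract_text: str) -> Determination:
    """Apply the article's precedence rules to the clauses cited in contract_text."""
    clauses = tuple(sorted({m.group(1) for m in CLAUSE_RE.finditer(contract_text)}))
    rationale = [f"252.204-{c}: {CLAUSE_MEANING[c]}" for c in clauses]

    # Rule 1: a 7021 clause that names the level is authoritative.
    if "7021" in clauses:
        stated = [m.group(1) for m in LEVEL_RE.finditer(contract_text)]
        if stated:
            level = max(stated)  # highest stated level governs if several appear
            rationale.append(f"7021 clause states CMMC Level {level}")
            return Determination(level, "explicit", clauses, tuple(rationale))
        rationale.append("7021 present but no level statement found; "
                         "confirm with the contracting officer")

    # Rule 2: 7012 (CUI safeguarding) or 7020 (DoD assessment) indicates Level 2.
    if "7012" in clauses or "7020" in clauses:
        return Determination("2", "indicated", clauses, tuple(rationale))

    # Rule 3: 7019 alone is likely Level 1, but only when read in context.
    if clauses == ("7019",):
        rationale.append("7019 is the only security clause; likely Level 1, "
                         "read in context with the overall contract scope")
        return Determination("1", "likely", clauses, tuple(rationale))

    # No usable clause: the answer has to come from the contracting officer.
    rationale.append("no DFARS 252.204-70xx clause cited; ask the contracting officer")
    return Determination("undetermined", "none", clauses, tuple(rationale))


# Constructed sample snippets (not from any real contract), one per rule.
SAMPLES = {
    "cui_clauses": "The contractor shall comply with DFARS 252.204-7012 and DFARS 252.204-7019.",
    "notice_only": "This contract includes DFARS 252.204-7019 only, covering basic "
                   "safeguarding of federal contract information.",
    "explicit": "DFARS 252.204-7021 applies. The contractor shall achieve CMMC Level 2 "
                "certification prior to award.",
    "silent": "Standard terms and conditions apply.",
}


def run_samples() -> dict:
    """Return {sample name: (level, confidence)} for each constructed snippet."""
    return {name: (d.level, d.confidence)
            for name, d in ((n, determine_level(t)) for n, t in SAMPLES.items())}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        d = determine_level(text)
        print(f"{name}: Level {d.level} ({d.confidence})")
        for line in d.rationale:
            print("   -", line)
```

The script only flags what the contract text says; the rationale lines are there so the determination can be shown to a contracting officer or a prime, which matters given the flow-down problem described above. It does not inspect what information you actually handle, so a "likely Level 1" result is a prompt to read the contract scope, not a conclusion.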


The Cost Difference Between Levels

Level 1 costs are primarily internal effort plus modest consulting support if needed. Self-assessment doesn't require paying a C3PAO. Your expenses are gap remediation, policy documentation, and annual re-assessment time.

Budget estimate for Level 1 (first year):

Total first-year range: $28,000-$88,000, heavily dependent on your starting maturity and internal versus external resource mix.

Level 2 costs are substantially higher because you're implementing 110 controls and paying for third-party assessment. The C3PAO assessment itself typically runs $20,000-$60,000 depending on your environment's complexity, number of sites, and assessment scope. But that assessment cost is often the smallest piece of your total Level 2 budget.

Budget estimate for Level 2 (first certification cycle):

Total first certification cycle range: $193,000-$595,000. Most small to mid-sized defense contractors fall in the $250,000-$400,000 range when accounting for both external support and internal staff time.

Ongoing annual costs for Level 2 (re-certification every three years, but continuous compliance in between):

These numbers shock organizations accustomed to treating cybersecurity as an IT line item. That's the reality. Level 2 CMMC isn't a project you complete and forget. It's an operational program requiring dedicated resources, both human and financial.


When Organizations Get This Wrong

The most common mistake: assuming you only need Level 1 because you don't see "CUI" stamped on every document. CUI isn't always explicitly marked, especially in contracts that predate current marking requirements. If you're working with technical data, specifications, or drawings related to defense systems, you're handling CUI.

I've seen contractors proceed with Level 1 self-certification, win contract renewals based on that attestation, and then face DCAA audits or DCMA reviews that identified undisclosed CUI. At that point, you're explaining to a contracting officer why you certified the wrong level. That conversation doesn't go well.

The second mistake: trying to implement Level 2 without understanding the difference between compliance and actual security. You can buy every tool your consultant recommends, but if you don't have someone managing those tools, analyzing the data, and responding to findings, you're not compliant. The C3PAO will identify that gap immediately.

Third mistake: treating CMMC as an IT project rather than an organizational program. Level 2 requires involvement from HR (personnel security), facilities (physical controls), procurement (supply chain risk), legal (incident reporting obligations), and executive leadership (risk acceptance decisions). IT can't deliver CMMC in isolation.

Making the Level Decision When It's Unclear

Sometimes contract language is ambiguous, or you're bidding on new work where CMMC requirements aren't yet fully specified. In those cases, here's how to think through the decision:

If you handle any technical data related to defense articles, assume Level 2. Technical data package (TDP) work, engineering drawings, software code for defense systems, specifications for military equipment—all CUI, all Level 2.

If you're only receiving contract deliverables or administrative information from DoD customers, and you're not involved in defense production or technical services, you're likely Level 1. Examples: janitorial services at DoD facilities, landscaping contracts, non-technical administrative support.

When in doubt, default to Level 2 preparation. It's better to be over-prepared and discover you only needed Level 1 than to realize mid-contract that you've been operating under incorrect assumptions. The financial and reputational cost of the latter far exceeds the incremental expense of the former.

One practical approach: engage a consultant with CMMC assessment experience (not someone selling you products) to perform a CUI identification exercise. They'll review your contract portfolio, interview key staff about information handling, and map your actual data flows against CUI categories. This typically costs $5,000-$12,000 and provides defensible documentation of your CMMC level determination.

The Strategic Implications of Your CMMC Level

Your CMMC level determines which contracts you can compete for. Level 1 opens basic DoD subcontracting opportunities. Level 2 opens the broader defense industrial base market, including prime contracts and work involving significant CUI.

This creates strategic choices. Some smaller contractors decide to exit the DoD market rather than invest in Level 2 compliance. That's a legitimate business decision if your DoD revenue doesn't justify the compliance cost. But understand that you're not just foregoing current contracts—you're closing off future growth in that market.

Other organizations pursue Level 2 certification as a market differentiator even when their current contracts only require Level 1. If you're trying to move upstream in the supply chain or win prime contracts, demonstrating Level 2 compliance before you need it can be a competitive advantage. Not many small contractors have made that investment yet.

The timing matters too. CMMC rollout is happening in phases. Early adopters who certify now—while many competitors are still trying to figure out their requirements—position themselves for contract opportunities as requirements become mandatory. Organizations that wait until they lose a bid due to missing CMMC certification will face an 18-month gap before they can compete again.

From a CISO perspective, the question isn't really "what's the minimum level I can get away with?" It's "what level of security maturity does my business strategy require?" If you're serious about DoD work, you need Level 2 whether your current contracts require it or not. The market is moving that direction, and certification timelines mean you can't wait until a specific RFP drops.

For organizations concerned about the intersection of different compliance frameworks, understanding how compliance and security relate can help you build programs that address multiple requirements efficiently rather than treating each framework as a separate effort.

How to Start Regardless of Level

Whether you determine you need CMMC Level 1 or Level 2, start with an honest gap assessment. Not a vendor's "free assessment" designed to sell you products, but an objective evaluation of your current security posture against the specific CMMC requirements.

For Level 1, you can perform much of this assessment internally if you have someone with security knowledge. Map your current practices against the 17 Level 1 requirements, identify gaps, prioritize remediation, and document your implementation. Budget 60-80 hours of focused work.

For Level 2, bring in external expertise unless you have dedicated security staff with NIST 800-171 experience. The gap assessment alone typically requires 40-60 hours of interviews, documentation review, and technical evaluation. The resulting gap analysis should give you a costed remediation roadmap with realistic timelines.

Don't start by buying tools. Start by understanding your current state, your target state, and the delta between them. Then make informed decisions about which controls require technology, which require process change, and which require both.

Security and privacy aren't separate concerns in the CMMC context—many Level 2 controls address data protection requirements that overlap with privacy principles. Organizations already managing privacy obligations may find that existing practices translate well to CMMC requirements, particularly around access control, data minimization, and incident response. When building an integrated approach, keep in mind that privacy protection fundamentals often align with foundational security controls.

The organizations that handle CMMC well treat it as an opportunity to mature their security programs rather than a burden to minimize. They invest appropriately, build sustainable processes, and integrate compliance into their operational rhythm. The organizations that struggle treat it as a one-time certification exercise, cut corners on implementation, and face continuous firefighting to maintain compliance.

Your CMMC level isn't a choice, but how you respond to the requirement is. Whether you need Level 1 or Level 2, the question is whether you'll build a defensible, sustainable program or try to manufacture compliance for an assessment. The first approach costs more upfront but less over time. The second approach never actually works.
