CMMC Level I vs. Level II: Which Certification Does Your Business Need?

One of the most common questions from businesses entering the defense market is: "Which CMMC level do I need?" The answer depends on the type of information you'll handle and the contracts you're pursuing. This comprehensive guide breaks down the differences between CMMC Level 1 and Level 2, helping you make the right choice for your business.

CMMC Overview: Understanding the Framework

The Cybersecurity Maturity Model Certification (CMMC) 2.0 establishes three certification levels, each building upon the previous:

Level 1 (Foundational) — Basic cyber hygiene practices for all defense contractors

Level 2 (Advanced) — Comprehensive security aligned with NIST SP 800-171 for CUI handlers

Level 3 (Expert) — Enhanced security for critical defense programs (rarely required for small businesses)

Most small businesses will need either Level 1 or Level 2. Understanding which level applies to your situation is crucial for planning your certification investment and timeline.

Level 1: Foundational Cyber Hygiene

Who Needs Level 1 Certification?

Any company that handles Federal Contract Information (FCI) must achieve at least Level 1. FCI is defined as information provided by or generated for the government under a contract. This includes:

Contract documents and official correspondence

Technical specifications provided by the government

Pricing, cost data, and billing information

Delivery schedules and logistics information

Any other data created or obtained in performance of a federal contract

If you have any federal contract, you almost certainly handle FCI and need Level 1 certification.

Level 1 Requirements

Level 1 establishes the foundation of cybersecurity with 17 security practices based on FAR 52.204-21:

Key compliance elements:

Annual self-assessment — No third-party audit required

SPRS score submission — Submit your self-assessment score to the Supplier Performance Risk System

Basic security controls — Fundamental practices every business should have

The 17 Level 1 Practices

These foundational practices cover five security domains:

Access Control (4 practices):

Limit system access to authorized users

Limit system access to authorized transaction types

Verify and control connections to external systems

Control information posted on publicly accessible systems

Identification and Authentication (2 practices):

Identify system users and processes

Authenticate user identities

Media Protection (1 practice):

Sanitize or destroy media containing FCI before disposal

Physical Protection (4 practices):

Limit physical access to systems

Escort visitors and monitor activity

Maintain audit logs of physical access

Monitor and control communications at boundaries

System and Communications Protection (2 practices):

Implement subnetworks for public systems

Monitor system security alerts

System and Information Integrity (4 practices):

Identify and fix system flaws timely

Provide malicious code protection

Update malicious code mechanisms

Perform periodic system scans

Level 1 Investment Requirements

Cost Factor

Estimated Range

|-------------|-----------------|

Implementation cost	$5,000-$25,000
Timeline	4-12 weeks
Annual maintenance	$2,000-$10,000
Assessment type	Self-assessment

Level 1 is achievable for most small businesses with focused effort and represents the minimum entry requirement for defense contracting.

Level 2: Advanced Cybersecurity for CUI

Who Needs Level 2 Certification?

Any company that handles Controlled Unclassified Information (CUI) must achieve Level 2. CUI is sensitive but unclassified information that requires safeguarding or dissemination controls. Examples include:

Technical drawings and specifications marked as CUI

Export-controlled information (ITAR/EAR controlled data)

Critical infrastructure security information

Proprietary defense-related data

Personally identifiable information in defense contexts

Any information the government specifically marks as CUI

Level 2 Requirements

Level 2 is significantly more comprehensive, requiring 110 security practices aligned with NIST SP 800-171 Revision 2:

Key compliance elements:

Third-party assessment — Required for critical programs (by C3PAO - Certified CMMC Third-Party Assessment Organization)

Self-assessment — Allowed for non-critical programs

Plan of Action and Milestones (POA&M) — Permitted for up to 1 year for gap closure

Additional Practices Beyond Level 1

Level 2 adds 93 practices across 14 domains, significantly expanding security requirements:

Domain

Level 1

Level 2

Additional Practices

|--------|---------|---------|---------------------|

Access Control	4	22	18 additional
Awareness & Training	0	3	3 new practices
Audit & Accountability	0	9	9 new practices
Configuration Management	0	9	9 new practices
Identification & Authentication	2	11	9 additional
Incident Response	0	3	3 new practices
Maintenance	0	6	6 new practices
Media Protection	1	9	8 additional
Personnel Security	0	2	2 new practices
Physical Protection	4	6	2 additional
Risk Assessment	0	3	3 new practices
Security Assessment	0	4	4 new practices
System & Comm Protection	2	16	14 additional
System & Info Integrity	4	7	3 additional

Level 2 Investment Requirements

Cost Factor

Estimated Range

|-------------|-----------------|

Implementation cost	$50,000-$250,000
Third-party assessment	$30,000-$75,000
Timeline	6-18 months
Annual maintenance	$15,000-$50,000

Level 2 requires substantial investment but opens access to significantly more contract opportunities.

Decision Framework: Which Level Do You Need?

Choose Level 1 If:

Your contracts only involve FCI, not CUI

You don't handle technical drawings or specifications

You're a general supplier of commercial items (COTS)

You're just beginning your defense market entry

Your contract values are below the simplified acquisition threshold

You want to establish foundational security before advancing

Choose Level 2 If:

Your contracts explicitly involve CUI

You receive technical data packages from the government

You work with export-controlled information (ITAR/EAR)

You're a subcontractor to a prime contractor handling CUI

Your contract includes DFARS 252.204-7012 clause

You're pursuing contracts on critical defense programs

Diagnostic Questions to Determine Your Level

Ask yourself these questions:

Does your contract include DFARS 252.204-7012? → If yes, you need Level 2

Do you handle any information marked as CUI? → If yes, you need Level 2

Do you receive technical data packages from the government? → If yes, likely Level 2

Are you working on programs involving classified or sensitive information? → If yes, Level 2

Has your prime contractor told you CUI flows down to your level? → If yes, you need Level 2

If you answered "yes" to any of these questions, you need Level 2 certification.

The Strategic Transition Path: Level 1 to Level 2

Many businesses successfully start with Level 1 and progress to Level 2 as their defense business grows. Here's a proven transition strategy:

Phase 1: Achieve Level 1 (Months 1-3)

Implement the 17 basic cybersecurity practices

Complete your self-assessment thoroughly

Submit your SPRS score to establish compliance

Begin pursuing FCI-only contracts to gain experience

Phase 2: Prepare for Level 2 (Months 4-9)

Conduct a comprehensive NIST 800-171 gap assessment

Develop your System Security Plan (SSP)

Begin implementing the additional 93 Level 2 controls

Invest in required technology and security infrastructure

Document all policies and procedures

Phase 3: Achieve Level 2 (Months 10-18)

Complete implementation of all 110 practices

Conduct thorough internal assessment and testing

Engage a C3PAO for third-party assessment scheduling

Address any assessment findings promptly

Receive Level 2 certification

The Business Case for Starting with Level 1

Even if you eventually need Level 2, starting with Level 1 makes strategic sense:

Immediate Benefits:

Enter the defense market faster (4-12 weeks vs. 6-18 months)

Build past performance with FCI-only contracts

Generate revenue to fund Level 2 investments

Develop government contracting experience

Foundation Building:

Establish basic security culture and practices

Train personnel on cybersecurity fundamentals

Build documentation and process discipline

Create infrastructure for advanced controls

Risk Mitigation:

Test your organization's ability to comply

Identify challenges before major investment

Refine processes with simpler requirements first

Avoid costly mistakes on critical Level 2 requirements

Conclusion: Make Your CMMC Decision Now

The right CMMC level depends on your specific business model, the contracts you pursue, and the information you handle. The most important decision is to start your CMMC journey now—whether that's Level 1 for immediate market entry or Level 2 preparation for comprehensive access.

Delaying CMMC certification means missing opportunities while competitors capture market share. Every month you wait is a month your certified competitors are winning contracts you can't bid on.

Ready to determine your optimal CMMC level and start your certification journey?

Whether you're a small business evaluating CMMC requirements, a government buyer looking for qualified suppliers, or a defense contractor deciding on your certification path, KDM & Associates and the V+KDM Consortium are here to help.

Join the KDM Consortium Platform today:

[Register as a Supplier (SME)](/register?type=sme) — Get matched with government contract opportunities, access CMMC level assessment tools, and connect with certified assessors.

[Register as a Government Buyer](/register?type=buyer) — Discover CMMC-certified small businesses at both Level 1 and Level 2.

*Schedule a free introductory session to learn how we can help you determine the right CMMC level for your business and accelerate your path to certification.*