
CMMC Level I vs. Level II: Which Certification Does Your Business Need?

Understanding the differences between CMMC levels is crucial for planning your certification journey. Here's a detailed comparison to help you decide.

KDM & Associates
January 30, 2026
9 min read
Tags: CMMC, Certification, Compliance, Cybersecurity

One of the most common questions from businesses entering the defense market is: "Which CMMC level do I need?" The answer depends on the type of information you'll handle and the contracts you're pursuing. This guide breaks down the differences and helps you make the right choice.


CMMC Overview


The Cybersecurity Maturity Model Certification (CMMC) 2.0 has three levels:

  • Level 1 (Foundational) — Basic cyber hygiene
  • Level 2 (Advanced) — Aligned with NIST SP 800-171
  • Level 3 (Expert) — Enhanced security for critical programs

Most small businesses will need Level 1 or Level 2. Level 3 is reserved for contractors working on the most sensitive defense programs.


Level 1: Foundational


Who Needs It

Any company that handles Federal Contract Information (FCI) — which is essentially any company with a federal contract.


FCI includes:

  • Contract documents and correspondence
  • Technical specifications provided by the government
  • Pricing and cost data
  • Delivery schedules and logistics information

Requirements

  • 17 security practices — based on FAR 52.204-21
  • Annual self-assessment — (no third-party audit required)
  • SPRS score submission — to the Supplier Performance Risk System

Key Practices

  • Limit system access to authorized users
  • Limit system access to authorized transaction types
  • Verify and control connections to external systems
  • Control information posted on publicly accessible systems
  • Identify system users and processes
  • Authenticate user identities
  • Sanitize or destroy media containing FCI
  • Limit physical access to systems
  • Escort visitors and monitor activity
  • Maintain audit logs of physical access
  • Monitor and control communications at boundaries
  • Implement subnetworks for public systems
  • Identify and fix system flaws in a timely manner
  • Provide malicious code protection
  • Update malicious code mechanisms
  • Perform periodic system scans
  • Monitor system security alerts

Cost and Timeline

  • Implementation cost: $5,000-$25,000
  • Timeline: 4-12 weeks
  • Annual maintenance: $2,000-$10,000

Level 2: Advanced


Who Needs It

Any company that handles Controlled Unclassified Information (CUI) — sensitive but unclassified defense information.


CUI includes:

  • Technical drawings and specifications marked as CUI
  • Export-controlled information (ITAR/EAR)
  • Critical infrastructure information
  • Proprietary defense data
  • Personally identifiable information in defense contexts

Requirements

  • 110 security practices — aligned with NIST SP 800-171 Rev 2
  • Third-party assessment — by a C3PAO for critical programs
  • Self-assessment — for non-critical programs
  • Plan of Action and Milestones (POA&M) — allowed for up to 1 year

Additional Practices Beyond Level 1

Level 2 adds 93 practices across 14 domains. The table below lists, per domain, the number of Level 1 practices and the total number of Level 2 practices (the Level 2 column includes the Level 1 practices, so the columns sum to 17 and 110 respectively):

| Domain | Level 1 Practices | Level 2 Practices (total) |
|--------|------------------|-------------------|
| Access Control | 4 | 22 |
| Awareness & Training | 0 | 3 |
| Audit & Accountability | 0 | 9 |
| Configuration Management | 0 | 9 |
| Identification & Authentication | 2 | 11 |
| Incident Response | 0 | 3 |
| Maintenance | 0 | 6 |
| Media Protection | 1 | 9 |
| Personnel Security | 0 | 2 |
| Physical Protection | 4 | 6 |
| Risk Assessment | 0 | 3 |
| Security Assessment | 0 | 4 |
| System & Comm Protection | 2 | 16 |
| System & Info Integrity | 4 | 7 |

Cost and Timeline

  • Implementation cost: $50,000-$250,000
  • Third-party assessment: $30,000-$75,000
  • Timeline: 6-18 months
  • Annual maintenance: $15,000-$50,000

Decision Framework


Choose Level 1 If:

  • You only handle FCI (not CUI)
  • Your contracts don't involve sensitive technical data
  • You're a general supplier of commercial items
  • You're just entering the defense market
  • Your contracts are below the simplified acquisition threshold

Choose Level 2 If:

  • Your contracts involve CUI
  • You handle technical drawings or specifications
  • You work with export-controlled information
  • You're a subcontractor to a prime handling CUI
  • Your contract includes the DFARS 252.204-7012 clause

Not Sure? Ask These Questions:

  • Does your contract include the DFARS 252.204-7012 clause?
  • Are you handling any information marked as CUI?
  • Do you receive technical data packages from the government?
  • Are you working on a program involving classified or sensitive information?
  • Has your prime contractor told you CUI flows down to your level?

If you answered "yes" to any of these, you likely need Level 2.


The Transition Path: Level 1 to Level 2


Many businesses start with Level 1 and progress to Level 2 as they pursue larger contracts. Here's a smart transition strategy:


Phase 1: Achieve Level 1 (Months 1-3)

  • Implement 17 basic practices
  • Complete self-assessment
  • Submit SPRS score
  • Begin pursuing FCI-only contracts

Phase 2: Prepare for Level 2 (Months 4-9)

  • Conduct a NIST SP 800-171 gap assessment
  • Develop a System Security Plan (SSP)
  • Begin implementing additional controls
  • Invest in required technology

Phase 3: Achieve Level 2 (Months 10-18)

  • Complete implementation of 110 practices
  • Conduct internal assessment
  • Engage C3PAO for third-party assessment
  • Address any findings and achieve certification

Conclusion


The right CMMC level depends on your business model, the contracts you pursue, and the information you handle. Start with Level 1 to enter the market quickly, then progress to Level 2 as your defense business grows. The important thing is to start now.



Ready to Take the Next Step?

Whether you're a small manufacturer seeking defense contracts, a government buyer looking for qualified suppliers, or a business owner pursuing CMMC certification, KDM & Associates and the V+KDM Consortium are here to help.

Join the KDM Consortium Platform today:



  • [Register as a Supplier (SME)](/register?type=sme) — Get matched with government contract opportunities, access capacity-building resources, and connect with prime contractors.
  • [Register as a Government Buyer](/register?type=buyer) — Discover qualified, defense-ready small businesses and streamline your procurement process.

*Schedule a free introductory session to learn how we can accelerate your path to government contracting success.*

