CMMC Level 1 vs Level 2: which do you need?
The decision rule: handle only FCI (Federal Contract Information) and you need Level 1 — 17 basic safeguards, self-assessed annually. Store, process, or transmit CUI and you need Level 2 — all 110 NIST SP 800-171 requirements, mostly C3PAO-assessed once Phase 2 starts November 10, 2026.
Side by side
| | Level 1 | Level 2 |
|---|---|---|
| Triggered by | Federal Contract Information (FCI) — non-public information provided or generated under a government contract | Controlled Unclassified Information (CUI) — e.g., controlled technical information under DFARS 252.204-7012 |
| Requirements | 17 basic safeguarding requirements (the FAR 52.204-21 safeguards, as mapped into NIST SP 800-171) | All 110 NIST SP 800-171 Rev 2 requirements |
| Assessment | Annual self-assessment with an affirmation — no third party involved | Mostly C3PAO-assessed: from November 10, 2026 (Phase 2), third-party certification becomes the default for contracts involving CUI, applied per-solicitation |
| POA&M allowed | Never — every requirement must be fully met | Limited — score ≥88 of 110, generally 1-point gaps only, six requirements never eligible, 180-day closeout (32 CFR 170.21) |
| Typical cost | Mostly your own time; self-serve tooling from $1,500/yr | Readiness $4,995 self-serve to $14,000–40,000 consultant-led, plus the separate C3PAO assessment ($30,000–75,000 published range) |
Sources: FAR 52.204-21; NIST SP 800-171 Rev 2; 32 CFR 170.21 and 170.3(e); published price bands verified June 2026 — full numbers in the Level 2 cost guide.
Which do I need? Four questions.
Answer what you know — the quiz stops as soon as your answers decide it, and "not sure" is a legitimate answer with its own advice.
Do you hold — or plan to bid on — DoD contracts or subcontracts?
Straight answers
Can one company need both CMMC Level 1 and Level 2?
Yes. The level follows the information and the solicitation, not the company. A shop whose contracts involve only FCI self-assesses at Level 1; the moment a contract involves CUI, Level 2 applies to the systems that store, process, or transmit it. Many contractors run both: Level 1 hygiene everywhere, Level 2 scope where CUI lives.
Does CMMC Level 1 allow a POA&M?
No. Level 1 permits no POA&M at all — each basic safeguarding requirement must be fully met before you self-assess as compliant and affirm it annually. Limited POA&Ms exist only at Level 2, under the 32 CFR 170.21 rules (score of at least 88, generally 1-point items, 180-day closeout).
Who decides which level my contract requires?
The solicitation. DoD applies CMMC requirements per-solicitation under the 32 CFR 170 phase-in: Phase 1 (since November 10, 2025) put self-assessment requirements into new solicitations, and Phase 2 (from November 10, 2026) makes C3PAO-assessed Level 2 the default for contracts involving CUI, at contracting-officer discretion, through full implementation in 2028.
Is Level 2 always assessed by a C3PAO?
Not always — a Level 2 self-assessment track exists for a subset of contracts. But from November 10, 2026, C3PAO-assessed Level 2 becomes the default for contracts involving CUI, so the conservative plan for any CUI-handling contractor is to prepare for the third-party assessment.
Whichever level it is, the next step is your score
The free assessment walks the requirements in plain English and computes your SPRS score with the exact DoD methodology — so the level question becomes a plan, not a worry.