CMMC Level 1 vs Level 2: Which applies to you?
By Melissa McCoy, Chief Information & Security Officer – CISSP-ISSAP, CCSP, RP
Every Department of Defense (DoD) contractor that handles Federal Contract Information (FCI) must meet at least the Cybersecurity Maturity Model Certification (CMMC) Level 1 standard, and the requirement flows down to subcontractors that receive that information. For companies that process, store, or transmit controlled unclassified information (CUI), CMMC Level 2 applies.
CMMC Level 1: Foundational
CMMC Level 1 is the entry-level certification for companies in the Defense Industrial Base (DIB).
- Data Type: This level is for organizations that only handle Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government releases to the public and simple transactional information such as payment-processing data.
- Practices: Level 1 requires the implementation of 15 basic cybersecurity practices, taken directly from the safeguarding requirements of Federal Acquisition Regulation (FAR) Clause 52.204-21. These practices focus on fundamental cyber hygiene, such as limiting system access to authorized users, patching known flaws, and running malware protection.
- Assessment: Compliance with Level 1 is verified through an annual self-assessment. A senior official of the organization must affirm the accuracy of the self-assessment, and the results and affirmation are submitted to the DoD's Supplier Performance Risk System (SPRS). No third-party assessment is required at this level, and every one of the 15 practices must be fully implemented; Level 1 does not allow open items to be deferred.
CMMC Level 2: Advanced
CMMC Level 2 is required for companies that process, store, or transmit CUI on their own systems.
- Data Type: This level is for companies that handle CUI, a broad category of sensitive but unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. Examples include export-controlled data, controlled technical information such as technical drawings and specifications, and other sensitive project information. The CUI categories are defined in the DoD CUI Registry, and each contract identifies the CUI it involves.
- Practices: Level 2 requires a much more robust cybersecurity posture, encompassing 110 security requirements. These requirements are the security requirements of NIST Special Publication (SP) 800-171 Revision 2, the version the current CMMC rule references. The requirements are grouped into 14 domains that cover a comprehensive range of security areas, from access control and audit logging to incident response and system and communications protection.
- Assessment: The assessment process for Level 2 is more rigorous, and the type of assessment is specified in each solicitation or contract.
- For "non-prioritized" acquisitions, an organization can perform a self-assessment against all 110 requirements every three years and must submit an affirmation of continued compliance to SPRS annually.
- For "prioritized" and more critical acquisitions, a third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO) is required every three years, again with an annual affirmation. The results are recorded in SPRS.
- Plan of Action & Milestones (POA&Ms): Unlike Level 1, CMMC Level 2 allows for a limited use of POA&Ms to address minor, non-critical deficiencies after an assessment. The organization must already meet the minimum assessment score, and the highest-weighted requirements cannot be placed on a POA&M; they must be fully implemented before a conditional Level 2 status is granted. Open POA&M items must be closed within 180 days and verified by a POA&M closeout assessment, or the conditional status lapses.
Summary of Key Differences
| FEATURE | CMMC LEVEL 1 | CMMC LEVEL 2 |
|---|---|---|
| Data Handled | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Number of Practices | 15 practices | 110 requirements |
| Governing Standard | FAR 52.204-21 | NIST SP 800-171 Revision 2 |
| Assessment Type | Annual self-assessment | Self-assessment (for some contracts) or C3PAO third-party assessment (for others) |
| Assessment Frequency | Annually | Every 3 years (self-assessment or third-party), with an annual affirmation in SPRS |
| POA&Ms Permitted? | No | Yes, for limited deficiencies, closed within 180 days |
Contact us for a free consultation to discuss your CMMC needs, today!