2026-02-04
# CMMC Level 1 vs Level 2: Which Do You Need?

How contract flow-downs and CUI exposure determine whether you need CMMC Level 1 or Level 2.

## Level selection is contract-driven
Most confusion comes from choosing a level based on budget instead of contract requirements. The correct level is driven by whether your organization stores, processes, or transmits Controlled Unclassified Information (CUI).

## Level 1 in practice

Level 1 focuses on basic safeguarding of Federal Contract Information (FCI). Teams typically need straightforward process maturity and a clear baseline of access and system hygiene practices. Evidence is still required, but the control scope is smaller.

## Level 2 in practice

Level 2 aligns to NIST SP 800-171. It introduces deeper technical and procedural rigor: stronger authentication controls, logging discipline, incident readiness, and documented execution across all in-scope systems.
## Side-by-side quick comparison

| Topic | Level 1 | Level 2 |
|---|---|---|
| Primary trigger | FCI only | CUI present |
| Control volume | Lower | Full NIST 800-171 baseline |
| Evidence burden | Moderate | High |
| Operational cadence | Basic recurring checks | Formalized recurring controls |
| Typical staffing demand | Lean | Cross-functional |

## Decision checklist

- Confirm where CUI enters or transits your environment.
- Review flow-down terms with contracting and legal teams.
- Validate whether inherited controls from providers are documented.
- Build the program for the highest required level in the contract chain.

## Bottom line

If CUI is in scope, Level 2 planning should begin immediately. Waiting for contract pressure often leads to rushed and expensive remediation.