
Framework guide

CMMC Level 1 vs Level 2: which one do you need?

The two CMMC levels most contractors will face, Level 1 and Level 2, differ in what information triggers them, how many requirements they carry, who performs the assessment, how results are scored, and whether you can pass with open remediation items. This guide walks through each difference so you can place your own contracts correctly.

Last reviewed: July 2026.

The short answer: it depends on the information, not the company

CMMC levels attach to the information your systems process, store, or transmit under a DoD contract. Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service; it excludes information the government provides to the public and simple transactional information such as what is needed to process payments. If FCI is all you handle, Level 1 applies. Controlled Unclassified Information (CUI) is the more sensitive category: information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. If CUI touches your systems, Level 2 applies. The solicitation or contract states the required level, and primes flow the requirement down to subcontractors based on what information actually reaches them.

A subcontractor that only ever receives FCI can stay at Level 1 even when the prime holds a Level 2 requirement. The scoping question that decides your tier is concrete: does CUI reach your systems, or not?

Side by side

Information handled
  Level 1: Federal Contract Information (FCI)
  Level 2: Controlled Unclassified Information (CUI)

Requirements
  Level 1: 15 (FAR 52.204-21(b)(1)(i) through (xv))
  Level 2: 110 (all of NIST SP 800-171 Revision 2)

Requirement families
  Level 1: 6
  Level 2: 14

Who assesses
  Level 1: Always a self-assessment
  Level 2: Self-assessment or C3PAO certification, set by the solicitation

Assessment cadence
  Level 1: Annually
  Level 2: Every three years, with an annual affirmation

Scoring
  Level 1: No score; every requirement must be MET or NOT APPLICABLE
  Level 2: 110-point scale with weighted deductions of 1, 3, or 5 points; can go as low as -203

POA&M
  Level 1: Not permitted
  Level 2: Permitted within strict limits, and must be closed out within 180 days

15 requirements vs 110

Level 1 consists of the 15 basic safeguarding requirements of FAR 52.204-21(b)(1)(i) through (xv), the clause that has appeared in federal contracts since 2016, organized by the DoD assessment guide into six practice families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.

Level 2 maps one-to-one to NIST SP 800-171 Revision 2: all 110 security requirements across 14 families, from Access Control (22 requirements) through System and Information Integrity (7). It adds whole disciplines Level 1 does not touch, including Awareness and Training, Audit and Accountability, Configuration Management, Incident Response, Maintenance, Personnel Security, Risk Assessment, and Security Assessment. The 15 Level 1 requirements correspond to a subset of those 110 practices, so clean Level 1 work carries forward rather than getting redone. For the full Level 1 walkthrough, see the Level 1 self-assessment checklist.

Self-assessment vs C3PAO certification

Level 1 is always a self-assessment: your organization checks itself against the 15 requirements every year, records the result in the Supplier Performance Risk System (SPRS), and a senior official, the Affirming Official, affirms compliance at the time of each assessment and annually thereafter.

Level 2 has two paths, and the solicitation or contract decides which applies. Level 2 (Self) means the organization conducts its own assessment against the assessment procedures in NIST SP 800-171A every three years, submits results in SPRS, and affirms annually. Level 2 (C3PAO) means an authorized or accredited CMMC Third-Party Assessment Organization conducts the certification assessment every three years, with results recorded in the CMMC instantiation of eMASS and the same annual affirmation in SPRS. Under the phased acquisition rollout that began November 10, 2025, C3PAO certification requirements enter applicable solicitations in the second phase, beginning November 10, 2026.

Scoring: pass/fail vs a 110-point scale

Level 1 has no score. Every requirement must be fully MET or NOT APPLICABLE; a single NOT MET finding means the assessment does not produce a compliant result.

Level 2 uses the scoring methodology in 32 CFR 170.24. The maximum score equals the number of requirements, 110. Each NOT MET requirement subtracts its assigned value of 1, 3, or 5 points; a NOT APPLICABLE requirement subtracts nothing; and an assessment in which every requirement is NOT MET bottoms out at -203. Two requirements carry adjusted partial deductions: multi-factor authentication (subtract 3 if MFA covers only remote and privileged users, 5 if there is no MFA) and CUI encryption (subtract 3 if encryption is employed but not FIPS-validated, 5 if there is none). One requirement, the System Security Plan (CA.L2-3.12.4), has no point value at all: without an up-to-date SSP the assessment cannot be completed. That makes the SSP the practical gate for everything else, which is covered in depth in the CMMC SSP guide.

POA&M: not allowed vs narrowly allowed

At Level 1, a Plan of Action and Milestones is not allowed. There is no partial credit and no conditional status: fix the gap, then assess.

At Level 2, a POA&M is permitted only within the limits of 32 CFR 170.21. The assessment score must be at least 0.8 of the total, meaning 88 of 110. Every open POA&M item must be a 1-point requirement, with one exception: CUI encryption may be included at a value of 3 when encryption is employed but not FIPS-validated. Six requirements can never be on a POA&M regardless of their point value: the System Security Plan, external connections, control of public information, and the three physical-access requirements covering visitor escorts, physical access logs, and managing physical access devices. An open POA&M yields a Conditional CMMC Status that lapses unless the POA&M is closed out within 180 days.
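The scoring rules above and the POA&M limits in this section are mechanical enough to encode. The block below is an added example written for this guide; it is not code from the page or from Security Binder. It implements the deduction rules the page states (1, 3 or 5 points per NOT MET requirement, the two partial deductions, the SSP with no point value) and the POA&M gate (score of at least 88, 1-point items only except CUI encryption at 3, six requirements never eligible). The identifiers of the six excluded requirements are taken from 32 CFR 170.21; the point-value table is a constructed sample covering only a handful of requirements, and a real assessment must load the full 110-entry table from the DoD CMMC Scoring Methodology. Any requirement not listed in a finding is assumed MET.

```python
"""CMMC Level 2 scoring (32 CFR 170.24) and POA&M eligibility (32 CFR 170.21).

Added example for this guide; not the page's or Security Binder's code.
POINT_VALUES is a constructed partial sample, not the full 110-entry table.
"""
from dataclasses import dataclass

MAX_SCORE = 110
POAM_MIN_SCORE = 88  # 0.8 x 110

SSP = "CA.L2-3.12.4"
MFA = "IA.L2-3.5.3"
CUI_ENCRYPTION = "SC.L2-3.13.11"

# The six requirements that can never sit on a POA&M (32 CFR 170.21).
POAM_NEVER = frozenset({
    "AC.L2-3.1.20",  # external connections
    "AC.L2-3.1.22",  # control of public information
    SSP,             # system security plan
    "PE.L2-3.10.3",  # escort visitors
    "PE.L2-3.10.4",  # physical access logs
    "PE.L2-3.10.5",  # manage physical access devices
})

# Constructed sample of full deductions when NOT MET. None means the
# requirement has no point value: a missing SSP blocks the whole assessment.
POINT_VALUES = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.5": 3,
    "AC.L2-3.1.20": 1,
    "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5,
    "AU.L2-3.3.3": 1,
    "IA.L2-3.5.1": 5,
    MFA: 5,
    "PE.L2-3.10.3": 1,
    SSP: None,
    CUI_ENCRYPTION: 5,
}

# The two requirements with an adjusted deduction of 3 instead of 5.
PARTIAL_DEDUCTION = {
    MFA: 3,             # MFA in place for remote and privileged users only
    CUI_ENCRYPTION: 3,  # encryption employed but not FIPS-validated
}


@dataclass(frozen=True)
class Finding:
    req_id: str
    status: str            # "MET", "NOT MET", or "NOT APPLICABLE"
    partial: bool = False  # only meaningful for MFA and CUI encryption


class AssessmentIncomplete(Exception):
    """Raised when the SSP is NOT MET: no score can be produced."""


def deduction(finding: Finding) -> int:
    """Points subtracted for one finding; MET and NOT APPLICABLE cost nothing."""
    if finding.status != "NOT MET":
        return 0
    if finding.req_id == SSP:
        raise AssessmentIncomplete("SSP not met; the assessment cannot be completed")
    if finding.partial and finding.req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[finding.req_id]
    if finding.req_id not in POINT_VALUES:
        raise KeyError(f"no point value loaded for {finding.req_id}")
    return POINT_VALUES[finding.req_id]


def can_be_scored(findings: list[Finding]) -> bool:
    """False when the SSP itself is NOT MET."""
    return not any(f.req_id == SSP and f.status == "NOT MET" for f in findings)


def score(findings: list[Finding]) -> int:
    """SPRS-style score: 110 minus all deductions. Unlisted requirements are MET."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_check(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for a Conditional status with open POA&M items."""
    reasons: list[str] = []
    total = score(findings)  # raises AssessmentIncomplete if the SSP is NOT MET
    if total < POAM_MIN_SCORE:
        reasons.append(f"score {total} is below the {POAM_MIN_SCORE} minimum")
    for f in findings:
        if f.status != "NOT MET":
            continue
        if f.req_id in POAM_NEVER:
            reasons.append(f"{f.req_id} may never be placed on a POA&M")
            continue
        points = deduction(f)
        if points == 1 or (f.req_id == CUI_ENCRYPTION and points == 3):
            continue
        reasons.append(f"{f.req_id} carries {points} points; only 1-point items qualify")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: partial MFA, non-FIPS encryption, and two other gaps.
    open_items = [
        Finding(MFA, "NOT MET", partial=True),
        Finding(CUI_ENCRYPTION, "NOT MET", partial=True),
        Finding("AU.L2-3.3.3", "NOT MET"),
        Finding("AC.L2-3.1.5", "NOT MET"),
    ]
    print("score:", score(open_items))
    eligible, why = poam_check(open_items)
    print("POA&M eligible:", eligible)
    for line in why:
        print("  -", line)
```

In the constructed scenario the score is 100, comfortably above 88, yet the organization still cannot take a Conditional status: the partial MFA deduction (3 points) and the least-privilege gap (3 points) both exceed the 1-point ceiling, and only CUI encryption enjoys the 3-point exception. The common planning mistake this catches is treating the 88-point threshold as the whole test.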

How to decide, in three questions

  1. Does CUI reach your systems? If yes, plan for Level 2 and read your solicitations for which assessment path applies. If only FCI, Level 1 is your floor.
  2. What do your primes require? Flow-down clauses can arrive before your own direct contracts do, so ask your primes which level and path they expect from subcontractors and when.
  3. Could a CUI contract be in your pipeline? If Level 2 is plausible within a contract cycle, do your Level 1 work in a way that carries forward: named accounts, documented boundaries, real policies, and evidence you can point to.

Assess your readiness at either level.

Security Binder includes internal readiness assessments for CMMC Level 1 and Level 2, the supporting document set, and a non-custodial SSP and POA&M. See the CMMC solution page for the full path.



This guide is general information, not legal or compliance advice. Security Binder prepares documentation. It does not guarantee compliance, certification outcomes, insurance coverage, or audit acceptance, and it does not substitute for licensed legal or audit review. CMMC is a program of the U.S. Department of Defense; framework names are the property of their respective publishers.