CMMCDocs.comOne of the most common questions from defense contractors is whether they need CMMC Level 1 or Level 2. The answer depends entirely on the type of information you handle, which is determined by your contracts — not by your company size, revenue, or the nature of your products.
The Key Distinction: FCI vs CUI
Federal Contract Information (FCI) is information provided by or generated for the government under contract that is not intended for public release. If you only handle FCI, you need Level 1. This covers 17 basic practices from FAR 52.204-21, and you demonstrate compliance through an annual self-assessment submitted to SPRS.
Controlled Unclassified Information (CUI) is information the government creates or possesses that requires safeguarding under law, regulation, or government-wide policy. If any of your contracts involve CUI, you need Level 2. This covers all 110 NIST SP 800-171 Rev 2 requirements and typically requires a third-party assessment by a C3PAO.
How to Determine Your Level
Start by reviewing your contracts. Look for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information). If this clause is in your contract, you handle CUI and need Level 2. Also look for DFARS 252.204-7021 (the CMMC clause itself), which will specify the required CMMC level.
If you are a subcontractor, your prime contractor should be flowing down the appropriate DFARS clauses and specifying the type of information you will receive. If they are not, ask them directly: "Will we receive CUI under this subcontract?"
Level 1: The 17 Practices
Level 1 covers basic cyber hygiene: use antivirus, limit physical access, authenticate users, sanitize media before disposal, and similar fundamental controls. Most companies with basic IT practices already meet many of these requirements. The self-assessment is straightforward, and no third-party assessment is required.
Level 2: The Full 110
Level 2 is a different animal. The 110 security requirements in NIST SP 800-171 cover access control, audit logging, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Implementation requires real technical controls, documented processes, and continuous monitoring.
A Common Misconception
Some contractors believe they can avoid Level 2 by refusing to accept CUI. In theory, this works — but in practice, it often means losing contracts. If the work requires CUI access, the government will find a contractor who can handle it securely. The better strategy is to invest in Level 2 compliance and position your company as a reliable partner in the defense supply chain.
The Decision Framework
Review every active contract and pending proposal. If any involve CUI, plan for Level 2. If all involve only FCI, Level 1 is sufficient. When in doubt, assume Level 2 — it is always better to be over-prepared than to lose a contract because you cannot meet the security requirements.