Defense Cybersecurity Compliance
CMMC Level 1 vs Level 2: Which Applies to You?
If you’re a small or mid-sized manufacturing company supplying products to the U.S. Department of Defense (DoD), chances are you’ve heard about the Cybersecurity Maturity Model Certification (CMMC). But with multiple levels and varying requirements, it can be confusing to determine which level applies to your business. Let’s break down the differences between CMMC Level 1 and Level 2 and help you understand which one is right for you.
What is CMMC?
CMMC is the DoD's framework for verifying that companies in the defense supply chain safeguard the government information they handle: Federal Contract Information (FCI) at the lowest level and Controlled Unclassified Information (CUI) above it. Once a contract carries a CMMC requirement, meeting the specified level is a condition of award. The goal is to raise the cybersecurity baseline across the defense industrial base.
Understanding the Levels: An Overview
The current version of the framework (CMMC 2.0) has three levels, each building on the one below it: Level 1 for FCI, Level 2 for CUI, and Level 3 for CUI on the most sensitive programs. Most small and mid-sized companies will deal with Level 1 and Level 2, which are the more straightforward of the three.
CMMC Level 1: Basic Cyber Hygiene
This level is the most basic and applies to companies that handle Federal Contract Information (FCI) but do not need access to Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under a contract that is not intended for public release; it is not CUI, but it still has to be protected.
Requirements: Conduct basic cybersecurity practices like:
Limiting system access to authorized users, processes, and devices
Identifying and authenticating users (password protections)
Protecting against malicious code (antivirus) and keeping that protection updated
Identifying and correcting system flaws (patching) and running periodic scans
Limiting physical access to systems and escorting visitors
Level 1 consists of the 15 basic safeguarding requirements of FAR 52.204-21, which map to a subset of the controls in NIST SP 800-171. It is met by an annual self-assessment, affirmed by a senior company official, rather than by a third-party audit.
Who needs Level 1? If your company handles only FCI and never accesses CUI, CMMC Level 1 is sufficient. Because it is a self-assessment against 15 requirements, it is relatively straightforward and usually the least expensive level to achieve.
CMMC Level 2: Foundations for Advanced Security
This level introduces a more structured approach and is aligned with NIST SP 800-171 (Revision 2), which contains 110 security requirements. These are the same requirements that DFARS clause 252.204-7012 already obligates CUI-handling contractors to implement; CMMC Level 2 adds verification that they are actually in place. Level 3 builds on Level 2 with selected requirements from NIST SP 800-172.
Requirements: Implementing all 110 requirements in NIST SP 800-171 and documenting how each is met in a System Security Plan (SSP). They include:
Enhanced access controls
Auditing and monitoring capabilities
Incident response plans
Physical security measures
In essence, achieving Level 2 indicates that your company is following cybersecurity practices consistent with protecting CUI. While it’s more comprehensive than Level 1, it’s still manageable for many small and mid-sized manufacturers with proper planning.
Who needs Level 2? If your company accesses, processes, or stores CUI for the Department of Defense, then you fall under the Level 2 requirements. This level is usually a prerequisite for many DoD contracts, especially those involving sensitive information.
Which Level Applies to Your Company?
To determine which level applies, ask yourself:
Do I handle CUI? If yes, you likely need Level 2 certification.
Do I only handle FCI? If yes, Level 1 may suffice unless future contracts require CUI access.
Am I planning to bid on more complex contracts? Many higher-tier contracts will require Level 2 or higher.
Steps to Get Started
Assess your current cybersecurity practices. Compare them against the requirements of the level you're targeting (the FAR 52.204-21 list for Level 1, NIST SP 800-171 for Level 2) so you know exactly which gaps you have.
Implement missing controls. Focus on basic practices first for Level 1, and then tighten security controls for Level 2.
Work with an assessor where required. Level 1 is self-assessed. For Level 2, the contract specifies whether a self-assessment is acceptable or whether a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) is required; many CUI contracts will require the latter, so identify a C3PAO familiar with CMMC early.
Stay updated. The requirements can evolve. Keep track of official DoD guidance.
Final Thoughts
Understanding the difference between CMMC Level 1 and Level 2 is essential for ensuring your company stays eligible for defense contracts. Keep it simple: if you only handle FCI, Level 1 might be enough. If you process CUI or want to pursue more sensitive work, you’ll need to meet Level 2 standards. Start with a cybersecurity self-assessment, and don’t hesitate to seek help from experts familiar with the process. Protecting your data—and your business—is worth the effort.