Comparison Guide
Level 1 vs Level 2
Understand the differences between CMMC levels to determine which certification your organization needs
Quick Comparison
| Aspect | Level 1 | Level 2 |
|---|---|---|
| Total Requirements | 15 | 110 (includes all Level 1) |
| Data Type Protected | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| Assessment Type | Self-assessment or basic assessment | Third-party C3PAO assessment required |
| Documentation | Simplified System Security Plan (SSP) | Comprehensive SSP (100+ pages) |
| Documentation Requirements | Basic documentation required | Comprehensive documentation across all domains |
| Evidence Required | Basic artifacts (~20-30) | Comprehensive evidence (~110+ artifacts) |
| Typical Cost | $5,000-$15,000 | $25,000-$100,000+ |
| Implementation Timeline | 2-4 months | 6-12 months |
| Assessment Cost | $3,000-$8,000 | $15,000-$50,000+ |
| Validity Period | 3 years | 3 years |
Practice Breakdown by Domain
| Domain | Level 1 | Level 2 Only | Total in L2 |
|---|---|---|---|
| 🔐 AC - Access Control | 2 | +20 | 22 |
| 🎓 AT - Awareness and Training | — | +3 | 3 |
| 📊 AU - Audit and Accountability | — | +9 | 9 |
| 🔍 CA - Assessment, Authorization, and Monitoring | — | +4 | 4 |
| ⚙️ CM - Configuration Management | — | +9 | 9 |
| 🎫 IA - Identification and Authentication | 2 | +9 | 11 |
| 🚨 IR - Incident Response | — | +3 | 3 |
| 🔧 MA - Maintenance | — | +6 | 6 |
| 💾 MP - Media Protection | — | +9 | 9 |
| 🏢 PE - Physical Protection | 2 | +4 | 6 |
| 👤 PS - Personnel Security | — | +2 | 2 |
| ⚠️ RA - Risk Assessment | — | +3 | 3 |
| 🛡️ SC - System and Communications Protection | 3 | +13 | 16 |
| ✓ SI - System and Information Integrity | 5 | +2 | 7 |
| Total | 14 | +96 | 110 |
Which Level Do You Need?
Choose Level 1 if:
- ✓ Your contracts only involve Federal Contract Information (FCI)
- ✓ You don't handle Controlled Unclassified Information (CUI)
- ✓ Your contracts don't specifically require Level 2
- ✓ You're a lower-tier subcontractor with limited scope
Choose Level 2 if:
- ✓ Your contracts involve Controlled Unclassified Information (CUI)
- ✓ You're subject to DFARS 252.204-7012
- ✓ You're a prime contractor or critical subcontractor
- ✓ Your contract specifically requires CMMC Level 2
- ✓ You handle technical data, blueprints, or sensitive DoD information
Not sure? Check your contract requirements or ask your Contracting Officer. Most DoD contractors handling technical data or CUI will need Level 2.