
CMMC Level 1 vs Level 2: How to Choose Your Path

By Fortwise Team

Quick overview: CMMC Level 1 vs Level 2

CMMC Level 1 (Foundational) provides basic cybersecurity hygiene for Federal Contract Information (FCI). It covers the 15 basic safeguarding requirements of FAR 52.204-21, is verified by an annual self-assessment with a senior-official affirmation (no third-party assessor), has a faster implementation timeline, and requires a lower upfront investment.

CMMC Level 2 (Advanced) provides enhanced protection for Controlled Unclassified Information (CUI). It covers the 110 security requirements of NIST SP 800-171 Rev 2, requires a C3PAO assessment for most contracts (a self-assessment option exists only where the solicitation specifies it), typically takes 12-21 months of preparation, and demands a higher investment in technology, processes, and assessment.

When do you need CMMC Level 1?

CMMC Level 1 applies to contractors that handle Federal Contract Information: information provided by or generated for the government under a contract and not intended for public release. The 15 Level 1 requirements fall into six domains: access control (limiting system and transaction access to authorized users, and controlling connections to external systems), identification and authentication, media protection (sanitizing or destroying media containing FCI before disposal or reuse), physical protection of computing resources, system and communications protection (boundary protection and separation of publicly accessible systems), and system and information integrity (flaw remediation, malicious code protection, and scanning). Level 1 does not include incident response, personnel security, or audit logging requirements; those appear at Level 2.

The Level 1 self-assessment process

  1. Internal evaluation of the 15 required security practices, scoped to the assets that store, process, or transmit FCI
  2. Documentation of implemented controls and the evidence supporting each one
  3. Entry of the self-assessment results and a senior-official affirmation of compliance in the Supplier Performance Risk System (SPRS)
  4. Annual reassessment and re-affirmation to maintain Level 1 status (Level 1 is a self-assessment status, not a third-party certification)

When do you need CMMC Level 2?

CMMC Level 2 is required for contracts involving Controlled Unclassified Information: sensitive government information that requires safeguarding or dissemination controls but is not classified. Level 2 covers all 110 requirements of NIST SP 800-171 Rev 2; the 15 Level 1 requirements are among them, so Level 2 adds 95 more, including multifactor authentication and stronger access controls, audit logging and accountability, configuration management, awareness and training, incident response, maintenance, risk assessment, and periodic security assessment of the controls themselves.

Level 2 assessment requirements

Most Level 2 certifications require a C3PAO assessment: third-party evaluation by certified assessors, on-site or virtual assessment of your environment, evidence collection and control validation, certification valid for 3 years, and an annual affirmation of continued compliance by a senior official between C3PAO reviews.

Limited exception: where a solicitation specifies Level 2 (Self), a self-assessment every 3 years plus annual affirmations, both recorded in SPRS, is accepted in place of the C3PAO assessment. DoD decides this per contract based on the sensitivity of the CUI involved, so do not assume the self-assessment option applies to you.

Decision checklist: Level 1 vs Level 2

Contract analysis: Review current DoD contracts for CMMC requirements, identify whether you handle FCI only (Level 1) or CUI (Level 2), check upcoming solicitations you plan to pursue, and assess contract values and risk levels.

Information assessment: Catalog all government information in your systems, determine which of it is CUI and under which CUI category and markings it falls (CUI is unclassified by definition, so there are no classification levels to assign), map information flows through your organization, and identify systems that process government data.

Current security posture: Conduct a gap analysis against the 15 Level 1 practices, evaluate readiness for the 110 Level 2 practices, assess existing cybersecurity investments, and review current policies and procedures.

Business impact evaluation: Calculate potential contract opportunities at each level, estimate implementation costs and timeline, analyze the competitive advantage of early certification, and consider supply chain partnership requirements.

C3PAO vs self-assessment: what to expect

Self-assessment path (Level 1, and Level 2 only where the contract allows it)

Advantages: lower cost and faster timeline, internal control over the assessment process, and flexibility in implementation approach. Requirements: honest evaluation of security controls, proper documentation and evidence, understanding of CMMC requirements, and ongoing compliance monitoring.

C3PAO assessment path (Level 2)

Advantages: independent validation of controls, higher credibility with government buyers, and a clear compliance roadmap. The C3PAO assesses; it does not consult on or build your controls, so implementation guidance comes from your own team or a separate advisor. The process runs from pre-assessment readiness review through formal assessment engagement, evidence collection and testing, certification decision and reporting, and annual affirmations to keep the certification active over its 3-year term.

Implementation timeline comparison

CMMC Level 1 timeline: assessment preparation takes 3-6 months, self-assessment completion 1-2 months, and documentation and SPRS affirmation 1 month, roughly 5-9 months total.

CMMC Level 2 timeline: gap analysis and planning takes 3-4 months, control implementation 6-12 months, C3PAO assessment preparation 2-3 months, and the formal assessment process 1-2 months, roughly 12-21 months total.

Cost considerations

Level 1 investment areas: basic security tools and software, policy development and training, self-assessment documentation, and minimal third-party consulting.

Level 2 investment areas: advanced security technologies, system architecture changes (often an enclave that narrows the CUI boundary and with it the assessment scope), extensive staff training, C3PAO assessment fees (estimated at $50,000-$200,000+ depending on scope), and ongoing compliance management.

Next steps: choose your CMMC path

If you need Level 1: conduct a self-assessment against the 15 required practices, document gaps and create a remediation plan, implement missing controls with a focus on quick wins, prepare the documentation and SPRS affirmation, and consider a readiness sprint for accelerated preparation.

If you need Level 2: perform a comprehensive gap analysis against the 110 NIST SP 800-171 requirements, develop an implementation roadmap with a realistic timeline, begin control implementation starting with foundational areas, engage a C3PAO early for assessment planning, and coordinate assessment preparation through expert guidance.

If you're unsure: analyze contract requirements and future opportunities, assess your information handling to determine FCI vs CUI, evaluate the business case for each certification level, and consult CMMC experts for strategic guidance.

Get expert guidance on your CMMC journey

Choosing between CMMC Level 1 and Level 2 is a strategic business decision that affects your competitive position, costs, and timeline. Expert guidance can streamline the certification process and reduce implementation risks. Book a readiness call to confirm your level, scope, and path.

Free 30-minute readiness call

Walk into your CMMC assessment ready.

Book a 30-minute readiness call with a Fortwise advisor. No high-pressure sales — just a clear read on where you stand and what it takes to certify.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI