Cyber Grants Alliance Blog

CMMC Level 1 vs. Level 2: Which One Applies to Your DoD Contract?

June 5, 2026 | Cyber Grants Alliance

If you have a DoD contract, or if you are working toward one, you have almost certainly encountered the acronym CMMC. And you have probably asked yourself: which level applies to me? Level 1 or Level 2?

It is one of the most common questions small manufacturers and subcontractors ask when they first start navigating CMMC. The answer depends on the type of information your work involves: specifically whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Here is how to tell the difference.

What Is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is a framework created by the Department of Defense to verify that companies in the defense supply chain have adequate cybersecurity protections in place. Unlike previous frameworks that relied on self-reporting, CMMC requires independent verification: a certified third party will assess your organization and confirm whether you meet the required controls. See the DoD CMMC official site for program details.

CMMC Level 1: The Baseline

CMMC Level 1 applies to any organization that handles Federal Contract Information. Level 1 requires compliance with 15 basic cybersecurity practices drawn from FAR Clause 52.204-21, including using antivirus software, limiting system access to authorized users, sanitizing media before disposal, and reporting cybersecurity incidents. Level 1 compliance is satisfied through an annual self-assessment submitted to SPRS. CGA offers a CMMC Level 1 Gap Assessment Grant to help FCI-only companies confirm they meet all 15 controls before self-reporting.

CMMC Level 2: The Standard for CUI

CMMC Level 2 applies to organizations that handle Controlled Unclassified Information. Technical drawings, specifications, test data, engineering designs, and contract details often fall into this category. Level 2 requires compliance with all 110 security controls in NIST SP 800-171, covering 14 control domains.

Key difference: Level 1 is 15 controls and self-assessed. Level 2 is 110 controls and, for most companies, requires a third-party assessment by a C3PAO.

How Do I Know Which Level I Need?

Ask yourself these questions:

  • Does your contract include DFARS clause 252.204-7012? If yes, you likely handle CUI and need Level 2.
  • Do you receive technical drawings or specifications from the DoD or a prime contractor? That is almost certainly CUI.
  • Are you a subcontractor? Check your subcontract for the specific CMMC clause; your prime is required to flow down requirements to you.

When in doubt, assume Level 2. It is far safer to prepare for the more rigorous standard than to discover mid-assessment that your contracts require it. See our CMMC resources for more on flow-down requirements.

What Does the November 2026 Deadline Mean for Me?

Starting November 10, 2026, DoD solicitations may require CMMC Level 2 certification as a condition of contract award. Given that C3PAOs are already reporting 6-month assessment backlogs, companies just beginning the process today are cutting it close. See our full breakdown of what the November 2026 deadline means and what to do now. The first step before any remediation is a gap assessment to understand where you stand against the 110 controls.

Not Sure Where You Stand? Start with a Free Gap Assessment.

Cyber Grants Alliance offers fully funded CMMC Gap Assessment Grants for qualifying DIB manufacturers. Find out exactly which controls you meet and which ones need work before the deadline.

Apply for the Grant →

Have Questions? Book a Call with Us.

Cyber Grants Alliance can help you understand which CMMC level applies to your contracts and what steps to take next. All calls are by scheduled appointment.

Schedule a Call →