GovCon · 7 min read

CMMC Level 1 vs Level 2: Which One Do You Actually Need?

A plain-English breakdown of CMMC Level 1 and Level 2 for small DoD subcontractors — what triggers each level, what it costs, and how long it takes to get there.

By JITServices Team

If you’re a small government contractor and someone has mentioned CMMC, you’ve probably also heard a panicked rumor: “Level 2 will take a year and cost you six figures.” Sometimes that’s true. Often it isn’t. And in many cases, Level 2 isn’t even what you need.

Here’s how to figure out which CMMC level actually applies to your business — and what it takes to get there.

What CMMC is, in one sentence

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense’s framework for verifying that contractors handling federal information apply the right cybersecurity controls — and can prove it.

The two levels that matter for small business

There are three CMMC levels in the current model. The vast majority of small contractors land in one of two:

CMMC Level 1: Basic safeguarding of FCI

Applies when: Your contracts involve Federal Contract Information (FCI) but not Controlled Unclassified Information.

  • Controls: 17 basic safeguarding practices (drawn from FAR 52.204-21)
  • Assessment: Annual self-assessment with executive affirmation in SPRS
  • Typical effort: 1–3 months to readiness for an SMB that already has decent IT hygiene
  • Typical cost: Low five figures, mostly for documentation and basic control implementation

CMMC Level 2: Protection of CUI

Applies when: Your contracts involve Controlled Unclassified Information (CUI) — anything DoD has flagged as needing controlled handling.

  • Controls: 110 controls from NIST SP 800-171
  • Assessment: Triennial assessment by a Certified Third-Party Assessor Organization (C3PAO) for most contracts; some contracts permit a self-assessment instead
  • Typical effort: 6–12 months to readiness for a small contractor with existing IT but no formal security program
  • Typical cost: Mid-five to low-six figures for readiness, plus the C3PAO assessment fee

How to figure out which one you need

Start with your contracts:

  1. Read your prime’s flow-down clauses. DFARS 252.204-7012 and the new 252.204-7021 will tell you exactly what’s required.
  2. Ask your prime contracting officer or CO if you actually handle CUI or only FCI. This is the single most important question. Many small subs assume they handle CUI when they don’t — and many assume they don’t when they do.
  3. Check what you actually receive and store. Drawings, specs, test results, or documents marked CUI or with distribution restrictions almost always trigger Level 2. Generic emails and contract paperwork usually don’t.

If you only handle FCI, Level 1 is your target — and you don’t need a C3PAO assessment.

If you handle CUI, Level 2 is your target — and most of you will need a C3PAO assessment.

What an SMB Level 2 program actually looks like

A small contractor at Level 2 readiness has, at minimum:

  • A clearly scoped CUI environment — sometimes the whole company, often a separated enclave
  • MFA on every account, with conditional access policies enforcing it
  • EDR on every endpoint, with logs centralized and retained
  • Documented incident response, with tested procedures
  • A System Security Plan (SSP) and a current Plan of Action and Milestones (POA&M)
  • A current SPRS score reflecting actual implementation status
  • Security awareness training delivered annually with documented completion
  • Vulnerability management running on a defined cadence
  • A vendor and supply-chain inventory tracking CUI handling

This is not a binder. It’s an operating discipline. The companies that succeed treat compliance as a side-effect of running a properly secured business — not a separate project.

How long does it really take?

For a typical small DoD subcontractor (25–75 employees, modest existing IT maturity):

  • Months 1–2: Scoping, gap assessment, asset inventory, SPRS baseline
  • Months 3–6: Foundational control implementation (MFA, EDR, logging, identity hardening, backup, training)
  • Months 6–9: Policy authoring, evidence collection, internal audit
  • Months 9–12: C3PAO selection, mock assessment, remediation, formal assessment

If your IT environment is already in good shape and you have a partner running the program, this compresses. If you’re starting from scratch and trying to do it internally, it stretches — sometimes indefinitely.

What to do this week

If you suspect CMMC applies to your business and you don’t have a clear answer yet:

  1. Pull your active and pipeline contracts. Look for DFARS clauses 7012, 7019, 7020, and 7021.
  2. Check your current SPRS score. If you don’t have one, that itself is a finding.
  3. Run a gap assessment. Self-assess or get a partner — but stop guessing. The longer you guess, the worse the eventual cost.

Where JITServices fits

We take small GovCons from “we think CMMC applies to us” to “certified, with the evidence to keep it.” If you’re not sure where you stand, schedule a consultation — we’ll tell you honestly which level applies, what’s realistic, and what we’d do first.

#CMMC #GovCon #Compliance #NIST 800-171

Want to talk this through?

If something in this article maps to a real problem on your plate, we'd be happy to walk it through together — no pitch, just clarity.

What happens next

  1. You share what's on your plate — compliance, an audit, a recent incident, or just a feeling.
  2. We map your situation to the controls and outcomes that actually matter.
  3. You leave with a clear, prioritized next step — whether or not we work together.