Understanding the Difference Between CMMC Level 1 vs Level 2


As you set your sights on Cybersecurity Maturity Model Certification (CMMC) goals, understanding the different compliance tiers is crucial. Today, let's dive into the distinction between CMMC Level 1 and CMMC Level 2.

About CMMC:

CMMC, short for Cybersecurity Maturity Model Certification, was established by the Department of Defense (DoD) to enhance and standardize cybersecurity practices within the Defense Industrial Base (DIB). It's mandatory for any contractor or subcontractor engaged with the DoD that will be handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Understanding CMMC Level 1

CMMC Level 1 centers around safeguarding Federal Contract Information (FCI) and encompasses the basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21. According to FAR, FCI refers to information provided by or generated for the Government under a contract, excluding information intended for public release and simple transactional information.

Understanding CMMC Level 2

In contrast, CMMC Level 2 extends its focus to safeguarding Controlled Unclassified Information (CUI). CUI, as defined by the National Archives and Records Administration (NARA), refers to information that requires safeguarding or dissemination controls in accordance with laws, regulations, and policies, but does not warrant classified status. The practices at CMMC Level 2 align with the 110 security requirements specified in NIST SP 800-171 Rev 2. CUI also carries marking and labeling requirements. If your organization handles data covered by ITAR, US citizenship requirements, export control, or covered information subject to data sovereignty rules, additional requirements and controls apply as well.

Comparing CMMC Level 1 and CMMC Level 2

The primary distinction between CMMC Level 1 and CMMC Level 2 lies in their scope. While Level 1 is tailored for FCI protection, Level 2 is geared towards safeguarding CUI. Additionally, the number of practices required varies significantly between the two levels. Level 1 necessitates adherence to 17 practices, whereas Level 2 mandates compliance with 110 practices. Each practice has 2 to 6 or more assessment objectives that clarify the requirements. This translates into a total of 320 objectives to meet for Level 2 compliance.

Certification procedures also differ between CMMC Level 1 and Level 2. Level 1 certification is achieved through annual self-assessments, while Level 2 compliance necessitates triennial third-party assessments, supplemented by annual self-assessments for select programs. Self-assessments will have periodic review, may be subject to spot-checks, and carry significant consequences if false claims are made.

Looking for Compliance Assistance?

At Hoop5, we can help your organization navigate and achieve CMMC compliance. Whether you're aiming for CMMC Level 1 or Level 2 compliance, our team of CMMC Registered Practitioners is here to assist you. Contact us today!

For more tips and tech info, follow us on LinkedIn, Twitter, Facebook, and Instagram.
