Level 1 or Level 2? How to Tell Which CMMC Level Your Contract Requires

If you do work for the Department of Defense, the question is not whether Cybersecurity Maturity Model Certification (CMMC) applies to you. It is which level applies. The short answer: your level is set by the type of government data you handle. If you only touch Federal Contract Information (FCI), you need Level 1. If you store, process, or transmit Controlled Unclassified Information (CUI), you need Level 2. If you are new to CMMC entirely, our overview of what CMMC 2.0 is and who it applies to is a good place to start before reading this one.

That sounds simple, and at the data level it is. The hard part is figuring out which type of data a given contract actually puts in your hands, because the answer is buried in contract language that is not always clear.

This post is for contractors and subcontractors who know CMMC applies to them but are not sure which level they need. We will cover how the level flows from data type, where the requirement is written in your contract, real scenarios for each level, what to do when the contract is silent, and how to handle the case where you hold both kinds of data. APT Security Management is a managed security services provider based in North Charleston, South Carolina, and helps DoD contractors sort out exactly this question before they commit to a timeline.

Your CMMC level is set by the data, not your company size

CMMC has three levels. The level you need is decided by the sensitivity of the government information involved in the contract, not by how big your company is or how much you do for the DoD.

Here is the mapping:

Level 1

Level 1 applies when you handle Federal Contract Information only. FCI is information provided by or generated for the government under a contract that is not intended for public release. It is the routine, non-public information that comes with doing the work. Level 1 covers 15 basic safeguarding requirements and is met through annual self-attestation.

Level 2

Level 2 applies when you store, process, or transmit Controlled Unclassified Information. CUI is government information that requires safeguarding under specific laws, regulations, or policies. Think technical drawings, specifications, and other sensitive but unclassified material. Level 2 aligns with the 110 controls in NIST Special Publication 800-171. Whether your Level 2 contract requires a third-party assessment by a certified C3PAO or allows self-attestation depends on how the DoD has designated the contract. The required path will be specified in DFARS 252.204-7021. If the clause is in your contract, read it carefully.

Level 3

Level 3 applies to a small number of contracts involving the most sensitive CUI, often tied to programs the DoD has prioritized. Most contractors will never see a Level 3 requirement.

A useful way to think about it: wherever there is CUI there is almost always FCI as well, but FCI does not always come with CUI. If a contract gives you CUI, you are at Level 2, and the FCI you also hold is covered under the same effort. If a contract gives you FCI and nothing more, Level 1 is enough. For a fuller breakdown of the two data types, see our post on FCI vs CUI.

Where the requirement is actually written

You do not have to guess your level. By late 2025 the DoD began writing CMMC requirements directly into contracts, so for new awards the level is stated for you. Here is where to look.

The CMMC contract clause

The clause that triggers a CMMC requirement is DFARS 252.204-7021. When this clause appears in a solicitation or contract, it names the CMMC level you must hold to be eligible for the award. If you are bidding on or holding a contract with the 7021 clause, read it. The required level is spelled out.

A related clause, DFARS 252.204-7012, requires safeguarding of covered defense information and is a strong signal that CUI is in scope. If 7012 is in your contract, you are very likely looking at a Level 2 requirement.

Prime flow-down language

If you are a subcontractor, your requirement usually comes from the prime contractor rather than directly from the DoD. Primes are required to flow CMMC obligations down to subs that will handle FCI or CUI. As a general rule, a subcontractor is expected to meet the same CMMC level the prime needs for the work being subcontracted. Check your subcontract agreement and any security exhibits the prime sent you. If the flow-down language is vague, ask the prime directly which level they expect.

DD Form 254 for classified work

If your contract involves classified information, the DD Form 254, the Contract Security Classification Specification, tells you how that information must be handled. CMMC covers unclassified information, so the DD Form 254 does not set your CMMC level on its own. It is still worth reviewing, because work that touches classified material almost always travels with CUI, and CUI puts you at Level 2.

Common Level 1 scenarios

Level 1 is the right fit when your work for the DoD never puts CUI in your hands. Examples:

A janitorial or facilities subcontractor that services a contractor site and only ever sees basic contract information such as a statement of work, schedules, and invoices.

A basic supplies vendor providing commercial goods, where the only government information involved is order and delivery data.

An IT support provider that maintains general office systems but has no administrative access to any system that stores or processes CUI.

The common thread is simple. These contractors handle non-public information tied to a federal contract, but none of it meets the definition of CUI. If that describes your work, Level 1 self-attestation is your path. Our post on when you can stop at Level 1 goes deeper on staying within that scope.

Common Level 2 scenarios

Level 2 is the right fit the moment CUI enters the picture. Examples:

A machine shop producing parts from government engineering drawings or specifications. Those drawings are typically CUI.

A software developer building or maintaining applications for the DoD, where source code, configurations, or program data qualify as CUI.

A professional services firm, such as an engineering, logistics, or analysis provider, whose deliverables or working files include CUI.

If your work involves technical data, designs, specifications, or any government information marked as CUI, plan for Level 2. It is a larger effort than Level 1, built on the 110 controls of NIST 800-171, and most Level 2 contracts require an assessment by a certified third party. If you are not sure whether the information in your contract qualifies as CUI, APT's free CUI Identifier tool walks you through the determination.

What to do if your contract is silent or unclear

Plenty of contracts, especially older ones and informal subcontract arrangements, do not state a CMMC level cleanly. If yours is unclear, do not assume the lighter answer. Work through these steps:

Check for the clauses

Search the contract for DFARS 252.204-7021 and 252.204-7012. The presence of either one tells you a lot.

Look at what data you actually receive

Set the paperwork aside for a moment and ask what government information you genuinely store, process, or transmit. If any of it is marked CUI, or would clearly qualify as CUI, you are at Level 2 regardless of what the contract language says.

Ask the contracting officer or the prime

For a direct DoD contract, the contracting officer can confirm the level. For subcontract work, ask the prime in writing. Getting the answer in writing protects you later.

When in doubt, assume Level 2

If you cannot get a clear answer and the information you handle looks like it could be CUI, prepare for Level 2. Guessing low is the expensive mistake, because it can leave you ineligible for award or in breach during performance.

The edge case: subs who handle both

Some subcontractors hold a mix of contracts. One job is pure FCI, another puts CUI in their environment. This is common and it raises a fair question: do you need two separate programs?

Usually not. CMMC levels are cumulative. Level 2 includes everything Level 1 requires and more. A contractor that meets Level 2 also satisfies the FCI-only obligations of the Level 1 contracts they hold. If any meaningful share of your DoD work involves CUI, the practical move is to build to Level 2 once and let it cover the rest.

The exception is scoping. You can choose to keep CUI inside a defined part of your environment, an enclave, so that only that segment carries the full Level 2 weight. That is a real strategy, but it has to be designed deliberately and documented carefully. It is not something to leave to chance.

What to Do Next

Start by finding the answer in writing. Pull your active contracts and any pending solicitations, look for the DFARS clauses, and confirm what government data each one actually puts in your hands. If a contract is unclear, ask the contracting officer or your prime and keep their answer on file.

Once you know your level, the next step is a gap assessment to see how your current environment measures against the practices that level requires. That tells you what work stands between you and compliance, and how long it will take. If you want a quick read on where you stand before booking time with someone, APT's free CMMC Readiness Quickcheck gives you a starting point in about five minutes.

Talk Through Your Situation With APT

Not sure whether your contracts put you at Level 1 or Level 2? Book a free 30-minute consultation with APT Security Management. We will review your situation and help you confirm the level you need before you commit to a plan.