The Honest Answer in One Sentence
If you receive engineering drawings, specifications, CAD files, test data, or anything with a distribution statement from your prime contractor — that's Controlled Unclassified Information. You need CMMC Level 2.
Most defense manufacturers, machine shops, aerospace subcontractors, and electronics firms reading this page fall into Level 2. Level 1 is real, but it applies to a narrower set of contractors than most people think. Let's break down both levels so you can know for sure.
Do you receive engineering drawings, specs, CAD files, test data, or anything marked with a distribution statement from your prime contractor or the DoD?
If yes: You need Level 2. That technical data is CUI — Controlled Unclassified Information. You're required to protect it under DFARS 252.204-7012, and for nearly all Level 2 contracts CMMC requires a formal assessment by a third-party C3PAO. Stop reading here and start your Level 2 plan.
Level 1 vs Level 2 Side by Side
Here's everything that actually matters about the difference between the two levels, in one place.
| Factor | Level 1 | Level 2 |
|---|---|---|
| Data type protected | FCI only — basic contract information | CUI — technical data, drawings, specs |
| Number of controls | 15 practices (the FAR 52.204-21 basic safeguarding requirements) | 110 practices (all of NIST SP 800-171) |
| Assessment type | Annual self-assessment with an annual affirmation — you score yourself | C3PAO assessment every three years plus annual affirmations — self-assessment only for a narrow set of contracts |
| Typical total cost | $5K–$25K (mostly internal time) | $50K–$200K+ depending on company size |
| Timeline | Weeks to a few months | 9–18 months start to finish |
| Who needs it | Contractors handling only basic contract info | Anyone handling controlled technical data |
| SPRS score required | Yes — annual self-assessment score | Yes — C3PAO-verified score |
| Common examples | Janitorial services, office supplies, food services with DoD contracts | Machine shops, aerospace subs, electronics manufacturers, engineering firms |
Our free readiness check asks about the specific type of work you do and data you receive. You'll get a clear answer about your required level — and what you need to do next — in about 2 minutes.
FCI vs CUI: What's the Difference?
Think of FCI and CUI like two different kinds of information you might receive from a business relationship. FCI is the business stuff. CUI is the technical stuff that actually tells someone how things work.
FCI — Federal Contract Information
FCI is information you receive as part of a government contract — but it's information about the business of the contract, not the technical substance of what's being built. Think: purchase orders, delivery schedules, price lists, contract terms. The kind of stuff that's in your email with your contracting officer that's about logistics and money.
If someone got their hands on your FCI, they'd know you have a contract with the DoD, what you're getting paid, and when to deliver. That's sensitive, sure, but it's not the kind of thing that helps an adversary build a weapon system.
CUI — Controlled Unclassified Information
CUI is the technical data. This is the information that, in the wrong hands, could actually compromise national security or give a foreign adversary meaningful insight into weapons systems, materials, or defense capabilities.
For most manufacturing and engineering contractors, CUI shows up as:
- Engineering drawings and technical data packages from your prime
- 3D models and CAD files (.STEP, .IGES, SolidWorks .SLDPRT/.SLDASM)
- Material specifications and processing requirements
- Test data, inspection reports, and qualification results
- Research and development outputs
- Anything with a CUI marking, or a restrictive DISTRIBUTION STATEMENT (B through F). Distribution Statement A means approved for public release and is not CUI.
Here's the neighbor explanation: FCI is like knowing your neighbor works at a military base. CUI is like knowing the exact dimensions and materials of what they're building. One is sensitive information. The other is what foreign intelligence services are actually trying to steal.
The distinction matters because FCI alone triggers Level 1. CUI triggers Level 2. And most defense manufacturers handle CUI — it's basically the core of what makes defense manufacturing different from commercial work.
What If I'm Not Sure?
You're not alone — this is one of the most common questions we hear. The good news is there are concrete ways to find out.
Check your contract for DFARS 252.204-7012. This is the DFARS clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting." Search for "252.204-7012" in your contract documents — it's usually in the clauses section at the back. One caveat: the DoD puts this clause in almost every contract except purchases of commercial off-the-shelf items, so its presence means you are obligated to protect any covered defense information you receive, not that you have already received some. The clause that states the CMMC level your contract actually demands is DFARS 252.204-7021; if your contract or subcontract carries it, the level is written there.
Look at the markings on what your prime sends you. Open the next package of drawings or specs. If you see "CUI" in the header or footer, that document is CUI. If you see a "DISTRIBUTION STATEMENT" other than Statement A (which means approved for public release), that document is controlled. If your drawings have any kind of access restriction or export control language, that's your answer.
Ask in writing. Email your contracting officer or your prime's supply chain compliance team and ask: "Does my work on this contract involve Controlled Unclassified Information, and what CMMC level does my subcontract require?" Get the answer in writing. Primes are required to flow the CMMC level requirement down to you. This is the most authoritative answer you can get.
If you work in defense manufacturing and you're genuinely uncertain, assume Level 2. The downside of undercertifying — potential contract loss and False Claims Act exposure — is far worse than the downside of overcertifying. A CMMC consultant can scope your environment and give you a definitive answer in a few hours.
Our readiness assessment maps your actual operation — what data you handle, how your systems are set up, what you've already got in place — to the specific controls that apply to you. Takes 2 minutes, gives you a clear picture.
Common Misconceptions — And the Real Story
There's a lot of wishful thinking floating around in the defense supply chain right now. Here are the ones we hear most often, and what's actually true.
"I only do a little defense work, so I probably don't need Level 2."
CMMC requirements are based on the type of data you handle, not how much defense revenue you generate. If you handle CUI — even on one small contract — you need Level 2. There's no "low volume" exception. The question you have to ask yourself is whether the defense revenue is worth the compliance investment. If it's not, stop doing that work. But you can't do it halfway.
"My prime hasn't asked about CMMC yet, so I have time."
They will. Phase 2 kicks in November 2026, and primes are already working through their supply chains. The shops that get the work after November 2026 are the ones that started early. C3PAO assessment slots are booking 12-18 months out. If your prime asks in October 2026 and you haven't started, there's no path to compliance before the deadline.
"Level 1 is good enough — I'll just do that and see what happens."
Level 1 is only appropriate if you genuinely handle zero CUI. If you process controlled drawings or technical data and certify at Level 1, you're making a false attestation on a federal contract. That's not just a compliance problem — it can be a legal one under the False Claims Act. Get your level right first. The quiz takes 2 minutes.
"CMMC Level 2 is impossible for a small shop to achieve."
Level 2 is hard but absolutely achievable for small shops. The key is scoping — keeping your CUI boundary tight to a small set of systems. Under the CMMC scoping rules, the systems that must meet the 110 controls are the ones that store, process, or transmit CUI, plus the systems that provide security functions for them; everything else can be kept out of scope if it is genuinely separated. Shops with 10–30 employees regularly complete Level 2 certification. The ones that struggle are the ones who scope their entire network and try to fix everything at once. Build a CUI enclave, scope it right, and the 110 controls become manageable.
What Each Level Actually Costs
The cost difference between Level 1 and Level 2 is significant. But the real comparison isn't Level 1 vs Level 2 — it's "cost of compliance" vs "cost of losing DoD contracts."
Level 1 Cost Breakdown
Level 1 requires the 15 basic safeguarding practices from FAR 52.204-21 — things like unique user accounts, authenticating users before granting access, limiting access to authorized users, and basic malware protection. For most companies with any kind of IT in place, many of these are already done. The main costs are:
- Internal time to document existing controls and close gaps: $2K–$10K in labor
- Software tools if you need to close specific gaps: $1K–$5K/year
- Annual self-assessment: internal labor cost only
- Total range: $5K–$25K first year, $2K–$8K ongoing
Level 2 Cost Breakdown
Level 2 is a different undertaking. The 110 controls span access control, incident response, audit logging, configuration management, risk assessment, and more. The documentation alone is a major project. See the full breakdown in our CMMC Cost Guide.
- Gap analysis to find your starting point: $5K–$25K from a consultant, free with MyCMMC
- Documentation (SSP, policies, POA&M): $30K–$80K from a consultant, $1.5K–$19.5K with MyCMMC
- Technical remediation (depends heavily on your current state): $15K–$100K+
- C3PAO assessment: $30K–$75K
- Total range: $50K–$200K+ depending on size and starting point
The biggest lever you have on Level 2 cost is documentation. Consultants charge $30K–$80K to write your SSP and policies from scratch. Documentation built from your environment and reviewed by a certified practitioner covers the same deliverable for $1,500–$19.5K. That's where MyCMMC saves shops the most money.
Frequently Asked Questions
What's the difference between FCI and CUI?
FCI (Federal Contract Information) is basic business information — purchase orders, delivery schedules, and contract terms. CUI (Controlled Unclassified Information) is more sensitive: technical drawings, engineering specifications, CAD files, test data, and similar technical data that needs protection under law or regulation. FCI alone triggers Level 1. CUI triggers Level 2.
Can I self-assess for Level 2?
For most Level 2 contracts, no. The DoD requires a third-party assessment by a C3PAO (CMMC Third Party Assessment Organization). There is a narrow self-assessment path for certain Level 2 contracts, but the overwhelming majority of defense contractors with CUI will need a C3PAO assessment. Verify with your contracting officer before assuming self-assessment is an option.
How do I know whether I handle CUI?
Check your contract for DFARS clause 252.204-7012. If it's there, you're required to protect any covered defense information you receive. Also look at the documents you receive: technical drawings, specifications, and test data with 'CUI' markings or a restrictive 'DISTRIBUTION STATEMENT' (B through F) are controlled. When in doubt, ask your contracting officer directly — they're required to tell you.
I only do a small amount of defense work. Do I still need Level 2?
Yes — if you handle CUI, the volume of defense work doesn't matter. CMMC requirements are based on what data you handle, not how much defense revenue you generate. A shop that does 5% defense work and receives controlled drawings needs Level 2. Whether the defense revenue justifies the compliance investment is a separate business decision — but you can't do it halfway.
What happens if I certify at Level 1 but actually handle CUI?
If you self-assess at Level 1 but actually handle CUI and should be Level 2, you're in violation of your contract — potentially including False Claims Act exposure if you knowingly certified inaccurate SPRS scores. The DoD takes this seriously. When you're uncertain, default to Level 2 and get it verified by a CMMC professional.
How long does each level take?
Level 1 is a self-assessment most companies can complete in a few weeks to a few months — it covers only 15 practices. Level 2 covers all 110 NIST SP 800-171 controls and requires a third-party C3PAO assessment. Start to certified, Level 2 typically takes 9–18 months for most small contractors. The C3PAO scheduling backlog alone can add 3–6 months.
Find Out Your Level in 2 Minutes
Our free readiness check asks the right questions about your actual operation and tells you exactly which level you need — and what to do about it.