CMMC Level 1 vs Level 2 Self-Assessment: Avoid Mistakes
If you are comparing CMMC Level 1 vs Level 2 Self-Assessment, you are asking the right question at the right time. The Department of Defense is now in Phase 1 of CMMC implementation, and that phase focuses primarily on Level 1 and Level 2 self-assessments from November 10, 2025 to November 9, 2026.
For most contractors, the answer comes down to one issue: what kind of information is in scope. If your business handles Federal Contract Information (FCI), you are usually looking at Level 1. If your systems handle Controlled Unclassified Information (CUI), you are generally looking at Level 2. The current CMMC rule says Level 1 uses the 15 Level 1 requirements from 48 CFR 52.204-21, while Level 2 uses the 110 Level 2 requirements from NIST SP 800-171 Rev. 2.
This CMMC Level 1 vs Level 2 Self-Assessment guide explains the difference in plain language, shows when each path applies, and helps US contractors avoid the common mistake of preparing for the wrong assessment model.

What is CMMC Level 1 Self-Assessment?
CMMC Level 1 Self-Assessment is the entry-level assessment route under the CMMC program. It is meant for organizations that process, store, or transmit FCI and must meet the basic safeguarding requirements connected to 48 CFR 52.204-21. The rule says an organization must achieve a MET result for all applicable Level 1 security requirements to achieve Final Level 1 (Self).
The official DoD Level 1 assessment guide also says that, for a Level 1 self-assessment, assets that process, store, or transmit FCI are considered in scope. That makes scoping one of the first things a contractor should review before starting any Level 1 work.
In practical terms, Level 1 usually fits organizations in the defense supply chain that do business with DoD but do not handle CUI. If your environment only touches FCI, the Level 1 vs Level 2 question is usually settled quickly, because Level 1 is the likely path.
link: 32 CFR Part 170 CMMC Rule
What is CMMC Level 2 Self-Assessment?
CMMC Level 2 Self-Assessment applies to organizations that handle CUI and must meet the security requirements of NIST SP 800-171 Rev. 2. The CMMC rule identifies Level 2 as the 110 Level 2 requirements from NIST SP 800-171 Rev. 2, and NIST’s publication remains the main source for those requirements.
This is where the CMMC Level 1 vs Level 2 Self-Assessment comparison becomes more important. Many companies assume every Level 2 environment requires a third-party assessment. That is not always true. The current rule and DoD implementation materials show that Level 2 can be a self-assessment in some cases, while other Level 2 cases require a C3PAO assessment.
CUI also has a formal federal framework. The National Archives says the CUI Registry is the government-wide online repository for Federal-level guidance regarding CUI policy and practice. That is why contractors should verify whether they truly handle CUI instead of relying on guesses or informal labels.
links: NIST SP 800-171 Rev. 2 | National Archives CUI Guidance

CMMC Level 1 vs Level 2 Self-Assessment: Main Difference
The biggest difference in CMMC Level 1 vs Level 2 Self-Assessment is not just the number of controls. The real difference is the kind of information you handle and the assessment path required by the contract.
If your systems only handle FCI, Level 1 is usually the right starting point. If your systems handle CUI, Level 2 is usually the correct level to review. The difference matters because CMMC is built around protecting those two information types at different levels of rigor.
The second major difference is the route to compliance. Level 1 is a self-assessment path. Level 2 may be a self-assessment or a C3PAO assessment. That is why every contractor comparing CMMC Level 1 vs Level 2 Self-Assessment should read the contract language carefully before planning a roadmap, budget, or timeline.
For many organizations, the CMMC Level 1 vs Level 2 Self-Assessment decision starts with a simple question: do we actually have FCI only, or is CUI in scope somewhere in the environment?
link: DoD CMMC Resources and Documentation
7 Key Differences Between Level 1 and Level 2
1. Information in scope
Level 1 is generally tied to FCI. Level 2 is generally tied to CUI. That is the first filter in any CMMC Level 1 vs Level 2 Self-Assessment decision.
2. Requirement count
Level 1 uses the 15 Level 1 requirements. Level 2 uses the 110 Level 2 requirements from NIST SP 800-171 Rev. 2. That makes Level 2 much broader and more demanding.
3. Assessment depth
A Level 1 self-assessment is typically more basic because it focuses on foundational safeguarding. A Level 2 self-assessment is more involved because it expects stronger security implementation and documentation across the organization. This is a practical inference from the rule structure and the NIST-based Level 2 requirement set.
4. Assessment route
Level 1 is self-assessed. Level 2 may be self-assessed or assessed by a C3PAO. This is one of the most important points in the CMMC Level 1 vs Level 2 Self-Assessment comparison.
5. Scope review
For Level 1, the DoD guide says assets that process, store, or transmit FCI are in scope. For Level 2, contractors must scope around where CUI exists in the environment.
6. Relationship to NIST
Level 2 directly maps to NIST SP 800-171 Rev. 2, which is why it tends to require more policy, technical, and evidence work than Level 1. NIST states that the publication provides recommended security requirements for protecting CUI in nonfederal systems and organizations.
7. Business impact
Choosing the wrong level can delay contract readiness, increase remediation costs, and create avoidable compliance work. That is an inference, but it follows directly from the contract-driven structure of the CMMC rule and the current phased rollout.

Which CMMC Self-Assessment Applies to You?
Start with your data, not your assumptions.
If your company only handles FCI, then CMMC Level 1 Self-Assessment is usually the first path to review. If your company handles CUI, then Level 2 is usually the relevant level. But the CMMC Level 1 vs Level 2 Self-Assessment decision does not stop there. You still need to confirm whether the contract requires Level 2 (Self) or Level 2 (C3PAO).
Before making a final decision, review:
- the solicitation and contract clauses
- subcontractor flow-down requirements
- system boundaries
- where FCI or CUI is stored, processed, or transmitted
- whether your environment has already been mapped against NIST SP 800-171
This CMMC Level 1 vs Level 2 Self-Assessment guide is most useful when matched against your real environment, so work through the comparison before choosing a compliance roadmap, budget, or assessment plan.
link: DoD CMMC Phase Implementation Resources
Final Verdict
When comparing CMMC Level 1 vs Level 2 Self-Assessment, the simplest rule is this:
- choose Level 1 if you handle FCI only
- choose Level 2 if you handle CUI
- confirm whether Level 2 is self-assessed or C3PAO-assessed by checking the contract requirement
That approach aligns with the current CMMC rule, current DoD implementation guidance, and the federal CUI framework.
For US contractors, the safest move is to define scope correctly before investing in tools, consultants, or remediation. That helps avoid delays and expensive mistakes.
FAQ
Is CMMC Level 2 always a self-assessment?
No. Level 2 may be either a self-assessment or a C3PAO assessment, depending on the contract requirement.
Does Level 1 apply to FCI?
Yes. The DoD Level 1 assessment guide says assets that process, store, or transmit FCI are in scope for a Level 1 self-assessment.
Does Level 2 apply to CUI?
Yes. The CMMC rule ties Level 2 to the 110 requirements from NIST SP 800-171 Rev. 2, which protects CUI in nonfederal systems and organizations.
Is CMMC active now?
Yes. The eCFR entry is current as of March 2026, and DoD says phased implementation began on November 10, 2025.