CMMC Level 2 vs Level 1: Key Differences for DoD Contractors 2026

By Ken Satkunam, CISM  ·  President & Founder, NorthStar Technology Group

March 2026  ·  10 min read

If you hold or pursue Department of Defense contracts, CMMC is no longer a future concern. It’s a present reality.

CMMC requirements are appearing in contracts now. And by 2028, they’ll be in every applicable DoD contract across the defense industrial base. The question isn’t whether you’ll need to comply. It’s whether you’ll be ready when your contract requires it.

The confusion I hear most often from contractors is about the difference between Level 1 and Level 2 — what each requires, who needs which, and what it actually takes to get there. This article breaks that down clearly.

CMMC is not a cybersecurity improvement program. It’s a revenue gate. If you can’t demonstrate compliance, you can’t hold the contract.

Level 1 vs Level 2: the core difference

CMMC Level 1 — foundational

Level 1 applies to contractors who handle Federal Contract Information (FCI) — any information provided by or generated for the government under a contract that isn’t publicly available.

It requires the 15 basic safeguarding requirements of FAR 52.204-21. (The original CMMC model counted 17 practices because the 15 FAR requirements map onto 17 NIST SP 800-171 requirements; the final rule in 32 CFR Part 170 counts them as 15.) These are basic cyber hygiene across six domains: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. The assessment is an annual self-assessment, with the result and an annual affirmation by a senior company official entered in SPRS. No third-party assessor is required, and no POA&M is permitted: every requirement must be fully met.

If you think 15 requirements sounds manageable, you’re right. But “manageable” and “documented and demonstrable” are different things. Many contractors who only handle FCI still lack written evidence that these 15 requirements are implemented.

CMMC Level 2 — advanced

Level 2 applies to contractors who handle Controlled Unclassified Information (CUI): information the government creates or possesses, or that a contractor creates or handles on the government’s behalf, that a law, regulation, or government-wide policy requires to be safeguarded (32 CFR Part 2002). Controlled technical information and export-controlled data are the categories defense contractors meet most often.

It requires all 110 security requirements of NIST SP 800-171 Rev 2 (the revision the CMMC rule pins to; Rev 3 has been published but does not apply to CMMC), organized across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The assessment is a triennial evaluation by a CMMC Third-Party Assessment Organization (C3PAO), although some Level 2 contracts accept a triennial self-assessment instead; the solicitation states which. You must produce a System Security Plan (SSP) describing how each of the 110 requirements is implemented in your environment, evidence for each, and a Plan of Action and Milestones (POA&M) for anything still open. A POA&M buys only a conditional certification, and only if the score is at least 88 of 110, every open item is a 1-point requirement (3.13.11 may also be open at partial credit), and none of the open items are among the 1-point requirements that are also Level 1 requirements; the POA&M must then be closed out within 180 days. Either way, a senior official affirms continued compliance annually in SPRS. On the C3PAO track this is not a self-certification: an independent assessor examines your environment and documentation.

Where contractors actually stand

In our experience conducting gap assessments for DoD contractors, the most common starting position is significantly below compliance for Level 2 and partially compliant for Level 1. The issues are predictable.

No multi-factor authentication on critical systems

NIST SP 800-171 requirement 3.5.3 calls for multifactor authentication on local and network access to privileged accounts and on network access to every other account. Many contractors still rely on passwords alone for remote access, admin accounts, and cloud services. Under the DoD Assessment Methodology this is one of the costliest gaps: 5 points off the SPRS score if MFA is absent, 3 if it covers remote and privileged users but not the general user population. It is also one of the first things an assessor checks.

CUI stored without encryption or access controls

Contractors often don’t know exactly where CUI lives: shared drives, email, laptops, personal devices. They haven’t applied encryption or restricted who can access it. Scoping CUI (deciding which systems, people and locations store, process or transmit it, and walling everything else off) is the foundation of Level 2, because the assessment boundary follows that inventory. The Level 2 scoping guide sorts assets into CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets and Out-of-Scope Assets, and each class has to be identified in the SSP. Most contractors haven’t done it.
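A first pass at scoping is mechanical: find every file that already carries a CUI banner marking, then reconcile that inventory against where the contract says CUI should be. The script below is an added example for this article, not NorthStar’s tooling. It walks a directory tree and reports files marked per the NARA CUI Marking Handbook as I read it (a `CUI` or `CONTROLLED` banner, optional `//` category markings with an `SP-` prefix for specified categories such as `CUI//SP-CTI` or `CUI//SP-EXPT`, and optional dissemination controls such as `//NOFORN`), flags legacy `FOUO` markings for re-marking, and tags anything that looks export-controlled, since that drives the GCC High decision. The regular expressions, the text-file extension list and the sample files are my assumptions and constructions; unmarked CUI will not be found this way, which is exactly the gap described above.

```python
"""CUI marking discovery across a file tree (added example; not the article's or NorthStar's code).

Marking syntax as read from the NARA CUI Marking Handbook: a banner of 'CUI' or
'CONTROLLED', optional '//'-separated category markings ('SP-' prefix for specified
categories, e.g. CUI//SP-CTI, CUI//SP-EXPT), and optional dissemination controls after
a second '//' (e.g. //NOFORN). Legacy FOUO markings are reported separately so they can
be reviewed and re-marked. The patterns are a scoping aid, not a DLP policy: unmarked
CUI is invisible to them. All sample files are constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Upper-case only, so ordinary prose ('controlled', 'cuisine') is not matched. Group 1
# holds the '//' segments after the banner: categories, then dissemination controls.
# Segments are '/'-separated tokens, so a spaced control like 'REL TO USA' is truncated.
BANNER = re.compile(r"\b(?:CUI|CONTROLLED)\b((?://[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*)*)")
LEGACY = re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY)\b")
# Explicit export-control references; together with the EXPT category these drive
# the GCC High decision because they require US-person-only handling.
EXPORT_WORDS = re.compile(r"\b(?:ITAR|EAR|USML)\b")
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".xml", ".json", ".html", ".eml"}  # assumption


def parse_marking(tail: str) -> tuple[list[str], list[str]]:
    """Split '//SP-EXPT/SP-CTI//NOFORN' into (['SP-EXPT', 'SP-CTI'], ['NOFORN'])."""
    segments = [s for s in tail.split("//") if s]
    categories = segments[0].split("/") if segments else []
    dissemination = segments[1].split("/") if len(segments) > 1 else []
    return categories, dissemination


def classify_text(text: str) -> dict:
    """Summarize the CUI markings found in one document's text."""
    categories: set[str] = set()
    dissemination: set[str] = set()
    banners = 0
    for match in BANNER.finditer(text):
        banners += 1
        cats, dis = parse_marking(match.group(1))
        categories.update(cats)
        dissemination.update(dis)
    export = any(c.endswith("EXPT") for c in categories) or bool(EXPORT_WORDS.search(text))
    return {
        "cui": banners > 0,
        "banners": banners,
        "categories": sorted(categories),
        "dissemination": sorted(dissemination),
        "legacy": bool(LEGACY.search(text)),
        "export_controlled": export,
    }


def scan_tree(root: Path) -> list[tuple[str, dict]]:
    """Return (relative path, classification) for every text file worth a scoping review."""
    hits: list[tuple[str, dict]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable files are a finding of their own; keep scanning
        info = classify_text(text)
        if info["cui"] or info["legacy"] or info["export_controlled"]:
            hits.append((path.relative_to(root).as_posix(), info))
    return hits


# Constructed sample share: one export-controlled TDP, one basic-CUI status report,
# one legacy FOUO memo, one public brochure that must not be flagged.
SAMPLE_FILES = {
    "engineering/bracket-tdp.txt": "CUI//SP-EXPT/SP-CTI//NOFORN\nTechnical data package, bracket assembly rev C.\n",
    "contracts/status-report.md": "CUI//CTI\n# Deliverable status\nCDRL A003 delivered.\n",
    "archive/travel-memo-2014.txt": "FOR OFFICIAL USE ONLY\nTravel reimbursement rates for FY14.\n",
    "marketing/brochure.txt": "Our team supports defense programs nationwide.\n",
}


def demo() -> list[tuple[str, dict]]:
    """Write the constructed sample share to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, info in demo():
        print(rel_path, info)
```

Point `scan_tree` at a mounted share to get a starting inventory; the `export_controlled` flag is deliberately loose (any `ITAR`/`EAR` mention) so that those files get a human look, and the output should be reconciled with the SSP’s asset inventory rather than treated as the scope itself.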

No System Security Plan

Level 2 requires a documented SSP covering all 110 controls. It must describe how each control is implemented in your specific environment. Most small and mid-size contractors have never written one.

No formal incident response plan

Requirements 3.6.1 and 3.6.2 call for an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response, and for incidents to be tracked, documented and reported to the right internal and external officials; 3.6.3 requires that capability to be tested. DFARS 252.204-7012 separately requires cyber incidents affecting CUI to be reported to DoD within 72 hours of discovery, so the plan must name who makes that report and how. Most contractors have no written plan and no defined escalation path. When something goes wrong, they improvise. Assessors don’t accept improvisation.

Inadequate audit logging

Level 2 requires audit logs to be generated, retained, reviewed, and protected: 3.3.1 covers creating and retaining the records, 3.3.8 protects audit information and logging tools from unauthorized access, modification and deletion, and 3.3.9 limits management of the logging functions to a subset of privileged users. Contractors frequently have logging disabled, logs that are never reviewed, or logs kept on the same host where the administrator whose actions they record can clear them. The usual fix is to forward logs to a system those administrators cannot write to or delete from.

Commercial Microsoft 365 used for CUI

Standard commercial Microsoft 365 is a poor fit for CUI under DFARS 252.204-7012. The clause requires any cloud service that stores or processes CUI to meet the FedRAMP Moderate baseline or equivalent and to support the clause’s cyber-incident reporting and forensic-cooperation obligations, and Microsoft commits to that flow-down in its government clouds rather than in commercial tenants. Export-controlled CUI (ITAR and EAR) adds a US-persons-only support requirement that only GCC High meets. Contractors handling CUI in commercial M365 are therefore operating outside what they can defend to an assessor. The path is Microsoft 365 GCC or GCC High depending on the CUI categories you handle (CUI is not classified data, so the choice turns on categories such as export control, not on classification). The migration is a move to a new tenant, not a license change, and many contractors don’t realize it’s required.

SPRS scores and why they matter

Under DFARS 252.204-7019 and 252.204-7020, a contractor that handles CUI must have a current NIST SP 800-171 Basic assessment score, no more than three years old, posted in the Supplier Performance Risk System (SPRS) to be considered for award. The score follows the DoD Assessment Methodology: start at 110 and subtract 1, 3 or 5 points for every requirement that is not fully implemented, so a perfect score is 110 and a poorly implemented environment scores well below zero. The submission also records the date by which all 110 requirements are expected to be implemented. Contracting officers can and do check SPRS before awarding contracts, and CMMC assessment results and annual affirmations are posted there as well.

If your score is low, or missing entirely, you may be disqualified from consideration before the evaluation even begins. The opposite mistake is worse: the score is a representation to the government, and an inflated one creates liability that a low one does not. Accurate scoring, documentation that supports every “implemented” claim, and a clear improvement roadmap are essential.
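The scoring rule is mechanical and worth automating so the number in SPRS can be reproduced from the SSP (the same computation sits behind the “SPRS score calculation” step in the roadmap further down). The script below is an added example for this article, not NorthStar’s tooling and not DoD’s calculator. It applies the DoD Assessment Methodology arithmetic (start at 110, subtract 1, 3 or 5 points per unmet requirement, with partial credit only for 3.5.3 and 3.13.11) to a status table, then checks whether the open items would block a conditional Level 2 certification with a POA&M (score at least 88, only 1-point items open apart from a partially met 3.13.11, and none of the five 1-point requirements that are also Level 1 requirements). The weight table covers only the requirements named in this article, with point values as I read Annex A of the methodology; the POA&M rules are as I read 32 CFR 170.21. Verify both against the current text and load the full 110-row table for a real score. The two assessment CSVs are constructed.

```python
"""NIST SP 800-171 self-assessment (SPRS) scorer with a POA&M eligibility check.

Added example for this article; not NorthStar's tooling and not DoD's calculator.
Scoring follows the DoD Assessment Methodology: start at 110, subtract the point
value (1, 3 or 5) of every requirement that is not fully implemented. Only 3.5.3
and 3.13.11 earn partial credit (3 points off instead of 5); everything else is
all or nothing, and a requirement on the POA&M counts as not met. WEIGHTS lists
only the requirements named in the article (values as read from Annex A; verify
them) and must be replaced with the full 110-row table for a real score.
"""
from __future__ import annotations

import csv
import io

MAX_SCORE = 110

# Point values for the requirements discussed in the article (Annex A as read here).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.2": 5,    # limit access to the transactions and functions users may run
    "3.3.1": 5,    # create and retain audit logs
    "3.3.8": 1,    # protect audit information from unauthorized deletion
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.6.1": 5,    # operational incident-handling capability
    "3.6.2": 3,    # track, document and report incidents
    "3.13.11": 5,  # FIPS-validated cryptography for CUI (partial credit possible)
}

# Deduction when the requirement is implemented in part, as the methodology defines it:
# 3.5.3 covers remote and privileged users only; 3.13.11 uses non-FIPS-validated crypto.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that may never sit on a Level 2 POA&M because they are also
# Level 1 (FAR 52.204-21) requirements, per 32 CFR 170.21 as read here.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

OPEN = {"not_met", "partial"}
VALID_STATUS = OPEN | {"met", "na"}


def parse_assessment(csv_text: str) -> dict[str, str]:
    """Read 'requirement,status,note' rows; status is met / partial / not_met / na."""
    statuses: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["status"].strip().lower()
        if status not in VALID_STATUS:
            raise ValueError(f"{row['requirement']}: unknown status {status!r}")
        statuses[row["requirement"].strip()] = status
    return statuses


def deduction(req: str, status: str, weights: dict[str, int] = WEIGHTS) -> int:
    """Points subtracted for one requirement. 'na' costs nothing but needs an SSP justification."""
    if status not in OPEN:
        return 0
    if status == "partial" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return weights[req]  # 'partial' anywhere else is scored as not met


def score(statuses: dict[str, str], weights: dict[str, int] = WEIGHTS) -> int:
    """SPRS score over every requirement in the weight table; a missing status is an error."""
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for {missing}")
    return MAX_SCORE - sum(deduction(r, statuses[r], weights) for r in weights)


def poam_blockers(statuses: dict[str, str], weights: dict[str, int] = WEIGHTS) -> list[str]:
    """Reasons a Level 2 assessment with these open items could not close with a POA&M.

    An empty list means a conditional certification (POA&M, 180-day closeout) is possible.
    """
    blockers: list[str] = []
    total = score(statuses, weights)
    if total < 0.8 * MAX_SCORE:
        blockers.append(f"score {total} is below the 80% floor ({0.8 * MAX_SCORE:.0f})")
    for req in weights:
        status = statuses[req]
        if status not in OPEN:
            continue
        points = deduction(req, status, weights)
        if req in NEVER_ON_POAM:
            blockers.append(f"{req} may never be placed on a POA&M")
        elif points > 1 and not (req == "3.13.11" and points == 3):
            blockers.append(f"{req} is open at {points} points; only 1-point items may be deferred")
    return blockers


# Constructed assessment snapshots for the gaps listed in this article; not client data.
BEFORE = """requirement,status,note
3.1.1,met,role-based groups in AD
3.1.2,met,
3.3.1,met,events forwarded to SIEM
3.3.8,not_met,local admins can clear the event log
3.5.3,partial,MFA on VPN and admin accounts only
3.6.1,not_met,no written incident response plan
3.6.2,not_met,no tracking or reporting procedure
3.13.11,partial,TLS everywhere but modules are not FIPS-validated
"""

AFTER = """requirement,status,note
3.1.1,met,
3.1.2,met,
3.3.1,met,
3.3.8,not_met,forwarding done; write-once storage still pending
3.5.3,met,MFA enforced for all users
3.6.1,met,IR plan approved and exercised
3.6.2,met,ticketing plus 72-hour DoD reporting procedure
3.13.11,partial,FIPS mode rollout scheduled
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        st = parse_assessment(text)
        print(f"{label}: score {score(st)}; POA&M blockers: {poam_blockers(st) or 'none'}")
```

On the constructed “before” snapshot the five open items cost 15 points (95 on the partial table) and three of them are too heavy to defer, so no POA&M would be accepted; after remediating MFA and incident response only the two 1-point or partial-credit items remain open (106), which is the shape of an assessment that can close conditionally. Note that “partial” on anything other than 3.5.3 and 3.13.11 is scored at full weight: the methodology gives no credit for half-done controls.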

The timeline is real

CMMC’s phased rollout under the 48 CFR acquisition rule began on 10 November 2025. Phase 1, active now, puts Level 1 and Level 2 self-assessment requirements into new solicitations. Phase 2, from November 2026, adds Level 2 C3PAO certification for contracts involving CUI. Phase 3, from November 2027, adds Level 3. By Phase 4, in November 2028, the requirement will be in all applicable DoD contracts, including option periods on contracts awarded earlier.

Preparation for a Level 2 assessment typically takes 9 to 12 months for organizations starting from a moderate baseline. If you’re starting from scratch — no SSP, no documented controls, no scoped CUI environment — you’re looking at 12 to 18 months of work.

That means contractors who haven’t started are already behind. Not impossibly behind. But the window is narrowing.

The contractors who start preparation now will have a competitive advantage for every contract that includes CMMC requirements. The ones who wait will be scrambling while their competitors are already certified.

What the path forward looks like

The process is straightforward, even if the execution is substantial.

•        Gap assessment against Level 1 (15 requirements) or Level 2 (110 requirements)

•        CUI scoping — identify where CUI lives and limit its exposure

•        Remediation of identified gaps across all applicable controls

•        SSP and POA&M development and maintenance

•        SPRS score calculation and submission

•        C3PAO assessment preparation (Level 2)

•        Ongoing compliance management — CMMC is not a one-time certification

Every engagement we do starts with a gap assessment. No assumptions. No sales pitch. A structured evaluation of where you stand against the requirements, your current SPRS score estimate, and a prioritized remediation plan.

Because the worst position for a DoD contractor is finding out they’re not compliant from their assessor. Or worse, from a contracting officer.

Know where you stand before your assessor does

Run a free CMMC gap assessment at northstartechnologygroup.com/security-check • 866-337-9096

ABOUT THE AUTHOR

Ken Satkunam, CISM

President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the CISM credential from ISACA and is the co-author of the Amazon best-seller Cyber Attack Prevention. NorthStar has been recognized on the Inc. 5000 list in 2024 and 2025.

CISM   •   Inc. 5000   •   MSP 500   •   Published Author   •   25+ Years
