FieldLedger
May 11, 2026 · FieldLedger

CMMC Level 1 vs Level 2 Checklist — The 17 vs 110 Controls Compared Side by Side

CMMC Level 1 covers the basic safeguarding requirements of FAR 52.204-21 (15 in the FAR, expressed as 17 NIST SP 800-171 practices) for FCI. Level 2 covers all 110 NIST SP 800-171 Rev 2 controls for CUI. Side-by-side checklist of what each requires, who can self-assess, and the practical decision logic for SMB contractors.

This is the side-by-side. Level 1 is FAR 52.204-21's basic safeguarding requirements: 15 in the FAR text, 17 when mapped to NIST SP 800-171 practices. Level 2 is NIST SP 800-171 Rev 2's full 110 controls. Knowing which level applies to which contract drives the entire compliance budget. Most SMBs over- or under-shoot. This guide tells you the rule and the exceptions.

The decision rule

You handle | Required level
FCI only, no CUI | Level 1 (self-assessment)
CUI of standard sensitivity | Level 2 (Self-Assessment or C3PAO Certification; the solicitation specifies which)
CUI on higher-sensitivity or critical programs | Level 2 Certification (C3PAO assessment required)
CUI on the highest-priority programs, with NIST SP 800-172 requirements | Level 3 (DIBCAC assessment, on top of a Level 2 certification)

The contract clause specifies. If the solicitation says Level 1, that is the floor. If it says Level 2, you are committing to all 110 controls. Do not bid a Level 1 posture against a Level 2 requirement: the contracting officer checks SPRS for the required CMMC status before award, and without it you are ineligible.

Level 1 — the 17 controls

Level 1 implements FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Its 15 requirements map to 17 NIST SP 800-171 practices, listed here with their 800-171 numbers. All of them are basic IT hygiene:

# | 800-171 practice | Requirement | Plain English
1 | 3.1.1 | Limit system access to authorized users | User accounts, role-based access
2 | 3.1.2 | Limit access to the functions authorized users may perform | Don't give every user admin
3 | 3.1.20 | Verify and control connections to and use of external systems | VPN, partner network, and cloud service access controls
4 | 3.1.22 | Control information posted on publicly accessible systems | Review what gets posted publicly
5 | 3.5.1 | Identify users, processes, and devices | Unique IDs, no shared accounts
6 | 3.5.2 | Authenticate users, processes, and devices | Passwords or stronger
7 | 3.8.3 | Sanitize or destroy media before disposal or reuse | Wipe drives before recycling laptops
8 | 3.10.1 | Limit physical access to systems and operating environments | Locked offices, visitor controls
9 | 3.10.3 | Escort visitors and monitor visitor activity | Don't leave guests alone in work areas
10 | 3.10.4 | Maintain audit logs of physical access | Visitor logs, badge access records
11 | 3.10.5 | Control and manage physical access devices | Manage keys and badges
12 | 3.13.1 | Monitor, control, and protect communications at system boundaries | Firewall basics
13 | 3.13.5 | Implement subnetworks for publicly accessible components | DMZ pattern
14 | 3.14.1 | Identify, report, and correct system flaws in a timely manner | Patching basics
15 | 3.14.2 | Provide protection from malicious code | Antivirus or EDR
16 | 3.14.4 | Update malicious code protection mechanisms | Keep antivirus current
17 | 3.14.5 | Perform periodic scans and real-time scans of files from external sources | Scheduled and on-access scanning

Assessment: annual self-assessment. Each practice is scored MET or NOT MET; the result and a senior company official's annual affirmation are entered in SPRS. No POA&M is allowed at Level 1 (every practice must be MET), and there is no external verification.

Realistic preparation effort: 20–80 hours for a small contractor that's already running basic IT hygiene. Most of the time is documentation, not new implementation.

Realistic cost: $2K–$10K Year 1, primarily internal time. No special tools required beyond basic IT (firewall, antivirus, MFA).

Level 2 — the 110 controls

Level 2 implements NIST 800-171 Rev 2. The 110 controls span 14 families:

Family | Controls | Theme
3.1 Access Control | 22 | Who can do what, where, when
3.2 Awareness and Training | 3 | Annual security training
3.3 Audit and Accountability | 9 | Logging, retention, review
3.4 Configuration Management | 9 | Approved baselines, change control
3.5 Identification and Authentication | 11 | MFA (3.5.3), account lifecycle
3.6 Incident Response | 3 | Detection, handling, reporting, recovery (the 72-hour clock itself comes from DFARS 7012, not 800-171)
3.7 Maintenance | 6 | Authorized maintenance, controlled remote maintenance
3.8 Media Protection | 9 | CUI on removable media, sanitization
3.9 Personnel Security | 2 | Screening before CUI access, offboarding
3.10 Physical Protection | 6 | Facility, alternate work sites
3.11 Risk Assessment | 3 | Periodic risk assessment, vulnerability scanning (3.11.2)
3.12 Security Assessment | 4 | Periodic assessment, POA&M, system security plan (3.12.4)
3.13 System and Communications Protection | 16 | Boundary protection, FIPS-validated crypto (3.13.11)
3.14 System and Information Integrity | 7 | Patching, malware protection, monitoring

See the NIST 800-171 compliance guide for the full breakdown of which family kills SMB scores and where DCAA-compliant accounting overlaps.

Assessment: depends on the contract.

  • Level 2 Self-Assessment: self-assessment every 3 years plus an annual affirmation, both entered in SPRS. Scored with the same NIST SP 800-171 DoD Assessment Methodology already used for DFARS 252.204-7019/7020 scores.
  • Level 2 Certification: C3PAO assessment every 3 years plus an annual affirmation. The C3PAO records the result and it is reflected in SPRS.

Realistic preparation effort:

  • If you're already DFARS 7012-compliant: 100–300 hours to assemble assessment evidence and close the control gaps that the POA&M rules do not allow you to carry.
  • If you're starting from scratch: 1,000–2,000 hours over 6–12 months.

Realistic cost:

  • Level 2 Self-Assessment (already DFARS 7012-compliant): $5K–$15K incremental Year 1.
  • Level 2 Self-Assessment (starting fresh): $22K–$62K Year 1 (per the NIST 800-171 guide).
  • Level 2 Certified: add $20K–$80K for the C3PAO assessment + 6–12 months prep.

Side-by-side feature comparison

Dimension | Level 1 | Level 2
Underlying spec | FAR 52.204-21 | NIST SP 800-171 Rev 2
Control count | 17 practices (15 FAR requirements) | 110
Information protected | FCI | CUI
Assessment | Annual self-assessment | Self-assessment or C3PAO certification every 3 years, annual affirmation either way
MFA required | No (3.5.3 is a Level 2 practice) | Yes (3.5.3)
FIPS-validated crypto | No | Yes (3.13.11)
Vulnerability scanning | No | Yes (3.11.2)
Incident response capability | Not required (recommended) | Yes (3.6.1)
72-hour cyber incident reporting | No | Yes, via DFARS 252.204-7012 (not an 800-171 control)
Background screening | No | Yes (3.9.1)
Documented SSP | Not required (recommended) | Yes (3.12.4)
POA&M | Not permitted; every practice must be MET | Permitted only within the 32 CFR 170.21 limits, with 180-day closeout
SPRS posting | Yes | Yes
Recurring annual cost | $2K–$10K | $15K–$62K
C3PAO assessment cost | n/a | $20K–$80K (Certification path only)

What FCI actually means

Federal Contract Information, as FAR 4.1901 defines it, is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service. It includes contract terms, routine deliverables, and project artifacts that aren't designated CUI. Almost every federal contract involves FCI, including basic services contracts.

What's NOT FCI:

  • Information the Government has released to the public (press releases, public announcements)
  • Past performance data cleared for release
  • Simple transactional information, such as what is needed to process payments

What IS FCI:

  • Contract pricing details
  • Internal project schedules
  • Routine deliverables not marked CUI

If you have ANY federal contract today, you almost certainly handle FCI. Level 1 is the floor.

When Level 1 is enough

If every one of these is true, Level 1 is sufficient:

  • You have no contracts with the DFARS 252.204-7012 clause
  • You have no CUI source materials from any agency
  • Your deliverables are not designated CUI
  • You don't subcontract to anyone whose work involves CUI

Practically, this is most consulting/services contractors that don't touch defense, intelligence, or sensitive civilian work. Many SBIR Phase I awards are Level 1 only. Many GSA Schedule contracts for routine services are Level 1.

When you must move to Level 2

Any one of these triggers Level 2:

  • Contract has the DFARS 7012 clause
  • Contract designates deliverables as CUI
  • Contract provides CUI source materials
  • You subcontract to a prime requiring Level 2 flowdown

If you've handled CUI in the past 18 months, plan for Level 2 going forward. The work doesn't go away because the contract ended.

The "Level 2 Self vs Certified" question

The contract specifies. The pattern emerging from Phase 1/2 of CMMC rollout:

  • Lower-sensitivity Level 2 contracts (most CUI, most contracts): Self-Assessment is acceptable
  • Higher-sensitivity Level 2 contracts (designated programs, certain weapons systems support): Certified required

You don't choose your level. You implement the 110 controls either way. The difference is who verifies.

Annual vs 3-year cycles

  • Level 1: annual self-assessment. Re-post to SPRS every year.
  • Level 2 Self-Assessment: triennial self-assessment plus an annual affirmation in SPRS. A new assessment is needed sooner if the assessed scope changes significantly.
  • Level 2 Certification: triennial C3PAO assessment plus the same annual affirmation by a senior company official. There is no separate annual surveillance assessment.

The triennial cycle for Level 2 is generous on paper but tight in practice. The annual affirmation attests that you still meet every requirement, and significant changes to the assessed environment (a new CUI enclave, a major architecture change, a new cloud or managed service provider) require a fresh assessment before you can honestly affirm. Keep evidence assessment-ready continuously, and plan for a full reassessment closer to every two years than every three.

What the POA&M limits mean

Under DFARS 252.204-7019/7020 alone, you could post a SPRS score of 80 with a dozen controls on the POA&M and still bid. CMMC tightens this (32 CFR 170.21). A Level 2 POA&M, on either the self-assessment or the C3PAO path, is allowed only when all of the following hold:

  • Your score is at least 88 (0.8 × 110).
  • No open item is worth more than 1 point under the DoD Assessment Methodology, with one exception: 3.13.11 (FIPS-validated cryptography) may be on the POA&M if encryption is in use but not FIPS-validated.
  • None of the five 1-point Level 1 practices (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) is open. Level 1 practices can never be on a POA&M.
  • Every POA&M item is closed out within 180 days and verified by a closeout assessment on the same path (self or C3PAO) as the original.

The 5-point and 3-point requirements that most often stop an assessment cold are:

  • Multi-factor authentication (3.5.3)
  • FIPS-validated cryptography (3.13.11) where no encryption is in place at all
  • An incident-handling capability (3.6.1)
  • System audit logging (3.3.1)
  • Personnel screening before CUI access (3.9.1)

If the POA&M conditions are met you receive a Conditional Level 2 status and 180 days to close out. If they are not met, the assessment result is simply NOT MET. There is no partial certification.
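To make the rule concrete, here is a small eligibility checker. It is an example added to this page, not code from FieldLedger or from the CMMC program. Scoring follows the DoD Assessment Methodology (start at 110, subtract 1, 3 or 5 points per NOT MET requirement); the point weights on the sample findings are as recalled from that methodology and the findings themselves are constructed, so verify weights against the current methodology before relying on them.

```python
"""Level 2 POA&M eligibility under the CMMC final rule (32 CFR 170.21).

Added example, not code from the original post or from the CMMC program.
Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at 110
and subtract 1, 3 or 5 points per NOT MET requirement. The weights on the
sample findings below are as recalled from that methodology and the findings
are constructed; verify weights against the current methodology.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
POAM_SCORE_FLOOR = 88  # 0.8 x 110

# 1-point requirements that may never sit on a Level 2 POA&M: these are the
# Level 1 (FAR 52.204-21) practices that happen to be weighted 1 point.
POAM_BARRED_ONE_POINTERS = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})

# The single requirement worth more than 1 point that may still be on a POA&M:
# 3.13.11 (FIPS-validated cryptography), when encryption is in use but not
# FIPS-validated, which the methodology scores as a 3-point deduction.
FIPS_EXCEPTION_ID = "3.13.11"
FIPS_PARTIAL_DEDUCTION = 3


@dataclass(frozen=True)
class Finding:
    """One NOT MET requirement from an assessment."""
    req_id: str     # NIST SP 800-171 Rev 2 requirement id
    weight: int     # full point value of the requirement: 1, 3 or 5
    deduction: int  # points actually lost; below weight only where partial credit applies

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        if not 1 <= self.deduction <= self.weight:
            raise ValueError(f"{self.req_id}: deduction must be between 1 and weight")


def sprs_score(findings):
    """SPRS score: 110 minus the points lost across all NOT MET requirements."""
    return TOTAL_REQUIREMENTS - sum(f.deduction for f in findings)


def poam_eligibility(findings):
    """Return (eligible, reasons).

    eligible=True means the open items could go on a POA&M and a Conditional
    Level 2 status be granted, with 180 days to close them out.
    """
    reasons = []
    score = sprs_score(findings)
    if score < POAM_SCORE_FLOOR:
        reasons.append(f"score {score} is below floor {POAM_SCORE_FLOOR}")
    for f in findings:
        if f.req_id in POAM_BARRED_ONE_POINTERS:
            reasons.append(f"{f.req_id} is a Level 1 practice and cannot be on a POA&M")
        elif f.weight > 1:
            fips_partial = f.req_id == FIPS_EXCEPTION_ID and f.deduction == FIPS_PARTIAL_DEDUCTION
            if not fips_partial:
                reasons.append(f"{f.req_id} is worth {f.weight} points and must be MET")
    return (not reasons, reasons)


# Constructed sample assessments (not real results).
SCENARIOS = {
    # No MFA at all: the score is high, but 3.5.3 is a 5-point requirement.
    "mfa_open": [Finding("3.5.3", 5, 5), Finding("3.1.3", 1, 1)],
    # Encryption in place but not FIPS-validated: the one >1-point exception.
    "fips_partial": [Finding("3.13.11", 5, 3), Finding("3.1.3", 1, 1)],
    # A single open Level 1 practice: score 109, still not POA&M-eligible.
    "level1_open": [Finding("3.1.20", 1, 1)],
}


if __name__ == "__main__":
    for name, findings in SCENARIOS.items():
        eligible, reasons = poam_eligibility(findings)
        print(f"{name}: score={sprs_score(findings)} poam_ok={eligible} {reasons}")
```

The point the scenarios make: a score of 104 with MFA missing fails, a score of 109 with one open Level 1 practice fails, but a score of 106 with non-FIPS encryption in place passes into Conditional status. Score alone tells you very little about whether you can carry a POA&M.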

What to do this week

  1. Pull every active federal contract. Identify which are Level 1 (FCI only) and which are Level 2 (CUI involved).

  2. For Level 1 contracts: confirm your annual self-assessment is current. If not, run it this week. It's 20–80 hours of work.

  3. For Level 2 contracts: confirm your DFARS 7012 SPRS score is current (within 3 years) and at least 88 with none of the POA&M-barred items open. If not, that's your starting point. The same work satisfies CMMC Level 2 Self-Assessment.

  4. Identify any contracts likely to require Level 2 Certification, typically higher-sensitivity DoD work. The CMMC level stated in the solicitation is the only authoritative signal. Start the C3PAO conversation 6+ months ahead of the expected requirement.

  5. Build your evidence base. Implementation alone isn't enough at Level 2 Certification: assessors examine artifacts, interview staff, and test controls, so show consistent application, retained evidence, and repeatability across the organization.
