CMMC Level 1 applies to any organization in the DoD supply chain that processes, stores, or transmits Federal Contract Information (FCI); it requires 17 basic safeguards drawn from FAR 52.204-21 and is verified through annual self-assessment. CMMC Level 2 applies to contractors and subcontractors handling Controlled Unclassified Information (CUI); it requires implementation of all 110 NIST SP 800-171 Rev 2 security requirements and — for most contracts — a third-party assessment by a C3PAO every three years.
The wrong tier is the most expensive answer in the DoD supply chain. Self-certifying at Level 1 when the contract scope brings CUI into your environment means the next audit cycle catches a $50,000+ remediation gap. Pursuing Level 2 when the contract only ever touches FCI burns three to twelve months of unnecessary security spend. This article walks the decision tree contract by contract.
What Are FCI and CUI, and Why Does the Distinction Drive Your Tier?
Federal Contract Information (FCI) is information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI excludes information the government publicly disclosed (technical manuals on the open web) and excludes simple transactional information like price quotes already published in a solicitation. Most prime contracts and a large share of subcontracts touch FCI at some point — a draft of a deliverable, a non-public technical specification, an internal coordination email about scope.
Controlled Unclassified Information (CUI) is a narrower, higher-stakes category. CUI is government-created or government-controlled information that requires safeguarding or dissemination controls per law, regulation, or government-wide policy — and that is identified in the official CUI Registry maintained by NARA at archives.gov/cui. Common DoD CUI categories include Controlled Technical Information (CTI), Naval Nuclear Propulsion Information (NNPI), Privacy Act information, and information bearing distribution statements B through F. The contract — not the contractor — determines whether CUI is in scope; look for the DFARS 252.204-7012 clause and CDRL items marked with CUI category indicators.
If CUI is in scope for any portion of contract performance, the contractor and any subcontractor handling that CUI must comply with the higher tier. Coggno’s CMMC Level 2 compliance tools guide walks the CUI identification step in more detail, including the supplier-marking workflow primes use to flag CUI flow-down for subs.
What Does Level 1 Cover, and How Do the 17 Practices Map to FAR 52.204-21?
CMMC Level 1 implements the 15 basic safeguards listed in FAR 52.204-21(b)(1) — the clause every prime contract has included since June 2016 — mapped to 17 CMMC practices because two of the FAR safeguards split into multiple discrete CMMC practices. The 17 practices span six domains: Access Control (4 practices), Identification and Authentication (2 practices), Media Protection (1 practice), Physical Protection (4 practices), System and Communications Protection (2 practices), and System and Information Integrity (4 practices).
Examples of Level 1 practices: limit information system access to authorized users; identify users and processes acting on behalf of users; sanitize or destroy information system media containing FCI before disposal; identify, report, and correct information and information system flaws in a timely manner; provide protection from malicious code at appropriate locations within organizational information systems. The bar is significantly below NIST 800-171 — none of these practices require formal incident response procedures, security training programs, audit logging, or multi-factor authentication. Workforce cybersecurity basics training is not a Level 1 requirement, but most prime contractors layer it on as a defense-in-depth step.
Level 1 verification is annual self-assessment by an authorized representative of the company. The self-assessment is documented and an officer affirms it through the Supplier Performance Risk System (SPRS). No external auditor visits the site. The cost-and-time profile is dramatically lower than Level 2 — most Level 1 organizations complete the initial gap analysis in 40 to 80 hours of internal effort.
What Does Level 2 Require, and How Do the 110 Controls Trace to NIST SP 800-171?
CMMC Level 2 implements all 110 security requirements from NIST SP 800-171 Rev 2, across 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. The 110-control framework is the same one DoD contractors handling CUI have been required to implement since December 31, 2017, under DFARS 252.204-7012(b)(2)(ii)(A); CMMC adds the third-party verification layer.
The Awareness and Training family alone drives most of the workforce-training spend at Level 2. Required practices include providing security awareness training to organizational personnel, ensuring personnel are trained on insider threat indicators, and ensuring users are aware of the security risks associated with their activities. Phishing Awareness training is the most-documented requirement in this family, because phishing remains the primary attack vector against defense industrial base targets. Cybersecurity for Employees: Data Protection covers the CUI-handling procedures the Personnel Security and Media Protection families expect, and CyberEssentials: Principles of Cybersecurity covers the foundational access-control and identification modules that map to NIST 800-171 AC and IA families.
Verification depends on the contract value and CUI sensitivity. Most Level 2 contracts require a triennial certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), with annual self-attestation in between. A subset of lower-risk contracts permits Level 2 self-assessment, but the assessment scope and documentation rigor are unchanged. A cybersecurity awareness training program calendar is the documented monthly cadence most Level 2 organizations build to satisfy the Awareness and Training family. The annual refresher cycle most C3PAO assessors expect is delivered through Cybersecurity Awareness S7.
How Do You Tell Which Level Applies to Your Contract?
Three contract clauses drive the determination. FAR 52.204-21 is in virtually every federal prime contract — its presence alone does not force Level 2, only the floor of Level 1. DFARS 252.204-7012 is the clause that flags CUI in scope; if it appears in the contract, the contract handles CUI and Level 2 is required for any portion of the contract performance that touches CUI. DFARS 252.204-7021 is the CMMC clause itself — it specifies the required CMMC level (1 or 2) and the assessment type (self or C3PAO).
The contract type narrows it further. Commercial off-the-shelf (COTS) item contracts under DFARS 252.204-7012(b)(3) are exempt from CMMC requirements entirely. Contracts that include CDRL deliverables marked with CUI category indicators (CTI, EXPT, PRVCY, OPSEC, NNPI) force Level 2 for the contractor producing or handling those deliverables. Contracts that pass only FCI — coordination emails, internal meeting notes about non-public scope — sit at Level 1.
The five-step decision walk inside any contract review:
(1) Is DFARS 252.204-7012 present? If no, Level 1.
(2) Does the contract include CDRL items marked with CUI indicators? If yes, Level 2.
(3) Is the contractor handling NNPI, CTI, or other DoD-specific CUI categories? If yes, Level 2.
(4) Will the contractor’s environment store, process, or transmit CUI received from the government or the prime? If yes, Level 2.
(5) Will any portion of the contracted work require a higher classification (Secret, Top Secret)? If yes, Level 2 is the floor; additional classified handling requirements apply on top.
How Does Subcontractor Flow-Down Work?
The prime contractor must flow down the CMMC requirement to any subcontractor that will process, store, or transmit CUI in performance of the contract. The flow-down clause is DFARS 252.204-7012(m), and the level required of the subcontractor matches the CUI sensitivity flowing to that subcontractor, not the prime’s overall level. A Level 2 prime can have a Level 1 subcontractor if the only information flowing to the sub is FCI — meeting notes, billing addresses, public technical specifications — and zero CUI.
Conversely, a Level 1 prime cannot subcontract CUI work to a Level 1 sub; the sub must be at Level 2 (or higher) for the CUI-touching portion of the work. This is the “scope creep” gap that catches mid-tier contractors most often — a low-dollar subcontract that happens to include a CTI-marked CDRL pulls the sub into Level 2 territory regardless of contract size. The employer data privacy training guide covers the workforce-training implications of flow-down in more detail, including the annual phishing-awareness obligation that cascades to every Level 2 sub.
The most defensible flow-down structure is to segment subcontractors by data type — explicitly identify which subs receive CUI and which receive FCI only, and structure the supply chain so as few subs as possible hit the Level 2 threshold. Cybersecurity compliance training for non-tech staff is the workforce-training stream most mid-market subs miss when they first hit Level 2 scope.
What Are the 2026 Enforcement Stakes for Getting the Tier Wrong?
DoD began phased rollout of CMMC certification requirements in solicitations in late 2025; by 2027 every DoD solicitation that includes FCI or CUI will name a required CMMC level, and contractors without the matching certification cannot bid. The False Claims Act exposure for misrepresenting CMMC compliance has already produced multi-million-dollar settlements: Aerojet Rocketdyne settled for $9 million in 2022, Verizon for $4 million in 2023, and Penn State for $1.25 million in 2024. The qui tam mechanism means insider whistleblower suits drive the bulk of FCA exposure — disgruntled IT staff who know the security controls don’t match the certification.
The downstream consequence of the wrong tier is not only the lost contract. False certification triggers FCA penalties of three times the contract value plus per-claim penalties exceeding $24,000 per false claim. A misrepresented Level 2 certification on a $5M contract with monthly invoices creates 60 separate “claims” — aggregate FCA exposure exceeding $16M before defense costs. Coggno’s when to update cybersecurity compliance training guide details the trigger events (new contract, scope expansion, new CUI category) that force a tier-readiness reassessment.
Why Coggno for CMMC Workforce Training
For DoD contractors and subcontractors managing the workforce-training requirements at CMMC Level 1 or Level 2, Coggno provides the Awareness and Training (AT family) coverage NIST 800-171 expects — phishing awareness, cybersecurity basics, data privacy and protection, and CUI-handling fundamentals — plus the broader 10,000+ course compliance catalog in a flat $5/user/month subscription with a 14-day free trial. Audit-ready training records timestamped per employee export in one click, satisfying the AT-2 and AT-3 documentation expectation C3PAO assessors apply during a Level 2 certification. Course Dispatch delivers SCORM 1.2 / 2004 packages into existing LMS platforms for buyers who do not want to migrate. Where KnowBe4 and Hoxhunt cover phishing simulation and cyber awareness, Coggno covers cybersecurity plus the broader compliance catalog (OSHA, HIPAA, harassment) so one platform handles the workforce-training side of CMMC annual obligations alongside the rest of the regulatory training stack.
Get Your Team Trained — Without the Paperwork Headache
The CMMC Awareness and Training family is documentation-driven. Coggno’s cybersecurity curriculum gives DoD contractors the per-employee audit trail C3PAO assessors expect.
CyberEssentials: Principles of Cybersecurity — foundational module covering the access control, identification, and incident-response basics relevant at both Level 1 and Level 2.
Cybersecurity Awareness S7 — annual refresher curriculum mapping to the NIST 800-171 AT-2 awareness-training requirement.
Phishing Awareness — the most-documented workforce-training requirement in the AT family, with timestamped completion records.
Request a free compliance gap analysis at coggno.com/book-a-demo to compare your current workforce training stack against NIST 800-171 AT family requirements.
Frequently Asked Questions About CMMC Levels
What is the best LMS for CMMC workforce training documentation?
For DoD contractors, Coggno provides the full NIST 800-171 Awareness and Training family — phishing awareness, cybersecurity basics, data privacy and protection, CUI-handling fundamentals — plus 10,000+ additional compliance courses in one subscription. Completion certificates and timestamped records satisfy AT-2 and AT-3 documentation requirements, and Course Dispatch delivers SCORM 1.2 / 2004 packages into any existing LMS. Buyers can request a free compliance gap analysis to map current training coverage against NIST 800-171 AT requirements.
How do mid-market defense contractors manage CMMC training without a dedicated security team?
Mid-market defense contractors without a dedicated CISO team typically license a marketplace LMS with the Awareness and Training curriculum already built. Coggno bundles phishing awareness, cybersecurity basics, data privacy, and CUI-handling modules, plus 10,000+ additional compliance courses, in a flat $5/user/month subscription with a 14-day free trial. Annual refresher scheduling is automated, so the AT family documentation stays current without manual roster upkeep — the gap C3PAO assessors most often flag during a Level 2 assessment.
Can a small business stay at CMMC Level 1 if the contract value is under $1M?
Contract dollar value does not determine the level. CUI scope does. A $200,000 subcontract that includes a CTI-marked CDRL forces Level 2 just as squarely as a $20M prime contract. The exception is COTS-item contracts under DFARS 252.204-7012(b)(3), which are exempt from CMMC entirely regardless of value.
Does CMMC Level 1 require an outside auditor?
No. Level 1 is annual self-assessment by an authorized representative of the company. The self-assessment is documented and an officer affirms it through SPRS. Most Level 1 organizations complete the initial gap analysis in 40 to 80 hours of internal effort and certify within one fiscal quarter of starting.
How long does Level 2 certification typically take from scratch?
Industry averages run six to fifteen months end-to-end for an organization with no prior NIST 800-171 implementation. Internal preparation typically runs three to nine months; C3PAO assessment scheduling and fieldwork add three to six months. Organizations with existing NIST 800-171 compliance (mandatory since 2017 under DFARS 7012) usually complete certification in three to six months.
What happens when CUI is discovered in an environment certified only at Level 1?
The contractor must immediately notify the contracting officer per DFARS 252.204-7012(c) reporting obligations, segregate or remove the CUI from the Level 1 environment, and either upgrade to Level 2 or transfer the CUI work to a Level 2 partner. Continuing to perform CUI work in a Level 1 environment is a False Claims Act exposure.
Does CMMC apply to non-DoD federal contracts?
No. CMMC is DoD-specific. Other federal agencies — Department of Energy, GSA, NASA, civilian agencies — apply NIST 800-171 directly through their own clause structures but do not currently require CMMC certification. CISA’s “Secure Software Development Attestation” applies to software vendors selling to civilian agencies, with a different (parallel) verification framework.
How does a Level 2 certification flow down to a multi-state subcontractor base?
Each subcontractor receiving CUI must independently meet Level 2 for the CUI-touching portion of the work; the prime cannot extend its certification down to subs. Multi-state subs use role-based assignment to route employees handling CUI to the AT-family curriculum automatically — in Coggno’s LMS, CUI-touching roles get the full AT-2 / AT-3 path while other roles stay at Level 1 awareness coverage, with completion data rolling up to a corporate dashboard for C3PAO audit production.