CMMC Compliance Guide for Defense Contractors
CMMC Level 1 vs. Level 2: Which Applies to Your Business?
Published by Overwatch Tools · March 2026 · 12 min read
Before you can comply with CMMC, you need to know which level actually applies to you. For a lot of small contractors, the answer isn't what they expect, and it's not just one level.
Many small defense contractors assume they only need to worry about CMMC Level 1. Some have never heard of Level 2 at all. A few have heard of it and assume it's only for large prime contractors running classified programs. Most of these assumptions are wrong.
The key distinction that determines your CMMC level isn't your company size, your revenue, or how long you've been in the defense industrial base. It comes down to one question: What kind of federal information do you handle?
The answer to that question (FCI, CUI, or both) determines whether you need Level 1, Level 2, or both stacked together. Let's break it down clearly.
What Is FCI? (And Why It Triggers Level 1)
Federal Contract Information (FCI) is information provided by or generated for the federal government under a contract to develop or deliver a product or service, but not intended for public release.
In plain terms: if your company performs work on a DoD contract, you almost certainly handle FCI. It includes things like:
- Contract deliverables and performance data
- Pricing, cost, and schedule information from your contract
- Communications with contracting officers about your work
- Project documentation created for government use
- Proposals, reports, and status updates tied to a contract
FCI is not classified. It's not necessarily sensitive in an intelligence sense. But it's not meant to be publicly shared, and it needs to be protected.
CMMC Level 1 Applies If You Handle FCI
If your company holds or performs a DoD contract, you almost certainly handle FCI, which means CMMC Level 1 applies to your entire organization. Level 1 requires 15 cybersecurity practices drawn from FAR 52.204-21 and is satisfied through an annual self-assessment. There is no third-party assessment option for Level 1; it is always self-assessed.
The Overwatch Tools L1 Turnkey Package ($2,495/year) is built specifically for this: 15 practices mapped to 142 required artifacts, platform-specific templates for Microsoft 365 or Google Workspace, bi-weekly consulting sessions, and SPRS reporting. Most clients complete their Level 1 assessment in 2–4 weeks.
What Is CUI? (And Why It Triggers Level 2)
Controlled Unclassified Information (CUI) is a step above FCI in sensitivity. It's information the government has designated as requiring safeguarding under law, regulation, or government-wide policy, but it's not classified.
CUI is identified in your contract documents, often in a DD Form 254 (Contract Security Classification Specification) or in the contract's performance work statement. If your work involves any of the following, there's a strong likelihood CUI is in play:
- Technical drawings, design specifications, or engineering data
- Export-controlled data (ITAR/EAR-related information)
- Research and development information under DoD programs
- Certain contract performance data explicitly marked as CUI
- Information marked with CUI category labels (e.g., "CUI//SP-CTI" or "CUI//PRVCY")
- Data shared under a controlled distribution notice
If you receive, generate, store, process, or transmit any of this kind of information as part of your contract, CMMC Level 2 also applies to your organization โ specifically to the systems and devices that touch that CUI.
⚠️ "I Don't Think I Handle CUI" Is Not the Same as "I Don't Handle CUI"
Many contractors are surprised to find out they handle CUI. It's often not labeled clearly in the day-to-day work. Technical drawings from a prime contractor, performance data under certain programs, and engineering specifications can all constitute CUI without a visible label on every document. If your contract includes a DD Form 254, there's a strong chance CUI is involved. When in doubt, a 30-minute scope review with an expert is the fastest way to know for sure.
FCI vs. CUI: A Side-by-Side View
Federal Contract Information (FCI)
- What it is: General contract work product not for public release
- Who has it: Virtually all DoD contractors
- Examples: Deliverables, schedules, pricing, status reports
- Assessment: Annual self-assessment only
- Practices: 15 practices
- Scope: Entire company environment
- Investment: $2,495/year (L1 Turnkey)
Controlled Unclassified Information (CUI)
- What it is: Sensitive data requiring enhanced protection
- Who has it: Contractors with marked CUI in their contracts
- Examples: Tech drawings, ITAR data, R&D specs, marked contract data
- Assessment: Self-assessment (eligible programs) or C3PAO
- Practices: 110 practices mapped to 182 artifacts
- Scope: CUI enclave only
- Investment: $3,495/year (L2 CUI Enclave)
The critical insight here: Level 2 does not replace Level 1. It is applied on top of it, specifically to your CUI environment.
Do You Handle CUI? A Plain-Language Self-Check
Use the following checklist to help you identify whether CUI is likely part of your contract. This is not a definitive legal assessment; it's a practical starting point.
CUI Self-Identification Checklist
- ☐ My contract includes a DD Form 254 (Contract Security Classification Specification)
- ☐ I receive or access technical drawings, specifications, or engineering data from the government or a prime contractor
- ☐ My work involves items on the ITAR U.S. Munitions List or EAR Commerce Control List
- ☐ I generate or store research and development data under a DoD-funded program
- ☐ I've received documents or files marked "CUI," "FOUO," "Controlled," or similar markings
- ☐ My prime contractor or customer has mentioned CUI handling or DFARS 252.204-7012 in my contract
- ☐ My work involves design, development, testing, or production of defense systems or components
If you checked even one of these, CUI may be in scope for your business. A free 30-minute scope review is the fastest way to confirm.
Not Sure Which Level Applies to Your Contracts?
Start with the free CMMC Assessment Tool: no credit card, no obligation. Results in under 30 minutes. It evaluates all 15 Level 1 practices, identifies gaps, and flags whether Level 2 may apply to your contracts.
Why Most CUI Handlers Need Both Levels
Here's the part that surprises many contractors: if you handle CUI, you don't get to skip Level 1. Level 1 applies to your entire business environment. Level 2 applies additionally to the specific systems and devices where CUI lives.
Think of it as two layers of compliance working at different scopes:
| CMMC Level | What It Covers | Assessment Type | Annual Cost (Overwatch Tools) |
|---|---|---|---|
| Level 1 | Your entire company environment: all devices and systems used for contract work | Annual self-assessment | $2,495/yr |
| Level 2 | Your CUI enclave only: the dedicated, isolated environment where CUI is handled | Annual self-assessment (eligible programs) or C3PAO | $3,495/yr |
| Both Combined | Full FCI + CUI coverage: complete CMMC posture for CUI-handling contractors | Self-assessment for both levels | $5,990/yr |
The combined investment of $5,990/year covers both your Level 1 and Level 2 self-assessments โ full CMMC posture for a small contractor handling CUI. Compare that to a C3PAO third-party assessment, which runs $50,000 or more and is required if your program is not eligible for self-assessment at Level 2.
✓ The Math Is Straightforward
$5,990/year for complete FCI + CUI coverage through self-assessment. A C3PAO third-party assessment for Level 2 programs not eligible for self-assessment runs $50,000+, and that doesn't include implementation support. For small contractors with programs eligible for self-assessment, the numbers make the decision easy.
A Brief Introduction to the CUI Enclave
When we talk about Level 2 applying to your CUI footprint, what does that actually mean in practice? The short answer: a CUI enclave.
A CUI enclave is a dedicated, isolated environment, separate from your general business systems, where all CUI is stored, processed, and transmitted. Think of it as a walled-off digital workspace that only handles CUI, running on separate devices or accounts that never touch your everyday business tools.
For a small contractor, this doesn't mean building an enterprise data center. It means setting up a focused, right-sized environment using a government-grade cloud platform (either Google Workspace for Government or Microsoft 365 GCC High) on dedicated devices (Windows laptops or Chromebooks). No Active Directory. No SIEM. No full-time IT staff required.
The Overwatch Tools L2 CUI Enclave Package is built specifically for this: 110 practices mapped to 182 defined artifacts, dedicated enclave configuration guides for both platforms, a pre-filled System Security Plan, and 12 bi-weekly consulting sessions, all implementable part-time, with time estimates on every task.
We cover the CUI enclave in much greater depth in Article 2 of this series: "What Is a CUI Enclave and Do You Need One?"
A Note on Self-Assessment Eligibility
Not every CMMC Level 2 program qualifies for self-assessment. Under the CMMC framework, some programs are designated as requiring a Certified Third-Party Assessment Organization (C3PAO), a formal, expensive, multi-day assessment process. These programs cannot self-assess at Level 2.
However, many Level 2 programs, particularly those at smaller contractors with limited CUI scope, are eligible for annual self-assessment. This is the window the Overwatch Tools L2 CUI Enclave Package is built for.
⚠️ Self-Assessment Programs Only
The Overwatch Tools L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope for this package. Not sure which category your program falls into? A 30-minute scope review can clarify this quickly.
How do you know if your program qualifies for self-assessment? The short answer: check your contract and your program designation. Your contracting officer or the prime contractor above you in the supply chain can often confirm this. A consultation with a CMMC specialist is also a fast and reliable way to determine your assessment path.
We cover self-assessment eligibility, how to confirm your program status, and what happens if requirements change in Article 3 of this series: "CMMC Level 2 Self-Assessment: Who Qualifies and What's Required?"
Putting It All Together: Which Level Applies to You?
Here's a simple decision map based on what your contracts involve:
| Your Situation | CMMC Level Required | Assessment Type |
|---|---|---|
| You perform DoD contract work and no CUI is identified in your contracts | Level 1 only | Annual self-assessment |
| You handle CUI under an eligible self-assessment program | Level 1 + Level 2 | Self-assessment for both levels |
| You handle CUI under a program designated for C3PAO assessment | Level 1 + Level 2 | L1 self-assessment + L2 C3PAO |
| You're not sure which category applies to your contracts | Start with the free assessment tool | Book a free scope review to confirm |
The Short Version
If you're a DoD contractor, you need Level 1 at minimum. If your contracts involve CUI (and many do, often without contractors fully realizing it), you need Level 2 as well, scoped to your CUI enclave. The two levels cover different things and work together, not in place of each other.
What's Next in This Series
This article established the foundation: FCI vs. CUI, and how each maps to a CMMC level. The rest of this series goes deeper on each piece:
- Article 2: What Is a CUI Enclave and Do You Need One? – A practical guide to understanding and scoping a CUI enclave for a small contractor.
- Article 3: CMMC Level 2 Self-Assessment: Who Qualifies and What's Required? – Eligibility, program designation, and what the self-assessment process actually looks like.
- Article 4: Google Workspace for Government vs. Microsoft 365 GCC High for Your CUI Enclave – A platform comparison for small contractors making this decision.
- Article 5: 110 Practices, 182 Artifacts: What CMMC Level 2 Self-Assessment Actually Requires – A ground-level look at the documentation and evidence requirements.
- Article 6: Scoping Your CUI Enclave: How to Limit What Level 2 Applies To – Right-sizing your CUI footprint to reduce compliance burden without cutting corners.
Ready to Confirm Which Levels Apply to Your Business?
The free CMMC Assessment Tool evaluates all 15 Level 1 practices, generates an instant gap analysis, and flags whether Level 2 may apply to your contracts. No credit card required. Results in under 30 minutes.
If you'd rather talk it through, our 30-minute scope review is the fastest way to get a clear answer on exactly which levels apply and what the path looks like.
Investment Summary
- L1 Turnkey Package: 15 practices · 142 artifacts
- Limited time: Save $500
- L2 CUI Enclave Package: 110 practices · 182 artifacts (self-assessment only)
- Both packages: FCI + CUI compliance, vs. $50K+ for a C3PAO assessment
⚠️ L2 Self-Assessment Programs Only
The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Consult your contract documents or schedule a free scope review to confirm your program's assessment designation.
About Overwatch Tools
Overwatch Tools specializes in CMMC Level 1 and Level 2 self-assessment compliance solutions for small defense contractors. Founded by government contracting veterans with 25+ years of experience. Based in Chesapeake, Virginia.
