Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
CMMC Level 1 vs Level 2 Costs
The cost difference between CMMC Level 1 and Level 2 is substantial—often 10x or more. Understanding which level you actually need prevents both overspending on unnecessary certification and underspending on insufficient compliance.
CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.
This guide compares costs between levels and helps you determine which certification your contracts require.
Quick Cost Comparison
| Cost Category | Level 1 | Level 2 |
|---|---|---|
| Requirements | 15 | 110 |
| Gap Assessment | $0 – $5,000 | $5,000 – $25,000 |
| Remediation | $1,000 – $10,000 | $20,000 – $100,000+ |
| Documentation | $500 – $3,000 | $5,000 – $20,000 |
| Technology | $500 – $3,000/year | $15,000 – $50,000/year |
| Assessment | $0 (self) | $15,000 – $50,000+ (C3PAO) |
| Total First Year | $3,000 – $15,000 | $50,000 – $150,000+ |
| Annual Ongoing | $1,000 – $5,000 | $15,000 – $50,000 |
Determining Which Level You Need
Your required level depends on the information you handle—not your preference or budget.
Level 1: Federal Contract Information Only
Level 1 applies if you handle only Federal Contract Information (FCI):
- Basic contract information
- Purchase orders and invoices
- Delivery schedules
- General correspondence
FCI stands for Federal Contract Information—information provided by or generated for the government under contract, not intended for public release.
If your contracts do not include technical specifications, drawings, or other sensitive data, Level 1 may be sufficient.
Level 2: Controlled Unclassified Information
Level 2 applies if you handle Controlled Unclassified Information (CUI):
- Technical drawings and specifications
- Engineering data
- Test results
- Manufacturing processes
- ITAR-controlled information
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
How to Check Your Contracts
Look for these indicators in your contracts:
- DFARS 252.204-7012: If present, you handle CUI and need Level 2
- CUI markings on documents: Technical data marked with distribution statements indicates CUI
- Contract language: Look for references to “controlled unclassified information” or specific CUI categories
DFARS stands for Defense Federal Acquisition Regulation Supplement—contract clauses specific to DoD contracts.
When in doubt, ask your contracting officer or prime contractor.
Level 1 Cost Details
Level 1 is designed to be achievable for small businesses with minimal investment.
What You Are Implementing
15 basic security practices from FAR 52.204-21:
- Access control basics
- User identification and authentication
- Media sanitization
- Physical protection
- Boundary protection
- Malware protection
Why Costs Are Lower
- Fewer requirements (15 vs 110)
- Self-assessment allowed (no C3PAO fees)
- Basic security practices most businesses already have
- Less documentation required
- Simpler technology needs
Typical Level 1 Budget
Minimum viable budget: $3,000 – $5,000
- Use free DoD templates
- Leverage existing security tools
- Self-conduct assessment
- Minimal consulting
Comfortable budget: $8,000 – $15,000
- Professional gap assessment
- Documentation assistance
- Security tool upgrades
- Training platform
Timeline
Most organizations achieve Level 1 in 2-4 weeks with focused effort.
Level 2 Cost Details
Level 2 requires significant investment but protects more sensitive information.
What You Are Implementing
110 security requirements from NIST SP 800-171 covering:
- Access control (22 requirements)
- Audit and accountability (9 requirements)
- Configuration management (9 requirements)
- Identification and authentication (11 requirements)
- And 10 additional control families
NIST SP 800-171 is the federal standard specifying 110 security requirements for protecting CUI.
Why Costs Are Higher
- Seven times more requirements (110 vs 15)
- Third-party assessment often required ($15,000 – $50,000+)
- Enterprise-grade security tools needed
- Extensive documentation (SSP, policies, procedures)
- Ongoing monitoring and maintenance
Typical Level 2 Budget
Lean budget (security-mature organization): $50,000 – $75,000
- Minimal remediation needed
- Efficient documentation approach
- Smaller scope
- Self-assessment if the contract allows
Standard budget: $75,000 – $125,000
- Moderate remediation
- Professional consulting support
- C3PAO certification assessment
- Managed security services
Comprehensive budget: $125,000 – $200,000+
- Significant remediation from a low starting point
- Full consulting engagement
- Enterprise security tools
- Large scope or complex environment
Timeline
Most organizations need 6-18 months to achieve Level 2, depending on the starting point.
Cost Drivers: Level 1 vs Level 2
Assessment Costs
| Type | Level 1 | Level 2 |
|---|---|---|
| Self-Assessment | Allowed (all) | Allowed (some contracts) |
| C3PAO Assessment | Not required | $15,000 – $50,000+ |
The C3PAO assessment alone can exceed total Level 1 costs.
C3PAO stands for Certified Third-Party Assessment Organization—companies authorized to conduct official CMMC assessments.
Technology Requirements
Level 1 needs basic security tools. Level 2 requires enterprise capabilities:
| Capability | Level 1 | Level 2 |
|---|---|---|
| Antivirus | Basic | Advanced EDR |
| Logging | Basic | SIEM/central logging |
| Authentication | Passwords | Multi-factor required |
| Encryption | Optional | Required for CUI |
| Monitoring | Minimal | Continuous |
EDR stands for Endpoint Detection and Response—advanced security software that monitors and responds to threats on computers.
SIEM stands for Security Information and Event Management—software that collects and analyzes security logs.
Documentation Requirements
| Document | Level 1 | Level 2 |
|---|---|---|
| System Security Plan | Recommended | Required |
| Policies | Basic | Comprehensive |
| Procedures | Minimal | Detailed |
| Evidence | Limited | Extensive |
Ongoing Costs
Level 2’s ongoing costs reflect continuous compliance requirements:
| Ongoing Cost | Level 1 | Level 2 |
|---|---|---|
| Tool subscriptions | $500 – $2,000/year | $15,000 – $40,000/year |
| Managed services | Optional | Often needed |
| Reassessment | Annual self | Triennial C3PAO |
| Staff time | Minimal | Significant |
Making the Right Investment
Do Not Over-Certify
If Level 1 meets your contract requirements, do not spend Level 2 money. Verify your actual requirements before investing.
Do Not Under-Certify
If contracts require Level 2, Level 1 certification does not satisfy the requirement. Insufficient certification means contract ineligibility.
Consider Future Contracts
If you plan to pursue contracts requiring Level 2, factor future certification into your business planning. Level 1 today does not preclude Level 2 later.
Start Where You Are
Begin with an honest assessment of your current security posture. Organizations with mature security practices will spend less on remediation regardless of level.
Key Takeaways
CMMC Level 1 costs $3,000 – $15,000 and covers basic security for FCI. Level 2 costs $50,000 – $150,000+ and covers comprehensive security for CUI.
Your required level is determined by the information you handle, not your budget preference. Check your contracts for DFARS 252.204-7012 and CUI markings to determine your actual requirement.
Level 1 allows self-assessment while Level 2 often requires expensive C3PAO certification. This assessment cost difference alone accounts for significant budget impact.
Choose the right level for your contracts—not more, not less.
Related Articles:
- What is CMMC Level 2?
- CMMC Access Control Requirements for Level 2
- How Much Does CMMC Certification Cost?
- CMMC Level 1 Self-Assessment Guide
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on 32 CFR Part 170, FAR 52.204-21, NIST SP 800-171, and industry cost data. Actual costs vary by organization.
Need help determining your CMMC level and budget? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.