
Level 1: Foundational (FCI)

Applies when your contract work involves Federal Contract Information (FCI) but not CUI. The goal is baseline
protection of the contractor information system that stores, processes, or transmits FCI.

Level 1 aligns to the basic safeguarding requirements in FAR 52.204-21 (implemented in CMMC as 17 practices).
It is validated through a Level 1 self-assessment; no POA&Ms are permitted at this level.

Operationally, Level 1 is maintained through:

  • Self-assessment submission in SPRS to achieve “Final Level 1 (Self)”
  • Annual affirmation by an affirming official to attest ongoing compliance

Level 2: Advanced (CUI)

Protects Controlled Unclassified Information (CUI) by implementing the full set of NIST SP 800-171 requirements and demonstrating that those controls are operating effectively.

Most Level 2 work will require a C3PAO third-party assessment on a 3-year cycle, plus an annual affirmation of ongoing compliance.

In more limited cases, DoD may allow a Level 2 (Self) assessment instead of a C3PAO assessment. This is typically tied to the type/category of CUI involved and the acquisition’s risk profile, not a contractor preference. DoD guidance explains that the Program Manager / requiring activity determines whether Level 2 Self is sufficient or whether Level 2 Certification is required, and the Contracting Officer then reflects that requirement in the solicitation/contract.

Because this decision is contract-driven, it can shift over time as DoD refines implementation, mission risk changes, or the same contractor bids different programs. Treat it as a moving target until the solicitation/contract explicitly states “Level 2 (Self)” vs “Level 2 (C3PAO).”

To date, we have seen very few contracts marked as Level 2 that allowed for “Self-Assessment.”

Level 3: Expert (CUI, highest risk)

Builds on Level 2 for organizations supporting the most sensitive CUI missions.
Expected when DoD requires stronger protection due to advanced threat risk, with additional controls beyond the Level 2 baseline.

CMMC Level 1: 17 Safeguards or 15 Controls?

The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:

CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements, just a structural carryover from the original DoD-to-NIST mapping exercise.