What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

CMMC Level 1 vs Level 2: Which Do You Need? Complete Comparison

The Two Levels That Matter

CMMC 2.0 streamlined the original five levels into three, but for most defense contractors, the decision comes down to Level 1 or Level 2. Here's the definitive comparison.

Level 1: Federal Contract Information (FCI)

Level 1 applies to contractors who handle Federal Contract Information (FCI) — information provided by or generated for the government under contract that isn't intended for public release.

Requirements

17 practices derived from FAR 52.204-21
Self-assessment only — no third-party audit required
Annual affirmation submitted to SPRS.mil
Covers basic cyber hygiene: antivirus, password policies, physical access, user awareness

Who Needs Level 1

If your contract includes FAR 52.204-21 but not DFARS 252.204-7012, you likely only need Level 1. This typically includes contractors who:

Provide commercial off-the-shelf (COTS) products
Perform services that don't involve sensitive technical data
Handle general contract correspondence but not CUI

Cost and Effort

Most contractors can achieve Level 1 in 2-4 weeks with minimal investment. The 17 practices are basic IT hygiene that most organizations already partially implement.

Level 2: Controlled Unclassified Information (CUI)

Level 2 is where it gets serious. This level applies to contractors who process, store, or transmit Controlled Unclassified Information (CUI) — technical drawings, specifications, test data, source code, and other sensitive-but-unclassified information.

Requirements

110 controls from NIST SP 800-171 Rev 2
C3PAO third-party assessment (for most contracts as of November 2026)
320 assessment objectives from NIST SP 800-171A
SPRS score submitted to SPRS.mil
Comprehensive SSP and POA&M documentation

Who Needs Level 2

If your contract includes DFARS 252.204-7012, you handle CUI and need Level 2. This includes:

Any contractor receiving technical data or specifications marked as CUI
Subcontractors with CUI flow-down from primes
IT providers managing systems that store or process CUI
Manufacturers with CUI-marked drawings or processes

Cost and Effort

Level 2 typically requires 3-6 months of preparation and $10,000-$100,000+ depending on your approach (software-first vs. consultant-heavy).

Side-by-Side Comparison

Aspect	Level 1	Level 2
Information Type	FCI	CUI
Controls	17 (FAR 52.204-21)	110 (NIST 800-171)
Assessment	Self-assessment	C3PAO third-party
SPRS Score Range	N/A	-203 to 110
SSP Required	No	Yes
POA&M Required	No	Yes
Evidence Vault	Minimal	Extensive
Certification Validity	Annual	3 years
Typical Timeline	2-4 weeks	3-6 months
Typical Cost	$1,000-5,000	$10,000-100,000+

The Subcontractor Question

The most common confusion: do subcontractors need Level 2?

If your prime contractor flows CUI down to you — yes. Check your subcontract for DFARS 252.204-7012. If it's there, you need Level 2 regardless of your company size.

Many small subcontractors (10-50 employees) are discovering they need Level 2 for the first time. The good news: tools like CMMC Command make it achievable without a six-figure consulting engagement.

What If You're Not Sure?

Check your contracts for DFARS 252.204-7012 — if present, you need Level 2
Check for FAR 52.204-21 without DFARS — Level 1 is sufficient
Ask your contracting officer or prime contractor directly
When in doubt, assess against Level 2 — it covers Level 1 automatically

Start Your Assessment

Whether you need Level 1 or Level 2, the first step is the same: understand your current posture.

Start your free CMMC assessment — all 110 controls assessed with real-time SPRS scoring, free forever.

CMMC Level 1 vs Level 2: Which Do You Need? Complete Comparison

The Two Levels That Matter

Level 1: Federal Contract Information (FCI)

Requirements

Who Needs Level 1

Cost and Effort

Level 2: Controlled Unclassified Information (CUI)

Requirements

Who Needs Level 2

Cost and Effort

Side-by-Side Comparison

The Subcontractor Question

What If You're Not Sure?

Start Your Assessment

See where you stand on CMMC

Keep reading

NIST SP 800-171 Rev 3: What Changed and What It Means for CMMC

CMMC Level 2 Requirements: The Complete 2026 Guide for DIB Contractors

C3PAO Assessment Preparation: The 30-Day Checklist