CMMC FAQ:
Level 1 & Level 2
Answers to the most common questions from DoD contractors and subcontractors navigating CMMC Level 1 and Level 2 compliance. Content sourced from official Cyber-AB and DoD CMMC program guidance.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) program, codified at 32 CFR Part 170, that requires DoD contractors and subcontractors to verify the cybersecurity practices they already owe under FAR 52.204-21 and DFARS 252.204-7012. Before CMMC, contractors simply attested to compliance; CMMC adds a verification step (a self-assessment with a senior-official affirmation, or a third-party assessment, depending on the level) that must be in place before contract award. The assessment ecosystem is overseen by the Cyber-AB (formerly the CMMC Accreditation Body), which the DoD has authorized to accredit assessors.
What are the three CMMC levels?
CMMC has three levels. Level 1 (Foundational) requires the 15 basic safeguarding practices of FAR 52.204-21 to protect Federal Contract Information (FCI); earlier CMMC drafts counted these as 17 by splitting two of them, so you will still see both numbers. Level 2 (Advanced) requires the 110 practices of NIST SP 800-171 r2 to protect Controlled Unclassified Information (CUI). Level 3 (Expert) adds 24 selected practices from NIST SP 800-172 on top of Level 2, is assessed by the DoD itself rather than by a C3PAO, and is designed to protect CUI against advanced persistent threats (APTs). Most small DoD contractors need Level 1.
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. The definition excludes information the government itself makes public (for example on public websites) and simple transactional information such as what is needed to process payments. If your company receives, stores, processes, or transmits any FCI, you are required to meet CMMC Level 1. FCI is different from Controlled Unclassified Information (CUI), which triggers CMMC Level 2.
When do DoD contracts require CMMC compliance?
The DoD is phasing CMMC requirements into contracts through DFARS clause 252.204-7021; the solicitation or contract states the level required. As contracts are renewed or new contracts are awarded, the CMMC requirement will be included, and it must be met at the time of award, not afterwards. Contractors should begin preparing now, since waiting until a contract requires it leaves no time to remediate gaps. The DoD has stated that all contracts involving FCI or CUI will eventually carry a CMMC requirement.
What happens if I am not CMMC compliant?
If a contract requires CMMC and your company is not certified, you will be ineligible to bid on or perform that contract. As a subcontractor, you may be removed from your prime contractor's supply chain. Non-compliance can also result in contract termination for existing contracts that include CMMC requirements. Starting your CMMC preparation early is critical to protecting your DoD business.
What is CMMC Level 1?
CMMC Level 1 is the foundational tier of the CMMC framework. It requires organizations to implement the 15 basic safeguarding practices of FAR 52.204-21 (counted as 17 in earlier CMMC drafts). These practices cover six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Level 1 is required for any DoD contractor that handles Federal Contract Information (FCI).
Who needs CMMC Level 1 certification?
Any company in the DoD supply chain that receives, processes, stores, or transmits Federal Contract Information (FCI) needs CMMC Level 1. This includes prime contractors, subcontractors, and IT service providers who handle FCI on behalf of a contractor. Even small businesses and sole proprietors are not exempt if they handle FCI under a DoD contract.
What are the 15 CMMC Level 1 practices?
The 15 practices span six domains. Access Control (4): limit system access to authorized users, limit access to the transactions and functions those users are permitted to perform, verify and control connections to external systems, and control information posted on publicly accessible systems. Identification and Authentication (2): identify users, processes and devices, and authenticate them before granting access. Media Protection (1): sanitize or destroy media containing FCI before disposal or reuse. Physical Protection (2): limit physical access to systems and facilities to authorized individuals; and escort and monitor visitors, keep physical access logs, and control physical access devices such as keys and badges. System and Communications Protection (2): monitor, control and protect communications at external and key internal boundaries, and separate publicly accessible system components from the internal network. System and Information Integrity (4): identify and correct flaws in a timely manner, protect against malicious code, update malicious-code protection as new releases become available, and scan systems periodically and files from external sources in real time.
Is CMMC Level 1 a self-assessment or a third-party audit?
CMMC Level 1 is a self-assessment. Your organization assesses itself against all 15 practices, and a senior company official affirms the result, which is recorded in the DoD's Supplier Performance Risk System (SPRS). There is no numeric score at Level 1: each practice is simply MET or NOT MET, and you may only claim Level 1 status if every practice is MET, because POA&Ms are not permitted at Level 1. No third-party C3PAO auditor is required, but working with an RPO like Galaxy Consulting ensures your self-assessment is accurate and defensible.
How often does CMMC Level 1 need to be renewed?
Level 1 is an annual obligation: the self-assessment must be repeated every year, and each year a senior company official must affirm that the organization continues to meet all 15 Level 1 practices. There is no three-year certification at Level 1; that cycle applies to Level 2. If your environment changes significantly (new systems, new contracts, staff changes), you should review your compliance status and update your System Security Plan accordingly.
What is the SPRS score and how does it work?
The Supplier Performance Risk System (SPRS) is the DoD database where contractors record their CMMC self-assessment results and affirmations. The numeric SPRS score applies to NIST SP 800-171 (Level 2), not to Level 1: the DoD Assessment Methodology assigns each of the 110 practices a value of 1, 3 or 5 points, you start at 110, and each practice that is not fully implemented subtracts its point value, so the score can fall well below zero. A score of 110 means every practice is met. Level 1 has no numeric score; SPRS records only whether all 15 practices are met. Your SPRS entries are visible to DoD contracting officers and can influence contract award decisions, and submitting a score or affirmation you cannot support with evidence is a federal compliance risk.
What is CMMC Level 2?
CMMC Level 2 is the Advanced tier of the CMMC framework. It requires organizations to implement all 110 security practices from NIST SP 800-171 r2 across 14 domains to protect Controlled Unclassified Information (CUI). For most contracts the required status is Level 2 (C3PAO): a formal third-party assessment conducted by a Cyber-AB accredited C3PAO (CMMC Third-Party Assessment Organization). The DoD can designate some contracts as Level 2 (Self), where you self-assess against the same 110 practices, but you cannot substitute a self-assessment where the contract calls for a C3PAO.
What is Controlled Unclassified Information (CUI)?
CUI is information the U.S. Government creates or possesses that requires safeguarding under law, regulation, or government-wide policy — but is not classified. In defense contracting, CUI commonly includes export-controlled technical data (EAR/ITAR), engineering drawings, defense acquisition-sensitive information, personally identifiable information (PII) of DoD personnel, and other categories defined by the National Archives CUI Registry. If your DoD contract includes a DFARS 252.204-7012 clause, you almost certainly handle CUI.
Who needs CMMC Level 2?
Any DoD contractor or subcontractor that receives, processes, stores, or transmits Controlled Unclassified Information (CUI) needs CMMC Level 2. This includes manufacturers producing defense-related components, engineering firms developing technical specifications, IT service providers processing CUI on behalf of prime contractors, and any company with a DFARS 252.204-7012 clause in their contract. Subcontractors are not exempt — if the prime flows CUI down to you, you need Level 2.
What is a C3PAO and why is one required for Level 2?
A C3PAO (CMMC Third-Party Assessment Organization) is a firm accredited by the Cyber-AB to conduct official CMMC Level 2 certification assessments (Level 3 assessments are conducted by the DoD). C3PAOs must be independent of the organization they assess: a C3PAO may not assess a company it has consulted for, so your RPO and your assessor are different parties. Level 2 requires a C3PAO because the DoD determined that self-attestation alone is insufficient for protecting CUI. The C3PAO evaluates your environment, documentation, and implemented controls against all 110 NIST SP 800-171 r2 practices and reports the result to the DoD, which then records your Level 2 status.
Can I self-assess for CMMC Level 2?
Only if your contract says so. Most Level 2 contracts require a C3PAO assessment (Level 2 (C3PAO)). The DoD can designate a contract as Level 2 (Self), where you assess yourself against the same 110 practices every three years, record the result in SPRS, and affirm annually; these contracts are explicitly identified in the solicitation. If your contract requires CMMC Level 2, assume you need a C3PAO unless the contract language explicitly states otherwise. An RPO like Galaxy Consulting can help you interpret your contract requirements.
How many practices does CMMC Level 2 require?
CMMC Level 2 requires 110 security practices, derived from NIST SP 800-171 r2, across 14 domains: Access Control (22), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Physical Protection (6), Personnel Security (2), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7). All 15 CMMC Level 1 practices have counterparts within these 110.
What is a System Security Plan (SSP) and is it required for Level 2?
Yes — a System Security Plan (SSP) is a mandatory artifact for CMMC Level 2. The SSP documents your system boundaries, operating environments, the personnel responsible for security, and precisely how your organization implements each of the 110 security practices. The C3PAO will review your SSP as a core part of the assessment. A well-written SSP can significantly reduce the time and cost of your assessment by clearly demonstrating compliance upfront.
What is a Plan of Action & Milestones (POA&M) for Level 2?
A POA&M documents security deficiencies that have not yet been fully remediated and the corrective actions planned to address them, including responsible parties and target completion dates. At Level 2 a POA&M is permitted only within limits: your assessment score must be at least 88 out of 110, the open items may only be practices worth 1 point in the DoD Assessment Methodology (with one exception for CUI encryption that is implemented but not FIPS-validated), no practice that also belongs to Level 1 may be open, and everything on the POA&M must be closed within 180 days or the conditional status lapses. Practices worth 3 or 5 points must therefore be remediated before the assessment. Galaxy Consulting helps you assess which gaps can be carried as POA&M items and which must be fixed first.
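The scoring described in the SPRS answer above and the POA&M limits in this answer can be expressed as a small calculator. The block below is an added example written for this FAQ; it is not a DoD or Cyber-AB tool and not code from the original page. The point values in its table are assumed for illustration only (the authoritative 1/3/5 values are in Annex A of the NIST SP 800-171 DoD Assessment Methodology), the requirement IDs follow the CMMC naming convention, and the eligibility checks encode the author's reading of 32 CFR 170.21: a score of at least 88, no open item worth more than 1 point except partially implemented CUI encryption, and none of the Level 1 equivalents.

```python
"""SPRS score and POA&M eligibility for a CMMC Level 2 / NIST SP 800-171 gap list.

Added example for this FAQ, not a DoD or Cyber-AB tool. The point values in
POINT_VALUES are ASSUMED for illustration; take the authoritative values from
Annex A of the NIST SP 800-171 DoD Assessment Methodology. The POA&M rules
encode the author's reading of 32 CFR 170.21.
"""

MAX_SCORE = 110        # 110 requirements, one point of score each
POAM_MIN_SCORE = 88    # 0.8 x 110: below this no POA&M is allowed

# Assumed point values (1, 3 or 5) for the requirements used in this example.
POINT_VALUES = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.2": 5,
    "AC.L2-3.1.20": 1,
    "AC.L2-3.1.22": 1,
    "AT.L2-3.2.1": 3,
    "AU.L2-3.3.3": 1,
    "CM.L2-3.4.1": 5,
    "IA.L2-3.5.3": 5,
    "PE.L2-3.10.3": 1,
    "SC.L2-3.13.11": 5,
    "SI.L2-3.14.6": 5,
}

# Partial credit: MFA (3.5.3) covering only remote/privileged access, or CUI
# encryption (3.13.11) that exists but is not FIPS-validated, costs 3 not 5.
PARTIAL_DEDUCTION = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}

# The 1-point Level 1 equivalents that may never be carried on a Level 2 POA&M.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


def deduction(req_id: str, status: str) -> int:
    """Points lost for one requirement; status is 'not_met' or 'partial'."""
    if status == "partial":
        if req_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req_id} has no partial-credit scoring")
        return PARTIAL_DEDUCTION[req_id]
    if status != "not_met":
        raise ValueError(f"unknown status {status!r} for {req_id}")
    return POINT_VALUES[req_id]  # KeyError if the requirement is not in the table


def sprs_score(findings: dict[str, str]) -> int:
    """findings maps requirement ID -> 'not_met' | 'partial'; MET items are omitted."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_eligible(findings: dict[str, str]) -> tuple[bool, list[str]]:
    """Whether the open findings could be carried on a POA&M (conditional status).

    Returns (eligible, reasons); an empty reasons list means eligible. Even when
    eligible, every POA&M item must be closed within 180 days.
    """
    reasons = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE} minimum")
    for req_id, status in findings.items():
        pts = deduction(req_id, status)
        if req_id in NEVER_ON_POAM:
            reasons.append(f"{req_id} may never be on a POA&M")
        elif pts > 1 and not (req_id == "SC.L2-3.13.11" and pts == 3):
            reasons.append(f"{req_id} costs {pts} points and must be MET before assessment")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample gap list: audit log review not done, CUI encryption non-FIPS.
    sample = {"AU.L2-3.3.3": "not_met", "SC.L2-3.13.11": "partial"}
    print(sprs_score(sample), poam_eligible(sample))   # 106 (True, [])
```

Feed it the gap list from your own assessment (only the practices that are not fully MET) after replacing the assumed table with the real point values; the returned reasons tell you which items must be fixed before the C3PAO arrives rather than carried on the POA&M.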
How long does CMMC Level 2 certification take?
Organizations with a strong baseline (existing NIST SP 800-171 compliance, a current SSP, and an SPRS score already close to 110) may be ready for a C3PAO assessment in 3–6 months. Organizations with significant gaps across the 110 practices may require 9–18 months of remediation before they are assessment-ready. Galaxy Consulting's Level 2 gap assessment will give you an honest readiness timeline based on your specific environment.
How long is CMMC Level 2 certification valid?
CMMC Level 2 (C3PAO) status is valid for three years from the date of the assessment. A senior company official must submit an affirmation in SPRS when the status is granted and again every year, confirming continued compliance with all 110 practices; a missed annual affirmation lapses the status. At the end of the three-year period, a full C3PAO re-assessment is required to renew it.
What does a CMMC Level 2 C3PAO assessment cost?
C3PAO assessment costs vary widely depending on your organization's size, system complexity, and the number of CUI assets in scope. Assessments for small-to-mid sized contractors typically range from $30,000 to $100,000 or more. Preparation costs through an RPO are separate and depend on how many gaps need to be remediated. Investing in proper preparation with an RPO before the C3PAO assessment typically reduces total cost by minimizing re-assessment cycles.
Does CMMC Level 2 include all of Level 1?
Yes. CMMC Level 2 is a superset of Level 1: all 15 Level 1 practices have counterparts among the 110 Level 2 practices. If a system achieves CMMC Level 2 status, it also meets Level 1. Keep in mind that the assessment scopes can differ, since Level 1 covers the systems that handle FCI and Level 2 covers the systems that handle CUI.
What is a CMMC RPO (Registered Provider Organization)?
A CMMC Registered Provider Organization (RPO) is a consulting firm officially authorized by the Cyber-AB to provide non-certified advisory and consulting services to organizations seeking CMMC certification. RPOs employ Registered Practitioners (RPs) who are trained and vetted to help DoD contractors understand CMMC requirements, identify gaps, implement controls, and prepare documentation. Galaxy Consulting is a Cyber-AB authorized CMMC RPO.
What is the difference between an RPO and a C3PAO?
An RPO (Registered Provider Organization) is a consulting firm that helps you prepare for CMMC certification; it does not conduct official assessments. A C3PAO (CMMC Third-Party Assessment Organization) is an accredited body that conducts the official CMMC Level 2 certification assessments (Level 3 assessments are performed by the DoD). A C3PAO may not assess an organization it has advised, so the two roles stay separate. For CMMC Level 1, you do not need a C3PAO; you self-assess. An RPO like Galaxy Consulting helps you prepare your self-assessment accurately.
Do I need an RPO to get CMMC Level 1?
Technically no. Level 1 is a self-assessment that you can conduct yourself. However, working with an RPO significantly reduces the risk of errors, missed practices, or documentation deficiencies that could leave your affirmation unsupported by evidence. Small businesses often lack the in-house cybersecurity expertise to confidently assess themselves. An RPO provides that expertise and ensures your self-assessment is accurate, thorough, and defensible.
What does Galaxy Consulting charge for CMMC services?
Galaxy Consulting offers fixed-scope engagement pricing so you know exactly what you are paying before work begins. Costs vary based on your organization's size, current security posture, and which services you need (gap assessment only, full remediation support, documentation, or ongoing RP staffing). Contact us for a free initial consultation and a no-obligation proposal tailored to your situation.
How long does it take to achieve CMMC Level 1 compliance?
Timeline depends on your starting point. Organizations that already have basic cybersecurity practices in place (antivirus, firewalls, access controls) may be able to complete remediation and documentation in 4–8 weeks. Organizations starting from scratch with minimal security controls may take 2–4 months. Galaxy Consulting's gap assessment will give you a realistic timeline based on your specific situation.
What documentation do I need for CMMC Level 1?
The CMMC rule does not mandate a System Security Plan (SSP) at Level 1, but you still need evidence that each of the 15 practices is implemented, and an SSP that documents how you meet each one is the clearest way to hold that evidence. You should also have an Acceptable Use Policy, an Incident Response Plan, and a Media Sanitization Policy. Note that a Plan of Action & Milestones (POA&M) cannot be used to claim Level 1 status: every practice must be fully implemented before you affirm. A POA&M is still useful internally to track remediation until you get there. Galaxy Consulting drafts all of these documents as part of our Documentation service.
What is a System Security Plan (SSP)?
A System Security Plan (SSP) is a written document that describes your organization's information systems, boundaries, and how you implement each CMMC security practice. It is the primary evidence document for your CMMC Level 1 self-assessment. The SSP must be kept current and updated whenever your environment changes. Galaxy Consulting drafts SSPs tailored to your specific systems and practices.
Can a small business with basic IT handle CMMC Level 1?
Yes. CMMC Level 1 is specifically designed to be achievable for small businesses. The 15 practices represent basic cyber hygiene that any responsible business should already have in place, such as using strong passwords, deploying antivirus software, keeping systems patched, and controlling who can access your systems and facilities. With guidance from an RPO, most small businesses can achieve Level 1 compliance without major infrastructure investment.
What cybersecurity tools do I need for CMMC Level 1?
CMMC Level 1 does not mandate specific products, but you will likely need: a firewall (hardware or software) at your network boundary, antivirus/anti-malware software on all endpoints with automatic updates enabled, a patch management process to keep systems updated, unique user accounts with strong password policies (multi-factor authentication is a Level 2 requirement, not a Level 1 one, but it is worth deploying anyway), and physical access controls (locks, visitor logs, badge or key management). Galaxy Consulting helps you select and deploy the right tools for your environment and budget.
Still Have Questions?
Our Registered Practitioners are ready to answer your specific CMMC questions. Contact Galaxy Consulting for a free initial consultation — no obligation.