The differences between CMMC Level 1 and Level 2

    John Minnix - Compliance Strategist

    May 5, 2025

    An overview of the differences between CMMC Level 1 and Level 2 compliance

    Video Transcript

    Below is a transcript of a video conversation between Greg Laroche, Head of Products and Compliance at PreVeil, and Tim Mektrakarn and John Minnix, Founders of Bright Defense.

    John: “What are the key differences between CMMC Level 1 and Level 2 compliance that businesses should be aware of?”

    Tim: “CMMC Level 1 requires documentation of 17 basic controls, and it also allows for self-attestation. CMMC Level 2 requires implementing NIST 800-171, which has 110 controls. So this is a much more demanding level of security and documentation that’s required. By using a CUI enclave like PreVeil, this helps simplify the process for SMBs.”

    Greg: “So the differences also include the types of information that have to be protected by the company. Level 1 generally pertains to what’s called Federal Contract Information or FCI. Level 2 covers Controlled Unclassified Information that is considered more critical, and that’s why it has the additional controls and additional protections around it.”

    John: “One of the biggest challenges our customers face is understanding the difference between FCI and CUI. You can definitely greatly limit your scope if FCI is the only requirement. CUI is a much bigger lift, and that’s where PreVeil adds a lot of value.”

    The Differences Between CMMC Level 1 and Level 2 (Comparison Table)

    Aspect                              | CMMC Level 1                              | CMMC Level 2
    ------------------------------------|-------------------------------------------|------------------------------------------------------------------------
    Number of Controls                  | 17 basic controls                         | 110 controls from NIST SP 800-171
    Documentation Requirement           | Basic documentation                       | Detailed and extensive documentation required
    Assessment Type                     | Self-attestation allowed                  | Third-party assessment typically required
    Data Covered                        | Federal Contract Information (FCI)        | Controlled Unclassified Information (CUI)
    Security Demand                     | Minimal security baseline                 | Higher security and compliance burden
    Challenge for SMBs                  | More manageable without external tools    | Often complex without support; CUI increases implementation difficulty
    Scope Consideration                 | Scope may be limited to FCI only          | Broader scope due to CUI inclusion
    Use of CUI Enclave (e.g., PreVeil)  | Not always necessary                      | Can help simplify implementation and reduce scope for handling CUI

    About Bright Defense

    Bright Defense is defending the world from cybersecurity threats through continuous compliance.

    We understand that compliance is more than just checking boxes. It’s about minimizing the financial risk and reputational harm from a data breach. It’s also about assuring your clients, stakeholders, and employees that you are conducting business with the greatest commitment to security and data integrity.

    Bright Defense combines technology, expertise, and a customer-centric approach into a continuous compliance service that meets your unique business needs. Our monthly engagement model delivers a robust cybersecurity program that allows you to meet compliance frameworks, including SOC 2, ISO 27001, HIPAA, PCI, and CMMC.

    Once compliance certification is achieved, we constantly enhance your security program to keep up with the evolving threat landscape and compliance standards. Our compliance automation toolset, powered by Drata, gives you complete visibility into your compliance status while saving you time and money. Contact Bright Defense today to get started!

    About PreVeil

    PreVeil is the leading, proven solution for CMMC and DFARS compliance. PreVeil’s end-to-end encrypted email and file sharing platform, CMMC documentation, and partner network are trusted by over 1,000 defense contractors. Multiple customers have already achieved perfect 110/110 scores in NIST 800-171 and CMMC Joint Surveillance Assessments. These successful assessments validate PreVeil’s benefits of compliance assurance, best-in-class security, and low cost for defense contractors. To learn more about PreVeil’s FedRAMP story, check out our website.

    John Minnix - Compliance Strategist

    John Minnix is Co-Founder of Bright Defense, specializing in cybersecurity compliance solutions for frameworks including SOC 2, ISO 27001, HIPAA, and CMMC. With over 20 years of industry experience, John brings practical strategies to help organizations achieve continuous compliance and reduce cybersecurity risks. Previously, he co-founded VPLS Solutions, a successful technology consultancy acquired in 2019.
