The differences between CMMC Level 1 and Level 2

    John Minnix

    November 14, 2024

    Mastering CMMC Compliance: The Differences Between Level 1 and Level 2

    An overview of the differences between CMMC Level 1 and Level 2 compliance

    Video Transcript

    Below is a transcript of a video conversation between Greg Laroche, Head of Products and Compliance at PreVeil, and Tim Mektrakarn and John Minnix, Founders of Bright Defense.

    John: “What are the key differences between CMMC Level 1 and Level 2 compliance that businesses should be aware of?”

    Tim: “CMMC Level 1 requires documentation of 17 basic controls, and it also allows for self-attestation. For CMMC Level 2, this requires implementing NIST 800-171, which has 110 controls. So this is a lot more demanding level of security and documentation that’s required. By using a CUI enclave like PreVeil, this helps simplify the process for SMBs.”

    Greg: “So the differences also include the types of information that have to be protected by the company. Level 1 generally pertains to what’s called Federal Contract Information or FCI. Level 2 covers Controlled Unclassified Information that is considered more critical, and that’s why it has the additional controls and additional protections around it.”

    John: “One of the biggest challenges our customers face is understanding the difference between FCI and CUI. You can definitely greatly limit your scope if FCI is the only requirement. CUI is a much bigger lift, and that’s where PreVeil adds a lot of value.”

    About Bright Defense

    Bright Defense is defending the world from cybersecurity threats through continuous compliance.

    We understand that compliance is more than just checking boxes. It’s about minimizing the financial risk and reputational harm from a data breach. It’s also about assuring your clients, stakeholders, and employees that you are conducting business with the greatest commitment to security and data integrity.

    Bright Defense combines technology, expertise, and a customer-centric approach into a continuous compliance service that meets your unique business needs. Our monthly engagement model delivers a robust cybersecurity program that allows you to meet compliance frameworks, including SOC 2, ISO 27001, HIPAA, PCI, and CMMC.

    Once compliance certification is achieved, we constantly enhance your security program to keep up with the evolving threat landscape and compliance standards. Our compliance automation toolset powered by Drata gives you complete visibility into your compliance status while saving you time and money. Contact Bright Defense today to get started!

    About PreVeil

    PreVeil is the leading, proven solution for CMMC and DFARS compliance. PreVeil’s end-to-end encrypted email and file sharing platform, CMMC documentation, and partner network are trusted by over 1,000 defense contractors. Multiple customers have already achieved perfect 110/110 scores in NIST 800-171 and CMMC Joint Surveillance Assessments. These successful assessments validate PreVeil’s benefits of compliance assurance, best-in-class security, and low cost for defense contractors. To learn more about PreVeil’s FedRAMP story, check out our website.
