Contractors burn weeks scoping the wrong CMMC level, and it always traces back to the same confusion. The level you need is not a judgment call about how mature your security is. It is determined by one thing: the kind of government information your contracts cause you to handle. Get that question right and everything else follows. Get it wrong and you either over-build for a requirement you do not have or, far worse, under-build and fail an assessment you did not know you needed.
The two kinds of information
Two categories decide your fate, and the distinction is worth getting precise about.
Federal Contract Information is information you generate or receive under a federal contract that is not intended for public release. It is ordinary contract working material: delivery schedules, basic process information, the routine data of doing business with the government. If that is the most sensitive government information you touch, you are in Level 1 territory.
Controlled Unclassified Information is the category that raises the stakes. It is government information that is sensitive but not classified, and it carries handling requirements wherever it is stored, processed, or transmitted. Technical specifications, certain engineering data, export-controlled information, and similar material fall here. The moment a contract flows CUI to you, you are in Level 2 territory, and the requirement is much larger.
How to tell which one you actually handle
Do not guess from your gut; read your contracts. The clearest signal is the DFARS 252.204-7012 clause, the safeguarding clause that accompanies CUI obligations. Look for it, and look for CUI markings on the data and deliverables your contracts involve. If a prime is flowing requirements down to you, the language they use tells you what category you are handling. If your contract data is marked CUI or your clauses reference safeguarding covered defense information, you handle CUI, and you are Level 2.
The expensive trap is the contractor who assumes FCI-only because that is the easier answer, while CUI is in fact flowing to them through a prime. That assumption does not survive an assessment, and it does not survive a prime's due diligence either. When the gap surfaces, it surfaces as a lost award or a failed assessment, both of which cost far more than the work of scoping correctly at the start.
What each level demands
Level 1 is the lighter requirement by a wide margin. It covers the 15 basic safeguarding requirements from FAR 52.204-21, spread across six security domains, and you confirm it through an annual self-assessment. There is no System Security Plan requirement, no Plan of Action and Milestones, and no third-party assessor. A competent IT team with the right documentation can stand it up and attest to it.
Level 2 is a different scale of effort. It aligns to the full 110 security requirements of NIST SP 800-171 across 14 control families, and it requires the documentation that proves each one: a System Security Plan covering every control, a Plan of Action and Milestones for any gaps, and an SPRS score posted from your self-assessment. For contracts involving prioritized CUI, a Certified Third-Party Assessment Organization examines your documentation and verifies your controls rather than accepting your self-attestation. The jump from Level 1 to Level 2 is not incremental. It is the difference between attesting to fifteen basics and evidencing all 110 controls to an outside assessor.
Scope it once, scope it right
Settle the level before you spend a dollar or an hour on documentation, because the answer determines everything downstream. Read your contracts for the DFARS 252.204-7012 clause and CUI markings. If the most sensitive government information you handle is FCI, you build to Level 1, and the basic safeguarding documentation is enough. If CUI flows to you, you build to Level 2, and you need the full SSP, the 14 families of policies and procedures, the evidence structure, and the assessment preparation that a C3PAO will examine.
The contractors who move fast are the ones who answered this question first and built to the right target once, rather than scoping by assumption and rebuilding when reality corrected them. Read the contract, find the data, and let what you actually handle decide your level.