SecurePoint USA

What is CMMC (Level 1 vs Level 2)?

The Cybersecurity Maturity Model Certification — the DoD program that requires defense contractors to prove they protect government information, at a level set by their contract.

Last Reviewed: 2026-06-01 · Plain-English reference · not legal advice

Plain-English Summary

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense program that verifies a contractor protects sensitive government information. Level 1 covers basic protection of Federal Contract Information (FCI) and is met by an annual self-assessment. Level 2 covers the more sensitive Controlled Unclassified Information (CUI), requires meeting all 110 NIST SP 800-171 security controls, and for most contracts must be certified by an accredited third-party assessor (a C3PAO).

Why This Matters

For a defense contractor, the required CMMC level is becoming a condition of winning and keeping contracts. Level 2 — the level most defense contractors target — includes physical-protection controls that directly involve visitor management: limiting physical access, escorting and monitoring visitors, and keeping audit logs of who entered. A visitor system that produces those records helps a contractor demonstrate those specific controls to an assessor.

Concept Explanation

CMMC is how the Department of Defense checks that its contractors keep government information safe. There are levels. Level 1 is the basic level for less-sensitive "Federal Contract Information," and a company can check itself. Level 2 is for more sensitive "Controlled Unclassified Information," has 110 security requirements, and usually a certified outside assessor has to verify it. Some of those requirements are about your building, not just computers: limiting who gets in, escorting visitors, and keeping a log of who came and went. That is where a visitor system helps.

When You'll See This in SecurePoint

SecurePoint Visitor supports the CMMC/NIST 800-171 physical-protection family by logging physical access (PE.L2-3.10.4), recording visitor escort and monitoring (PE.L2-3.10.3), and exporting that history in Evidence Packs an assessor can review. SecurePoint supports specific control families and produces records; it does not grant CMMC certification, which is an assessed outcome the contractor earns.

What You Should Do Next

Confirm which CMMC level your contracts require (Level 1 for FCI, Level 2 for CUI). For Level 2, expect an assessor to ask for evidence on physical protection: who accessed controlled areas, when, and who escorted them. Make sure your visitor process captures and retains that evidence. Track your control implementation in your System Security Plan (SSP) and any open items in a POA&M, and engage a C3PAO early if certification is required — assessor capacity is limited.

What Can Go Wrong

The biggest mistake is assuming a tool "makes you CMMC compliant." Certification is an outcome a contractor earns by implementing and proving the controls; no product confers it. Other pitfalls: confusing FCI (Level 1) with CUI (Level 2) and under-scoping, neglecting the physical-protection family because it feels separate from IT, or arriving at an assessment without the visitor and access logs to back up your claims. Build the evidence trail before the assessor asks for it.
