
CMMC Level 1 vs. Level 2 Assessments: A Guide to the New Framework

If your organization works with the Department of Defense (DoD), understanding the difference between the Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 is key to preparing for a CMMC compliance assessment.  

What’s the difference between a Level 1 and Level 2 CMMC assessment—and how do you pass? Let’s break it down and show you how a trusted partner like LeeShanok Network Solutions can guide you every step of the way. 

CMMC Level 1 vs. Level 2 Assessments

The CMMC Compliance Assessment Process: Where Level 1 and Level 2 Diverge

The most significant difference between the two CMMC levels isn’t the number of security requirements; it’s who validates your compliance, and how often.

Level 1: The Self-Assessment Approach 

If your company handles only Federal Contract Information (FCI) and no Controlled Unclassified Information (CUI), your requirements fall under CMMC Level 1. This is the foundational level, covering the 15 basic safeguarding requirements of FAR 52.204-21. 

The good news? The CMMC compliance assessment for this level is an annual self-assessment. You review your own security posture against all 15 requirements, document how each one is met, and submit your self-assessment results together with an annual affirmation by a senior company official in the DoD’s Supplier Performance Risk System (SPRS). Note that Level 1 does not allow Plans of Action and Milestones (POA&Ms): every requirement must be fully implemented at the time you assess. Just because it’s a self-assessment doesn’t mean you have to go it alone. The DoD holds you accountable for what you affirm, and an inaccurate affirmation could put your contracts at risk. That’s why partnering with a trusted expert like LeeShanok Network Solutions can make all the difference, helping you ensure your self-assessment is accurate and your documentation is complete. 

Level 2: The Assessment Options 

If you handle Controlled Unclassified Information (CUI), you’re looking at CMMC Level 2. This is where the framework gets serious, requiring you to implement the 110 security requirements of NIST SP 800-171 (Revision 2, the version the CMMC rule references) and to document them in a System Security Plan (SSP). 

The crucial detail here? There are two assessment pathways for Level 2. The path you take is determined by the specific requirements in your DoD contract. 

  • Self-Assessment: For some non-prioritized acquisitions, your contract may allow you to conduct a Level 2 self-assessment every three years, with an annual affirmation of continued compliance in SPRS. Like Level 1, this requires your organization to thoroughly evaluate its own security posture against every requirement and its assessment objectives, and to submit the results and affirmation. While this option offers flexibility, the burden of proof is still on you. LeeShanok Network Solutions can be your trusted partner for this process, ensuring your internal assessment is accurate, comprehensive, and audit ready. 
  • Third-Party Certification Assessment: For prioritized acquisitions, which cover most contracts involving CUI, the contract requires a Level 2 certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) every three years, again with an annual affirmation in SPRS in between. The C3PAO examines your SSP, interviews staff, and tests controls against the same 110 requirements; a limited set of unmet requirements may be placed on a POA&M, but only for a conditional certification that must be closed out within 180 days. 

Your Guide Through the CMMC Compliance Assessment 

Whether you’re tackling a Level 1 self-assessment or preparing for a rigorous Level 2 audit, you don’t have to go it alone. This is where LeeShanok Network Solutions steps in. 

For Your Level 1 Self-Assessment 

A self-assessment is still an assessment, and accuracy is paramount. Our team acts as your expert guide, providing clarity and ensuring you’re on the right track: 

  • Clarify Requirements: We’ll walk you through the 15 safeguarding practices of FAR 52.204-21, ensuring you understand exactly what’s required for compliance. 
  • Conduct a Pre-Assessment: We can help you perform a thorough pre-assessment to evaluate your current security posture against Level 1 requirements, identifying any potential gaps before your formal submission. 
  • Document Everything: We’ll assist you in organizing your evidence and preparing the necessary documentation for your SPRS submission, ensuring a complete and accurate representation of your compliance. 

For Your Level 2 Assessment 

Navigating Level 2, whether through self-assessment (for some contracts) or in preparation for a third-party C3PAO audit, requires a deeper level of expertise. LeeShanok is your trusted partner in building a robust security program: 

  • Gap Analysis: We’ll start with a detailed gap analysis, comparing your current security controls against the 110 requirements of NIST SP 800-171 to pinpoint areas needing attention. 
  • Remediation: Our experienced team will close security gaps and strengthen your defenses by implementing secure logins, multi-factor authentication, role-based access, incident response plans and monitoring, risk assessments with mitigation strategies, and encryption and endpoint protection. 
  • Pre-Assessment and Documentation: Whether you are self-attesting or preparing for a C3PAO certification assessment, we help you assemble the System Security Plan and the supporting evidence assessors expect, run mock assessments against the NIST SP 800-171A assessment objectives, and prepare documentation tailored to the CMMC assessment process. 

Why Partnering with LeeShanok is Your Best Move 

The CMMC framework is complex and a moving target. Getting it wrong could cost you a contract. By partnering with LeeShanok, you’re not just getting technical support, you’re getting a strategic ally who understands the stakes. Our mission is to help your business navigate the complexities of CMMC compliance assessment. 


Ready to secure your future DoD contracts? Contact LeeShanok Network Solutions today to discuss your CMMC needs and get started on your path to compliance. 


Copyright © leeshanok.com