
CMMC Level 1 vs Level 2 vs Level 3: Which One Does Your Omaha Business Actually Need?

The 90% of Omaha DoD contractors who pick the wrong CMMC level either overspend by $200K or lose their contract. Decision guide with a 5-question filter.

May 7, 2026

The single most expensive CMMC mistake we see Omaha contractors make is picking the wrong level. Pick too high and you'll burn $150K–$200K of unnecessary remediation. Pick too low and you'll fail your assessment, lose the contract, and start over.

This guide gives you a 5-question filter to land on the right CMMC 2.0 level for your business — based on what's actually in your DoD contract clauses, not what your IT vendor wants to sell you.

Quick Refresher: The Three CMMC 2.0 Levels

  • Level 1 (Foundational): information type FCI only; 17 basic safeguards; annual self-assessment plus senior official affirmation.
  • Level 2 (Advanced): information type CUI; 110 NIST SP 800-171 controls; triennial C3PAO assessment (or self-assessment for some non-prioritized contracts).
  • Level 3 (Expert): CUI on high-value programs; the 110 controls plus a subset of NIST SP 800-172; government-led (DIBCAC) assessment.

Step 1: Do You Receive Federal Contract Information (FCI)?

FCI is information not intended for public release that's provided by or generated for the government under a contract. If you have any DoD or federal contract — even a small services agreement — you almost certainly handle FCI.

If yes: you need at minimum Level 1. Continue to Step 2.

If no: CMMC may not apply. Confirm by reading every contract clause referencing FAR 52.204-21 or DFARS 252.204-7012.

Step 2: Do You Receive Controlled Unclassified Information (CUI)?

CUI is unclassified information that requires safeguarding controls per government policy. It includes:

  • Engineering drawings, specs, and tech data marked CUI
  • Export-controlled information (often overlaps with ITAR)
  • Privacy data, financial data, and procurement-sensitive info marked CUI
  • Any document with CUI markings, banners, or limited-distribution statements

If your prime sends you anything marked CUI, NOFORN, EXPORT CONTROLLED, or FOUO (legacy), you handle CUI.

If yes: you need at minimum Level 2. Continue to Step 3.

If no: Level 1 is enough. Most Omaha service-only subs (janitorial, basic logistics, professional services without engineering data) end here.

Step 3: Is Your Contract a "Prioritized Acquisition"?

Within Level 2, DoD distinguishes between contracts that allow self-assessment and those that require C3PAO third-party assessment. Higher-risk programs are flagged as "prioritized acquisitions" and require the C3PAO route.

How to tell:

  • Read the DFARS 252.204-7021 clause in your contract
  • Ask your contracting officer or prime in writing
  • If in doubt, plan for C3PAO — it's the safer path and most Omaha primes are flowing it down

Step 4: Are You Working on Critical Programs (USSTRATCOM, Space, Cyber)?

Omaha is unique because Offutt hosts USSTRATCOM. Some programs at that level may eventually require Level 3 certification. Today this is rare — fewer than 1% of contractors will need Level 3 — but it's relevant if you're a tier-1 prime on classified-adjacent programs.

If yes: Plan for Level 3 over Level 2. The increment is significant — additional NIST 800-172 enhanced controls, advanced threat hunting, more documentation.

If no: Level 2 is your target.

Step 5: What Do Your Active Contract Clauses Say?

This is the only definitive answer. CMMC level is not negotiable — it's set by the contract. Pull every active contract and look for:

  • FAR 52.204-21 → Level 1 territory
  • DFARS 252.204-7012 → CUI handling, signals Level 2 likely
  • DFARS 252.204-7019 → SPRS score reporting requirement
  • DFARS 252.204-7020 → NIST SP 800-171 DoD assessment
  • DFARS 252.204-7021 → CMMC requirement, level usually specified

If your contract specifies a level, that's your answer. Stop here.

The Decision Tree (TL;DR)

  1. No DoD contracts? → No CMMC.
  2. DoD contract, no CUI? → Level 1. ~3 months, $15K–$40K.
  3. DoD contract with CUI, non-prioritized? → Level 2 (self-assessment). ~6–9 months, $50K–$120K.
  4. DoD contract with CUI, prioritized acquisition? → Level 2 (C3PAO). ~9–12 months, $100K–$250K+.
  5. Critical national-security program? → Level 3. 12–18+ months, custom budget.

Common Omaha Mistakes

Mistake #1: "My buddy got Level 2, so I should too"

Your contract clauses are different from your buddy's. Pick based on YOUR contracts, not someone else's program.

Mistake #2: Treating Level 1 as "easy"

Level 1 is simpler, but it still has real requirements — MFA, access control documentation, and FIPS-validated encryption among them. Most Omaha contractors who self-assess at Level 1 the first time fail because they didn't actually implement the 17 practices.

Mistake #3: Assuming GCC High is required

GCC High is required if you handle CUI in Microsoft 365. If you only handle FCI (Level 1), you can stay on standard commercial Microsoft 365. Don't pay for GCC High you don't need.

Mistake #4: Going it alone without an RP/RPO

You can do CMMC on your own, but most contractors who try discover after 6–9 months that their evidence won't survive a C3PAO assessment. Working with a Registered Practitioner Organization from the start saves time and money.

What to Do Next

If you're an Omaha-area DoD contractor and want a 30-minute call to confirm your required CMMC level and a fixed-fee program estimate, visit our CMMC Readiness page or call 402-650-8407. We'll review your contract clauses with you, give you the level recommendation in writing, and outline the timeline and budget.
