Do You Actually Need CMMC? Here’s How to Tell

May 11, 2026 · Cyber Grants Alliance · 6 min read

If you work with the Department of Defense (DoD), or are thinking about it, you’ve probably heard of CMMC: the Cybersecurity Maturity Model Certification. And you’ve probably wondered whether it actually applies to you.

The honest answer: it depends on what kind of information you handle. Not every defense contractor needs CMMC Level 2. But if you do handle sensitive information and you haven’t started preparing, time is running short. Here’s a straightforward breakdown.

The Three Scenarios

Scenario 1: No CMMC Required

You don’t handle FCI or CUI

If your contracts involve only commercial-off-the-shelf (COTS) items or purely commercial services with no access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you are generally not required to meet CMMC. This is the simplest scenario. You still need basic cybersecurity hygiene, but formal certification is not mandated.

Scenario 2: CMMC Level 1 Only

You handle FCI but not CUI

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. If you handle FCI but no CUI, you are subject to CMMC Level 1, which requires annual self-assessment against FAR 52.204-21’s 15 basic safeguarding requirements. No third-party assessment is required at this level, but you must affirm compliance in the Supplier Performance Risk System (SPRS).

Scenario 3: CMMC Level 2 Required

You handle CUI

Controlled Unclassified Information (CUI) is information the government creates or possesses that requires protection per law, regulation, or policy, but is not classified. Examples include technical drawings, export-controlled data, and law enforcement information. If you handle CUI as part of a DoD contract, you are subject to CMMC Level 2, which requires compliance with all 110 controls in NIST SP 800-171. Most companies in this category will require a third-party assessment by a Cyber-AB accredited C3PAO before contract award.

How to Read Your Contract Clauses

The fastest way to know which scenario applies to you is to look at the clauses in your contract. Here’s what to look for:

Look for these DFARS clauses:

  • DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (requires NIST SP 800-171 compliance if you handle CUI)
  • DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements (requires a current SPRS score)
  • DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements (requires you to allow government review of your assessment)
  • DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements (if this clause is in your contract, you need CMMC)

You can look up the full text of these clauses on acquisition.gov. If you see 252.204-7021 in your solicitation or contract, CMMC certification is required. If you only see 252.204-7012, you need NIST SP 800-171 compliance even if the formal CMMC clause is not yet present, because CMMC requirements are flowing down across the supply chain.

Also check for flow-down requirements. If you are a subcontractor, the prime contractor is required to flow CMMC requirements down to you if you handle CUI or FCI. Don’t assume that being a subcontractor makes you exempt; review your subcontract for the same clauses.

Not Sure If You Have CUI?

This is one of the most common points of confusion. CUI is not always labeled obviously. Common categories of CUI in the defense supply chain include:

  • Technical drawings, specifications, or engineering data related to defense systems
  • Export-controlled technical data (ITAR/EAR)
  • Procurement-sensitive information (contract pricing, bid evaluations)
  • Critical infrastructure information
  • Information about proprietary manufacturing processes provided by the government
  • Personally identifiable information (PII) of government personnel

The DoD CMMC program office and the National Archives CUI Registry maintain the official list of CUI categories. If you’re not sure, the safest approach is to ask your contracting officer whether the information you’re receiving or generating is CUI. You can also check whether your systems contain any government-furnished data that came with handling markings.

The Cost Barrier: How to Clear It

One of the biggest reasons small and mid-sized defense contractors are not yet CMMC-ready is cost. A gap assessment to understand where you stand against all 110 NIST SP 800-171 controls can cost $5,000 or more on its own, before any remediation work begins.

“For a 20-person machine shop or a small engineering firm, that upfront cost can feel like a wall. Our CMMC Gap Assessment Grant is designed to take the wall down so companies can at least find out where they stand and make a plan.”
Rick Dassler, Executive Director, Cyber Grants Alliance

The Cyber Grants Alliance CMMC Gap Assessment Grant covers the full cost of a comprehensive gap assessment against all 110 NIST SP 800-171 controls. Grants are awarded to qualifying small and medium-sized businesses in the Defense Industrial Base on a first-come, first-served basis.

The assessment produces a prioritized gap report and an initial SPRS score, so you leave with a clear picture of where you stand and what you need to do next to achieve CMMC Level 2 certification. There’s no cost to apply, and the process is straightforward.

Your Next Steps

Here’s a simple decision path based on what you’ve read:

  1. Check your contracts for DFARS clauses 252.204-7012, 7019, 7020, and 7021.
  2. Determine if you receive or generate CUI. When in doubt, ask your contracting officer.
  3. If you handle CUI, you need to begin your CMMC Level 2 journey. The first step is understanding your current state, which is exactly what a gap assessment provides.
  4. Apply for the CMMC Gap Assessment Grant to cover the cost of your assessment. It’s free to apply and there’s no obligation beyond the assessment itself.

The DoD’s CMMC program is already in Phase 2 of rollout. Contracts requiring CMMC certification are being awarded today. Companies that wait until they see the clause in a solicitation may not have enough time to achieve certification before contract award.

You don’t have to figure this out alone. Explore all of our available grant programs or apply today to take the first step.

CMMC Gap Assessment Grant

Cover the full cost of your CMMC gap assessment. Available to qualifying small and mid-sized defense contractors.

  • All 110 NIST SP 800-171 controls evaluated
  • Prioritized gap report with remediation guidance
  • Initial SPRS score established
  • Awarded on a first-come, first-served basis