Getting your CMMC level wrong isn't a paperwork error; it's a compliance failure that can cost you contracts, trigger government assessments, and in some cases create False Claims Act exposure. Here's how to determine which level applies to you, what each level actually requires, and the flow-down risks that catch subcontractors off guard.
The Cybersecurity Maturity Model Certification framework, as finalized under 32 CFR Part 170 (effective December 16, 2024), has three levels. In practice, nearly all defense contractors fall into Level 1 or Level 2. Level 3 applies to a small set of contractors supporting DoD's highest-sensitivity programs; it builds on a Level 2 C3PAO certification, adds 24 requirements drawn from NIST SP 800-172, and is assessed by DIBCAC rather than a third party. For this discussion, we'll focus on the decision most contractors actually face: Level 1 or Level 2.
The gap between Level 1 and Level 2 is substantial. Level 1's 15 requirements, taken from FAR 52.204-21, are basic cyber hygiene: limiting system access to authorized users, changing default passwords, protecting against malicious code, and patching known flaws. Level 2's 110 requirements, taken from NIST SP 800-171, add mature capabilities such as multi-factor authentication, audit log management and retention, encryption of CUI in transit and at rest, incident response planning, configuration baseline management, vulnerability scanning, and a risk assessment process. The documentation burden alone (a System Security Plan, a Plan of Action and Milestones, a defined system boundary, and network diagrams) is significant work for a small contractor.
The single most important determination is whether your contract involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). These terms have specific, legal meanings that are frequently misunderstood.
FCI is information provided by or generated for the government under a contract and not intended for public release. It is the baseline: information that exists only because of the contractual relationship. Examples of FCI that is not CUI include:
If your contract involves only FCI, CMMC Level 1 applies. But many contractors who believe they have only FCI turn out to be wrong once they look carefully at the data actually flowing through their environment.
CUI is information the government creates or possesses that requires safeguarding per law, regulation, or government-wide policy, but is not classified. CUI is defined and managed under the National Archives CUI Registry, which lists authorized CUI categories and subcategories. Examples include:
The most common mistake: Assuming that because your company doesn't design weapons systems, you don't have CUI. If you receive technical drawings, specifications, or any data marked with a CUI banner from your prime contractor or the government, regardless of what kind of work you do, you have CUI in your environment. Even a small machine shop receiving CAD files with CUI markings is in scope for Level 2.
CUI should be marked by the originating government agency using banners, labels, and document headers that indicate the CUI category and any distribution controls. In a perfect world, all CUI you receive would be clearly marked. In practice, CUI markings are inconsistently applied, especially on data received years ago.
Here's how to determine whether you have CUI, even when markings are absent:
Here's the scenario that catches subcontractors off guard: You are a third-tier sub supplying a manufactured component to a second-tier sub that supplies to a prime. The prime has a DoD contract with CMMC Level 2 requirements. The prime receives technical drawings (CUI) and passes portions of those drawings to the second-tier sub, who passes a subset to you. You receive CUI. You are in scope for CMMC Level 2, even if your company's name never appears on the prime contract.
The flow-down requirement is explicit. DFARS 252.204-7012, paragraph (m), requires primes to flow the safeguarding clause down to subcontracts at all tiers whose performance involves covered defense information (CDI), and 32 CFR 170.23 requires that the applicable CMMC level be flowed down to every subcontractor that will process, store, or transmit FCI or CUI (the contract clause that carries it is DFARS 252.204-7021). This means your CMMC obligation is determined by the data you receive, not by whether you hold a contract directly with the government.
A practical note: Even if your prime hasn't explicitly told you that you need CMMC Level 2, if you handle data that appears to be CUI, you should treat yourself as in scope. As enforcement tightens, primes are increasingly auditing their supply chains and terminating subcontractors who can't demonstrate compliance. Getting ahead of this protects your business relationships, not just your regulatory standing.
The reverse scenario matters too: if your sub handles CUI on your behalf and you don't include CMMC requirements in your subcontract, you are non-compliant with DFARS 252.204-7012's flow-down requirement. You inherit the compliance risk for every sub in your supply chain that handles CUI you originated or passed through.
Not all CMMC Level 2 contractors need a C3PAO assessment. Under 32 CFR Part 170, Level 2 comes in two variants, Level 2 (Self) and Level 2 (C3PAO), and DoD decides which one a given contract requires based on the sensitivity of the CUI involved:

| Path | When Required | Who Assesses | Frequency |
|---|---|---|---|
| Level 2 (C3PAO) | When the solicitation or contract specifies a third-party assessment, which DoD applies to programs whose CUI it considers sensitive enough to warrant independent verification | Certified Third-Party Assessment Organization (C3PAO) | Certification assessment every 3 years, plus an annual affirmation in SPRS |
| Level 2 (Self) | When the solicitation or contract specifies a self-assessment | The contractor, with a senior official (the "Affirming Official") affirming the result | Self-assessment every 3 years, plus an annual affirmation in SPRS |

The practical test: read the solicitation. If it requires "CMMC Level 2 (C3PAO)" you need a third-party assessment; if it requires "CMMC Level 2 (Self)" the self-assessment path applies. The technical requirements are identical for both paths: the same 110 NIST SP 800-171 requirements. The difference is who verifies compliance, not what you have to implement. Many contractors on the self-assessment path still engage a CMMC Registered Practitioner Organization (RPO) or a C3PAO to validate their readiness before the Affirming Official signs, for exactly this reason. Note that a C3PAO that has consulted for you cannot later perform your certification assessment, because the rule treats that as a conflict of interest.
The CMMC 2.0 final rule (32 CFR Part 170) became effective on December 16, 2024. Since that date, DoD has been phasing CMMC into new solicitations and contract awards. If you are bidding on new DoD work in 2026, CMMC is a live requirement. Here's the practical timeline:
Existing contracts awarded before December 2024 are not automatically subject to CMMC. However, when contracts are re-competed, modified significantly, or extended under new options, CMMC requirements may be added. If you're mid-contract on a multi-year award and a modification is coming, check whether CMMC is being added to the new modification.
Run through these three questions in order. Your first "yes" answer determines your CMMC level.
Does your contract or subcontract involve Controlled Unclassified Information (CUI)?
Check for DFARS 252.204-7012, CUI markings in received data, technical drawings, specifications, or any data that falls under a CUI registry category.
Does your contract involve Federal Contract Information (FCI), even if no CUI is present?
If you produce deliverables for the government or receive information from the government solely in the context of contract performance, that's FCI.
(Level 2 only) Does the solicitation or contract require a third-party assessment?
Look for "CMMC Level 2 (C3PAO)" in the solicitation. If it specifies "CMMC Level 2 (Self)", the self-assessment path applies. The choice is DoD's, stated in the solicitation; it is not something you elect.
The consequences of misidentifying your required CMMC level range from contract remedies to civil liability, and potentially criminal liability, depending on the severity of the error and whether it was knowing.
If a contracting officer or DIBCAC audit determines that you have been operating at a lower CMMC level than required, your contract can be terminated for default, not for convenience. Termination for default can trigger debarment proceedings, which can exclude you from all federal contracting for years. For a company whose revenue depends on DoD contracts, this is an existential risk.
If you certified CMMC compliance at a level you didn't actually meet, whether through a self-assessment score or an affirmation submitted in SPRS that misrepresented your posture, you've potentially made a false claim. The Department of Justice's Civil Cyber-Fraud Initiative has made clear that knowingly false cybersecurity certifications are pursued under the False Claims Act. Treble damages, civil penalties, and qui tam whistleblower provisions create significant financial exposure, and a subcontractor or former employee with knowledge of your actual security posture can bring a whistleblower case against you.
A mismatch between your claimed CMMC level and observable reality, surfaced through a cyber incident report, a prime contractor complaint, or DIBCAC's own risk-based selection, can trigger a government-led assessment. Under DFARS 252.204-7020 you are contractually obligated to give DoD assessors access to your facilities, systems, and personnel when such an assessment is scheduled. Failing a DIBCAC assessment while performing a Level 2 contract is a serious compliance event that creates an immediate obligation to remediate and re-affirm your status.
CMMC Level 1 covers 15 basic safeguarding requirements drawn from FAR 52.204-21 and applies to contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires an annual self-assessment and affirmation with no third-party verification. CMMC Level 2 covers all 110 NIST SP 800-171 Rev 2 requirements, applies to contractors that handle CUI, and requires either a C3PAO certification assessment every three years (Level 2 (C3PAO)) or a self-assessment every three years (Level 2 (Self)), in both cases with an annual affirmation by a senior company official.
Start with your contract. DFARS 252.204-7012 appears in nearly every DoD contract other than COTS purchases, so its presence alone does not prove you have Covered Defense Information (CDI); it means the safeguarding obligation applies if you do. CDI substantially overlaps with CUI. Then look at the data you actually receive from your customer: technical drawings, specifications, program data, export-controlled information, and personally identifiable information tied to defense programs are typically CUI. If you're unsure, ask your contracting officer or prime for a written determination. Do not assume you're out of scope; the consequences of handling CUI without the required controls are significant.
It depends on your contract. Under 32 CFR Part 170, Level 2 comes in two variants: Level 2 (C3PAO), required where DoD has determined the program's CUI warrants independent verification, and Level 2 (Self), used where it has not. Your solicitation or contract will specify which one applies; look for "CMMC Level 2 (C3PAO)" or "CMMC Level 2 (Self)". If the solicitation is silent and you cannot get clarification, plan for a C3PAO assessment, since the implementation work is identical and only the verification differs.
Operating at a lower CMMC level than your contract requires is a contractual violation, and certifying compliance you don't have may constitute a false claim under the False Claims Act. The consequences include contract termination for default, suspension or debarment from future federal contracting, and civil or, in knowing cases, criminal liability if a whistleblower or a DIBCAC assessment reveals the misrepresentation. The safest approach when uncertain is to treat yourself as Level 2 and engage a CMMC Registered Practitioner Organization (RPO) for a formal scope determination.
Yes. CMMC requirements flow down to subcontractors at all tiers that process, store, or transmit FCI or CUI in performance of the contract. Prime contractors are required to include the applicable CMMC level in those subcontracts. If you are a sub and your work involves handling any CUI the prime receives under a CMMC-covered prime contract, you are in scope at the prime's Level 2 variant (Self or C3PAO) for that CUI-handling work. A sub that receives only FCI, and no CUI, needs Level 1 even when the prime is at Level 2.
The CMMC 2.0 final rule under 32 CFR Part 170 was published in October 2024 and became effective December 16, 2024. DoD began including CMMC requirements in new solicitations and contracts after that date. If you are bidding on new DoD work in 2026, CMMC is a live requirement. Contracts awarded before the effective date are not automatically subject to CMMC, but re-competes and modifications may trigger applicability.