CMMC · Decision Guide · 9 min read

Do I Need CMMC for My Contract?

If you do any work in the defense supply chain, the question isn't academic — and “the prime handles it” is the answer that gets small shops locked out of bids. Here's how to tell whether CMMC applies to you, at what level, and how soon you need to act.

Kapacyber

Security Research Team

Whether you need CMMC for your contract comes down to one question: does your work touch government data that isn't meant to be public? If a prime contractor or the government hands you information to do your part of the job, the Cybersecurity Maturity Model Certification almost certainly reaches you — even if you have never spoken to the Department of Defense directly.

That surprises a lot of small manufacturers, machine shops, and engineering firms. They assume CMMC is something the prime worries about, or something only big defense contractors deal with. Both assumptions are wrong, and both are expensive — because the consequence of getting it wrong isn't a fine, it's being ineligible to bid.

The Two Data Types That Decide Everything

CMMC exists to protect two kinds of government information, and which one you handle determines which level you need.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that isn't intended for public release — basic things like delivery schedules, non-public specifications, or process details. If FCI is the most sensitive data you touch, you are generally a Level 1 shop.

Controlled Unclassified Information (CUI) is the sensitive-but-unclassified category: technical drawings, specifications, ITAR/EAR-controlled technical data, design and process information, and more. CUI has nothing to do with classified work — a shop that has “never seen anything classified” can still handle CUI on every job. If you handle CUI, you are generally looking at Level 2, which maps to the 110 controls of NIST SP 800-171.

How to Tell Which One You Handle

The fastest signal is your contract language. If a contract includes DFARS 252.204-7012, the government is telling you it expects CUI to be involved — and that clause already obligates you to safeguard it and report incidents, independent of CMMC. The presence of 7012 is the single clearest hint that Level 2 is in your future.

When it's genuinely unclear, don't guess. Ask your contracting officer or your prime to confirm, in writing, exactly what data they send you and at what level. That one email resolves more scope arguments than any consultant can.

| If this describes you… | Data type | Likely level |
|---|---|---|
| You receive only basic, non-public contract information (delivery schedules, basic specs) and no CUI markings | Federal Contract Information (FCI) | Likely Level 1 |
| Your contract contains DFARS 252.204-7012, or your prime sends you CUI / technical data | Controlled Unclassified Information (CUI) | Likely Level 2 |
| You are a prime on a high-priority program with the most sensitive CUI | CUI under enhanced protection | Possibly Level 3 |
| You sell only commercial-off-the-shelf (COTS) products with no FCI or CUI | None in scope | Likely out of scope |

Indicative guidance only — final scope and level are set by your contract terms and your prime/contracting officer, not by this table.

Why “The Prime Handles Compliance” Is a Trap

CMMC obligations flow down. When a prime wins a contract that requires a given level, it is required to flow the appropriate requirement down to the subcontractors who handle the data. The prime cannot absorb your obligation for you any more than it can do your machining for you. If you receive the data, you carry the requirement.

The practical effect is brutal in its simplicity: a prime assembling a bid will favour subcontractors who can already demonstrate the right level. A shop that can't isn't fined — it's quietly left off the next bid. There is also real False Claims Act exposure for attesting to a security posture you don't actually have; the Department of Justice has pursued multi-million-dollar settlements over exactly that.

The Timeline — and Why It's Later Than You Think

CMMC is phasing in rather than switching on overnight. The program rule took effect in late 2024, and CMMC requirements are appearing in DoD solicitations on a phased schedule that ramps through 2026 to 2028. It is tempting to read that as “I have years.”

You don't. A Level 2 third-party (C3PAO) assessment has to be scheduled, and assessor capacity is limited. Getting genuinely ready — closing gaps across all 110 controls, writing a System Security Plan, building a POA&M, and operating the controls long enough to show evidence — commonly takes a year or more. Work backwards from the first contract you'll want to bid once the clause is in it, and the real start date is usually “now.”

Your Next Step

If you've read this far and you're still not certain whether you handle FCI or CUI, that uncertainty is the finding — and it's a fixable one. Confirm your data type with your prime, figure out your likely level, and get an honest read of how far your current controls are from where they need to be. For the full picture of what Level 2 involves, see our CMMC 2.0 explainer, what it typically costs a small subcontractor, and — once you know your level — the difference between the C3PAO, RPO, and MSP roles so you hire the right help in the right order.

Free Tool

Run the CMMC Readiness Check.

Answer a short set of questions and get an indicative read on your likely level and the biggest gaps between your current controls and NIST SP 800-171 — no email wall to see your result.


Not Sure Which Level Applies to You?

We'll help you confirm your data type, map your likely CMMC level, and show you the gap to NIST SP 800-171 — in plain English, before you commit to an assessment.
