Do I Need CMMC? (And Which Level?)

The answer comes down to one thing: the kind of government data you touch — FCI or CUI.

Before you spend a dime or a weekend on CMMC, answer one question: what kind of government information do you actually handle? That single fact decides whether CMMC applies to you and, if it does, which level you have to meet. Almost everything else is downstream of it.

The 30-second answer

| What you handle | CMMC level | How it's assessed |
|---|---|---|
| Neither FCI nor CUI | None* | CMMC generally doesn't apply |
| FCI only | Level 1 | Annual self-assessment |
| CUI | Level 2 | Self-assessment or C3PAO certification |
| CUI on the most sensitive programs | Level 3 | Government-led (DIBCAC) |

*Contracts solely for commercial off-the-shelf (COTS) items are generally excluded — but most DoD vendors handle at least FCI.

FCI vs CUI — the distinction that sets your level

CMMC has three levels, but for most small contractors the real fork is just two: Level 1 or Level 2. Which one you land on is decided by whether you hold FCI, CUI, or both.

FCI — Federal Contract Information

FCI is information provided by or generated for the government under a contract that isn't meant for public release — think a non-public statement of work, delivery schedules, or internal contract correspondence. If FCI is the most sensitive thing you touch, you're at Level 1: the 15 basic safeguarding requirements in FAR 52.204-21, confirmed by an annual self-assessment.

CUI — Controlled Unclassified Information

CUI is information the government specifically requires you to protect under a defined category — technical drawings and specifications, controlled technical information, ITAR/export-controlled data, and similar. The moment a contract puts CUI in your hands, you step up to Level 2: the 110 controls of NIST SP 800-171, documented in an SSP and scored in SPRS. (CMMC currently assesses against Revision 2 of 800-171.)

Rule of thumb: FCI → Level 1, CUI → Level 2. The hard part isn't the rule — it's correctly identifying which kind of data you actually have. Contractors routinely under-call CUI as "just FCI" and get caught short.

Which level applies to you

Level 1 (FCI)

Small footprint, basic cyber hygiene, annual self-assessment, and an affirmation in SPRS. No third party, no 110 controls — but it's still a real requirement, not a checkbox.

Level 2 (CUI)

The 110 NIST 800-171 controls. Some lower-risk CUI contracts permit a self-assessment; many will require a C3PAO certification as the rollout proceeds. This is where most of the work — and cost — lives.

Level 3

Reserved for the most sensitive programs. It builds on Level 2 with a subset of NIST SP 800-172 enhancements and is assessed by the government (DIBCAC). Most small contractors will never touch Level 3.

"I'm just a subcontractor / I don't touch CUI"

CMMC flows down. If a prime sends you CUI to do the work, you generally inherit the same Level 2 obligation they have for that data — your tier in the supply chain doesn't lower the bar. The flip side is just as important: if your prime only ever sends you FCI, you're at Level 1, not Level 2, even on a big program. What you receive sets your level, not how large the contract is.

Think you're Level 2? See where you stand — free

If CUI is in play, the next step is a self-assessment against the 110 controls. Our free calculator gives you a SPRS score and shows exactly which gaps cost you the most — no signup.

Calculate your SPRS score free →
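To make "scored in SPRS" and "which gaps cost you the most" concrete, here is an added worked example of how a NIST SP 800-171 self-assessment turns into a score. It is not the page's calculator or any DoD tool. It assumes the DoD Assessment Methodology's scheme: start at 110, subtract a 5-, 3- or 1-point weight for each control that is not implemented, with partial credit (a 3-point deduction instead of 5) only on MFA (3.5.3) and FIPS-validated cryptography (3.13.11). The control subset, its weights and the assessment statuses are constructed for illustration; a real score covers all 110 controls, so this sample implicitly treats the unlisted ones as implemented.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Each NIST SP 800-171 Rev 2 control is worth one point when implemented;
# deductions are weighted 5, 3 or 1 (DoD Assessment Methodology).
MAX_SCORE = 110

# The only two controls that earn partial credit: a 3-point deduction
# (instead of the full 5) when they are partly in place.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class Control:
    cid: str     # NIST SP 800-171 control identifier
    title: str
    weight: int  # points lost when not implemented (5, 3 or 1)


# Constructed sample: a handful of the 110 controls, not the full catalogue.
# Weights are illustrative; verify each against the methodology's Annex A.
SAMPLE_CONTROLS: List[Control] = [
    Control("3.1.1", "Limit system access to authorized users", 5),
    Control("3.1.2", "Limit access to permitted transactions and functions", 5),
    Control("3.1.3", "Control the flow of CUI per approved authorizations", 1),
    Control("3.3.1", "Create and retain audit logs", 5),
    Control("3.3.2", "Trace actions to individual users", 3),
    Control("3.5.3", "Multifactor authentication", 5),
    Control("3.8.1", "Protect system media containing CUI", 3),
    Control("3.13.11", "FIPS-validated cryptography to protect CUI", 5),
]


def deduction_for(control: Control, status: str) -> int:
    """Points lost for one control given its implementation status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{control.cid}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and control.cid in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control.cid]
    # Everywhere else, "partial" scores the same as "not implemented".
    return control.weight


def sprs_score(
    controls: List[Control], status: Dict[str, str]
) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, gaps); gaps lists (control id, points lost), costliest first.

    Every control must have a recorded status: a missing entry is an error,
    not a silent assumption that the control is implemented.
    """
    gaps: List[Tuple[str, int]] = []
    for control in controls:
        if control.cid not in status:
            raise ValueError(f"no status recorded for control {control.cid}")
        lost = deduction_for(control, status[control.cid])
        if lost:
            gaps.append((control.cid, lost))
    # Stable sort: ties keep catalogue order, so the ranking is deterministic.
    gaps.sort(key=lambda g: -g[1])
    return MAX_SCORE - sum(lost for _, lost in gaps), gaps


# Constructed self-assessment results for the sample subset.
SAMPLE_STATUS: Dict[str, str] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",
    "3.3.1": "not_implemented",
    "3.3.2": "partial",          # no partial credit here: full 3-point deduction
    "3.5.3": "partial",          # MFA on some but not all access paths: 3, not 5
    "3.8.1": "implemented",
    "3.13.11": "not_implemented",
}

if __name__ == "__main__":
    score, gaps = sprs_score(SAMPLE_CONTROLS, SAMPLE_STATUS)
    print(f"SPRS score for the sample subset: {score} / {MAX_SCORE}")
    for cid, lost in gaps:
        print(f"  {cid:<8} -{lost}")
```

Run as-is, the sample loses 17 points (5 + 5 + 3 + 3 + 1) for a score of 93, and the gap list puts the two 5-point controls first. That ranking is the useful output: two unmet 5-point controls cost as much as ten unmet 1-point ones, so remediation order should follow weight, not control number.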

How to confirm what you actually handle

Do I need CMMC — frequently asked

Do I need CMMC if I'm a subcontractor?

Yes, if FCI or CUI flows down to you. If a prime sends you CUI, you generally carry the same Level 2 obligation for that data. If you only receive FCI, Level 1 applies. The data you receive sets your level — not your tier.

What's the difference between FCI and CUI?

FCI is non-public contract information and maps to Level 1 (15 FAR safeguards). CUI is information in a government-defined protection category and maps to Level 2 (110 NIST 800-171 controls).

How do I know if I handle CUI?

Look for DFARS 252.204-7012 in your contract, CUI markings on documents and CDRLs, and controlled technical data from the prime. When unsure, ask your contracting officer in writing.

Does every defense contractor need CMMC?

Effectively any contractor handling FCI or CUI on DoD work falls under Level 1 or Level 2. COTS-only contracts are generally excluded, but most DoD vendors handle at least FCI.

Next step

If you've confirmed you handle CUI, you're a Level 2 shop — start by finding out where you stand. Calculate your SPRS score, then turn the gaps into a documented plan with the free SSP generator. Still not sure on cost? See how much CMMC actually costs, and what's changing at CMMC Phase 2 on November 10, 2026.