Free Tool — No Email Required
Does CMMC Apply to My Business?
5 questions. Under 3 minutes. Get a clear answer and your next step — no sales pitch.
Do You Need CMMC Compliance?
If you've received a DoD contract or are bidding on one, you may be wondering whether CMMC (Cybersecurity Maturity Model Certification) applies to you. The answer depends on a few specific factors — and getting it wrong can mean either unnecessary compliance costs or a contract disqualification.
CMMC 2.0, finalized in 2024, applies to all companies in the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That includes prime contractors and subcontractors at any tier. If your contract flows through a prime who handles DoD work, you may be in scope even if you never interact with the government directly.
This free quiz walks you through 5 questions designed to surface your CMMC obligation in under 2 minutes. It covers your contract type, the data you handle, and your relationship to the prime contractor. No email required — your answers stay in your browser.
Over 95% of DIB companies that handle only FCI fall under CMMC Level 1, which requires annual self-attestation. Companies handling CUI need Level 2, which requires a third-party assessment by a C3PAO. Knowing which category you're in early saves months of wasted preparation.
Question 1 of 5
Does your company hold or pursue Department of Defense contracts?
This includes prime contracts, subcontracts, and active bids on DoD work.
Frequently Asked Questions: Does CMMC Apply to Me?
Does CMMC apply to all DoD contractors?
CMMC applies to any company in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes prime contractors and subcontractors at any tier of the supply chain.
Does CMMC apply to small businesses?
Yes. CMMC has no small business exemption. If your contract involves FCI or CUI, CMMC applies regardless of company size. The DoD has issued guidance encouraging small businesses to self-attest for Level 1 where applicable, which reduces cost.
What if I'm a subcontractor, not a prime?
Subcontractors are subject to CMMC at the level required for the data they handle. If a prime flows CUI down to you, you need Level 2 certification for that work. The flowdown clause in your contract will specify requirements.
What is Federal Contract Information (FCI)?
FCI is information provided by or generated for the government under a contract that is not intended for public release. Handling FCI puts you under CMMC Level 1, which requires 17 basic cybersecurity practices and annual self-attestation.
What is the difference between FCI and CUI?
FCI (Federal Contract Information) is the baseline — contract data not for public release. CUI (Controlled Unclassified Information) is a stricter category covering sensitive but unclassified government data like technical specs, export-controlled information, or privacy data. Handling CUI requires CMMC Level 2.
When does CMMC become mandatory?
CMMC 2.0 was finalized in October 2024. The DoD is phasing in requirements through contract clauses. By 2026, CMMC requirements are expected to appear in all new DoD solicitations. Companies should begin preparation now to avoid gaps.
Next Step
Now that you know CMMC applies, find out which level you need.
Level 1 vs Level 2 is the most important decision in your compliance path — and this guide makes it clear.