Do I Need CMMC? How to Know If It Applies to Your Business

2026-03-15 · 6 min read

You got a DFARS clause in your contract. Someone at a bid meeting mentioned CMMC. Your prime is asking about your SPRS score. Now you’re wondering: does this actually apply to me?

The answer is not the same for every contractor. It depends on two things: what data you handle, and what your contract says. This article gives you a plain-English decision path — not a sales pitch — so you can answer that question before you spend a dollar on compliance.

The short answer: it depends on what data you handle

CMMC is built around two data types. Understanding them is the fastest way to identify where you stand.

FCI (Federal Contract Information) is information provided by or generated for the government under a contract that is not intended for public release — things like schedules, invoices, delivery orders, and contract correspondence. If you only handle FCI, you are likely looking at CMMC Level 1, which requires 17 basic practices and an annual self-attestation. No third-party assessor is required.

CUI (Controlled Unclassified Information) covers technical drawings, engineering specifications, test data, and any information the DoD has designated as controlled. If a foreign adversary would benefit from seeing it, assume it’s CUI. The National Archives CUI Registry has the full list of what qualifies. If you handle CUI, you need CMMC Level 2 — which requires a third-party assessment by a Cyber AB-authorized C3PAO (Certified Third-Party Assessment Organization).

For the full comparison between Level 1 and Level 2, see CMMC Level 1 vs. Level 2: Which Do You Need?

Three questions to find out where you stand

Run through these in order. They cover the three most common paths to a CMMC requirement.

1. Does your contract include DFARS clause 252.204-7012, 7019, 7020, or 7021?

These are the cybersecurity clauses the DoD uses to impose CMMC requirements. Pull up your current DoD contract and search for “252.204.” If any of those clauses appear, CMMC applies to you. Clause 7021 is the most current and specifically references CMMC certification levels.

For a plain-English explanation of each clause and what it requires, see DFARS Clauses Decoded.

2. Does your work involve technical drawings, engineering specifications, test data, or anything marked CUI?

This is the data question. Look at what your customer sends you. If you receive anything with a CUI header, footer, or banner — or if you produce technical data under the contract — you are likely handling CUI and need Level 2.

Many manufacturers assume they only handle FCI because they “just make parts.” The moment a prime sends you a controlled drawing, that assumption is wrong. Getting this wrong means being underqualified when your contract comes up for renewal.

3. Does your prime contractor require CMMC in their subcontract flow-down clause?

Even if your direct DoD contract is silent on CMMC, your prime may have their own clause requiring it. Flow-down requirements are common for any subcontractor who touches CUI on a prime’s behalf. Check your subcontract for any cybersecurity or CMMC language.

If any of these three questions produces a “yes,” CMMC applies to you.

What if you’re a subcontractor?

Flow-down is real. If the prime contractor handles CUI and any of that information passes to you — even just technical drawings attached to a work order — you inherit the requirement. The DoD does not distinguish between primes and subs when it comes to protecting controlled information.

The practical test: ask your prime whether CUI flows down to your scope of work. Get the answer in writing. If it does, you are in Level 2 territory regardless of what your own direct government contract says.

For the complete breakdown of how CMMC applies to the defense supply chain, see CMMC for Subcontractors.

What if your contract doesn’t mention CMMC yet?

The DoD is phasing CMMC requirements into contracts through the 2025–2026 contract cycle. If your current contract has no CMMC clause, it is not a permanent exemption — it means the requirement has not yet been inserted at renewal or recompete.

Contractors who start building compliance now have two advantages: they avoid the schedule pressure of a compliance sprint before a recompete, and they can use their SPRS score as a competitive differentiator when bidding. A strong score signals to primes and contracting officers that you are a low-risk supplier.

For the full DoD rollout timeline and which contract types are affected first, see Your CMMC Certification Timeline.

What does it cost if you do need it?

Cost varies significantly by level and company size.

Level 1 self-attestation typically runs $5K–$25K per year when you factor in the internal time to document and implement 17 practices plus the SPRS submission. For most small contractors, this is achievable.

Level 2 is more significant. Assessment costs alone range from $30K–$150K depending on the C3PAO and your company size. Remediation — closing the gaps before the assessment — is often the larger cost and can range from minimal (if you have a strong IT baseline) to $300K+ (if you are building controls from scratch). The full range across company types runs $30K–$500K or more.

For a detailed cost breakdown by company size and starting SPRS score, see the CMMC Cost Guide.

Frequently asked questions

Does CMMC apply to all DoD contracts?

No. CMMC applies to contracts that include specific DFARS cybersecurity clauses (252.204-7012, 7019, 7020, or 7021). Contracts for commercial items, contracts below the micro-purchase threshold, and contracts that involve no CUI may be exempt. Check your contract language — do not assume exemption without verifying.

What is the difference between CMMC Level 1 and Level 2?

Level 1 covers 17 basic cybersecurity practices and requires an annual self-attestation for contractors handling only FCI. Level 2 covers 110 practices aligned to NIST SP 800-171 and requires a third-party assessment for contractors handling CUI. The full comparison is in CMMC Level 1 vs. Level 2.

Do I need CMMC if I only do commercial work?

If your only contracts are commercial — no DoD prime contracts, no DoD subcontracts — then CMMC does not apply. CMMC is a DoD program. If you are bidding on or performing work under DoD contracts, even as a sub-tier supplier, you need to check whether CMMC clauses flow down to your work.

How long does it take to get CMMC certified?

Level 1 self-attestation can be completed in weeks if your basic IT hygiene is in order. Level 2 certification typically takes 6–18 months from the start of gap assessment to the final C3PAO certificate, depending on your starting posture. Starting early is the most important factor — waiting until a contract renewal deadline creates unnecessary cost and risk.

Can I self-certify for CMMC?

For Level 1, yes — annual self-attestation submitted to SPRS is the required method. For Level 2, no — self-certification is not permitted. A DoD-authorized C3PAO must conduct the assessment and issue the certification. The C3PAO submits results directly to the government.

What’s your next step?

If you answered yes to any of the three questions above, CMMC applies to your business. The next move is to understand your current posture — specifically, how many of the required practices you already meet.

The fastest way to get that answer — without a vendor trying to expand your scope — is a 15-minute scoping call with someone who’s independent. We’ll tell you which level applies, where you likely stand, and what your real-world path looks like. Get your CMMC readiness signal in 3 minutes →

Not ready to talk yet? Download the CMMC Readiness Checklist — 15 questions to map your compliance exposure before you engage a single vendor.
