Which CMMC Level Do You Need?
Answer 4 questions to find out whether your organization needs Level 1, Level 2, or Level 3 certification.
Do you have or seek contracts with the U.S. Department of Defense?
CMMC applies to all DoD contractors and subcontractors in the Defense Industrial Base (DIB). If you are pursuing DoD work, answer Yes even if no contract is signed yet.
Do you handle Controlled Unclassified Information (CUI)?
CUI is information the government requires to be protected but that is not classified. Your contract may explicitly reference DFARS 252.204-7012.
CUI includes technical data, engineering drawings, test results, export-controlled information (EAR/ITAR), and other sensitive-but-unclassified data that the government marks or designates as requiring protection.
If your contract references DFARS 252.204-7012 (Safeguarding Covered Defense Information), you almost certainly handle CUI. When in doubt, ask your contracting officer.
Do you handle Federal Contract Information (FCI)?
FCI is the baseline information category for nearly all DoD contractors, even those who do not handle CUI.
FCI is information provided by or generated for the government under a contract to develop or deliver a product or service. It is information not intended for public release.
Nearly all DoD contractors handle at least FCI — if you receive a Statement of Work, contract deliverables, or government-furnished information, that is FCI. The threshold for Level 1 is very broad.
CMMC may not apply to you
CMMC is a DoD-specific framework for the Defense Industrial Base.
You may not need CMMC certification
But you should confirm with your contracting officer before concluding that.
You need CMMC Level 1
Basic cyber hygiene for contractors handling Federal Contract Information.
Key practices covered
- Antivirus & malware protection
- Access control (who can log in)
- Password requirements
- Limit physical access
- Screen lock & session timeouts
- Patch operating systems
You need CMMC Level 2
Advanced cyber hygiene for contractors handling Controlled Unclassified Information (CUI).
Key requirement domains
- Access Control (AC)
- Audit & Accountability (AU)
- Incident Response (IR)
- System & Communications Protection (SC)
- Risk Assessment (RA)
- Configuration Management (CM)
- Identification & Authentication (IA)
- System Integrity (SI)