CMMC Level 2 Requirements for Defense Manufacturers: Complete 2026 Guide

What Activates CMMC for Your Organization?

Published: May 2026 | Capital Cyber

If you are a defense contractor or subcontractor, you have probably heard the question: “Do I need CMMC?” The answer depends entirely on the type of information your organization handles under federal contracts. Not every contractor needs CMMC certification, but if certain clauses show up in your contract, the clock is ticking.

Here is how to figure out where you stand.

It All Starts with the Data You Handle

CMMC is not a blanket requirement for every company that does business with the Department of Defense. It is triggered by the type of data flowing through your environment:

No FCI, No CUI? No CMMC.

If your contracts do not involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC does not apply to you. You still need to meet basic FAR and DFARS requirements, but certification is not in the picture.

FCI Only? CMMC Level 1.

If your contract includes FCI (as defined by FAR 52.204-21), you fall under CMMC Level 1. This means 17 security controls and an annual self-assessment. Think of it as the baseline: locking doors, using passwords, and keeping unauthorized users out of your systems.

CUI in Play? CMMC Level 2.

If DFARS 252.204-7012 appears in your contract, CUI is involved, and you are looking at CMMC Level 2. That means compliance with all 110 controls in NIST SP 800-171 Rev 2. For prioritized acquisitions, you will need a third-party C3PAO assessment rather than just a self-assessment.

Critical Programs with APT Concerns? CMMC Level 3.

For the most sensitive programs, CMMC Level 3 adds selected controls from NIST SP 800-172 on top of Level 2 requirements. These assessments are conducted by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center).

The Contract Clauses That Tell You Where You Stand

You do not have to guess. The clauses in your contract spell it out:

DFARS 252.204-7012 is the big one. If this clause is present, CUI is in scope, and CMMC Level 2 (at a minimum) applies. This clause covers safeguarding Covered Defense Information and cyber incident reporting.

DFARS 252.204-7019 and 7020 require you to report your SPRS (Supplier Performance Risk System) score, which reflects your current self-assessment against NIST 800-171 controls.

DFARS 252.204-7021 is the clause that names the specific CMMC level required for your contract.

FAR 52.204-21 establishes the FCI baseline, which drives Level 1 requirements.

Why This Matters Right Now

With CMMC Phase 2 approaching in late 2026, prime contractors are already flowing CMMC requirements down to subcontractors. If you are waiting to see what happens, you are already behind. Understanding which clauses apply to your contracts is the first step toward building a realistic compliance timeline.

Not Sure Where You Stand?

Capital Cyber specializes in helping defense contractors navigate CMMC from scoping through certification. Whether you need a gap assessment, remediation support, or ongoing managed compliance services, we meet you where you are and get you where you need to be.

Schedule a Free CMMC Consultation and find out exactly what CMMC means for your business.

Capital Cyber | 1019B Edwards Ferry Rd. #1183, Leesburg, VA 20176.