This is the single most expensive question in CMMC, and most small contractors get it wrong in one of two directions. Some assume every federal contract means CUI and start building a six-figure Level 2 program they do not need. Others assume they are fine and quietly under-comply on a contract that actually flows CUI. Both mistakes are avoidable in about five minutes.
Why this matters so much
Your CMMC level is decided entirely by the kind of information your contracts hand you. Level 1 is 15 safeguards, self assessed, often done in a week. Level 2 is 110 requirements from NIST SP 800-171, a scored assessment, and months of work. The gap between them is the largest single distinction in the whole program.
| | FCI only | Handling CUI |
|---|---|---|
| CMMC level | Level 1 | Level 2 |
| Requirements | 15 safeguards | 110 (NIST SP 800-171) |
| Assessment | Self assessed | Self or C3PAO |
| Typical timeline | Days to weeks | Months |
The three signals of CUI
You do not have to interpret anything. Look for concrete, written signals:
- A CUI banner marking. Open the documents the government or your prime sent you. A CUI banner at the top of a page, sometimes with a category code like CUI//SP-CTI, is the clearest signal.
- DFARS 252.204-7012 in the contract. Search your contracts for that clause number. It is the DoD clause that flows CUI obligations and points to NIST SP 800-171.
- A DD Form 254 or CUI clause. These identify controlled or sensitive information tied to the work.
The 5-minute check
Run these steps against your last three federal contracts:
- Search each contract PDF for the strings CUI and 252.204-7012.
- Open every document the government or prime delivered and scan the top of each page for a CUI banner.
- Check whether a DD Form 254 was issued for the work.
- If you found none of the above across all three contracts, you handle FCI only, and you are at Level 1.
- If you found any of them, you handle CUI, and you are at Level 2.
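The string searches in the check above can be scripted. The sketch below is an added example, not part of the original article. It assumes each document's text has already been extracted to a string (for example with pdftotext), and the regexes, function names and sample text are this example's own.

```python
import re

# Signals named in the article; the patterns are this example's assumptions.
SIGNALS = {
    # Whole-token "CUI", case-sensitive, so "circuit" or "biscuit" never match.
    # An optional //CATEGORY suffix (e.g. CUI//SP-CTI) is captured with it.
    "cui_marking": re.compile(r"\bCUI\b(?://[A-Z0-9/-]+)?"),
    # Clause number, tolerating Unicode dashes and stray spaces from PDF extraction.
    "dfars_7012": re.compile(r"\b252\s*\.\s*204\s*[-\u2010-\u2015]\s*7012\b"),
    # "DD Form 254" or "DD 254".
    "dd_254": re.compile(r"\bDD\s*(?:Form\s*)?254\b", re.IGNORECASE),
}

def find_signals(text):
    """Return {signal_name: [matched strings]} for one document's text."""
    hits = {}
    for name, rx in SIGNALS.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits

def cmmc_level(documents):
    """Apply the article's rule: any signal in any document means Level 2."""
    report = {name: find_signals(text) for name, text in documents.items()}
    level = 2 if any(report.values()) else 1
    return level, report

# Constructed sample text standing in for extracted PDFs; not real contracts.
SAMPLE_FCI = {
    "contract_a.txt": "Statement of work: repair circuit boards on site.",
    "contract_b.txt": "Deliver 40 biscuit tins. Vendor shall invoice monthly.",
}
SAMPLE_CUI = {
    "contract_c.txt": "Clauses incorporated: DFARS 252.204\u20137012. See DD Form 254.",
    "drawing.txt": "CUI//SP-CTI\nAssembly drawing rev B",
}

if __name__ == "__main__":
    for label, docs in (("FCI sample", SAMPLE_FCI), ("CUI sample", SAMPLE_CUI)):
        level, report = cmmc_level(docs)
        print(label, "-> Level", level)
        for doc, hits in report.items():
            print("  ", doc, hits)
```

Scanned PDFs with no text layer yield no matches, so a Level 1 result only holds for documents that were actually searchable; read each hit in context before acting on it.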
If you handle both
Plenty of contractors hold a mix: Level 1 work for one customer, a single contract with CUI for another. You are scoped at Level 2 for whatever touches the CUI. The smart move is usually to isolate that work in a CUI enclave, so Level 2 applies to a small, separated environment and the rest of the business stays at Level 1. That single decision is the biggest driver of what Level 2 costs you.
What to do next
- Confirmed FCI only? Start with CMMC Level 1 and the 15-requirement checklist.
- Confirmed CUI? See what CMMC Level 2 takes and scope your assets first.
- Still unsure? Read the full CUI explainer or take the 2 minute check.
Frequently asked questions
How do I know if my business handles CUI?
Look for three signals: a CUI banner marking on documents the government sent you, a contract citing DFARS 252.204-7012, or a DD Form 254 or contract clause identifying controlled information. If any are present, you handle CUI and owe CMMC Level 2. If none are, you almost certainly handle only Federal Contract Information and owe Level 1.
What is the difference between CUI and FCI for scoping?
FCI, Federal Contract Information, is unmarked non-public information under a contract and triggers CMMC Level 1. CUI is marked or specifically controlled information and triggers CMMC Level 2, the 110 requirements of NIST SP 800-171. The simplest test is the marking: FCI is not marked, CUI is.
My prime says the work is sensitive. Is that CUI?
Not by itself. CUI must be designated in writing, through the contract, a clause like DFARS 252.204-7012, a DD Form 254, or a marked document. A verbal comment that something is sensitive does not create CUI obligations. Ask for the written designation before treating work as Level 2.
What if I handle both CUI and FCI?
You are scoped at the higher level, CMMC Level 2, for the systems that touch CUI. Many contractors isolate CUI in a separate enclave so Level 2 applies to a small, controlled environment while the rest of the business stays at Level 1. That scoping decision is the biggest cost lever at Level 2.
How can I confirm my level quickly?
Take the free CMMC check. It walks you through a few plain questions about the information your contracts hand you and tells you whether you are at Level 1 or Level 2 in about two minutes, with no account required.