← Custodia

Do You Actually Handle CUI? A 5-Minute Self-Check (2026)

A plain-English self-check to tell whether your business handles Controlled Unclassified Information (CUI) or only Federal Contract Information (FCI), and therefore whether you owe CMMC Level 2 or Level 1.

By David Fuentes· Compliance Officer, CustodiaJuly 5, 20267 min read

This is the single most expensive question in CMMC, and most small contractors get it wrong in one of two directions. Some assume every federal contract means CUI and start building a six-figure Level 2 program they do not need. Others assume they are fine and quietly under-comply on a contract that actually flows CUI. Both mistakes are avoidable in about five minutes.

Why this matters so much

Your CMMC level is decided entirely by the kind of information your contracts hand you. Level 1 is 15 safeguards, self assessed, often done in a week. Level 2 is 110 requirements from NIST SP 800-171, a scored assessment, and months of work. The gap between them is the largest single distinction in the whole program.

FCI onlyHandling CUI
CMMC levelLevel 1Level 2
Requirements15 safeguards110 (NIST SP 800-171)
AssessmentSelf assessedSelf or C3PAO
Typical timelineDays to weeksMonths

The three signals of CUI

You do not have to interpret anything. Look for concrete, written signals:

  1. A CUI banner marking. Open the documents the government or your prime sent you. A CUI banner at the top of a page, sometimes with a category code like CUI//SP-CTI, is the clearest signal.
  2. DFARS 252.204-7012 in the contract. Search your contracts for that clause number. It is the DoD clause that flows CUI obligations and points to NIST SP 800-171.
  3. A DD Form 254 or CUI clause. These identify controlled or sensitive information tied to the work.

The 5-minute check

Run these steps against your last three federal contracts:

  1. Search each contract PDF for the strings CUI and 252.204-7012.
  2. Open every document the government or prime delivered and scan the top of each page for a CUI banner.
  3. Check whether a DD Form 254 was issued for the work.
  4. If you found none of the above across all three contracts, you handle FCI only, and you are at Level 1.
  5. If you found any of them, you handle CUI, and you are at Level 2.

If you handle both

Plenty of contractors hold a mix: Level 1 work for one customer, a single contract with CUI for another. You are scoped at Level 2 for whatever touches the CUI. The smart move is usually to isolate that work in a CUI enclave, so Level 2 applies to a small, separated environment and the rest of the business stays at Level 1. That single decision is the biggest driver of what Level 2 costs you.

What to do next

Frequently asked questions

How do I know if my business handles CUI?

Look for three signals: a CUI banner marking on documents the government sent you, a contract citing DFARS 252.204-7012, or a DD Form 254 or contract clause identifying controlled information. If any are present, you handle CUI and owe CMMC Level 2. If none are, you almost certainly handle only Federal Contract Information and owe Level 1.

What is the difference between CUI and FCI for scoping?

FCI, Federal Contract Information, is unmarked non-public information under a contract and triggers CMMC Level 1. CUI is marked or specifically controlled information and triggers CMMC Level 2, the 110 requirements of NIST SP 800-171. The simplest test is the marking: FCI is not marked, CUI is.

My prime says the work is sensitive. Is that CUI?

Not by itself. CUI must be designated in writing, through the contract, a clause like DFARS 252.204-7012, a DD Form 254, or a marked document. A verbal comment that something is sensitive does not create CUI obligations. Ask for the written designation before treating work as Level 2.

What if I handle both CUI and FCI?

You are scoped at the higher level, CMMC Level 2, for the systems that touch CUI. Many contractors isolate CUI in a separate enclave so Level 2 applies to a small, controlled environment while the rest of the business stays at Level 1. That scoping decision is the biggest cost lever at Level 2.

How can I confirm my level quickly?

Take the free CMMC check. It walks you through a few plain questions about the information your contracts hand you and tells you whether you are at Level 1 or Level 2 in about two minutes, with no account required.

Keep reading
  1. CMMC Level 1
    What Is FCI? The 90-Second Definition That Decides Your CMMC Level (2026)

    FCI is the routine non-public information you handle under a federal contract. It's what triggers CMMC Level 1, and it's almost certainly already in your inbox.

    Read →
  2. CMMC Level 1
    CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)

    Most small defense contractors are Level 1, not Level 2, but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.

    Read →
  3. CUI
    How to Destroy CUI Correctly: The Goal, Methods, and Rules (2026)

    The goal of destroying CUI is to make it unreadable, indecipherable, and irrecoverable. Here are the approved methods for paper and digital media, and the CMMC requirement behind them.

    Read →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)