If you've been trying to figure out what CMMC level applies to your company, you've probably run into this question: do you handle CUI? The answer determines whether you need a $30,000+ third-party assessment or a simple annual self-certification.
The problem is that most small defense contractors either overestimate or underestimate their CUI exposure. Some assume they don't have it because they're "just a subcontractor." Others assume everything in a DoD contract is CUI. Both assumptions can cost you — one in unnecessary audit expense, the other in a compliance gap that shows up on a DFARS clause you didn't realize you were subject to.
Here's how to actually figure out where you stand.
## First, What's the Difference Between CUI and FCI?
The DoD uses two categories of sensitive information, and they trigger very different compliance obligations:
| Type | What It Is | CMMC Level Required |
|---|---|---|
| FCI (Federal Contract Information) | Information provided by or generated for the government under a contract, not intended for public release | Level 1 — 17 controls, annual self-assessment |
| CUI (Controlled Unclassified Information) | Government-created or -owned information that requires safeguarding per law, regulation, or policy | Level 2 — 110 controls, C3PAO assessment by Nov 2026 |
Almost every DoD contractor handles FCI — if your company has ever received a task order, technical spec, or deliverable requirement from a federal contract, that's FCI. The more important question is whether you also handle CUI.
## What Actually Counts as CUI?
CUI is not a vague concept — it has a formal registry. The National Archives maintains the CUI Registry, which lists every category of information that qualifies. For defense contractors, the most common CUI categories are:
- CTI (Controlled Technical Information) — technical data with military application, such as specifications, engineering drawings, computer software source code, or technical documentation related to weapons or defense systems
- Export Controlled — information regulated under ITAR or EAR, including anything with military or dual-use technology implications
- Privacy/PII — personally identifiable information about government personnel or contractors
- Procurement & Acquisition — source selection sensitive data, pre-decisional acquisition information
- Operations Security — information that could allow adversaries to deduce mission details
## How Do You Know If You Actually Have It?
The most reliable way is to look at your contracts. CUI is typically identified in one of three ways:
- It's marked on the document. Proper CUI has a header or footer that reads "CUI" or includes a category designation like "CUI//CTI." If you've ever received a file with that marking, you handle CUI.
- Your contract includes DFARS 252.204-7012. This clause — "Safeguarding Covered Defense Information" — is the clearest signal. If it's in your contract, the government has determined you will encounter CUI.
- You're working on a system that touches DoD networks or weapons programs. Even if the documents aren't marked, if you're providing IT services, software development, or engineering support to a DoD program, the data you handle almost certainly qualifies.
## The Gray Zone: When You're Not Sure
A lot of small subs live in the gray zone. You're doing software development, logistics, or professional services for a prime. You don't get classified data. But you get emails, project files, and briefing decks — and you're not sure if any of it is CUI.
Here's a practical test. Ask yourself these questions:
- Have you received any technical specifications, engineering drawings, or design documents related to a DoD system?
- Do you have access to government systems or networks (even read-only)?
- Does your contract include DFARS 252.204-7012 or 7019/7020?
- Have you ever received files labeled "FOR OFFICIAL USE ONLY," "FOUO," or "SENSITIVE"?
- Does your prime ask you to follow specific information handling requirements?
If you answered yes to any of these, you should treat your environment as CUI-applicable and plan for Level 2.
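A small marking scanner, added here as an illustration (it is not code from the original post or from any CMMC tool): it picks out CUI banner and portion markings in the "CUI//CTI" form described under "It's marked on the document," plus the legacy "FOUO" / "FOR OFFICIAL USE ONLY" / "SENSITIVE" labels from the checklist above, and summarises whether a document looks CUI-applicable. The marking grammar beyond the page's "CUI//CTI" example (several categories joined with "/", a trailing dissemination segment such as NOFORN) and the sample document are assumptions.

```python
import re
from dataclasses import dataclass

# Marking grammar assumed from the "CUI//CTI" form in the text:
#   CUI                 basic marking, no category shown
#   CUI//CTI            one category
#   CUI//SP-CTI/PRVCY   several categories separated by "/"
#   CUI//CTI//NOFORN    optional trailing dissemination-control segment
MARK = (r"CUI(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
        r"(?://(?P<dissem>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?")
BANNER = re.compile(rf"^\s*{MARK}\s*$")   # marking on a line of its own (header/footer)
PORTION = re.compile(rf"\({MARK}\)")       # portion marking such as "(CUI//CTI)"
# Legacy pre-CUI labels that the checklist treats as a "yes" signal (case-sensitive on purpose,
# so ordinary prose like "sensitive data" is not flagged).
LEGACY = re.compile(r"\b(?:FOR OFFICIAL USE ONLY|FOUO|SENSITIVE)\b")

@dataclass
class Finding:
    line_no: int
    marking: str
    categories: tuple
    dissemination: tuple
    legacy: bool = False

def _split(group):
    return tuple(group.split("/")) if group else ()

def scan_text(text):
    """Return every CUI banner/portion marking and legacy label, in document order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in list(BANNER.finditer(line)) + list(PORTION.finditer(line)):
            findings.append(Finding(n, m.group(0).strip(),
                                    _split(m.group("cats")), _split(m.group("dissem"))))
        for m in LEGACY.finditer(line):
            findings.append(Finding(n, m.group(0), (), (), legacy=True))
    return findings

def triage(text):
    """Does the document carry CUI markings, only legacy labels, or neither, and which categories?"""
    found = scan_text(text)
    cats = sorted({c for f in found for c in f.categories})
    return {"cui": any(not f.legacy for f in found),
            "legacy_only": bool(found) and all(f.legacy for f in found),
            "categories": cats}

# Constructed sample document (not a real deliverable).
SAMPLE = """CUI//SP-CTI//NOFORN
Interface Control Document, Rev B
1. (CUI//CTI) Connector pinout is shown in Table 3.
2. (U) Delivery schedule is 30 days after award.
FOUO
CUI//SP-CTI//NOFORN
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
    print(triage(SAMPLE))
```

A prose mention such as "do you handle CUI?" is deliberately not matched, since only stand-alone banner lines and parenthesised portion markings count; run it over exported text from a file share to get a first inventory of marked material before deciding on Level 2 scoping.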
## What If I Only Have FCI?
If after reviewing your contracts you're confident you only handle FCI — not CUI — then you need CMMC Level 1, not Level 2. That's 17 basic security practices, most of which a well-run small business already does (antivirus, password policies, access controls). You self-certify annually and post your score in SPRS.
Level 1 is not a free pass. You still have to actually do the 17 practices and post an accurate score. Falsely certifying is a False Claims Act violation.
However, be careful about assuming you'll stay at Level 1 permanently. If your business grows, if you win new work, or if your prime starts flowing down CUI requirements, your obligation can change. It's worth building toward Level 2 hygiene even if you're technically only required to do Level 1 today.
## The November 2026 Deadline Is Real
Phase 2 of CMMC enforcement begins November 10, 2026. At that point, most new DoD contracts requiring Level 2 will mandate a completed C3PAO assessment before award. If you're still figuring out whether you have CUI, you're behind schedule. C3PAO assessments are booking out 6+ months in advance.
The first step isn't hiring a consultant. It's knowing what you have. Once you understand your CUI exposure, everything else — which controls apply, what documentation you need, how to prepare for an assessment — follows logically.
Not sure where your gaps are?
CMMC Map walks you through all 110 controls with plain-English guidance and helps you identify exactly what you need before you spend money on a C3PAO.
## Quick Reference: CUI or Not?
| Scenario | Likely CUI? |
|---|---|
| You build widgets that go into a DoD vehicle and receive technical specs | ✅ Yes — CTI |
| You provide janitorial services at a DoD facility | ❌ No — likely FCI only |
| You develop software for a DoD program and have access to the system environment | ✅ Yes |
| You're a trucking company delivering supplies under a GSA contract | ❌ No — likely FCI only |
| Your contract includes DFARS 252.204-7012 | ✅ Yes — by definition |
| You provide IT managed services to a prime that handles CUI | ✅ Likely yes — CUI flows to MSPs |
When in doubt, ask your contracting officer or prime. "Does this contract involve CUI?" is a completely reasonable question, and the answer protects both parties.