What Activates CMMC? A Quick Guide for Defense Contractors
CMMC is not a blanket requirement for every company doing business with DoD. Whether it applies to you, and at what level, comes down to two things: the type of data flowing through your work and the specific clauses sitting in your contracts.
Data Type Determines Your CMMC Level
No FCI, No CUI. No CMMC.
If your contracts do not touch Federal Contract Information or Controlled Unclassified Information, you are outside the CMMC framework entirely. Standard FAR and DFARS rules still apply, but certification is off the table.
FCI = CMMC Level 1
Federal Contract Information, as defined under FAR 52.204-21, puts you at Level 1. That means 17 basic safeguarding controls and an annual self-assessment. It is the floor, built around fundamental cyber hygiene that most shops should already have in place.
CUI = CMMC Level 2
See DFARS 252.204-7012 in your contract? CUI is in scope, and Level 2 is your minimum bar. You need all 110 NIST SP 800-171 Rev 2 controls implemented. For anything DoD tags as a prioritized acquisition, a third-party C3PAO assessment is required before award, not after.
CUI + APT Resistance = CMMC Level 3
Programs where advanced persistent threat protection is non-negotiable land at Level 3. It stacks select NIST SP 800-172 controls on top of everything in Level 2, and the assessment is run by DIBCAC, not a commercial C3PAO.
The Contract Clauses That Drive Scoping
Pull your contract and look for these four clauses. They tell you exactly what you are on the hook for.
- DFARS 252.204-7012 is the main trigger. If it is in there, CUI is present and Level 2 applies at a minimum.
- DFARS 252.204-7019 and 7020 require you to have a current SPRS score on file based on a self-assessment against NIST SP 800-171.
- DFARS 252.204-7021 spells out exactly which CMMC level the contract requires. When this clause shows up, certification is a go/no-go condition before award.
- FAR 52.204-21 sets the FCI baseline that kicks in Level 1. It is broad and shows up in most DoD commercial item contracts, so do not skip it.
What to Do Next
Once you know CMMC applies, the sequence matters. Here is how to work through it:
1. Figure out your required level by checking which of those four clauses are actually in your contracts, current and upcoming.
2. Run a gap assessment against the controls for your level. You need a control-by-control view, not a rough estimate.
3. Build a remediation plan that has real names, real dates, and real budget attached to each gap. Vague plans do not close gaps.
4. Get the controls implemented and documented in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M). Our compliance management services cover both.
5. Line up your assessment path: self-assessment for Level 1, a C3PAO for Level 2, DIBCAC for Level 3.
Starting sooner gives you room to work through problems without a contract deadline breathing down your neck. CMMC Phase 2 is already in force, and more solicitations are landing with DFARS 252.204-7021 every quarter. Companies that moved early have options. Companies that waited are finding out how little runway is left.
Get a Clear Picture of Where You Stand
CMMC Ready Now works with defense contractors to get from uncertainty to certification using a process that is structured, repeatable, and built around your actual contract requirements. Our gap assessment gives you a control-by-control read on your posture and a prioritized plan to close every gap.