Who Needs CMMC
Who is required to get CMMC certified?
Any organization that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of a Department of Defense contract or subcontract must meet the CMMC level specified in that contract. The required level depends on the type of information handled, and the requirement becomes binding for a given contract once the CMMC clause (DFARS 252.204-7021) appears in it.
This is not limited to large defense primes. The requirement flows down through the entire supply chain, reaching small and mid-size businesses that may be several tiers removed from the DoD.
Organizations that need CMMC
Prime contractors
Organizations that contract directly with the DoD are the most obvious candidates. If your contract involves handling FCI or CUI — which the vast majority of DoD contracts do — you will need CMMC certification at the level specified in the solicitation.
Subcontractors (all tiers)
CMMC requirements flow down to subcontractors at every tier. If a prime contractor shares FCI or CUI with a subcontractor, that subcontractor must hold the appropriate CMMC certification. This flow-down continues through every layer of the supply chain.
Example: A DoD contract requires Level 2 certification. The prime contractor engages a subcontractor to build a software component and shares CUI design specifications. That subcontractor must also achieve Level 2. If the subcontractor further subcontracts work and shares CUI, the next-tier sub must also be certified.
Cloud service providers
Cloud service providers (CSPs) are treated differently from other suppliers. Under the CMMC rule (32 CFR Part 170) and DFARS 252.204-7012, a CSP that stores, processes, or transmits CUI on a contractor's behalf does not obtain its own CMMC certification; instead the contractor must ensure the cloud offering is FedRAMP Moderate authorized or meets FedRAMP Moderate equivalency as defined by the DoD CIO. A CSP that handles only FCI, or only security-protection data such as logs, has no FedRAMP requirement but falls within the contractor's assessment scope. FedRAMP Moderate overlaps heavily with the NIST SP 800-171 controls behind CMMC Level 2, which is why contractors tend to standardize on such offerings for CUI workloads.
Managed service providers and IT vendors
Organizations providing managed IT services, managed security services, or IT infrastructure to defense contractors are treated as external service providers (ESPs) when they have access to FCI or CUI, or to security-protection data such as logs, through their service delivery. This includes managed SOC providers, helpdesk services with access to contractor systems, and backup or disaster recovery providers handling contractor data. Under the CMMC final rule a non-cloud ESP is not required to hold its own certification: the services it provides are assessed as part of the customer's CMMC assessment, and the ESP must be prepared to support that assessment. Many ESPs nonetheless pursue their own CMMC Level 2 status voluntarily, because it reduces the evidence each customer has to collect and is often demanded by primes contractually.
Foreign suppliers
CMMC applies to foreign organizations in the defense supply chain that handle FCI or CUI; there is no exemption based on where a supplier is located. Assessments are performed by C3PAOs authorized by the Cyber AB, and the Cyber AB has been working on international assessment arrangements and mutual recognition. Foreign suppliers should monitor Cyber AB guidance for their specific country, confirm that any export-controlled CUI they receive is handled under the relevant ITAR or EAR authorization, and engage early with their prime contractor to understand requirements.
Understanding FCI and CUI
The distinction between FCI and CUI determines your minimum CMMC level.
Federal Contract Information (FCI)
FCI is information that is provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information provided by the government to the public or simple transactional information (like contract award data).
Examples of FCI:
- Contract specifications and requirements documents
- Statements of work and delivery schedules received from the contracting office
- Performance reports generated for the government under contract
- Internal communications about contract deliverables
Minimum CMMC level: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, annual self-assessment with results and an affirmation submitted in SPRS)
Controlled Unclassified Information (CUI)
CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. It is more sensitive than FCI but not classified. CUI categories relevant to defense include:
- Controlled Technical Information (CTI)
- Export-controlled information (ITAR, EAR)
- Critical infrastructure security information
- Naval nuclear propulsion information
- Operations security information
- Personnel security information
Minimum CMMC level: Level 2 (110 practices, self-assessment or C3PAO depending on sensitivity)
How to identify CUI in your environment
CUI should be marked by the originator with CUI markings per 32 CFR Part 2002 and the DoD CUI marking guidance. In practice, marking is inconsistent, and unmarked information can still be CUI. To identify CUI in your environment:
- Review your contract. DFARS 252.204-7012 (Safeguarding Covered Defense Information) appears in nearly every DoD contract other than pure COTS buys, so its presence alone does not prove you hold CUI, but it obligates you to protect any CUI you do receive. DFARS 252.204-7021 states the CMMC level the contract requires, and the CUI categories the contract involves are often listed in the statement of work or a DD Form 254.
- Check data received from the DoD and from your prime. Look for CUI banner markings (for example "CUI//SP-CTI"), export control notices, or distribution statements B through F on drawings and technical documents.
- Ask your contracting officer. If you are unsure whether information qualifies as CUI, request clarification in writing and keep the response with your assessment evidence.
- Err on the side of caution. Treat ambiguous information as CUI until confirmed otherwise, since under-protecting CUI is far costlier than over-protecting FCI.
Flow-down requirements
Flow-down is one of the most operationally complex aspects of CMMC. When a prime contractor (or any tier) shares FCI or CUI with a subcontractor, they must:
- Include CMMC requirements in the subcontract. The subcontract must specify the required CMMC level, which may be lower than the prime's own level if the subcontractor receives only FCI
- Verify subcontractor status before sharing data. Before sharing FCI or CUI, confirm in SPRS that the subcontractor holds the required CMMC status at the required level and has a current affirmation on file
- Monitor ongoing compliance. A CMMC status is valid for three years and requires an annual affirmation by a senior official; a lapsed affirmation invalidates it. Primes should track subcontractor status and affirmation dates, not just the original certification date
Reducing flow-down burden
Organizations can limit the number of subcontractors that need CMMC certification by:
- Minimizing CUI sharing — only share CUI with subcontractors that genuinely need it for their work
- Using secure enclaves — provide subcontractors access to CUI through controlled environments rather than transferring data to their systems
- Consolidating suppliers — fewer suppliers with CUI access means fewer CMMC certifications to track
Who does NOT need CMMC?
CMMC is not required for:
- Commercially available off-the-shelf (COTS) suppliers — organizations that only provide COTS products are explicitly excluded from CMMC requirements
- Contracts that do not involve FCI or CUI — purely public information or non-sensitive contract work does not trigger CMMC
- Non-DoD federal contracts — CMMC is a DoD program. Other federal agencies have their own cybersecurity requirements (though some are considering adopting CMMC-like models)
How episki helps
episki simplifies CMMC scoping by helping you identify where FCI and CUI flow through your environment and which systems fall within your assessment boundary. The subcontractor flow-down tracker monitors certification status across your supply chain and alerts you when a subcontractor's certification is expiring. For organizations at multiple supply chain tiers, episki maintains separate scoping views for each contract while reusing shared controls. Start a free trial to map your CMMC scope.