CMMC Level Determination: How to Know What Your Contract Requires

One of the most common questions Defense Industrial Base (DIB) contractors face is: “What CMMC Level do I need in order to respond to this solicitation?” The answer depends entirely on the contract language and the type of information your organization will handle. Let’s break it down into plain terms.

Step 1: Look for DFARS 252.204-7012 or NIST SP 800-171 References

If the solicitation includes DFARS 252.204-7012 or explicitly requires compliance with NIST SP 800-171, you are dealing with Controlled Unclassified Information (CUI). That means your organization must achieve CMMC Level 2.

Level 2 represents the “advanced” tier of cybersecurity, aligning directly with NIST SP 800-171’s 110 controls. In short: if you see 7012 or NIST 800-171, think Level 2.

Step 2: Check for FAR 52.204-21 Only

If the solicitation only lists FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and no DFARS clauses, then you’re only required to protect Federal Contract Information (FCI). In this case, CMMC Level 1 is the right fit.

Level 1 is considered “foundational” and focuses on 17 practices that address the basic safeguarding of FCI.

Step 3: Identify if You Handle CUI

Even if the solicitation doesn’t explicitly mention DFARS 252.204-7012, if your role in the contract involves handling CUI such as technical data, ITAR/EAR information, or export-controlled details, you’ll need CMMC Level 2. Subcontractors that only work with FCI may remain at Level 1, but those touching CUI must step up to Level 2.

Step 4: Watch for “Undetermined” Situations

Some solicitations may be vague or missing clear guidance. If none of the clauses are referenced, and your role doesn’t involve handling FCI or CUI, the requirement may be undetermined or not applicable. In these cases, it’s wise to seek clarification from the contracting officer before making assumptions.

Quick Reference Table

  • FAR 52.204-21 only (FCI) - Level 1

  • DFARS 252.204-7012 or NIST SP 800-171 (CUI) - Level 2

  • Handling CUI directly - Level 2

  • No clauses, no FCI or CUI - Undetermined / N/A

Why This Matters

Bidding on a solicitation without the right CMMC level could disqualify your company, or worse, lead to compliance issues down the road. By knowing how to read the contract language and identify the associated data types, DIB contractors can quickly determine their path to compliance and stay competitive.

Begin your Level 1 or Level 2 Gap Assessment with our free application, CyberGap.us.