Now that the Department of Defense (DoD) has adopted the CMMC 2.0 Final Rule, you may be wondering how to even get started to become compliant with the revamped regulatory requirements.
If you’re a prime or subcontractor within the U.S. defense industrial base (DIB), you’re well aware of the Cybersecurity Maturity Model Certification (CMMC) program.
The regulation implements accountability guardrails for protecting sensitive federal information within the DIB.
The intent of the new regulation is to verify that companies have put in place the required security measures to protect sensitive information within the defense supply chain.
If you’re a small or medium-sized business needing CMMC certification and your compliance efforts have stalled or haven’t even gotten into gear—don’t worry, you’re not alone!
In this article, we’ll discuss the types of federal information you're responsible for protecting and where it could reside within your IT environment. Then, we'll help you determine your CMMC level as part of the critical first step in your CMMC journey.
With this information, you’ll have a complete understanding of what’s involved in undertaking the first phase in the CMMC process and how it establishes an essential foundation toward final certification.
Under the CMMC 2.0, businesses that collect, create, receive, or transfer controlled unclassified information (CUI) or federal contract information (FCI) will need to meet the cybersecurity assessment requirements of one of three CMMC compliance levels.
Those levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Both FCI and CUI are sensitive federal information that requires specific safeguards.
Organizations at Level 1 handle FCI, while businesses at Level 2 and Level 3 can handle both FCI and CUI.
FCI is information that is “not intended for public release” that is owned by or created for the federal government through a contract to deliver a product or service. Since it’s less sensitive, this type of information requires fewer controls.
FCI can be found in different places such as: the contracts themselves, proposal responses, contract progress reports, emails, subcontracts, notes, and other communications. FCI requires basic cyber hygiene safeguards.
CUI is more complicated. Here’s a simple breakdown of what it is.
CUI is a broad umbrella for highly sensitive but unclassified federal information. It includes data that’s created, collected, or shared by or on behalf of the DoD, such as financial, legal, privacy, and procurement information.
An example of CUI is Controlled Technical Information (CTI), which includes technical specifications, engineering drawings, design analysis, data sets, and blueprints.
Keep in mind that CUI is a control marking, not a classification marking. It lets anyone receiving, storing, or sharing such data instantly know that the information requires additional protections for how it can be handled and with whom it can be shared.
The government is responsible for marking (labeling) any CUI it shares with contractors. Such markings can be found in the headers and footers of each page.
There are specific controls for handling and sharing CUI that must be followed.
Businesses that fail to achieve CMMC certification could jeopardize their existing DoD contract or be prevented from being awarded new ones.
There are two types of CUI: Basic and Specified.
CUI Specified information requires a higher level of safeguards than CUI Basic. An example of CUI Specified data would be the technical specifications for an aircraft or a submarine handled by a defense supplier working on a military contract.
What this means for you as part of the DIB supplier network is that you’ll be required to show how you’re meeting the required security controls for the CUI you handle and share.
CMMC establishes assessments at three levels, with the cybersecurity requirements at each level building on those of the level below it.
Let’s break these levels down:
According to online information from the DoD’s Chief Information Officer, CMMC Level 2 self-assessments became operational in the SPRS portal as of February 28, 2025.
You should also know that even though the government has said it plans a phased-in rollout of the regulation requirements, it could impose those requirements on certain contracts ahead of the published schedule.
So, to ensure that you start your compliance efforts off on the right foot, follow these guidelines:
Since the CMMC levels are segmented by data type, identifying your CMMC level based on the type of federal information you handle will lay the foundation for your CMMC journey.
With this knowledge, you can tailor your security efforts and budget to meet the specific requirements for that certification level.
If you handle CUI, now’s the time to ask yourself: What kind of CUI am I handling? Knowing the type of CUI your organization creates, processes, or transmits will directly impact the cybersecurity controls you need to implement.
All categories of CUI fall under one of two types: CUI Basic and CUI Specified.
If you're dealing with CUI Specified, you’ll need to implement more stringent security measures. These might include:
If you’re not sure of which type of CUI you will be responsible for protecting, you can:
Next, figure out where your CUI is stored. This will determine the boundaries of your CMMC assessment, or scope. Remember, your entire organization does NOT need to get assessed.
Instead, you can narrow the focus to only the targeted areas of your business that process, store, or transmit CUI. This could be in various locations within your infrastructure, such as:
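One practical way to start drawing that boundary is to inventory which locations actually hold CUI-marked documents. The script below is an added example, not part of the original article or any CMMC tooling. It assumes (as an assumption, not something the article states) that banner markings follow the NARA CUI marking convention, with a bare "CUI" or "CONTROLLED" banner for CUI Basic and a "CUI//SP-<category>" banner for CUI Specified, and that the banner sits in the header or footer lines of a text document. The documents and storage locations are constructed sample data.

```python
"""
Added example (hypothetical helper, not from the article): find which storage
locations hold CUI-marked documents, so the assessment scope can be narrowed
to those locations rather than the whole organization.

Assumptions (not taken from the article):
  * Banner markings follow the NARA CUI convention: "CUI" or "CONTROLLED",
    optionally followed by "//" and a "/"-separated category list, e.g.
    "CUI//PRVCY" (Basic) or "CUI//SP-CTI" (Specified, "SP-" prefix).
  * The banner appears in the first or last few lines of a document, i.e. the
    header/footer region where the government places its markings.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# A banner must occupy a whole line; a mention of "CUI" inside body text is
# not a marking and must not pull a document into scope.
BANNER_RE = re.compile(r"^\s*(?:CUI|CONTROLLED)(?:\s*//\s*([A-Z0-9\-/]+))?\s*$")

HEADER_FOOTER_LINES = 3  # leading/trailing lines treated as header/footer


def classify_text(text: str) -> Optional[dict]:
    """Return {"type": ..., "categories": [...]} for a marked document, else None."""
    lines = text.splitlines()
    candidates = lines[:HEADER_FOOTER_LINES] + lines[-HEADER_FOOTER_LINES:]
    for line in candidates:
        match = BANNER_RE.match(line)
        if not match:
            continue
        categories = [c for c in (match.group(1) or "").split("/") if c]
        # Any "SP-" category marks the document as CUI Specified.
        specified = any(c.startswith("SP-") for c in categories)
        return {
            "type": "CUI Specified" if specified else "CUI Basic",
            "categories": categories,
        }
    return None


def inventory(documents: Dict[str, Dict[str, str]]) -> Dict[str, List[dict]]:
    """Map {location: {filename: text}} to {location: [findings]} for marked files only."""
    findings: Dict[str, List[dict]] = defaultdict(list)
    for location, files in documents.items():
        for name, text in files.items():
            result = classify_text(text)
            if result:
                findings[location].append({"file": name, **result})
    return dict(findings)


def in_scope_locations(findings: Dict[str, List[dict]]) -> List[str]:
    """Locations that hold at least one CUI-marked document belong in the assessment scope."""
    return sorted(findings)


# Constructed sample data: four storage locations, five documents.
SAMPLE_DOCUMENTS = {
    "fileserver01/engineering": {
        "wing_spar_drawing_notes.txt": "CUI//SP-CTI\nSpar thickness tolerances ...\nCUI//SP-CTI",
    },
    "fileserver01/hr": {
        "holiday_schedule.txt": "Company holiday schedule\nJan 1 - closed\nJul 4 - closed",
        "benefits_roster.txt": "CUI//PRVCY\nEmployee benefit elections ...\nCUI//PRVCY",
    },
    "mail-archive/contracts": {
        "task_order_12_pricing.txt": "CONTROLLED\nPricing volume for task order 12\nCONTROLLED",
    },
    "sharepoint/proposals": {
        "draft_proposal.txt": "Draft proposal\nOur CUI handling plan is described in section 4.\nEnd of draft",
    },
}


if __name__ == "__main__":
    results = inventory(SAMPLE_DOCUMENTS)
    for location in in_scope_locations(results):
        print(f"[in scope] {location}")
        for finding in results[location]:
            print(f"    {finding['file']}: {finding['type']} {finding['categories']}")
```

Running it lists fileserver01/engineering (CUI Specified), fileserver01/hr (CUI Basic, privacy category) and mail-archive/contracts (CUI Basic) as in scope, while sharepoint/proposals stays out because "CUI" only appears mid-sentence in body text. A real scan would read files from disk, mail stores and collaboration platforms instead of the inline dictionary, but the scope decision follows the same rule: a location is in scope if it stores, processes or transmits at least one marked document.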
Before moving forward, a critical step is submitting your Supplier Performance Risk System (SPRS) score.
Your SPRS score is a numerical score that reflects your current compliance status in meeting the CMMC requirements for your level.
Since the score gives you a baseline for measuring how your current security safeguards stack up against the regulation, it’s a critical part of your certification journey.
Submitting your SPRS score allows you to:
Keep in mind that when choosing between different subcontractors, primes may require them to have met a minimum SPRS score in order to be considered.
So, why is it so important to kick off your CMMC certification process by figuring out the kind of CUI you have, where it’s located, and what your CMMC level is?
The answer is simple.
You won’t be able to know what security policies, tools, and procedures to put in place to meet the necessary CMMC requirements if you don’t fully understand the data you’re required to protect.
Getting started with this foundation will help ensure that nothing falls through the cracks, which could lead to costly delays.
After reading this article, you now have a more thorough understanding of the first step toward CMMC certification.
With CMMC language beginning to appear in DoD contracts, now’s the time to take action.
Preparing for and getting CMMC certified can take anywhere from several months to a year or more, depending on the complexity of your data and business infrastructure.
If you need help identifying your CUI, determining your CMMC level, or reviewing your SPRS score, click the button to reach out. We'll respond quickly to learn more about your compliance concerns and see how we can help streamline your certification journey.