About this episode
One of the most common questions Defense Industrial Base (DIB) contractors face is: “What CMMC Level do I need in order to respond to this solicitation?” The answer depends entirely on the contract language and the type of information your organization will handle. Let’s break it down into plain terms.

Step 1: Look for DFARS 252.204-7012 or NIST SP 800-171 References

If the solicitation includes DFARS 252.204-7012 or explicitly requires compliance with NIST SP 800-171, you are dealing with Controlled Unclassified Information (CUI). That means your organization must achieve CMMC Level 2.

Level 2 represents the “advanced” tier of cybersecurity, aligning directly with NIST SP 800-171’s 110 controls. In short: if you see 7012 or NIST 800-171, think Level 2.

Step 2: Check for FAR 52.204-21 Only

If the solicitation only lists FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and no DFARS clauses, then you’re only required to protect Federal Contract Information (FCI). In this case, CMMC Level 1 is the right fit.

Level 1 is considered “foundational” and focuses on 17 practices that address the basic safeguarding of FCI.

Step 3: Identify if You Handle CUI

Even if the solicitation doesn’t explicitly mention DFARS 252.204-7012, if your role in the contract involves handling CUI—such as technical data, ITAR/EAR information, or export-controlled details—you’ll need CMMC Level 2. Subcontractors that only work with FCI may remain at Level 1, but those touching CUI must step up to Level 2.

Step 4: Watch for “Undetermined” Situations

Some solicitations may be vague or missing clear guidance. If none of the clauses are referenced, and your role doesn’t involve handling FCI or CUI, the requirement may be undetermined or not applicable. In these cases, it’s wise to seek clarification from the contracting officer before making assumptions.

Quick Reference Table

FAR 52.204-21 only (FCI) - Level 1
DFARS 252.204-7012 or NIST SP 800-171 (CUI) - Level 2
Handling CUI directly - Level 2
No clauses, no FCI or CUI - Undetermined / N/A

Why This Matters

Bidding on a solicitation without the right CMMC level could disqualify your company, or worse, lead to compliance issues down the road. By knowing how to read the contract language and identify the associated data types, DIB contractors can quickly determine their path to compliance and stay competitive.

Luis G. Batista C.P.M., CPSM
luis@cybercomply.us
Office: (305) 306-1800 Ext. 800