CMMC 2 on Contractors with both FCI and CUI.

Contractors with FCI and CUI

Contractors that also process, transmit, or store Controlled Unclassified Information (CUI) will need to meet the cybersecurity measures prescribed in Level 2 of the CMMC maturity model. Level 2 requires the implementation of all 110 controls from NIST SP 800-171 Rev 2, which would constitute “good” cyber security.

Contractors will need to achieve the minimum CMMC level specified in the solicitation to be eligible for contract awards, and prime contractors will be required to flow down CMMC requirements to subcontractors that handle FCI or CUI.

In some cases of very sensitive CUI the organization may be required to meet CMMC level 3. CMMC Level 3 incorporates a subset of NIST SP 800-172 requirements, which are designed to enhance the protection of CUI against Advanced Persistent Threats (APTs). It includes 35 additional practices and 98 assessment objectives, making it essential for contractors handling CUI for DoD’s highest priority programs.

Timeline for Implementation

The implementation of the Cybersecurity Maturity Model Certification (CMMC) is expected to begin appearing in contracts at the end of 2024 or the beginning of 2025. The specific timeline for the inclusion of CMMC requirements in contracts may vary based on the type and scope of the contract. The Department of Defense (DoD) has indicated that it will include CMMC requirements in all new agreements by 2026.

Are there exceptions for Small Business?

There is no exception for small businesses; DoD reasoned that “the value of DoD’s sensitive information (and impact of its loss to the Department) does not diminish when it moves to contractors—prime or sub, large or small.” (Source: Impacts of CMMC 2 Proposed Rule on Contractors)

There is, however, an exception for contracts or orders that are exclusively for commercial off-the-shelf (COTS) items or are valued at or below the micro-purchase ($10,000) threshold. There is no exception for commercial items (non-COTS) contracts above the micro-purchase threshold.

Therefore, organizations, especially DoD contractors and subcontractors, are advised to prepare for CMMC compliance in advance to ensure they are ready for the phased implementation and inclusion of CMMC requirements in contracts.

What happens if an organization does not meet CMMC requirements or does not maintain compliance?

Non-compliance with the Cybersecurity Maturity Model Certification (CMMC) requirements can lead to various consequences, including:

Loss of Contracts: Non-compliance with CMMC requirements could result in the loss of government contracts, particularly those involving the Department of Defense (DoD). The DoD may require contractors to achieve a specific level of CMMC certification to be eligible for certain contracts.

Legal and Regulatory Consequences: Failure to comply with cybersecurity regulations, including CMMC, may lead to legal and regulatory consequences, such as fines, penalties, or other legal actions taken against the organization.

Suspension or Debarment: The government may suspend or debar an organization from participating in federal contracts if it is found to be non-compliant with cybersecurity requirements, which can have significant long-term consequences.
Let ASCERTIS help you meet CMMC.

The ASCERTIS assessment is an easy CMMC gap assessment tool that identifies the areas in your organization that need to be addressed. If you need policies, procedures, or handbooks, we have these artifacts ready for you to tailor to your specific organization. Companies have saved hundreds of labor hours using these documents.