• David Africano

What CMMC Level do I need?

This is a common question the 300,000+ DoD contractors that make up the Defense Industrial Base (DIB) are asking themselves.


Understanding what determines exactly what drives the requirement between CMMC Level 1 and CMMC level 3 can be distilled down to two items:

  1. Does your DoD Contract handle FCI?

  2. Does your DoD Contract handle CUI?

"Well, Dave, what are FCI and CUI?"

FCI

FCI stands for Federal Contract Information, and according to the FAR, it is defined as:

"Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments."
https://www.acquisition.gov/far/52.204-21-0

The simple act of winning a DoD contract means that you are now handling FCI, and by doing so, you will be required to be CMMC Level 1 certified.

CUI

CUI stands for Controlled Unclassified Information, and according to the National Archives and Records Administration (NARA), CUI is defined as:

"Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended."
https://www.archives.gov/cui/registry/category-list

CUI is a much more complex category to define because NARA has 17 groupings of data with many more categories within these groupings considered CUI.


If your DoD contract holds CUI data in any of these categories, you will be required to be CMMC Level 3 certified.

Still, confused? Don't worry; give Volar Security 30 Minutes of your time, and we will clarify this and answer all your CMMC related questions.

We can help you determine the type of data your contract holds, if you need to target CMMC Level 1 or CMMC Level 3, and then help you implement the appropriate technologies and information security processes and practices to achieve your CMMC level requirement.

Description of location of government data types through the ascending CMMC levels

Volar Security - security made easy...




31 views0 comments

Recent Posts

See All