If you’ve heard people talk about CMMC compliance like it’s a new “law for all businesses,” I get why it feels confusing. CMMC is not an industry-wide requirement. It’s contract-driven. The trigger is simple: the contract says you need it, and your team touches the kind of data CMMC is meant to protect.
That means I can be “DoD-adjacent” and still be out of scope. If I never process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and my contract (or flowdowns) doesn’t include the CMMC clause, CMMC may not apply to me.
As of January 2026, CMMC 2.0 is already showing up in new solicitations, with a phased rollout underway. Small businesses should check now, not later, because a late discovery can kill a bid. Below is my quick checklist and real examples so you can decide fast.
What CMMC compliance is, and why DoD requires it
CMMC stands for Cybersecurity Maturity Model Certification. In plain terms, it’s the Department of Defense’s way of confirming that companies in the Defense Industrial Base protect sensitive contract data with basic, repeatable security controls. It exists because DoD data doesn’t stay inside DoD. It moves through primes, subcontractors, staffing firms, IT providers, and cloud platforms.
CMMC 2.0 uses three levels that map to the data you handle:
- Level 1 focuses on FCI and aligns to basic safeguards similar to FAR 52.204-21.
- Level 2 focuses on CUI and aligns to NIST SP 800-171 requirements.
- Level 3 targets the highest-risk programs and adds a subset of NIST SP 800-172, with government-led assessments.
Here’s the practical part: it applies when the contract says it applies. CMMC is enforced through solicitation and contract language, plus subcontract flowdowns. If you want a current anchor point for program updates, I check the official DoD CIO CMMC overview and then compare it to the clauses in the specific solicitation.
Where companies get tripped up is data movement. FCI and CUI don’t live in one neat folder. They show up in email threads, Teams chats, SharePoint sites, ticketing systems, file shares, endpoint caches, backups, and logs. That’s why CMMC ends up touching everyday IT work across Cloud Infrastructure and Cloud Management, identity, endpoints, and how you design a Secure Cloud Architecture.
FCI vs CUI in plain English, with quick examples
FCI (Federal Contract Information) is non-public information provided by or generated for the government under a contract. It’s “contract business” that isn’t meant for public release, but it’s not the most sensitive category.
Common FCI examples:
- Statements of work (SOW) and task descriptions
- Contract schedules and delivery dates
- Internal performance reports tied to the contract
- Purchase orders and contract-related correspondence
- Non-public pricing details within the contract context
CUI (Controlled Unclassified Information) is still unclassified, but it needs specific safeguards because of what it is (technical, export-controlled, sensitive operational details, security-related data).
Common CUI examples:
- Technical drawings or detailed engineering specs
- Export-controlled information (for example, ITAR-related details)
- Detailed test results or design verification data
- Vulnerability data, incident details, or security assessment results
- Controlled operational procedures tied to defense systems
- Marked government CUI files shared by a prime or agency
Mini callout: If I can’t clearly label the data, I don’t guess. I ask the prime or contracting officer, and I document the answer.
Am I in scope for CMMC compliance? My fast checklist (decision tree)
I use this as a five-minute test before I spend money, time, or political capital internally.
- Am I bidding on or performing DoD work (prime or subcontract)?
  If no, stop here. CMMC usually won’t apply unless your customer contract pulls you in.
- Does the solicitation, contract, or subcontract include CMMC language?
  Look for DFARS language and explicit CMMC level callouts. If you don’t see it, don’t assume you’re safe, but you may be out of scope.
- Do I see FAR 52.204-21, DFARS 252.204-7012, 252.204-7020, or 252.204-7021?
  These clauses are strong signals (details below). If none appear, you may be out of scope for CMMC, but still confirm flowdowns.
- Will any of my systems process, store, or transmit FCI or CUI?
  This includes business tools, not just “secure systems.” Think Microsoft 365 mailboxes, SharePoint sites, laptop drives, ticketing platforms, and remote support tools used in Managed IT for Small Business.
- Do requirements flow down from a prime to me?
  If the prime shares FCI/CUI with me, or I support systems that contain it, flowdowns usually apply. Ask for the exact language.
Stop point (often overlooked): If I have no DoD contract path (prime or subcontract), no CMMC clause, and I won’t touch FCI/CUI, I’m typically out of scope. I still keep baseline Cybersecurity Services in place, because “out of scope” doesn’t mean “safe.”
Quick examples:
- Out of scope: I run Restaurant POS Support and Kitchen Technology Solutions for commercial restaurants only. No DoD contract, no FCI/CUI.
- Likely Level 1: I support an Office 365 Migration for a small subcontractor, but the project involves only scheduling, staffing, and non-public contract coordination (FCI), not technical CUI.
- Likely Level 2: I provide Cybersecurity Services for an engineering sub, and my team accesses drawings, test data, or vulnerability reports labeled CUI.
The contract clauses that usually decide it (FAR and DFARS, plus flowdown)
These clauses are often the difference between “nice security idea” and “required for award.”
- FAR 52.204-21 signals basic safeguarding of covered contractor information systems, often tied to FCI.
- DFARS 252.204-7012 signals requirements to protect CUI/CDI and report cyber incidents.
- DFARS 252.204-7020 ties to NIST SP 800-171 assessments and SPRS posting expectations.
- DFARS 252.204-7021 is the CMMC requirement and phase-in mechanism. I like reading it straight from Acquisition.gov’s DFARS 252.204-7021 text.
Primes must flow down requirements to subs that will touch the data. Always read the actual contract and subcontract language, because one paragraph can change your scope overnight.
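As an added example (my own code, not part of the post above), here is how the five-question checklist and the clause list can be encoded as a small Python scoping helper: it pulls the FAR/DFARS clause ids and any explicit "CMMC Level N" callout out of contract text, then applies the checklist to produce a first-pass verdict with reasons. The regexes, the clause descriptions and the sample contract snippet are constructed for this example; the verdict is a signal to start the conversation with the prime, not a replacement for reading the actual contract.

```python
import re

# Clause ids the post lists as strong scope signals, with a short label each
# (descriptions are paraphrased for this example, not official clause titles).
CLAUSE_SIGNALS = {
    "52.204-21": "FAR basic safeguarding (FCI signal)",
    "252.204-7012": "DFARS CUI/CDI safeguarding and cyber incident reporting",
    "252.204-7020": "DFARS NIST SP 800-171 assessment / SPRS posting",
    "252.204-7021": "DFARS CMMC requirement and phase-in",
}
CLAUSE_RE = re.compile(r"\b(52\.204-21|252\.204-70(?:12|20|21))\b")
LEVEL_RE = re.compile(r"CMMC\s+Level\s+([123])", re.IGNORECASE)


def find_clauses(contract_text):
    """Return the set of signal clause ids referenced in the contract text."""
    return set(CLAUSE_RE.findall(contract_text))


def find_stated_level(contract_text):
    """Return an explicit 'CMMC Level N' callout as an int, or None."""
    m = LEVEL_RE.search(contract_text)
    return int(m.group(1)) if m else None


def scope_decision(dod_work, contract_text, handles_fci, handles_cui, flowdown):
    """Apply the post's checklist; return (verdict, list of reasons)."""
    if not dod_work:
        return "out of scope", ["no DoD contract path (prime or subcontract)"]
    reasons = [f"{c}: {CLAUSE_SIGNALS[c]}" for c in sorted(find_clauses(contract_text))]
    level = find_stated_level(contract_text)
    if level is not None:
        # "It applies when the contract says it applies": an explicit callout wins.
        return f"Level {level} (stated in contract)", reasons + [f"explicit CMMC Level {level} callout"]
    if not (handles_fci or handles_cui):
        if reasons or flowdown:
            return "confirm with prime", reasons + ["clauses or flowdown present but no FCI/CUI identified"]
        return "out of scope", reasons + ["no FCI/CUI on any system, no clauses, no flowdown"]
    if handles_cui:
        return "likely Level 2", reasons + ["systems process, store, or transmit CUI"]
    return "likely Level 1", reasons + ["systems touch FCI only"]


if __name__ == "__main__":
    # Constructed subcontract snippet for demonstration only.
    sample = "Subcontractor shall comply with DFARS 252.204-7012 and 252.204-7021."
    print(scope_decision(True, sample, handles_fci=True, handles_cui=True, flowdown=True))
```

The three "Quick examples" earlier on the page map directly onto the arguments: the restaurant case fails the first question, the Office 365 scheduling case has FCI only, and the engineering case has CUI.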
Who needs CMMC compliance, who doesn’t, with real-world scenarios
DoD primes: Usually in scope when you run programs that generate or store FCI/CUI across shared systems. Usually not in scope for a commercial division that is fully separated and never touches the contract data (separate identity, separate devices, separate storage, separate support tooling).
Small subcontractors (engineering, manufacturing, integration): Usually in scope if you receive drawings, specs, test results, or any marked CUI from the prime. Usually not in scope if your role is truly administrative (for example, you only invoice, and you never receive non-public contract artifacts). In real life, I push for clear boundaries, because “we don’t store it” falls apart the first time someone forwards an attachment.
Staffing and payroll firms: Usually in scope if you staff cleared roles and handle onboarding packets, schedules, or performance notes tied to a DoD contract that are treated as FCI, and your systems store that data. Usually not in scope if you only submit invoices and timecards with no contract-sensitive details, and the prime doesn’t flow down DFARS clauses. (Staffing firms also need to watch what lands in email.)
IT services providers (MSPs/ESPs) supporting defense subs: Usually in scope when you administer endpoints, identity, backups, or email for a client that handles CUI. If you can access it, you’re part of the boundary. Usually not in scope if your support model is set up as a true separation (for example, you only manage a client’s non-CUI environment, and another team runs the CUI enclave). This is where Technology Consulting and Tailored Technology Services matter, because scoping is as important as controls.
Small business tech services on DoD projects: I see this a lot with Office 365 Migration and collaboration upgrades. Usually in scope if the migration includes mailboxes or SharePoint sites containing FCI/CUI. Usually not in scope if the statement of work explicitly excludes any contract data and you enforce it with process (no data access, sanitized samples, separate test tenants). If you’re planning IT Strategy for SMBs around DoD growth, building the right boundary early saves money later.
Commercial businesses with “DoD-ish” customers: Usually not in scope if you sell commercially and never accept DoD flowdowns. Usually in scope if a prime hands you FCI/CUI as part of subcontract performance, even if your core business is not defense.
Practical boundaries that work: a limited-access enclave, separate tenants or subscriptions, strict sharing rules, and keeping CUI out of standard email when possible. I treat Infrastructure Optimization, Business Continuity & Security, and Data Center Technology decisions as CMMC decisions once CUI is involved.
Service providers and cloud: MSPs, SaaS vendors, and what FedRAMP changes
Cloud is shared responsibility. Your provider secures parts of the platform, but you still control identity, data handling, configuration, and evidence. If an MSP tool or SaaS platform can access or store a client’s CUI, it becomes part of the system boundary a CMMC assessor will examine.
For CUI in the cloud, buyers often expect FedRAMP Moderate (or an equivalent authorization path) for the underlying service. For Microsoft 365, an Office 365 Migration for a defense contractor may push you toward GCC High or another approved route, depending on the contract and data type.
One cautionary example I see: a ticketing system or remote management tool captures screenshots, attachments, or pasted text that contains CUI. Now your “support platform” is part of the compliance story, whether you meant it or not.
Common misconceptions that waste time and money
- “CMMC is optional until 2028.” The rollout is phased, but CMMC language is already appearing in solicitations, and contracts can require it earlier.
- “All subcontractors need the same level as the prime.” Subs need the level that matches the FCI/CUI they touch, not the prime’s entire environment.
- “My MSP’s compliance covers me.” Your provider’s controls don’t automatically make your processes compliant, especially around access control and evidence.
- “CMMC equals FedRAMP.” FedRAMP is for cloud service authorizations; CMMC is a contractor cybersecurity requirement. They overlap, but they’re not the same.
- “We don’t handle CUI because it isn’t marked.” Markings help, but unmarked CUI still exists. Ask and document.
- “If I buy security tools, I’m compliant.” Tools help, but policies, user behavior, and proof matter.
- “Self-attestation is harmless.” Over-claiming compliance can create serious legal and contractual risk, so I document scope decisions and keep evidence tight.
Conclusion: The simple trigger and the smart next steps
I keep CMMC scoping simple: contract clause plus FCI/CUI equals scope. My next steps are to review solicitations and flowdowns, map where the data lives (email, SharePoint, endpoints, tickets, backups), pick a boundary that I can defend, then plan for Level 1 or Level 2 controls as needed. When CUI marking is unclear, or export-controlled data might be involved, I ask the contracting officer or prime, and I loop in counsel for high-risk calls.
If you want help, I can support a practical gap check and implementation focused on Endpoint Security, Device Hardening, and Secure Cloud Architecture so you can bid with confidence, without turning your whole business upside down. I aim to be a steady Business Technology Partner, not a noise machine.
FAQ
Do I need CMMC if I only sell commercially?
Usually no, unless you accept DoD flowdowns or touch FCI/CUI through a customer contract.
What if I’m a staffing firm?
If you only invoice, you may be out of scope. If you handle non-public contract artifacts or receive flowdowns, you may be in scope (often Level 1).
Does using Microsoft 365 make me compliant?
No. Configuration, access control, logging, and policies decide compliance, not the brand of the tool.
What if I never store CUI but I see it in email?
Seeing it is still handling it. Treat that mailbox, endpoint, and workflow as in scope until you fix the process and confirm requirements.
If I don’t need CMMC, what security basics should I still do?
I still recommend MFA, patching, least privilege, tested backups, and basic monitoring. Those basics reduce risk and keep you ready if a future bid pulls you into CMMC. Restaurant POS Support and Kitchen Technology Solutions are usually out of scope unless they’re tied to a DoD contract that includes FCI/CUI and the right clauses.