The short answer: If you handle Defense-related Controlled Unclassified Information (CUI), you need a Certified Third-Party Assessment Organization (C3PAO) certification. If you handle non-Defense CUI, a self-assessment may suffice.
The CMMC 2.0 Landscape
Cybersecurity Maturity Model Certification (CMMC) 2.0 streamlined the original tiered structure down to three levels, but Level 2 is where most Department of Defense (DoD) contractors land. Here's the critical distinction:
Level 1 (Self-Assessment)
- Protects: Federal Contract Information (FCI) only
- Who needs it: Any contractor receiving FCI from the government
- Assessment: Annual self-assessment
- Bottom line: Basic protection for non-sensitive government data
Level 2 (Self-Assessment)
- Protects: CUI that's in the NARA Registry but NOT in the DoD Organizational Index Grouping
- Examples: Critical Infrastructure CUI, Financial CUI, Procurement CUI (non-defense), Privacy CUI
- Assessment: Annual self-assessment
- Who needs it: Contractors handling non-defense CUI
Level 2 (C3PAO Certification)
- Protects: CUI in the NARA Registry AND part of the DoD Organizational Index Grouping
- Examples: Controlled Technical Information (CTI), DoD Critical Infrastructure Security Information, Defense-related CUI
- Assessment: Third-party certification by a C3PAO every 3 years
- Who needs it: Most DIB contractors handling sensitive defense data
The Decision Tree
- Do you receive FCI or CUI from DoD?
  - No → Level 1 not required (but recommended)
  - Yes → Continue
- Is the data in the NARA Registry?
  - No → Level 1 (FCI only)
  - Yes → Continue
- Is it Defense-related CUI?
  - No → Level 2 Self-Assessment
  - Yes → Level 2 C3PAO Certification
The Gray Zone
Many organizations don't know what CUI they're actually handling. You might think you're doing Level 1 work, but a contract clause or a subcontractor handoff just bumped you to Level 2.
Common triggers:
- Technical data clauses in your contracts
- Subcontracting under a prime contractor with CUI requirements
- Accessing DoD systems that contain CUI
What This Means for You
If you're on the fence, assume you need the higher level until you've done a proper scope assessment. The cost of being wrong is a failed audit when it matters most.
For most Defense contractors, that means planning for a C3PAO certification. The self-assessment path is only for those with clear, documented non-Defense CUI.
Important: Always consult official government documentation or ask your contracting officer/representative for definitive guidance on your specific requirements.
Need help determining your path? TZC offers vCISO services to map your data flows, identify your CUI, and get you audit-ready.