FCI or CUI? The information type decides whether Texas defense contractors need CMMC Level 1 self-attestation or a full Level 2 C3PAO assessment — and smart scoping decides the cost.
If your company holds a Department of Defense contract or subcontract, the Cybersecurity Maturity Model Certification (CMMC) program is no longer a future problem — it is a clause in the contracts landing on Texas desks right now. The hardest part is not the controls themselves. It is scoping: deciding which of your systems are in play, which CMMC level your contract demands, and how much of your environment you are willing to drag into an assessment. Get scoping wrong and you either fail an assessment or spend six figures securing systems that never needed to be in scope.
This guide walks Texas defense contractors — from San Antonio's Military City cluster to the aerospace and manufacturing shops across the state — through the practical difference between CMMC Level 1 and Level 2, and how to draw a scope boundary that is both defensible and affordable.
CMMC is the Department of Defense's mechanism for verifying that contractors protect two categories of sensitive-but-unclassified information:
The type of information your contract involves is the single biggest driver of which level you need. FCI-only work points to Level 1. Any CUI puts you at Level 2.
Level 1 maps to the 15 basic safeguarding requirements in FAR 52.204-21. These are foundational hygiene controls — limiting system access to authorized users, sanitizing media before disposal, using boundary protection, and keeping antivirus current. There is no requirement for a written System Security Plan at Level 1, though maintaining one is smart.
The key relief valve at Level 1 is annual self-assessment. You are not required to hire a third-party assessor. A company officer attests to compliance and the affirmation is entered into the Supplier Performance Risk System (SPRS). For a small shop that only ever touches FCI, Level 1 is genuinely achievable with disciplined managed IT and a documented process.
Level 2 aligns to the 110 security requirements in NIST SP 800-171 Rev 2, spanning 14 control families from Access Control to System and Information Integrity. This is a categorical jump in effort. Level 2 requires:
The multi-factor authentication, FIPS-validated encryption, audit logging, and incident response requirements at Level 2 overlap heavily with the same disciplines we build for SOC 2 readiness and NIST CSF 2.0 programs. If you have done that work, you are not starting from zero.
Here is where most Texas contractors overspend. CMMC scope is defined by asset categories, and the smart move is to shrink the boundary so that only the assets that store, process, or transmit CUI carry the full 110-control burden. The CMMC scoping guidance recognizes five asset categories:
The single most effective cost-control move is enclaving: building a segmented environment — often a dedicated Microsoft 365 GCC High tenant or a VDI enclave — where all CUI lives. Everything outside the enclave becomes out of scope. We cover the identity architecture this depends on in our Active Directory tiering and network access control guides.
Contractors routinely under-scope because they do not realize where CUI has spread. Common leak points we find during assessments:
Data flow mapping is not busywork. It is the artifact that lets you honestly draw the scope boundary and prove it to an assessor.
At Level 2, a Plan of Action and Milestones lets you certify with a handful of controls still open — but the rules are strict. Certain high-weight controls cannot be on a POA&M at all; they must be fully met. The rest must be closed within 180 days or your conditional certification lapses. Treat the POA&M as a short bridge, not a parking lot. Contractors who defer MFA, encryption, or logging into a POA&M usually discover those are exactly the controls you cannot defer.
If your DoD contracts already carry DFARS 252.204-7012, you have been obligated to implement NIST 800-171 and report a SPRS score for years. CMMC Level 2 is the verification layer on top of that existing obligation. Pull your current SPRS self-score first — the delta between that number and 110 is your honest roadmap. Many Texas contractors find their self-reported score was optimistic once an assessor's lens is applied.
Begin with a two-week scoping sprint: (1) confirm whether your contracts involve FCI, CUI, or both by reading the clauses and asking your prime; (2) map where that data actually lives today; and (3) decide whether to enclave. That single decision — enclave versus flat network — determines whether your CMMC project costs tens of thousands or hundreds of thousands. LayerLogix runs this scoping sprint as a fixed-scope engagement, and you can kick it off with a free IT assessment to gauge where your environment stands before the clock starts.
LayerLogix supports Texas defense contractors and their supply chains statewide, with deep coverage across the military and aerospace corridors:
Whether you need Level 1 self-attestation support or a full Level 2 enclave build ahead of a C3PAO assessment, our IT outsourcing and privileged access management teams can scope it correctly the first time.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.