CMMC Level 1 vs Level 2: Scoping Your Texas Defense Contractor Assessment
CMMC 2.0 has three levels and most Texas defense subcontractors are confused about which they need. The wrong scope decision costs $30K-$300K and 6-12 months. Here is the decision framework.
Introduction
CMMC 2.0 has three certification levels and most Texas defense subcontractors we engage with are confused about which level applies to their organization. The decision matters: a wrong scope determination can cost between $30,000 and $300,000 in unnecessary assessment, deployment, and operational overhead — or expose the contractor to compliance failure on the contracts they actually need to satisfy.
This guide is the scoping decision framework for Texas defense subcontractors evaluating their CMMC posture in 2026. It covers what each level requires, the CUI boundary determination that drives level selection, and enclave strategies that minimize Level 2 scope without sacrificing contract eligibility.
The Three Levels
Level 1 — Foundational
Required for contractors handling Federal Contract Information (FCI) only — basic information not intended for public release that you receive from or generate for the federal government in the course of contract performance. 17 controls drawn from FAR 52.204-21. Self-assessment, annual self-attestation. No third-party assessment required. Estimated cost: $5,000-$25,000 for initial deployment + annual attestation.
Level 2 — Advanced
Required for contractors handling Controlled Unclassified Information (CUI). 110 controls drawn from NIST SP 800-171. Most contractors require third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO); a small subset of "non-prioritized" CUI contracts allow self-assessment. Three-year certification cycle with annual affirmation. Estimated cost: $50,000-$300,000 for initial deployment + $30,000-$80,000 per assessment cycle.
Level 3 — Expert
Required for contractors handling CUI on the highest-risk contracts. Adds ~24 enhanced controls drawn from NIST SP 800-172. DIBCAC government-led assessment. Currently affects a small minority of contractors — mostly those handling export-controlled technical data, weapons system design, or critical infrastructure CUI. Estimated cost: $200,000-$1M+.
The Decision That Matters: FCI Only or CUI?
The single most important question for any Texas defense subcontractor scoping CMMC is: does our organization receive, store, process, or transmit Controlled Unclassified Information?
Indicators you handle CUI:
- Your contracts contain DFARS 252.204-7012 ("Safeguarding Covered Defense Information")
- You receive technical data marked CUI, NOFORN, or with specific CUI category markings (CUI//SP-EXPT, CUI//PROCURE, CUI//SP-PRVCY, etc.)
- You receive proposal data, source selection information, or pricing data marked Sensitive But Unclassified
- You handle export-controlled technical data (ITAR, EAR) — this is CUI
- Your prime contractor flows down CUI handling requirements explicitly
Indicators you handle FCI only:
- You provide commodity products or services without receiving technical data
- You have no DFARS 7012 in your contracts (only FAR 52.204-21)
- You receive only standard commercial information from your federal customer
- You have explicit confirmation in writing from your prime that no CUI flows to you
If you cannot definitively answer "no CUI" with documented evidence, assume CUI and scope for Level 2.
The CUI Enclave Strategy
Most Texas defense subcontractors handle CUI in only a small portion of their environment — specific projects, specific teams, specific systems. Applying Level 2 controls to the entire enterprise dramatically inflates cost and complexity. The mature approach is the CUI enclave: scope Level 2 controls to a defined, isolated enclave that handles all CUI, and exclude the rest of the enterprise.
An effective CUI enclave includes:
- Network segment dedicated to CUI processing — separate VLAN, separate firewall zone, no flat connectivity to general corporate network
- Identity boundary — separate Microsoft 365 GCC High tenant (or partitioned identity) for users who handle CUI
- Endpoint boundary — dedicated workstations or VDI for CUI work; standard endpoints prohibited from accessing CUI
- Storage boundary — CUI stored only in approved repositories (typically a GCC High SharePoint or a dedicated FIPS-validated file server)
- Personnel boundary — only US persons (where required) with documented clearance for CUI access
- Physical boundary — defined space (or controlled remote work pattern) where CUI may be accessed
The enclave reduces CMMC scope from "your whole company" to "the CUI enclave plus the supporting security/admin infrastructure." For most Texas SMB defense subcontractors, this is the difference between a $300K assessment and an $80K assessment.
Common Scoping Mistakes
- "We do not handle CUI" — but the contracts contain DFARS 7012 and the prime expects flow-down compliance. The contract language wins; if DFARS 7012 is in your contract, you are presumed to handle CUI
- Treating the entire enterprise as in-scope when an enclave would dramatically reduce scope
- Not isolating the CUI enclave from corporate identity — shared Active Directory between enclave and corporate destroys the boundary
- Storing CUI in standard Microsoft 365 Commercial — many CUI categories require GCC High; Commercial is non-compliant
- Assuming Level 1 self-attestation works for CUI contracts — it does not. Level 2 with third-party assessment is the requirement for nearly all CUI handling
The 2026 Timeline Pressure
CMMC 2.0 final rule implementation is now actively flowing into DoD solicitations. Texas defense primes have begun explicit flow-down requirements to subcontractors. Solicitations issued in late 2026 increasingly require certification within 12-18 months of contract start — meaning subcontractors need to be in active assessment now to maintain eligibility on new awards.
For most Texas SMB defense subcontractors handling CUI: the runway to Level 2 certification is 8-12 months from formal start to assessment. Working backward from the next major contract recompete is the right planning anchor.
Where to Start
For Texas defense subcontractors uncertain of their CMMC scope: pull every active DoD-related contract, scan for DFARS 252.204-7012, document what data you actually receive from each prime, and produce a written CUI determination. This single exercise typically clarifies the scoping question definitively. Then engage a CMMC Registered Practitioner or RP Organization for the formal gap assessment.
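As an added example (not part of the original article), the contract-scan step above expressed as a small Python script: it applies the CUI indicators from the decision framework to contract text and records the evidence behind each level determination, including the "cannot document no CUI, so assume CUI" rule. The contract identifiers and excerpts are constructed placeholders, not real contracts.

```python
import re
from dataclasses import dataclass, field
# CUI indicators from the article's decision framework, as compiled regexes.
# ITAR/EAR stay case-sensitive so ordinary words are not matched.
CUI_INDICATORS = {
    "dfars_7012": re.compile(r"252\.204-7012"),
    "cui_marking": re.compile(r"\bCUI//[A-Z][A-Z-]*(?:/[A-Z][A-Z-]*)*|\bNOFORN\b"),
    "export_controlled": re.compile(r"\bITAR\b|\bEAR\b|[Ee]xport[- ][Cc]ontrolled"),
    "sbu_pricing": re.compile(r"sensitive but unclassified", re.I),
    "flowdown": re.compile(r"flow[- ]?down.{0,200}?\bCUI\b", re.I | re.S),
}
FCI_CLAUSE = re.compile(r"52\.204-21")
# A written "no CUI flows to you" statement, required before Level 1 is accepted.
NO_CUI_CONFIRMATION = re.compile(
    r"\bno (?:CUI|Controlled Unclassified Information)\b.{0,200}?"
    r"\b(?:flow|flows|provided|transmitted|furnished)\b", re.I | re.S)

@dataclass
class Determination:
    level: str                      # "Level 2", "Level 1" or "Level 2 (assumed)"
    evidence: list = field(default_factory=list)

def determine_level(text: str) -> Determination:
    """Article rule: any CUI indicator -> Level 2; FAR 52.204-21 plus a written
    no-CUI confirmation -> Level 1; otherwise undetermined, so assume CUI."""
    hits = [name for name, pat in CUI_INDICATORS.items() if pat.search(text)]
    if hits:
        return Determination("Level 2", hits)
    if FCI_CLAUSE.search(text) and NO_CUI_CONFIRMATION.search(text):
        return Determination("Level 1", ["far_52_204_21", "written_no_cui_confirmation"])
    return Determination("Level 2 (assumed)", ["no documented no-CUI determination"])

def scan_contracts(contracts: dict) -> dict:
    """Run the determination over every contract: {contract_id: Determination}."""
    return {cid: determine_level(text) for cid, text in contracts.items()}

# Constructed contract excerpts (not real contracts); identifiers are placeholders.
SAMPLE_CONTRACTS = {
    "SC-0001": ("Subcontract incorporates DFARS 252.204-7012 by reference. Drawings "
                "delivered under CLIN 0002 are marked CUI//SP-EXPT. Prime requires "
                "flow-down of all CUI handling requirements to the subcontractor."),
    "PO-0002": ("Purchase order for commodity fasteners. FAR 52.204-21 applies. The "
                "prime confirms in writing that no CUI will flow to the supplier."),
    "PO-0003": ("Purchase order subject to FAR 52.204-21. Technical data to be "
                "provided by the prime is to be determined."),
}

if __name__ == "__main__":
    for cid, d in scan_contracts(SAMPLE_CONTRACTS).items():
        print(f"{cid}: {d.level} (evidence: {', '.join(d.evidence)})")
```

The third sample shows the conservative default: a FAR 52.204-21 order with no written no-CUI confirmation is scoped to Level 2 until the determination is documented.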