Which Security Standards Apply to You?
Explore essential security compliance standards for defense contractors to ensure contract eligibility.
---
Before you spend $50,000 on a CMMC compliance program, figure out which security standards actually apply to your contracts. This isn't a complicated analysis, but contractors routinely either over-build their compliance programs (spending on Level 2 when Level 1 suffices) or under-build them (treating every requirement as optional when it isn't).
The right answer comes from your contract, not from a general understanding of what defense contractors do.
Step 1: Read Your Contract Clauses
Pull your current DoD contracts and subcontract agreements. Look for these specific clauses in the contract terms:
DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting"
If this clause is in your contract, you must implement the NIST SP 800-171 security requirements on every system that processes, stores, or transmits covered defense information, which in practice means CUI. This has been the core cybersecurity obligation for defense contractors since the December 2017 implementation deadline. It requires:
- Implementation of all 110 NIST SP 800-171 requirements, with any gaps documented in a system security plan and plans of action
- Cyber incident reporting to DoD within 72 hours of discovery, and preservation of relevant images and data for 90 days
- FedRAMP Moderate (or equivalent) cloud services for any covered defense information placed in the cloud
- Flowdown of the clause to subcontractors that handle covered defense information
The NIST SP 800-171 DoD Assessment score in SPRS that usually travels with this clause is actually imposed by the companion clauses DFARS 252.204-7019 and 252.204-7020, so where you see 7012 you should expect those two as well.
DFARS 252.204-7021 — "Cybersecurity Maturity Model Certification Requirements"
This is the CMMC clause. If it appears in a solicitation or contract, the DoD is making CMMC status at a specific level a condition of award. The clause states the required level (1, 2, or 3) and, for Level 2, whether a self-assessment or a C3PAO certification assessment is required; those are different tracks even though both are "Level 2." As of early 2026 the clause is being added to new solicitations in phases under the CMMC program rule at 32 CFR Part 170 and its DFARS companion rule.
FAR 52.204-21 — "Basic Safeguarding of Covered Contractor Information Systems"
This Federal Acquisition Regulation clause applies across federal agencies, DoD included, to any contract under which the contractor may have federal contract information (FCI) on its systems; it is not limited to civilian agencies. It requires 15 basic safeguarding requirements, a subset of what NIST SP 800-171 asks for. It applies only to "covered contractor information systems," the systems that process, store, or transmit FCI, and it imposes no CUI-level protections. FCI is information, not intended for public release, that the government provides to you or that you generate for the government under a contract; it excludes information the government has already made public and simple transactional information such as invoices. FCI is a broader category than CUI, and its protections are lighter.
No cybersecurity clause at all
Some contracts, notably purchases of commercially available off-the-shelf (COTS) items, carry no cybersecurity clause at all; both FAR 52.204-21 and DFARS 252.204-7012 are excluded from COTS-only acquisitions. In that case you have no contractual obligation to NIST SP 800-171 or CMMC. You may still have good reasons to implement security controls, but CMMC compliance isn't one of them.
The clause analysis is your starting point. The rest of this article assumes you've identified which clauses apply.
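As an added example (not part of the original article, and not a DoD, CMMC-AB or SPRS tool), the Python script below performs Step 1 over contract text you have exported from your PDFs: it scans for the clause numbers above, maps them to the governing standard and requirement count, and flags two things a reviewer would want to see, a 7021 clause that states no level and a 7012 clause paired with CMMC Level 1. The clause numbers and the 15 / 110 / 110+24 counts come from this article; the wording patterns used to read the level out of a 7021 clause and the sample contract excerpts are constructed assumptions, so check the patterns against your own documents.

```python
"""Contract clause scan: which cybersecurity standard governs this contract?

Added example for this article, not a DoD, CMMC-AB or SPRS tool. It greps
contract text for the clause identifiers discussed above and maps the hits
to the requirement set each clause imposes. Clause numbers and requirement
counts (15 / 110 / 110+24) come from the article. The phrasings used to
pull a CMMC level out of a 7021 clause ("CMMC Level 2", "CMMC Status:
Level 2 (C3PAO)") are an assumption about solicitation wording.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Clause identifiers as they appear in contract text. The agency prefix
# (FAR/DFARS) is often omitted, so match on the number alone.
CLAUSE_PATTERNS = {
    "FAR 52.204-21": re.compile(r"\b52\.204-21\b"),
    "DFARS 252.204-7012": re.compile(r"\b252\.204-7012\b"),
    "DFARS 252.204-7019": re.compile(r"\b252\.204-7019\b"),
    "DFARS 252.204-7020": re.compile(r"\b252\.204-7020\b"),
    "DFARS 252.204-7021": re.compile(r"\b252\.204-7021\b"),
}

# Assumed wording of the level statement that accompanies 252.204-7021.
LEVEL_RE = re.compile(
    r"CMMC\s+(?:Status\s*:?\s*)?Level\s*([123])\b\s*(?:\((Self|C3PAO|Final|DIBCAC)\))?",
    re.IGNORECASE,
)

REQUIREMENT_COUNT = {1: 15, 2: 110, 3: 110 + 24}


@dataclass
class Determination:
    clauses: list = field(default_factory=list)
    cmmc_level: Optional[int] = None
    cmmc_track: Optional[str] = None
    cui_obligation: bool = False
    required_practices: int = 0
    governing_standard: str = "none"
    notes: list = field(default_factory=list)


def analyze_contract(text: str) -> Determination:
    """Map the clauses found in one contract to the standard that governs it."""
    d = Determination()
    d.clauses = [name for name, pat in CLAUSE_PATTERNS.items() if pat.search(text)]
    has_far = "FAR 52.204-21" in d.clauses
    has_7012 = "DFARS 252.204-7012" in d.clauses
    has_7021 = "DFARS 252.204-7021" in d.clauses

    if has_7021:
        m = LEVEL_RE.search(text)
        if m:
            d.cmmc_level = int(m.group(1))
            d.cmmc_track = m.group(2).upper() if m.group(2) else None
        else:
            d.notes.append("252.204-7021 present but no CMMC level stated; ask the contracting officer")

    # Highest obligation wins: 7021 Level 3 > 7021 Level 2 or 7012 > 7021 Level 1 or FAR > nothing.
    if d.cmmc_level == 3:
        d.governing_standard = "CMMC Level 3: NIST SP 800-171 plus 24 from SP 800-172"
        d.cui_obligation = True
    elif d.cmmc_level == 2 or has_7012:
        d.governing_standard = "NIST SP 800-171 (CMMC Level 2)"
        d.cui_obligation = True
    elif d.cmmc_level == 1 or has_far:
        d.governing_standard = "FAR 52.204-21 (CMMC Level 1)"
    else:
        d.notes.append("no cybersecurity clause found; no contractual NIST SP 800-171 or CMMC obligation")
        return d
    d.required_practices = REQUIREMENT_COUNT[3 if d.cmmc_level == 3 else 2 if d.cui_obligation else 1]

    # Consistency checks a reviewer would want flagged rather than silently resolved.
    if has_7012 and d.cmmc_level == 1:
        d.notes.append("252.204-7012 (CUI) alongside CMMC Level 1 is inconsistent; confirm what data flows")
    if has_7012 and not {"DFARS 252.204-7019", "DFARS 252.204-7020"} <= set(d.clauses):
        d.notes.append("252.204-7012 without 7019/7020; confirm whether an SPRS assessment score is expected")
    return d


def portfolio_obligation(contracts: dict) -> dict:
    """Size the program to the most demanding contract, but keep per-contract scope."""
    results = {name: analyze_contract(text) for name, text in contracts.items()}
    return {
        "per_contract": {name: r.required_practices for name, r in results.items()},
        "program_ceiling": max(r.required_practices for r in results.values()),
    }


# Constructed contract excerpts (not real solicitations) covering the cases in the article.
SAMPLE_CONTRACTS = {
    "far_only": "Purchase order incorporates FAR 52.204-21, Basic Safeguarding of Covered "
                "Contractor Information Systems, and 52.212-4 by reference.",
    "cui_c3pao": "Clauses: 52.204-21; DFARS 252.204-7012 Safeguarding Covered Defense Information; "
                 "252.204-7019; 252.204-7020; 252.204-7021 CMMC Requirements. "
                 "CMMC Status: Level 2 (C3PAO) is required at time of award.",
    "fci_level1": "Incorporated: 52.204-21 and 252.204-7021. The contractor shall hold CMMC Level 1 status.",
    "cui_no_level": "Incorporated: 252.204-7012, 252.204-7019, 252.204-7020 and 252.204-7021.",
    "cots": "Commercially available off-the-shelf items per FAR 2.101; 52.212-4 applies. No safeguarding clause.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_CONTRACTS.items():
        r = analyze_contract(text)
        print(f"{name:13} {r.governing_standard:50} {r.required_practices:3} {r.notes}")
    print(portfolio_obligation(SAMPLE_CONTRACTS))
```

Run it as-is to see the five constructed cases, or import analyze_contract and feed it text extracted from your own contracts. A hit is a prompt to go read that clause and its stated level, not a substitute for reading it, and the portfolio ceiling tells you how big the program must be while the per-contract results tell you how to scope each assessment.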
CMMC Level 1: Who It Applies To
CMMC Level 1 applies to organizations that handle FCI but not CUI. FCI is broadly defined: information, not intended for public release, that the government provides to you under a contract or that you generate for the government in performing it, excluding what the government has already made public and simple transactional information such as payment records. Typical examples are technical specifications provided during acquisition, contract deliverable templates, and government-furnished materials you use to perform the work.
Level 1 requirements: the 15 basic safeguarding requirements of FAR 52.204-21(b)(1). (They map onto 17 NIST SP 800-171 Rev 2 requirements, which is where the older "17 practices" figure comes from; under 32 CFR Part 170 the count is 15.) They are basic cyber hygiene: limit system access to authorized users, processes, and devices, and to the transactions and functions those users are permitted to execute; verify and control connections to external systems; control information posted on publicly accessible systems; identify and authenticate users, processes, and devices; sanitize or destroy media containing FCI before disposal or reuse; limit physical access, escort visitors, keep physical access logs, and control physical access devices; monitor, control, and protect communications at system boundaries; put publicly accessible components on separate subnetworks; identify, report, and correct flaws in a timely manner; deploy and keep current protection against malicious code; and run periodic scans and real-time scans of files from external sources.
Assessment: Level 1 is self-assessment only. You evaluate your own compliance against the 15 requirements, record the result in SPRS, and affirm compliance annually. Level 1 is pass/fail: every requirement must be met, and no plan of action is permitted for open items. There is no third-party assessor involved. The self-assessment is not trivial, because the affirmation is signed by a senior company official and is a legal attestation, but it doesn't require hiring a C3PAO.
Cost: Self-assessments can be completed internally at no external cost beyond staff time. Third-party assistance for a Level 1 self-assessment, if desired, typically runs $5,000–$15,000.
The decision: If your contract includes FAR 52.204-21 but not DFARS 252.204-7012 or DFARS 252.204-7021, you're looking at Level 1 (or the FAR clause on its own, which is the same 15 requirements). Don't build a 110-requirement program for a 15-requirement obligation.
CMMC Level 2: Who It Applies To
CMMC Level 2 applies to organizations that handle Controlled Unclassified Information (CUI). CUI is a defined category — it's information that falls under a statute, regulation, or government policy that requires protection. Not all sensitive information is CUI; it has to be formally designated by the government.
How to tell if you have CUI: Your contract will reference CUI either explicitly (the statement of work mentions "controlled technical information," "export-controlled research," or a specific CUI category), or DFARS 252.204-7012 will be in your contract and CUI will be flowing through the program. If you're working on engineering drawings, technical specifications, research data, or other technical content for a DoD program, CUI is almost certainly involved.
Level 2 requirements: All 110 practices in NIST SP 800-171 Rev 2, organized into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Assessment: Level 2 has two tracks:
- Self-assessment: permitted where the solicitation specifies "Level 2 (Self)." You assess your own compliance against all 110 requirements, enter the score in SPRS, and a senior company official (the Affirming Official) affirms the result. The self-assessment is redone every three years, with an affirmation every year in between. The standard is identical to the C3PAO track: all 110 requirements, documented evidence. The difference is that no external evaluator checks the evidence.
- C3PAO assessment: required where the solicitation specifies "Level 2 (C3PAO)." A CMMC Third-Party Assessment Organization conducts the assessment against your documented and implemented controls. A passing assessment yields a certificate valid for three years, again with annual affirmations. On either track, a conditional result with a plan of action and milestones is allowed only for a limited set of lower-weighted requirements, only if the initial score is at least 88 of 110, and only if the open items are closed within 180 days; otherwise the assessment fails.
Cost and timeline: A typical Level 2 C3PAO engagement (pre-assessment, formal assessment, final report) runs $40,000–$100,000 depending on environment size and complexity, and takes 3–6 months from engagement to final report. Add remediation costs for any gaps found. If you're starting from scratch, plan 12–18 months from the start of your compliance program to assessment completion.
CMMC Level 3: Who It Applies To
CMMC Level 3 applies to a small subset of contractors working on the DoD's highest-priority programs, those handling CUI associated with critical programs or technologies. Level 3 requires the 110 NIST SP 800-171 requirements plus 24 additional requirements drawn from NIST SP 800-172, and it is assessed by the government (DCMA's DIBCAC) rather than by a C3PAO. A Level 2 C3PAO certification on the same scope is a prerequisite. The DoD will identify which contracts require Level 3 in the solicitation.
If your contract doesn't mention Level 3 and your contracting officer hasn't discussed it with you, you're almost certainly not in scope. Level 3 applies to a narrow slice of the defense industrial base.
The Common Mistake: Assuming Level 2 When Only FAR 52.204-21 Applies
The most common over-building mistake is treating a contract with FAR 52.204-21 (basic FCI protection) as requiring NIST 800-171 Level 2 implementation. This happens when contractors:
- Assume that all government contracts require CMMC
- Read general guidance about defense contractors and CMMC without checking their actual contract clauses
- Follow advice from a vendor selling Level 2 compliance tooling
FAR 52.204-21 requires 15 basic practices for covered contractor information systems. NIST 800-171 requires 110 practices for CUI systems. These are not the same standard, and the gap in implementation cost is significant.
Before starting a CMMC implementation, read your contract. If you see FAR 52.204-21 but not DFARS 252.204-7012 or DFARS 252.204-7021, you do not have a CUI obligation under that contract. You may still choose to implement higher security controls as a business decision, but don't do it because you misread your compliance requirements.
Cloud Services: FedRAMP and Its Role
If you use cloud services to process, store, or transmit CUI, those services must meet specific authorization standards. DFARS 252.204-7012 requires any cloud service that handles covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline, and 32 CFR Part 170 carries the same requirement into CMMC Level 2. "Equivalent" has a specific meaning: under the DoD CIO's December 2023 memo on FedRAMP Moderate equivalency, a provider without an authorization must show a body of evidence from a FedRAMP-recognized 3PAO demonstrating 100 percent of the Moderate controls, with no open plans of action. Anything above Moderate is driven by the data type or the program, not by the clause itself.
FedRAMP is a government authorization program for cloud providers, not a certification contractors pursue directly. Your responsibility is to use an authorized (or demonstrably equivalent) service for CUI and to configure and operate your side of it correctly. Check the FedRAMP Marketplace (marketplace.fedramp.gov) to verify the exact offering's authorization status and impact level before putting CUI in it, and obtain the provider's customer responsibility matrix: the authorization covers the provider's share of the controls, and your assessor will expect you to show how you meet the rest.
The practical guidance: For most small and medium defense contractors, Microsoft 365 GCC High (FedRAMP High authorized) is the most straightforward path for cloud-based CUI. It handles email, document storage, and collaboration for DoD work, satisfies the cloud requirement in DFARS 252.204-7012, and inherits or supports many CMMC Level 2 controls, provided you actually configure it (MFA, conditional access, audit logging, data loss prevention) and document the shared responsibility split.
Do not assume a vendor name settles the question. An authorization attaches to a specific offering, and often to a specific government edition or tenant type, so the standard commercial tier of Microsoft 365, Google Workspace, Dropbox, or Box that you already pay for may not be the offering that holds the authorization, and export-controlled CUI (ITAR/EAR) adds US-persons and data-location constraints that a standard commercial tenant is not designed to meet. CUI sitting in a commercial tenant that nobody checked against the Marketplace is one of the most common compliance gaps in small defense contractor environments.
What Your Assessor Expects
If you're heading into a CMMC assessment, assessors expect you to demonstrate that your compliance program is sized correctly to your actual obligations — and that you know why.
You should be able to clearly answer:
- Which DFARS clauses appear in your relevant contracts?
- What CUI categories do you handle? (Point to specific contracts and NARA CUI Registry categories.)
- Why does your assessment scope include specific systems and exclude others? (Point to your data flow diagram and scope decision.)
- How did you determine whether you need Level 1 or Level 2?
Organizations that can walk an assessor through their contractual obligations logically, and explain how their scope follows from those obligations, typically have more successful assessments than organizations that built compliance programs based on general assumptions.
---
The quick reference:
- FAR 52.204-21 only: 15 basic safeguarding requirements, no CUI obligation, no SPRS entry required by the FAR clause itself
- DFARS 252.204-7012 (with 7019/7020): all 110 NIST SP 800-171 requirements, DoD Assessment score in SPRS, 72-hour incident reporting
- DFARS 252.204-7021 specifying Level 1: 15 requirements, annual self-assessment and affirmation in SPRS
- DFARS 252.204-7021 specifying Level 2 (Self): 110 requirements, self-assessment every three years with annual affirmation in SPRS
- DFARS 252.204-7021 specifying Level 2 (C3PAO): 110 requirements, third-party certification valid three years with annual affirmation
- DFARS 252.204-7021 specifying Level 3: 110 + 24 requirements, government-led (DIBCAC) assessment, Level 2 C3PAO certification as prerequisite
Start with your contract. Build the program your contract requires.