Do Companies That Don’t Handle CUI Need CMMC?
Short answer: yes.

It doesn’t matter whether an organization handles FCI or CUI: CMMC applies to any business that holds a contract with the DoD. CMMC compliance applies to more than 300,000 organizations that engage with the DoD. If you have a contract with the DoD, then at a minimum you need to be CMMC Level 1, because your contract will contain sensitive information, and that information is FCI. However, compliance does not equate to being CMMC certified. For example, if a contract states that an organization is contractually obligated to comply with DFARS 252.204-7012, then you need to meet the same requirements as CMMC Level 2.

To sum it up, if you have a contract with the DoD but you don’t handle CUI, you’re at CMMC Level 1. If you have a contract with the DoD and you do handle CUI, you’re at CMMC Level 2. If you do not have a contract with the DoD, but you’re trying to win one, then it’s a good idea to be at least CMMC Level 2.


Pro Tip: Most (if not all) contracts with the DoD involving CUI require that companies adhere to the requirements set forth by DFARS 252.204-7012, which requires complying with all NIST SP 800-171 controls. If you currently have a DoD contract that contains the DFARS 252.204-7012 clause and you are not implementing the NIST SP 800-171 controls within your organization, then you are technically in breach of contract. Your organization can be held civilly liable for false claims, as was the case with Aerojet Rocketdyne, which had to pay $9,000,000 in fines last year for this reason.

Aerojet Rocketdyne article


- Kloud9 IT