What is the difference between CMMC Level 1 and Level 2?

Many organizations that do business with the US Government will be challenged with implementing a CMMC Security Program. This program will focus on meeting the requirements defined within 52.204-21 and 252.204-7012.

CMMC Level 1

52.204-21 (Nov 2021) defines the minimum set of security practices an organization must have in place before it can accept an order from the US government. It defines 15 requirements and procedures, which equate to 17 practices defined in SP800-171v2. And yes, even if you are a subcontractor of a subcontractor, the government will expect you to implement each of these requirements and the corresponding SP800-171v2 practices.

This question comes up a LOT. At the time of this post (May 2026), SP800-171v3 has not been accepted through the rule-making process, so even though NIST considers SP800-171v2 superseded, all CMMC assessments will be completed against SP800-171v2, including the CMMC Level 1 self-assessment. However, the DoD has provided some guidance on how to implement SP800-171v3.

CMMC Level 2

All information you receive, whether directly or through the flow-down processes of being a subcontractor, is usually managed under one of the FAR processes, with 52.204-21 included. But not everything you receive related to a US Government contracted order is Controlled Unclassified Information (CUI) or falls under DFARS 252.204-7012.

Understanding what is and is not CUI is one of the most difficult tasks an organization will have to go through. To make it even more difficult, CUI marking has not been applied consistently, nor passed down consistently by the prime, its subcontractors, and their subcontractors in turn. The release of an updated 48 CFR attempts to solve this by requiring that subcontractors be notified of their CMMC requirements, including whether they need to achieve a CMMC Level 2 or Level 3 certification.

Start by reviewing your RFPs, contracts and orders, and talk with your customers to clearly understand your requirements. There is a legal concept called the Christian Doctrine which, greatly simplified, holds that ignorance of a requirement is not a defensible position. For more information, use your favorite search engine and search for “Christian Doctrine government contracts”.

Whereas CMMC Level 1 is a self-assessment, Level 2 requires an external assessment of all 110 practices and the 320 assessment objectives that define how those 110 practices are to be implemented. This external assessment is required every 3 years, and a self-assessment must be completed every year in between.

Beyond not knowing whether or where CUI is being stored, processed, or transmitted, organizations typically struggle to determine what should be included in scope, why, and which external services require a FedRAMP approved service. In most cases, an organization will only need a FedRAMP Moderate authorized service, but if you have to address any ITAR or CMMC Level 3 requirements, you are going to need a FedRAMP High authorized service.

Understanding where your CUI exists, and which people, facilities, and technologies touch it (do not forget line-of-sight controls), is one of the hardest achievements of your CMMC Level 2 journey.

And sorry, folks. If you have to achieve a CMMC Level 2 assessment, your Level 1 requirements are not out of scope. You will be assessed against them as well, so evidence and artifacts are required!!
