When You Can Stop at Level 1: Handling FCI Without Touching CUI

If your work for the Department of Defense (DoD) only involves Federal Contract Information (FCI) and never touches Controlled Unclassified Information (CUI), you can stay at Cybersecurity Maturity Model Certification (CMMC) Level 1. That is the short answer. Handling FCI without CUI keeps you in the lighter 15-requirement, self-attestation tier and out of the much heavier Level 2 process.

The catch is that staying at Level 1 is not automatic. It depends on what data actually moves through your environment, and that can change with a single email from a prime contractor.

This post is for small subcontractors and suppliers who suspect they only need Level 1 and want to keep it that way. We will cover the real line between FCI and CUI, how to scope your environment so CUI stays out, what happens if CUI slips in anyway, and the practical steps that protect your Level 1 status. APT Security Management is a managed security services provider based in North Charleston, South Carolina, and we help DoD contractors figure out exactly where that line falls.

What actually separates FCI from CUI

Your CMMC level is decided by the type of data you handle, not by the size of your company or the dollar value of your contract.

Federal Contract Information is information provided by or generated for the government under a contract that is not meant for public release. Think delivery schedules, basic contract terms, or process documentation that is not sensitive on its own. Handling FCI puts you at Level 1.

Controlled Unclassified Information is a defined category of sensitive government information that requires protection under specific rules. In the defense world this often means engineering drawings, technical specifications, source code, or other technical data marked as CUI. Handling CUI puts you at Level 2.

The line is cleaner than it sounds. If nothing in your environment is CUI, you have a Level 1 scope. If even one CUI item lives in your systems, gets emailed to your team, or sits on a shared drive your staff can reach, you are looking at Level 2 for the systems that touch it. If you are still sorting out which bucket your data falls in, our post on FCI vs CUI walks through how to tell them apart, and Level 1 or Level 2 covers how the level flows from the data.

Why staying at Level 1 is worth the effort

The gap between the two levels is large, and that is the reason scoping is worth your time.

Level 1 covers 15 requirements and is confirmed through annual self-attestation. A senior official reviews your compliance and submits an affirmation in the Supplier Performance Risk System (SPRS). Because Level 1 is confirmed through self-attestation rather than a third-party certification, there is no outside assessor and no assessment fee.

Level 2 covers 110 practices aligned to National Institute of Standards and Technology (NIST) Special Publication 800-171. Contracts requiring CUI handling are typically confirmed by a third-party assessment from a Certified Third-Party Assessment Organization (C3PAO), unless the contracting officer has designated the contract as eligible for self-attestation. That means a paid assessment, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a much longer remediation runway before you are ready.

So the choice is not 15 requirements versus 110 practices on paper. It is a self-signed affirmation versus a scheduled, paid, third-party audit with a documentation burden behind it. If your contract only requires FCI handling, keeping CUI out of your environment keeps you on the lighter side of that line.

How to keep CUI out of your environment

Staying at Level 1 is a scoping decision you make on purpose. Three steps do most of the work.

Map your data flows

Start by writing down where federal data enters your business, who handles it, where it is stored, and where it leaves. Email, shared drives, laptops, cloud apps, and any vendor you forward files to all count. Most contractors are surprised by how many places data lands once they map it. You cannot keep CUI out of an environment you have not drawn.

Segment your network

If any part of your business does touch CUI, separate it from the systems that do not. Network segmentation keeps CUI work inside its own boundary so it does not pull your whole company into Level 2 scope. A properly configured firewall and segmented network, using a platform such as Fortinet, lets you draw a hard boundary around the CUI-handling systems and leave the rest of the business in a clean Level 1 scope.

Control your supplier agreements

Look at the agreements you have with your own subcontractors and vendors. If you pass federal data down to them, make sure you are not flowing CUI down by default when the work does not require it. The less CUI moves through your supply chain, the smaller your scope and theirs.
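To make the three steps above concrete, here is a small added example (our illustration for this post, not a tool we sell or code from any CMMC guidance). It models a data-flow map as a graph of systems, treats a segmentation rule as a blocked edge, and then computes which systems end up in Level 2 scope depending on where CUI enters. The system names, flows, and the "cui-enclave" boundary are all constructed assumptions.

```python
# Added example (not from the original post): a small data-flow model that
# applies the scoping rule above. System names and flows are constructed.
from collections import deque


class DataFlowMap:
    """Systems and the directions federal data can move between them."""

    def __init__(self):
        self.flows = {}       # system -> set of systems it sends data to
        self.blocked = set()  # (src, dst) flows stopped by a segmentation rule

    def add_system(self, name):
        self.flows.setdefault(name, set())

    def add_flow(self, src, dst):
        self.add_system(src)
        self.add_system(dst)
        self.flows[src].add(dst)

    def block(self, src, dst):
        """Record a firewall/segmentation rule that stops data crossing src -> dst."""
        self.blocked.add((src, dst))

    def reachable_from(self, entry_points):
        """Every system the data can reach from its entry points (breadth-first)."""
        seen = set(entry_points)
        queue = deque(entry_points)
        while queue:
            cur = queue.popleft()
            for nxt in self.flows.get(cur, ()):
                if nxt not in seen and (cur, nxt) not in self.blocked:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def cmmc_scope(self, fci_entry, cui_entry):
        """Level per system: 2 if CUI can reach it, 1 if only FCI can, 0 if neither."""
        cui_scope = self.reachable_from(cui_entry)
        fci_scope = self.reachable_from(fci_entry)
        return {
            s: 2 if s in cui_scope else 1 if s in fci_scope else 0
            for s in self.flows
        }


def build_map():
    """Constructed example business: email, a shared drive, laptops, a
    subcontractor, an engineering enclave, and an HR system nobody forwards to."""
    m = DataFlowMap()
    m.add_flow("email", "shared-drive")        # staff save attachments to the share
    m.add_flow("email", "laptops")             # ...or straight to their laptops
    m.add_flow("shared-drive", "laptops")      # everyone syncs the share
    m.add_flow("laptops", "sub-vendor")        # files forwarded to a subcontractor
    m.add_flow("cui-enclave", "shared-drive")  # engineers copying files out of the enclave
    m.add_system("hr-system")                  # holds no federal data at all
    return m


def level_map(segmented, cui_arrives_by_email=False):
    """Compute each system's level under the chosen scoping decisions."""
    m = build_map()
    if segmented:
        m.block("cui-enclave", "shared-drive")  # the hard boundary around CUI work
    cui_entry = {"cui-enclave"}
    if cui_arrives_by_email:
        cui_entry.add("email")  # a prime emails a CUI-marked drawing
    return m.cmmc_scope(fci_entry={"email"}, cui_entry=cui_entry)


if __name__ == "__main__":
    scenarios = [
        ("no segmentation", {"segmented": False}),
        ("segmented enclave", {"segmented": True}),
        ("segmented, but CUI arrived by email",
         {"segmented": True, "cui_arrives_by_email": True}),
    ]
    for label, kwargs in scenarios:
        levels = level_map(**kwargs)
        in_l2 = sorted(s for s, lvl in levels.items() if lvl == 2)
        print(f"{label}: Level 2 systems = {in_l2}")
```

Run it and the three scenarios tell the story of this section: with no boundary, one enclave-to-share copy path pulls the shared drive, every laptop and the subcontractor into Level 2; with the boundary enforced, only the enclave is Level 2; and once CUI arrives through email, the boundary around the enclave no longer helps, because email already reaches everything. The only thing the model needs from you is an honest list of flows, which is exactly what the mapping step produces.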

What happens when CUI shows up uninvited

The risk with a Level 1 scope is not usually a bad decision. It is drift.

A prime contractor emails an engineering drawing marked CUI so your team can quote a part. Someone saves it to the shared drive everyone uses. That one file can change your level. The systems that received it, stored it, and can access it are now in CUI scope, and your Level 1 self-attestation no longer reflects reality.

This is where email security matters. Strong email controls, using a platform such as Sophos, help you catch and contain sensitive attachments before they spread across your environment. Email is the most common way CUI arrives unannounced, so it is the boundary worth watching most closely.

If CUI does land in your systems, do not ignore it. Either remove it and document that you did, or accept that the receiving systems are now Level 2 scope and plan accordingly. Quietly leaving a CUI file on a Level 1 network is the situation a gap assessment is designed to catch.
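One cheap way to notice drift before a gap assessment does is to look for CUI banner markings on the shares that are supposed to hold only FCI. The scanner below is an added illustration for this post, not a product and not code from any CMMC or NARA guidance. It checks the top lines of each file for the "CUI" or "CONTROLLED" banner, optionally with a category such as "CUI//SP-CTI", and reports any marked file that sits outside the paths you treat as your CUI enclave. The file contents, paths and the "E:/Enclave/" prefix are constructed.

```python
# Added example (not from the original post): a scanner that looks for CUI
# banner markings in files outside the CUI enclave. File contents are
# constructed; the marking forms checked are the "CUI" and "CONTROLLED"
# banners, optionally with a category, e.g. "CUI//SP-CTI".
import re

# A banner line is the marking alone, e.g. "CUI", "CONTROLLED", "CUI//SP-CTI".
BANNER = re.compile(r"^\s*(CUI|CONTROLLED)(//[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?\s*$")
HEADER_LINES = 5  # banner markings sit at the top of the document


def is_cui_marked(text):
    """True if one of the first few lines is a CUI banner marking.
    A passing mention of 'CUI' in body text is deliberately not enough."""
    lines = text.splitlines()[:HEADER_LINES]
    return any(BANNER.match(line) for line in lines)


def find_cui_drift(files, enclave_prefixes):
    """Return paths of CUI-marked files that live outside the enclave paths."""
    drift = []
    for path, text in files.items():
        in_enclave = path.startswith(tuple(enclave_prefixes))
        if is_cui_marked(text) and not in_enclave:
            drift.append(path)
    return sorted(drift)


# Constructed sample of what a scan might see on a small contractor's shares.
SAMPLE_FILES = {
    "S:/Shared/Quotes/part-4471-drawing.txt":
        "CUI//SP-CTI\nDesignated by: Prime Contractor Engineering\nDrawing, part 4471",
    "S:/Shared/Contracts/delivery-schedule.txt":
        "Delivery schedule, Q3\nNot for public release\nWeek 1: 40 units",
    "S:/Shared/Ops/newsletter.txt":
        "Company newsletter\nReminder: CUI awareness training Tuesday",
    "E:/Enclave/Engineering/spec-9920.txt":
        "CONTROLLED\nTechnical specification 9920",
}

if __name__ == "__main__":
    hits = find_cui_drift(SAMPLE_FILES, enclave_prefixes=("E:/Enclave/",))
    for path in hits:
        print(f"CUI marking found outside the enclave: {path}")
    if not hits:
        print("No CUI markings found outside the enclave.")
```

In the sample, the delivery schedule is FCI (not for public release, but no CUI banner) and the newsletter merely mentions CUI, so neither is flagged; the drawing that a prime emailed and someone saved to the quotes folder is. A scan like this only finds what is marked, so it complements staff training rather than replacing it, and whatever it finds still needs the decision the paragraph above describes: remove it and document the removal, or accept that the system is now in Level 2 scope.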

Practical steps to protect your Level 1 scope

A few habits keep the FCI-only line intact:

Ask primes to redact. If a prime sends technical data you do not need, ask whether a redacted or lower-sensitivity version would do. Often it would.

Push back on unnecessary CUI flow-down. Primes sometimes flow CUI requirements down the chain by habit. If your scope of work genuinely does not involve CUI, it is reasonable to confirm that with the prime in writing.

Build a separate environment for any CUI work. If you take on work that does require CUI, keep it in a segmented, separate environment rather than letting it spread. That protects the Level 1 status of the rest of your business.

Train your team on what CUI looks like. Staff should recognize a CUI marking and know not to save it to general systems. Most CUI drift comes from people who did not know the file was sensitive.

What to Do Next

Start by mapping your data flows and confirming, in writing where you can, whether your contracts actually require CUI handling. If they do not, the work is keeping it that way. If you are not certain, a gap assessment will tell you where your scope really sits and whether your environment matches the level you are attesting to. APT offers a Level 1 gap check for exactly this, and our CMMC compliance prep service covers both levels if your scope turns out to be larger than you expected.

Talk Through Your Situation With APT

Not sure whether you can stay at Level 1 or whether CUI has crept into your environment? Book a free 30-minute consultation and we will help you figure out where your scope actually falls.