Here's the scenario we hear every week: a small business owner calls us, worried. They just found out about CMMC. Their prime mentioned it. Their IT guy Googled it. Someone at a trade show said they'd be "locked out" of DoD contracts if they didn't get certified.

And they have no idea whether any of that actually applies to them.

This post is for them. If you run a small firm (5–200 people), do federal work — directly or through a prime — and you're not sure whether CMMC is your problem: read this. By the end, you should know the answer.

If you'd rather just use our free 5-minute scoping tool, go ahead. It's the same logic, applied to your specific situation.

First: what CMMC actually is

CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's way of verifying that companies in its supply chain actually implement the safeguarding requirements their contracts have required for years (FAR 52.204-21 and DFARS 252.204-7012), instead of just saying they do.

There are three levels:

  1. Level 1: 17 basic safeguarding practices (the FAR 52.204-21 requirements), self-assessed every year.
  2. Level 2: the 110 practices of NIST SP 800-171, assessed in most cases by an accredited third party (a C3PAO).
  3. Level 3: Level 2 plus a subset of NIST SP 800-172, assessed by the government. It is reserved for the most sensitive programs, and almost no small firm lands there.

Most of what you'll read online focuses on Level 2. That's because most defense contractors end up there. But your level is set by the data you handle, not by your tier in the supply chain: a subcontractor to a subcontractor that only ever sees purchase orders might need only Level 1, and a supplier of purely commercial off-the-shelf items might not need CMMC at all.

The question that actually determines your level

Ignore the practice counts for a minute. The only question that matters is: what kind of data do you receive from, or create for, the government, whether directly or through your prime?

FCI — Federal Contract Information

This is the boring administrative stuff: information the government (or your prime) gives you to do the job that isn't public, but isn't sensitive enough to carry legal safeguarding controls. Typical examples:

  1. Purchase orders and task orders: dates, locations, quantities, dollar amounts.
  2. Scope-of-work descriptions, schedules and site-access instructions.
  3. Routine contract correspondence.

Two things don't even count as FCI: information the government has already made public, and simple transactional data needed to process payments.

If this is all you see, you're at Level 1. Seventeen practices, self-assessed every year, done.

CUI — Controlled Unclassified Information

This is the sensitive stuff: information that a law, regulation or government-wide policy says must be protected, and that is marked (or should have been marked) as CUI. In defense work it is usually technical:

  1. Drawings, specifications and engineering data for military equipment or facilities (Controlled Technical Information).
  2. Test results, inspection reports and technical manuals.
  3. Export-controlled technical data (ITAR/EAR).
  4. Anything that arrives with a CUI banner, or with a legacy marking such as FOR OFFICIAL USE ONLY, until you have confirmed the content isn't controlled.

If you see this, you're at Level 2. 110 practices, and in most cases an external assessor (a C3PAO). A few contracts allow a Level 2 self-assessment, but plan for the third-party version unless your contract says otherwise.

The painting company example (this one's real)

A painting company called us. They paint hangar doors at a regional Air Force base. Their federal work had grown from 10% to 90% of revenue. Their prime was pushing them to get CMMC "just to be safe."

We asked one question: "What do they actually send you to paint?"

The owner wasn't sure. We walked him through his inbox. He found three things:

  1. Purchase orders — just dates, locations, dollar amounts. That's FCI.
  2. Scope-of-work documents — "paint hangar 7, doors 1–4, per spec" — also FCI.
  3. Door specifications, marked FOR OFFICIAL USE ONLY, with dimensions and structural details. (FOUO is a legacy marking that predates the CUI program, so the stamp alone doesn't settle it. What matters is whether the content itself, here structural detail about a facility on a military installation, requires safeguarding. In his case it did.)

That third one flipped him from Level 1 to Level 2.

Once he knew that, the fix was easier than he thought. Stripping the markings wouldn't have helped; CUI is defined by the content, not the banner. What the Air Force could do was send him a scope document that left the structural specifications out, so the technical detail never entered his environment at all. It took one email to his contracting officer to change what flowed to him. Six months later he was Level 1 ready, passed his self-assessment, and kept his contract.

The point: you can sometimes shrink your scope by changing what you accept, but only by keeping the data out, never by ignoring or removing markings. You don't have to default to Level 2 just because your prime said so. Ask what data flows, then decide.

The three-question shortcut

If you want to skip to the answer, run this decision tree:

  1. Do you hold a DoD contract or subcontract, at any tier? No → CMMC doesn't apply (it is a DoD program, not a government-wide one, and pure commercial off-the-shelf suppliers are exempt). Yes → keep going.
  2. Does your contract or flow-down include DFARS 252.204-7012? Yes → plan for Level 2. That clause exists to protect covered defense information and requires NIST SP 800-171. One caveat: primes often paste 7012 into every subcontract as boilerplate. If you're certain no CUI will be exchanged, get the prime to confirm that in writing before you assume Level 2.
  3. Do you receive, or produce for the government, technical data (drawings, specs, test results, marked files)? Yes → Level 2. No → Level 1.

That's it. That's the logic. Every CMMC consultant, every automated scoping tool, every prime's checklist is some variant of that three-step path.

Why it's worth getting this right

The Level 1 / Level 2 distinction matters because the cost delta is enormous:

                            Level 1                  Level 2
  Practices                 17                       110
  Assessor                  Self, every year         C3PAO (external), every three years,
                                                     plus an annual affirmation
  Typical cost to prepare   $3K–$10K                 $40K–$200K+
  Typical timeline          1–3 months               6–12 months
  Annual cost               Minimal                  Ongoing monitoring + re-assessment

A small firm that mis-scopes itself into Level 2 when Level 1 would have sufficed just paid 10x too much. A small firm that assumes Level 1 when it actually needs Level 2 fails its first assessment and loses the contract.

Either error is fixable. Not getting it wrong in the first place is better.

What to do next

If you want a structured, honest answer: run our free scoping tool. Five questions, five minutes, no sign-up. It teaches you at each step and gives you an action plan at the end.

If you'd rather just read a bit more first, the next post in this series goes deeper on how to tell FCI from CUI when the government isn't marking documents clearly (which, frustratingly, happens a lot).

If you're sure you need Level 2 and you want to talk about an assessment — that's what we do. Email us.


vCISOx runs CMMC and FedRAMP assessments for small defense contractors. We also publish a template library and an AI-assisted compliance subscription for teams who'd rather do it themselves. If that sounds useful, run the scoping tool first — we'll recommend the right path based on your actual situation, not what we'd love to sell you.