Linkedin
  • Home
  • Demo & Video
  • Blog
  • About Us
  • Try Free Self-Assessment Tool
Menu Categories
  • Home
  • Demo & Video
  • Blog
  • About Us
  • Try Free Self-Assessment Tool
Linkedin
Cart To use Cart please install WooCommerce plugin
The Stack: Why Most CUI Handlers Need Both L1 and L2 | Overwatch Tools
CMMC Product Series โ€” Part 6 of 6

The Stack: Why Most CUI Handlers Need Both L1 and L2

If your contracts involve both FCI and CUI, you don't pick between Level 1 and Level 2 โ€” you need both. Here's what the combined stack actually looks like, and why $5,990/year covers it.

๐Ÿ“… Published 2026 โฑ 9 min read ๐ŸŽฏ For small contractors handling both FCI and CUI

Final post in "CMMC Compliance with Overwatch Tools: The Product Series"

โš  Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.

If your contracts involve both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), here is the thing the rest of the industry tends to bury under jargon:

You don't choose between CMMC Level 1 and Level 2. If you handle both FCI and CUI, you need both.

They aren't competing options. They're two layers of the same compliance posture, covering two different parts of your business. Throughout this series we've shown you what real compliance looks like versus a checklist, how the consulting sessions are structured, why platform-specific templates matter, what evidence survives scrutiny, and how all of it stays right-sized for a small business. This post is the close. It brings the two paths together into one clear proposition โ€” and tells you how to take them.

A Stack, Not a Choice

Most small contractors think of CMMC as a single ladder: get to Level 1, then maybe climb to Level 2. That mental model is where the confusion starts. Level 1 and Level 2 don't sit on top of each other on the same system. They cover different scopes.

Your main business โ€” the systems where your team works every day, emails clients, stores quotes and contract paperwork โ€” handles FCI. That's a Level 1 problem. Your CUI, when you have it, doesn't belong on those same everyday systems. It belongs in a dedicated enclave, separated and tightly scoped. That enclave is the Level 2 problem.

So a contractor with both kinds of data has two distinct jobs to do, on two distinct scopes:

Layer 1 โ€” Your Main Business

CMMC Level 1 ยท Covers FCI

Your everyday systems โ€” the M365 or Google Workspace environment your team already runs on. This is where FCI lives, and Level 1 secures it.

+
Layer 2 โ€” Your CUI Enclave

CMMC Level 2 ยท Covers CUI

A dedicated, separated enclave on GCC High or Workspace for Government โ€” scoped only for CUI. Level 2 secures this layer without touching your everyday environment.

Why this matters: Trying to make one system do both jobs is how small contractors end up over-scoped โ€” dragging their entire business into Level 2 complexity it never needed. The stack keeps each layer doing exactly what it should: Level 1 for the business, Level 2 for the enclave. Different scopes. Both required when you handle both kinds of data.

Layer 1: The L1 Turnkey Package โ€” $2,495/Year

This is the layer that covers your main business, where FCI lives. It's the same L1 Turnkey package we've walked through earlier in the series โ€” defined, mapped, and sessioned, not open-ended consulting.

  • 8 bi-weekly expert consultation sessions โ€” one hour each, keeping momentum from kickoff through your SPRS submission.
  • 15 CMMC Level 1 practices โ†’ 142 required artifacts โ€” every practice broken into the specific documents and evidence an assessment expects.
  • Platform-specific templates for Microsoft 365 or Google Workspace โ€” no translating generic enterprise documents into your environment.
  • All 8 device & network configuration guides, implementation procedures, and workflows.
  • Evidence Locker & SPRS report โ€” packaged, date-stamped, and ready for self-assessment documentation.

Most clients complete their Level 1 self-assessment in 2โ€“4 weeks, depending on existing infrastructure and how quickly your team works through the sessions. Limited time: $2,495/year โ€” $500 off the regular $2,995.

If you only handle FCI โ€” no CUI exposure at all โ€” this layer is the whole job. We'll come back to that case near the end, because it's where a large share of the small contractor market actually lives.

Layer 2: The L2 CUI Enclave Package โ€” $3,495/Year

This is the layer that covers your CUI โ€” and only your CUI. It builds a dedicated enclave, separated from your everyday systems, scoped for limited CUI needs and built without enterprise IT.

  • 12 bi-weekly expert consulting sessions โ€” kickoff, platform decision, build, evidence, dry run, SPRS.
  • 110 CMMC Level 2 practices โ†’ 182 defined artifacts, organized across the 14 CMMC domains.
  • Optimized for Microsoft 365 GCC High or Google Workspace for Government โ€” your choice of platform variant, with dedicated enclave configuration guides for each.
  • System Security Plan (SSP), POAM framework, Risk Register, and evidence checklist โ€” pre-filled and ready to adapt.
  • Right-sized for small businesses with limited CUI needs โ€” no Active Directory, no SIEM, no full-time security staff. We provide templates and configuration guides; your team implements with our support.
  • Time estimates on every task โ€” implementable part-time, around your real workload.
โš  Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.

The Combined Stack โ€” $5,990/Year for Full FCI + CUI Coverage

Put both layers together and you have complete coverage: your main business secured at Level 1, your CUI enclave secured at Level 2. One provider. One cohesive approach. Two packages that share the same design language and operational philosophy โ€” so nothing falls between the cracks.

L1 Turnkey โ€” FCI / main business $2,495/yr
L2 CUI Enclave โ€” CUI / dedicated enclave $3,495/yr
Combined coverage $5,990/yr

A planned, predictable annual cost โ€” with mapped artifacts, evidence, and consulting on both layers.

What's in scope

Full coverage for a contractor handling both FCI and CUI: a Level 1 self-assessment on your everyday business systems, plus a Level 2 self-assessment on a dedicated, separated CUI enclave. Both packages give you defined artifacts, expert sessions, platform-specific configuration guides, and self-assessment documentation.

What's not in scope

We provide templates, configuration guides, and consulting โ€” your team implements with our support. We don't set up your enclave for you, and we don't provide hardware. The L2 package is for self-assessment-eligible programs only; if your contract requires a C3PAO, that's a different path. And large or complex CUI environments โ€” the kind that genuinely need Active Directory, a SIEM, or full-time security staff โ€” need more than this right-sized stack provides.

Want to confirm your scope and see which package(s) apply to your contracts?

Book a free 30-minute consultation โ†’

The Math: $5,990/Year vs. a $50,000 C3PAO Assessment

Here's the comparison that reframes the whole decision. The combined stack isn't being measured against "doing nothing." It's being measured against what CUI compliance costs the other way.

Combined Stack $5,990/yr

Full FCI + CUI coverage. Mapped artifacts, evidence, and consulting on both layers. Predictable annual cost.

vs
Single C3PAO Assessment ~$50,000

Per cycle, every three years โ€” and again at full price if you don't pass the first time. Assessment fee only.

A C3PAO assessment is a third-party certification engagement that, for CUI-handling programs that eventually require it, commonly runs in the neighborhood of $50,000 per cycle โ€” every three years, with the meter starting over if you fail. That's before any of the preparation work it takes to be ready for it.

For a program that's currently eligible to self-assess, the combined stack lets you build real, defensible compliance on both layers for a fraction of a single C3PAO cycle โ€” and do it on a planned annual budget instead of a five-figure event you brace for.

To be clear: these are different paths, not interchangeable ones. If your program is required to use a C3PAO, that's the path you're on โ€” the self-assessment packages aren't in scope for you. The comparison applies to programs that are eligible to self-assess and want to make that window count.

The Self-Assessment Window โ€” and Why Timing Matters

The opportunity in front of self-assessment-eligible contractors isn't permanent. The phased rollout of CMMC creates a window during which many CUI-handling programs can self-assess before a C3PAO assessment becomes mandatory for them.

That window is the strategic moment. Used well, it's the time to:

  • Build your compliance posture properly on both layers โ€” real artifacts, real evidence, real procedures.
  • Validate it through a structured self-assessment, so you know it holds together under scrutiny.
  • Be ready โ€” so that if and when a C3PAO assessment does become required for your program, you're walking in with a mature, documented, defensible posture instead of starting from scratch.

The contractors who treat the window as breathing room โ€” "we'll deal with it later" โ€” are the ones who end up scrambling when the deadline lands. The ones who use it to build and validate are the ones who turn a stressful certification into a confirmation of work they've already done.

How to Know If the Combined Stack Fits You

The combined stack is the right answer for one specific situation: a small contractor with at least one contract that involves CUI handling, whose L2 program is eligible for self-assessment. If that's you, you almost certainly need both layers โ€” FCI coverage for the main business, CUI coverage for the enclave.

The clearest signals come from your contract language and your data:

What you handle What you likely need
FCI only โ€” no CUI exposure L1 Turnkey alone. Most of the small contractor market lives here.
FCI and CUI, self-assessment-eligible The combined stack โ€” both layers. $5,990/year for full coverage.
CUI in a large or complex environment, or a C3PAO-required program More than this right-sized stack provides. A different conversation โ€” and we'll tell you so.

If you're not sure which row you're in โ€” and plenty of contractors genuinely aren't, because the FCI/CUI distinction and self-assessment eligibility aren't always obvious from a contract at a glance โ€” that's exactly what the free consultation is for. Thirty minutes is usually enough to map your scope and tell you which package(s) actually apply.

If You Only Handle FCI, You Only Need L1 โ€” but It Still Has to Be Real

Let's be honest about who this combined stack is not for. A large share of small defense contractors handle FCI but never touch CUI. If that's you, the combined stack is over-buying. You need Layer 1 โ€” the L1 Turnkey package โ€” and that's it.

But "you only need L1" is not the same as "L1 is easy" or "a checklist will do." A Level 1 self-assessment is a legally binding declaration in SPRS, and the DoD can verify it. The contractors who get burned are the ones who treated Level 1 as a box-checking exercise and discovered, when someone asked for evidence, that they had assertions instead of artifacts.

The point of the whole series: whichever path is yours โ€” L1 alone, or the full stack โ€” it has to be real, defensible, and built to survive scrutiny. That's what the packages are designed to produce. Not a checklist. A posture you can stand behind.

Two Packages. One Predictable Cost. One Defined Path.

Bring your contracts and your situation. We'll map your scope, confirm whether you handle FCI, CUI, or both, and tell you exactly which package(s) apply โ€” in under 30 minutes. No pitch. No obligation. If the answer is "you only need L1," or even "you don't need us," we'll tell you that too.

The self-assessment window is open. Use it to build, validate, and be ready.

Book Your Free Consultation Explore the Packages

Overwatch Tools โ€” CMMC Compliance Solutions for Small Defense Contractors

Chesapeake, Virginia | overwatchtools.com | info@overwatchtools.com

ยฉ 2026 Overwatch Tools. The L2 CUI Enclave Package is for CMMC Level 2 self-assessment programs only. Programs requiring a C3PAO are not in scope.

Share Post
  • Twitter
  • Facebook
  • Pinterest
  • Linkedin
Right-Sized for Small Business...
Right-Sized for Small Business: CMMC Level 1 and Level 2 Without Enterprise IT
What's Actually in the Box: A Full Inventory of Your CMMC Toolkit
What’s Actually in the B...

Comments are closed

Company Address

  • Overwatch Tools, Inc.
  • 300 Woodards Ford Road
  • Chesapeake Virginia 23322
  • E-Mail: info@overwatchtools.com
  • Outervision Capitol Company
  • Privacy Policy

,Copyright ยฉ 2025 Overwatch Tools, Inc.

Home
Shop
Contact us
More
More
  • Home
  • Demo & Video
  • Blog
  • About Us
  • Try Free Self-Assessment Tool