The Stack: Why Most CUI Handlers Need Both L1 and L2
If your contracts involve both FCI and CUI, you don't pick between Level 1 and Level 2 โ you need both. Here's what the combined stack actually looks like, and why $5,990/year covers it.
Final post in "CMMC Compliance with Overwatch Tools: The Product Series"
If your contracts involve both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), here is the thing the rest of the industry tends to bury under jargon:
You don't choose between CMMC Level 1 and Level 2. If you handle both FCI and CUI, you need both.
They aren't competing options. They're two layers of the same compliance posture, covering two different parts of your business. Throughout this series we've shown you what real compliance looks like versus a checklist, how the consulting sessions are structured, why platform-specific templates matter, what evidence survives scrutiny, and how all of it stays right-sized for a small business. This post is the close. It brings the two paths together into one clear proposition โ and tells you how to take them.
A Stack, Not a Choice
Most small contractors think of CMMC as a single ladder: get to Level 1, then maybe climb to Level 2. That mental model is where the confusion starts. Level 1 and Level 2 don't sit on top of each other on the same system. They cover different scopes.
Your main business โ the systems where your team works every day, emails clients, stores quotes and contract paperwork โ handles FCI. That's a Level 1 problem. Your CUI, when you have it, doesn't belong on those same everyday systems. It belongs in a dedicated enclave, separated and tightly scoped. That enclave is the Level 2 problem.
So a contractor with both kinds of data has two distinct jobs to do, on two distinct scopes:
CMMC Level 1 ยท Covers FCI
Your everyday systems โ the M365 or Google Workspace environment your team already runs on. This is where FCI lives, and Level 1 secures it.
CMMC Level 2 ยท Covers CUI
A dedicated, separated enclave on GCC High or Workspace for Government โ scoped only for CUI. Level 2 secures this layer without touching your everyday environment.
Layer 1: The L1 Turnkey Package โ $2,495/Year
This is the layer that covers your main business, where FCI lives. It's the same L1 Turnkey package we've walked through earlier in the series โ defined, mapped, and sessioned, not open-ended consulting.
- 8 bi-weekly expert consultation sessions โ one hour each, keeping momentum from kickoff through your SPRS submission.
- 15 CMMC Level 1 practices โ 142 required artifacts โ every practice broken into the specific documents and evidence an assessment expects.
- Platform-specific templates for Microsoft 365 or Google Workspace โ no translating generic enterprise documents into your environment.
- All 8 device & network configuration guides, implementation procedures, and workflows.
- Evidence Locker & SPRS report โ packaged, date-stamped, and ready for self-assessment documentation.
Most clients complete their Level 1 self-assessment in 2โ4 weeks, depending on existing infrastructure and how quickly your team works through the sessions. Limited time: $2,495/year โ $500 off the regular $2,995.
If you only handle FCI โ no CUI exposure at all โ this layer is the whole job. We'll come back to that case near the end, because it's where a large share of the small contractor market actually lives.
Layer 2: The L2 CUI Enclave Package โ $3,495/Year
This is the layer that covers your CUI โ and only your CUI. It builds a dedicated enclave, separated from your everyday systems, scoped for limited CUI needs and built without enterprise IT.
- 12 bi-weekly expert consulting sessions โ kickoff, platform decision, build, evidence, dry run, SPRS.
- 110 CMMC Level 2 practices โ 182 defined artifacts, organized across the 14 CMMC domains.
- Optimized for Microsoft 365 GCC High or Google Workspace for Government โ your choice of platform variant, with dedicated enclave configuration guides for each.
- System Security Plan (SSP), POAM framework, Risk Register, and evidence checklist โ pre-filled and ready to adapt.
- Right-sized for small businesses with limited CUI needs โ no Active Directory, no SIEM, no full-time security staff. We provide templates and configuration guides; your team implements with our support.
- Time estimates on every task โ implementable part-time, around your real workload.
The Combined Stack โ $5,990/Year for Full FCI + CUI Coverage
Put both layers together and you have complete coverage: your main business secured at Level 1, your CUI enclave secured at Level 2. One provider. One cohesive approach. Two packages that share the same design language and operational philosophy โ so nothing falls between the cracks.
A planned, predictable annual cost โ with mapped artifacts, evidence, and consulting on both layers.
What's in scope
Full coverage for a contractor handling both FCI and CUI: a Level 1 self-assessment on your everyday business systems, plus a Level 2 self-assessment on a dedicated, separated CUI enclave. Both packages give you defined artifacts, expert sessions, platform-specific configuration guides, and self-assessment documentation.
What's not in scope
We provide templates, configuration guides, and consulting โ your team implements with our support. We don't set up your enclave for you, and we don't provide hardware. The L2 package is for self-assessment-eligible programs only; if your contract requires a C3PAO, that's a different path. And large or complex CUI environments โ the kind that genuinely need Active Directory, a SIEM, or full-time security staff โ need more than this right-sized stack provides.
Want to confirm your scope and see which package(s) apply to your contracts?
The Math: $5,990/Year vs. a $50,000 C3PAO Assessment
Here's the comparison that reframes the whole decision. The combined stack isn't being measured against "doing nothing." It's being measured against what CUI compliance costs the other way.
Full FCI + CUI coverage. Mapped artifacts, evidence, and consulting on both layers. Predictable annual cost.
Per cycle, every three years โ and again at full price if you don't pass the first time. Assessment fee only.
A C3PAO assessment is a third-party certification engagement that, for CUI-handling programs that eventually require it, commonly runs in the neighborhood of $50,000 per cycle โ every three years, with the meter starting over if you fail. That's before any of the preparation work it takes to be ready for it.
For a program that's currently eligible to self-assess, the combined stack lets you build real, defensible compliance on both layers for a fraction of a single C3PAO cycle โ and do it on a planned annual budget instead of a five-figure event you brace for.
The Self-Assessment Window โ and Why Timing Matters
The opportunity in front of self-assessment-eligible contractors isn't permanent. The phased rollout of CMMC creates a window during which many CUI-handling programs can self-assess before a C3PAO assessment becomes mandatory for them.
That window is the strategic moment. Used well, it's the time to:
- Build your compliance posture properly on both layers โ real artifacts, real evidence, real procedures.
- Validate it through a structured self-assessment, so you know it holds together under scrutiny.
- Be ready โ so that if and when a C3PAO assessment does become required for your program, you're walking in with a mature, documented, defensible posture instead of starting from scratch.
The contractors who treat the window as breathing room โ "we'll deal with it later" โ are the ones who end up scrambling when the deadline lands. The ones who use it to build and validate are the ones who turn a stressful certification into a confirmation of work they've already done.
How to Know If the Combined Stack Fits You
The combined stack is the right answer for one specific situation: a small contractor with at least one contract that involves CUI handling, whose L2 program is eligible for self-assessment. If that's you, you almost certainly need both layers โ FCI coverage for the main business, CUI coverage for the enclave.
The clearest signals come from your contract language and your data:
| What you handle | What you likely need |
|---|---|
| FCI only โ no CUI exposure | L1 Turnkey alone. Most of the small contractor market lives here. |
| FCI and CUI, self-assessment-eligible | The combined stack โ both layers. $5,990/year for full coverage. |
| CUI in a large or complex environment, or a C3PAO-required program | More than this right-sized stack provides. A different conversation โ and we'll tell you so. |
If you're not sure which row you're in โ and plenty of contractors genuinely aren't, because the FCI/CUI distinction and self-assessment eligibility aren't always obvious from a contract at a glance โ that's exactly what the free consultation is for. Thirty minutes is usually enough to map your scope and tell you which package(s) actually apply.
If You Only Handle FCI, You Only Need L1 โ but It Still Has to Be Real
Let's be honest about who this combined stack is not for. A large share of small defense contractors handle FCI but never touch CUI. If that's you, the combined stack is over-buying. You need Layer 1 โ the L1 Turnkey package โ and that's it.
But "you only need L1" is not the same as "L1 is easy" or "a checklist will do." A Level 1 self-assessment is a legally binding declaration in SPRS, and the DoD can verify it. The contractors who get burned are the ones who treated Level 1 as a box-checking exercise and discovered, when someone asked for evidence, that they had assertions instead of artifacts.
Two Packages. One Predictable Cost. One Defined Path.
Bring your contracts and your situation. We'll map your scope, confirm whether you handle FCI, CUI, or both, and tell you exactly which package(s) apply โ in under 30 minutes. No pitch. No obligation. If the answer is "you only need L1," or even "you don't need us," we'll tell you that too.
The self-assessment window is open. Use it to build, validate, and be ready.
Book Your Free Consultation Explore the Packages