What Is CMMC and Do You Need It?
Contributors
CMMC now applies well beyond the large defense primes you might expect. The Department of Defense has extended cybersecurity requirements to the full supply chain, including small and mid-size contractors and subcontractors who handle even limited government information. If you hold a DoD contract, or you work under one as a subcontractor, this requirement likely reaches you, whether you know it yet or not. Most businesses arriving at this question do not yet know their own compliance status, and that uncertainty carries real risk as new solicitations begin requiring proof of compliance. This guide gives you a plain-language starting point: what CMMC is, how you determine your scope, and what level applies to you.
What CMMC Actually Is
CMMC stands for Cybersecurity Maturity Model Certification, a Department of Defense program that verifies contractors protect sensitive government information at a level appropriate to the data they handle. The program replaces a self-attestation model with a framework of verified security practices, tiered across three levels of increasing rigor.
Two categories of information drive your obligations. Federal Contract Information, or FCI, covers information the government provides or generates under a contract that it does not intend for public release. Controlled Unclassified Information, or CUI, covers a narrower and more sensitive category that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. Your CMMC level depends directly on which of these categories your business touches. If you handle only FCI, you fall under Level 1. If you handle CUI, you move into Level 2 or higher, with added controls and, in most cases, third-party assessment. Establishing which category applies to you is the first and most consequential step in this process.
How You Determine Your Scope
You determine your CMMC obligation by answering two questions: do you hold a direct DoD contract or work under one as a subcontractor, and does that work involve FCI. Most businesses assume this only affects large defense manufacturers, but the scope reaches much further into ordinary commercial services.
Consider a freight logistics firm that moves DoD cargo under a transportation contract. The firm receives shipping manifests, delivery schedules, and routing instructions that qualify as FCI, even though the company builds nothing and handles no classified material. That contract alone creates a CMMC obligation. Consider also a staffing firm that places workers on a military installation under a facilities services contract. The staffing firm may never touch a weapons system, but personnel records, access schedules, and installation logistics it manages on the government's behalf still qualify as FCI.
Neither company fits the traditional image of a defense contractor, and neither company can assume the requirement skips them. The determining factor is never company size or industry. It is whether your contract touches DoD information, directly or through a prime. Read your contract language for references to FCI handling, review any flow-down clauses your prime has passed to you, and treat any government-furnished information you receive as a signal that this requirement reaches you.
The Three CMMC Levels
CMMC organizes requirements into three levels, and understanding where you land determines everything else about your compliance path.
Level 1 applies to contractors who handle only FCI. It requires you to implement 15 basic safeguarding practices drawn from FAR 52.204-21, and you verify your own compliance through an annual self-assessment. No third-party assessor gets involved.
Level 2 applies to contractors who handle CUI. It requires you to implement 110 controls from NIST SP 800-171, and most contractors at this level undergo a third-party assessment performed by a Certified Third-Party Assessment Organization, or C3PAO.
Level 3 applies to a smaller set of contractors supporting the government's highest-priority programs. It builds on Level 2 with additional controls from NIST SP 800-172, and the Defense Industrial Base Cybersecurity Assessment Center, not a C3PAO, conducts these assessments directly.
Most small and mid-size contractors, based on the volume of solicitations issued to date, fall into Level 1.
Why Timing Matters Now
CMMC enforcement follows a phased rollout, and the timing matters regardless of which level applies to you. Phase 1 became effective in November 2025, and DoD contracting officers began including CMMC requirements in new solicitations from that point forward.
October 2026 marks the next major milestone. Contracts issued on or after this date will require your CMMC status to appear in the Supplier Performance Risk System, or SPRS, before you can bid, renew, or exercise an option on a covered contract. This requirement applies even to contracts you already hold, since renewals and option exercises trigger the same check as new awards.
Businesses that wait until a solicitation requires proof of compliance put themselves at a disadvantage against competitors who complete their assessment early. A Level 1 self-assessment moves faster than a Level 2 third-party assessment, but neither happens instantly, and the practices themselves take time to implement and document correctly. Starting your scope determination now gives you the runway to meet the deadline without disrupting your active contract pipeline.
Your Next Step
Once you know whether your business handles FCI or CUI, and whether you hold a direct contract or work under a prime, you have what you need to determine your level. If your review points to Level 1, the next step is working through the 15 required practices and preparing your self-assessment and SPRS submission.
Start with our Readiness Checklist, built specifically for Level 1 contractors, to walk through each qualifying question and safeguarding practice in sequence. If you are still unsure where your business lands after reviewing your contracts, our homepage self-qualifier tool asks the same questions our team asks in an initial scoping call, and gives you a fast, direct read on your status.
Other Popular Articles
In the digital age, businesses must adopt an ad
GRC is the capability, or integrated collection