What is CMMC?
The purpose of the Cybersecurity Maturity Model Certification (CMMC) program is to verify that contractors with the Department of Defense (DoD) are fulfilling their obligations to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by meeting standardized cybersecurity requirements. These requirements vary depending on the type and sensitivity of the information. The program has three tiers with escalating security requirements. DoD requests for proposals (RFPs) will include a clause identifying the CMMC level required for a contractor (and its subcontractors) to receive an award.
Verification will take place by self-assessment or third-party assessment depending on the CMMC level requirement.
The CMMC program was established by the CMMC Program final rule published October 15, 2024 and is being implemented by the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) final rule published on September 10, 2025. CMMC is being implemented in three phases (see more below); Phase 1 begins November 10, 2025.
What are the requirements for each of the three CMMC levels?
- Level 1: Contractors and applicable subcontractors must complete an annual self-assessment to verify their compliance with the security requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” A senior official from each contractor and applicable subcontractors must annually affirm compliance via the Supplier Performance Risk System (SPRS).
- Level 2: Contractors and applicable subcontractors must implement the 110 security requirements specified by DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which are based on the National Institute of Standards and Technology (NIST) standard for protecting controlled unclassified information, NIST SP 800-171 Rev. 2. Assessment procedures for compliance with NIST SP 800-171 Rev. 2 are found in NIST SP 800-171A.
- Level 2 comes in two versions: self-assessment and third-party certification (depending on whether the acquisition involves information critical to national security). Self-assessment is required every three years and compliance will need to be affirmed on an annual basis.
- Level 2 contractors and subcontractors that must be assessed by a third party must be certified by a third-party assessment organization (C3PAO) every three years and affirm continuous compliance annually.
- Level 3: Contractors must meet all Level 2 requirements as well as 24 select NIST SP 800-172 security requirements. Level 3 contractors must pass an assessment every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in addition to Level 2 reporting requirements. The assessment procedures for NIST SP 800-172 are found in NIST SP 800-172A.
What contracts will CMMC apply to?
CMMC requirements will be incorporated into DoD contracts above the micro-purchase threshold (MPT) where the contractor provides information systems that “process, store, or transmit” FCI or CUI. Contracts exclusively for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements. There is no exception for FAR Part 12 commercial product or commercial service contracts.
Who will be required to undergo a CMMC self-assessment or third-party certification?
According to a DoD Guidance Memorandum (published 1/25/25) on the implementation of CMMC, the following CMMC levels will be required of contractors based on the sensitivity of data that the contractor will “process, share, or transmit” under a DoD solicitation:
- Level 1 Self-assessment: Required “if the planned contract, task order, or delivery order may require the contractor (or subcontractors at any tier) to process, store, or transmit only Federal Contract Information (FCI) in its information system.” FCI is defined at FAR 4.1901.
- Level 2 Assessment: Required “if the planned contract will require the contractor (or subcontractors) to process, store, or transmit Controlled Unclassified Information (CUI) on a contractor-owned information system”; in that case “compliance must be assessed against NIST SP 800-171 requirements.”
- Level 2 Self-assessment: Required when a contractor handles CUI that is completely outside of the National Archive’s CUI Registry Defense Organizational Index Grouping. The
- Level 2 Assessment by C3PAO: Certification by a C3PAO is required when a contractor handles CUI that is within the National Archive’s CUI Registry Defense Organizational Index Grouping.
- Level 3 Certification: Certification by DCMA of compliance with the enhanced protections under NIST SP 800-172 is required when a contractor handles:
  - CUI associated with a breakthrough, unique, and/or advanced technology;
  - A significant aggregation or compilation of CUI in a single information system or IT environment; and
  - “Ubiquity – when an attack on a single information system or IT environment would result in widespread vulnerability across DoD.”
Does CMMC flow down to subcontractors?
Yes—generally speaking, subcontracts will be subject to a CMMC level that matches the sensitivity of the information they will handle in the performance of the subcontract. Prime contractors must ensure that their subcontractors have a current CMMC certificate or self-assessment at the required CMMC level appropriate to the information that is flowed down to the subcontractor.
What is the timeline for the rollout of CMMC?
CMMC will be implemented in a three-phase approach over three years. Each phase will last one year. Phase 1 begins November 10, 2025. This is when the DFARS rule, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), goes into effect.
- Phase 1: Upon the above rule’s finalization, CMMC Level 1 and 2 self-assessments will be a condition of award for new contracts that include a CMMC level requirement. A limited number of contracts may require Level 2 C3PAO assessments at DoD’s discretion. This phase lasts until November 10, 2026.
- Phase 2: Beginning November 10, 2026, DoD will start adding Level 2 certification requirements to applicable contracts. Level 3 certification requirements will be incorporated into a limited number of applicable contracts at DoD’s discretion. This phase lasts until November 10, 2027.
- Phase 3: As of November 10, 2027, DoD will extend Level 2 certification requirements to existing contracts, and Level 3 certification will be required on applicable contracts. DoD can begin to include Level 2 C3PAO assessment requirements in options to exercise active DoD contracts. This phase lasts until November 10, 2028.
- Phase 4: Starting November 10, 2028, CMMC will fully apply to all DoD contracts above the MPT where a contractor handles FCI or CUI (except for purely COTS contracts). This will include options to exercise active contracts.*
*Applicable contracts that are not awarded or extended during the phased implementation will incorporate CMMC requirements upon their award/extension.
CMMC Law and Regulations:
- CMMC Program Final Rule (10/15/24)
- Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) (9/10/25)
- Executive Order 13556 — Controlled Unclassified Information
- FAR Clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS Clause 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS Clause 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
- DoD Memo “Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements”
Member Resources:
Sheppard, Mullin, Richter & Hampton
- Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here! (9/15/25)
- Countdown to Compliance: DoD Finalizes the CMMC Program Rule (10/15/24)
Rogers Joseph O’Donnell
Perkins Coie
Blank Rome
- The Department of Defense Releases Proposed CMMC Rule (12/22/23)
- The Department of Defense Issues Proposed Timeline for CMMC Implementation (01/04/24)
- Understanding the Basics of CMMC Level 1 (01/09/24)
- Understanding the Basics of CMMC Level 2 (01/16/24)
- Understanding the Basics of CMMC Level 3 (01/23/24)
Morris Manning & Martin
- Ringing In The New Year With The Codification Of CMMC 2.0 (01/04/24)
- Not Up for Debate: CMMC 2.0 Gains Additional Traction (07/01/2024)
Holland & Knight
- Department of Defense Releases Long-Awaited CMMC Proposed Rule (12/27/23)
- The Proposed CMMC Rule Is Here: What It Means for Your Organization (01/04/2024)
Mayer Brown
Arnold & Porter
- Department of Defense Issues CMMC 2.0 Proposed Rule (01/05/2024)
- Breaking Down the CMMC Proposed Rule | Podcast (01/16/2024)
Covington
Crowell & Moring
- DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule (12/27/2023)
- This is Just a Test: Advising Your Client on Real-World Cybersecurity Questions Using Fictional Scenarios Connected to the Department of Defense’s Proposed Cybersecurity Maturity Model Program (07/31/24)
- The Impact Of The Cybersecurity Maturity Model Certification On The Defense Industrial Base (05/01/2024)
- Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program (10/14/24)
- Finally, the CMMC Final Rule: DoD Completes CMMC Rulemaking, Ushering in New Era in DoD Cybersecurity (9/10/25)