
Do CMMC requirements apply to non-DoD contracts?
As of June 2020, CMMC requirements will only apply to DoD contracts.
Join our newsletter:
As of now CMMC requirements will only apply to U.S. Department of Defense contracts. This is clearly stated on the official CMMC website. However Katie Arrington who is leading the cybersecurity maturity model certification (CMMC) program said that she “knows other federal agencies are already looking at it (CMMC). So I've got to work all the bugs out.”
FAR 52.204-21 applies to Federal Contracts
Federal contracts where a contractor's system processes, stores, or transmits Federal contract information (FCI) require the implementation of the security controls specified in FAR 52.204-21. As of June 2020, non-DoD contracts do not require CMMC. Please note that the CMMC level one requirements are drawn from FAR 52.204-21. By implementing your FAR 52.204-21 controls you will be prepared if the Federal government starts requiring CMMC.