Federal Contracts CMMC

Do CMMC requirements apply to non-DoD contracts?

As of June 2020, CMMC requirements will only apply to DoD contracts.

Join our newsletter:
As of now CMMC requirements will only apply to U.S. Department of Defense contracts. This is clearly stated on the official CMMC website. However Katie Arrington who is leading the cybersecurity maturity model certification (CMMC) program said that she “knows other federal agencies are already looking at it (CMMC). So I've got to work all the bugs out.”

FAR 52.204-21 applies to Federal Contracts

Federal contracts where a contractor's system processes, stores, or transmits Federal contract information (FCI) require the implementation of the security controls specified in FAR 52.204-21. As of June 2020, non-DoD contracts do not require CMMC. Please note that the CMMC level one requirements are drawn from FAR 52.204-21. By implementing your FAR 52.204-21 controls you will be prepared if the Federal government starts requiring CMMC.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.