Defense Industrial Base CMMC

Who Needs a CMMC Certification?

Learn which companies need to earn a CMMC certification to work on DoD contracts.

Join our newsletter:
Companies handling “controlled unclassified information” CUI and “federal contract information” will need to earn a Cybersecurity Maturity Model Certification (CMMC).
Companies with DFARS clause 252.204-7012 in their DoD contracts are already required to implement NIST SP 800-171. DFARS clause 252.204-7012 was included in contracts that involved handling “controlled unclassified information” (CUI). As a result it can be deduced that these companies will have a CMMC requirement of level 3 or higher.
Companies that are subcontractors may also have CMMC requirements. These requirements do not necessarily have to be the same as the prime contractor's. For example, a prime contractor may have a level 3 CMMC requirement but a sub contractor working on the same contract may have a level 1 requirement.
Companies only providing Commercial-Off-The-Shelf (COTS) products to the DoD may not require a CMMC certification . Commercially available off-the-shelf (COTS) are commercial items (as defined in paragraph (1) of the definition at FAR 2.101), sold in substantial quantities in the commercial marketplace, offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. COTS do not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products.
Summary: All companies with a DoD contract who handle either “controlled unclassified information” (CUI) or information that is “for official use only” (FOUO) will need to earn a CMMC certification.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.