What Is CMMC and Do You Need It?

Contributors

Shantanoo Govilkar
Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions
Image
what-is-cmmc-do-you-need-it

CMMC now applies well beyond the large defense primes you might expect. The Department of Defense has extended cybersecurity requirements to the full supply chain, including small and mid-size contractors and subcontractors who handle even limited government information. If you hold a DoD contract, or you work under one as a subcontractor, this requirement likely reaches you, whether you know it yet or not. Most businesses arriving at this question do not yet know their own compliance status, and that uncertainty carries real risk as new solicitations begin requiring proof of compliance. This guide gives you a plain-language starting point: what CMMC is, how you determine your scope, and what level applies to you.

cmmc-fci-cui-applicability

What CMMC Actually Is

CMMC stands for Cybersecurity Maturity Model Certification, a Department of Defense program that verifies contractors protect sensitive government information at a level appropriate to the data they handle. The program replaces a self-attestation model with a framework of verified security practices, tiered across three levels of increasing rigor.

Two categories of information drive your obligations. Federal Contract Information, or FCI, covers information the government provides or generates under a contract that it does not intend for public release. Controlled Unclassified Information, or CUI, covers a narrower and more sensitive category that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. Your CMMC level depends directly on which of these categories your business touches. If you handle only FCI, you fall under Level 1. If you handle CUI, you move into Level 2 or higher, with added controls and, in most cases, third-party assessment. Establishing which category applies to you is the first and most consequential step in this process.

How You Determine Your Scope

You determine your CMMC obligation by answering two questions: do you hold a direct DoD contract or work under one as a subcontractor, and does that work involve FCI. Most businesses assume this only affects large defense manufacturers, but the scope reaches much further into ordinary commercial services.

Consider a freight logistics firm that moves DoD cargo under a transportation contract. The firm receives shipping manifests, delivery schedules, and routing instructions that qualify as FCI, even though the company builds nothing and handles no classified material. That contract alone creates a CMMC obligation. Consider also a staffing firm that places workers on a military installation under a facilities services contract. The staffing firm may never touch a weapons system, but personnel records, access schedules, and installation logistics it manages on the government's behalf still qualify as FCI.

Neither company fits the traditional image of a defense contractor, and neither company can assume the requirement skips them. The determining factor is never company size or industry. It is whether your contract touches DoD information, directly or through a prime. Read your contract language for references to FCI handling, review any flow-down clauses your prime has passed to you, and treat any government-furnished information you receive as a signal that this requirement reaches you.

The Three CMMC Levels

CMMC organizes requirements into three levels, and understanding where you land determines everything else about your compliance path.

Level 1 applies to contractors who handle only FCI. It requires you to implement 15 basic safeguarding practices drawn from FAR 52.204-21, and you verify your own compliance through an annual self-assessment. No third-party assessor gets involved.

Level 2 applies to contractors who handle CUI. It requires you to implement 110 controls from NIST SP 800-171, and most contractors at this level undergo a third-party assessment performed by a Certified Third-Party Assessment Organization, or C3PAO.

Level 3 applies to a smaller set of contractors supporting the government's highest-priority programs. It builds on Level 2 with additional controls from NIST SP 800-172, and the Defense Industrial Base Cybersecurity Assessment Center, not a C3PAO, conducts these assessments directly.

Most small and mid-size contractors, based on the volume of solicitations issued to date, fall into Level 1.

Why Timing Matters Now

CMMC enforcement follows a phased rollout, and the timing matters regardless of which level applies to you. Phase 1 became effective in November 2025, and DoD contracting officers began including CMMC requirements in new solicitations from that point forward.

October 2026 marks the next major milestone. Contracts issued on or after this date will require your CMMC status to appear in the Supplier Performance Risk System, or SPRS, before you can bid, renew, or exercise an option on a covered contract. This requirement applies even to contracts you already hold, since renewals and option exercises trigger the same check as new awards.

Businesses that wait until a solicitation requires proof of compliance put themselves at a disadvantage against competitors who complete their assessment early. A Level 1 self-assessment moves faster than a Level 2 third-party assessment, but neither happens instantly, and the practices themselves take time to implement and document correctly. Starting your scope determination now gives you the runway to meet the deadline without disrupting your active contract pipeline.

Your Next Step

Once you know whether your business handles FCI or CUI, and whether you hold a direct contract or work under a prime, you have what you need to determine your level. If your review points to Level 1, the next step is working through the 15 required practices and preparing your self-assessment and SPRS submission.

Start with our Readiness Checklist, built specifically for Level 1 contractors, to walk through each qualifying question and safeguarding practice in sequence. If you are still unsure where your business lands after reviewing your contracts, our homepage self-qualifier tool asks the same questions our team asks in an initial scoping call, and gives you a fast, direct read on your status. 

Get the latest insights straight from our desk to your inbox.

Other Featured Articles

Explore More
what-is-cmmc-do-you-need-it

What Is CMMC and Do You Need It?

Learn what CMMC is, who needs it, and how to determine if your business requires Level 1 compliance for DoD contracts.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
mmc-level-selection-guide

CMMC Level 1 vs Level 2, Which Applies to You?

Learn the key differences between CMMC Level 1 and Level 2, understand FCI vs. CUI, and determine which CMMC level your DoD contract requires to avoid unnecessary costs or compliance risks.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-dod-subcontractors

What CMMC Means for DoD Subcontractors

Understand what CMMC means for DoD subcontractors, how compliance requirements flow down from prime contractors, who must comply, and the steps to determine your CMMC obligations.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-level-1-self-assessment-guide

How to Complete Your CMMC Level 1 Self Assessment

Complete CMMC Level 1 self-assessment guide: define scope, work through 15 practices, fix common gaps, and submit your SPRS affirmation.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
cmmc-october-2026-deadline

The October 2026 CMMC Deadline: What Happens If You Miss It 

Prepare for the October 2026 CMMC deadline. Learn how compliance affects DoD contract eligibility, SPRS affirmations, renewals, and subcontractors.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Entry-Point

Operational Technology (OT) Penetration Testing Guide for Ransomware Defense

Ransomware doesn't need to breach your control room it needs to get close enough that you can't trust it hasn't.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-510K-and-PMA-Cybersecurity-Testing

A Medical Device Maker's Guide to FDA Cybersecurity Testing for 510(k) & PMA

The FDA doesn't publish a pen testing checklist, but its guidance, 524B requirements, and reviewer expectations add up to one.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Pharma-Pen-Testing-FDA-Complianc

Pharma Pen Testing: Why FDA and IP Risk Need Different Scoping

Standard pen test scoping frameworks weren't built for pharma.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
FDA-524B-Medical-Device-Cybersecurity-Testing

FDA 524B Is Here: What Medical Device Makers Must Test Now

Section 524B made medical device cybersecurity a legal requirement, not a guideline.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
CMMC-2-0-Pen-Testing-Requirements

Why CHIPS Act Manufacturers Can't Rely on CMMC Pen Testing Alone

Semiconductor manufacturers face dual compliance obligations under CMMC 2.0 and the CHIPS Act and a standard pen test satisfies neither fully.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
C3PAO-Audit-Evidence-Mapping

Why Pen Test Evidence Fails C3PAO Assessments (and How to Fix It)

Completing a pen test isn't enough for CMMC.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
PTaaS-vs-Annual-Pen-Testing

PTaaS vs. Annual Pen Testing: Why Manufacturers Are Switching

Annual penetration testing produces documentation, not security.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Map-OT-Attack-Surface

Map Your OT Attack Surface Before the Next Audit

Don't wait for an auditor to tell you what you missed.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Scope-IT-OT-Penetration-Testing

How to Scope IT-OT Penetration Testing Safely

Learn how to safely scope IT-OT penetration testing engagements.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Manufacturing-Penetration-Testing-Frequency

How Often Should Manufacturers Run OT Penetration Testing?

Annual pen testing fits a budget cycle but it doesn't reflect how fast manufacturing environments actually change.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
21-CFR-Part-11-and-cGMP-Requirements

Pharmaceutical Pen Testing: What 21 CFR Part 11 and cGMP Require

21 CFR Part 11 and cGMP don't mention penetration testing but the controls they require depend on it.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
RD-and-Regulated-Systems-Penetration-Testing-Scopes

Pharmaceutical Pen Testing: Why R&D and GxP Need Different Scopes

R&D and GxP regulated environments have different risk profiles, compliance requirements, and testing constraints.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Nation-State-Cyber-Threats-in-Pharma

Why Pharmaceutical Pen Testing Must Address Nation-State Threats

Nation-state actors treat pharma like critical infrastructure targeting formulation data, synthesis routes, and clinical IP with patience and precision.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
IT-OT-Boundary-Ransomware-Risk

How Ransomware Crosses the IT-OT Boundary (And How to Stop It)

Ransomware operators target the IT-OT boundary deliberately and they know manufacturing economics well.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
Where-Industry-4-0-Exposed-OT

Where Industry 4.0 Left Your OT Attack Surface Wide Open

Industry 4.0 connected OT environments were never built for. Learn why traditional IT security tools fall short and what OT penetration testing reveals that audits miss.

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions view
What-AS4-Actually-Solves-Banner-Image

What AS4 Actually Solves: Real Outcomes Companies See After Migration

Discover what AS4 actually solves for modern businesses. Learn the real outcomes companies achieve after migration, from stronger security to better B2B integration performance.

 

EDI Solutions Group
Marketing Group view
AS4-migration-pitfalls-Banner-image

7 Migration Pitfalls That Derail AS4 Upgrades (and How to Avoid Them)

Avoid costly AS4 upgrade mistakes. Discover 7 migration pitfalls that delay projects, create risk, and disrupt B2B messaging, plus practical ways to avoid them.

EDI Solutions Group
Marketing Group view
pen-testing-in-cloud-enviroment-banner-image

How to Perform Penetration Testing in Cloud Environments (AWS, Azure, and GCP) - 2026 Edition

A practical guide to cloud penetration testing across AWS, Azure, and GCP. Learn methods, tools, and best practices to identify vulnerabilities and improve security.

Cybersecurity Solutions Group
Marketing Group view
when-to-switch-legacy-edi-to-as4

5 Signs It's Time to Move Legacy EDI Environment to AS4 Protocol

Partner onboarding delays, compliance gaps, and rising maintenance costs are signals your EDI infrastructure is reaching its limits. Learn the five signs it is time to evaluate a move to AS4.

EDI Solutions Group
Marketing Group view
How-to-Design-Custom-Chatbots-Banner-Image

How to Design Custom Chatbots That Cannot “Make Stuff Up”

Confident AI answers without traceable sources create institutional risk. Learn how Grounded RAG architecture retrieves real documents first and attaches verifiable citations to every response.

Data and AI Solutions Group
Marketing Group view
Conversational-AI-blog-banner

How Citation-Backed Conversational AI Improves Public Access and Internal Decision-Making

AI without source citations creates real liability. Learn how citation-backed AI brings traceable sources, version awareness, and audit-ready outputs to every institutional decision.

Data and AI Solutions Group
Marketing Group view
Network-penetration-testion-blog-banner

How to Perform a Successful Network Penetration Test: Comprehensive Guide for 2025

Learn how to perform a successful network penetration test to identify vulnerabilities, simulate real cyberattacks, and strengthen your organization’s network security.

Cybersecurity Solutions Group
Marketing Group view
Penetration-testing-banner-image

What Is Penetration Testing? A 2026 Expert Guide

A 2026 expert guide to penetration testing for security leaders and IT teams seeking proactive defense, compliance, and stakeholder trust.

Cybersecurity Solutions Group
Marketing Group view
ot-ransomware-prevention-banner-image

OT Ransomware Prevention: Practical Best Practices for Industrial Cybersecurity

Explore enterprise grade OT ransomware prevention strategies, including segmentation, identity control, threat informed detection, and resilient recovery design to protect industrial operations fro

Cybersecurity Solutions Group
Marketing Group view
OT-Ransomware-Risks-and-Response-Banner

10 Myths About OT/ICS Security That Put Your Business at Risk

Think your OT network is secure? Learn the 10 most dangerous myths about OT and ICS cybersecurity that leave industrial operations exposed to attacks.

Cybersecurity Solutions Group
Marketing Group view
OT-ransomeware-risk-and-responses-banner-image

OT Ransomware Risks and Response for Industrial Systems

Learn why OT environments face higher ransomware risk, how attackers gain access, and how effective detection and response reduce operational impact.

Cybersecurity Solutions Group
Marketing Group view
AI-Risk-Assessment-Best-Practices-Banner

AI Risk Assessment: Risk Types, Best Practices & More

Explore AI risk types, essential assessment frameworks, and proven best practices to mitigate threats in AI deployment. Learn actionable strategies for secure AI systems today.

Cybersecurity Solutions Group
Marketing Group view
AI Risk Assessment Banner Image

AI Risk Assessment: Everything You Need to Know

Learn essential processes, methodologies, risk types, regulatory requirements, and practical implementation strategies for safe AI deployment.

Cybersecurity Solutions Group
Marketing Group view
Whitepaper: Ransomware Threat Management

Whitepaper: Ransomware Threat Management

Ransomware continues to be a real threat to business operations across all industries, no organization is safe from this threat.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Cybersecurity Incident Response Preparedness

Cybersecurity Incident Response Preparedness

An incident response framework provides a structure to support incident response operations. A framework typically provides guidance on what needs to be done, but not on how it is done.

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Internet of Things

IoT Medical Device Cybersecurity

Healthcare data and medical devices would be aggressively targeted by ransomware attacks since early 2017 has proven to be true

Laszlo S. Gonc
CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence view
Back
to Top