CMMC Compliance Overview

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a standard issued directly by the Department of War (DoW). It establishes mandatory cybersecurity requirements for all contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Depending on the sensitivity of the data you manage, your organization will need to certify at the appropriate level.

More information to come on how this might impact your NSTXL membership status and your ability to submit on future opportunities.

When to Be Certified

CMMC requirements will be added to DoW contracts in phases beginning on November 10, 2025. To remain eligible for future opportunities, companies should prepare now and be certified at the appropriate level before CMMC appears in their target solicitations. NSTXL will be providing cost-effective CMMC2 options for our members within the next few weeks.

Certification Levels and Requirements

Certification requirements vary by level, but all come directly from the Department of War and will be phased into contracts over the next several years.

Level 1 Requirements (Foundational)

Requires organizations to implement 17 basic cyber hygiene practices derived from FAR 52.204-21. Certification can be achieved through a self-assessment submitted annually through the Supplier Performance Risk System (SPRS).

Level 2 Requirements (Advanced)

Aligned with the 110 security controls within NIST SP 800-171 Revision 2. Some contracts will allow for Level 2 self-assessments, but most will require an independent evaluation conducted by a Certified Third-Party Assessment Organization (C3PAO).

Level 3 Requirements (Expert)

Aligned with the 110 security controls in NIST SP 800-171 Revision 2, along with an additional 24 controls outlined in NIST SP 800-172. Requires a government-led assessment every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Update Your Email Subscription to Stay Informed on CMMC Compliance Changes and Regulations.

NSTXL will keep you up to date on new information regarding CMMC. Please ensure that you update your email subscription to stay informed about changes in compliance, certification due dates, and to avoid any impact on your membership resulting from these new laws.

Frequently Asked Questions (FAQs)

These frequently asked questions come from the Department of War Chief Information Officer’s (DOWCIO) website.

The DoW will begin to incorporate CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 becomes effective. The first 12 months of implementation will primarily focus on self-assessments. For further information on the DoW’s phased implementation plan, please see 32 Code of Federal Regulations (CFR) 170.3(e).

Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of the CMMC compliance cost. However, the cost of achieving CMMC compliance (i.e., self-assessment or certification) depends on various factors, including, but not limited to, the CMMC level required, the complexity of the defense industrial base (DIB) company’s unclassified network, the existing cybersecurity posture of the organization, and market forces of supply and demand.

The DoW provides resources to help businesses who wish to enter the DIB reach cybersecurity compliance.

  • The DoW CIO DIB Cybersecurity Program has compiled a list of no-cost Cybersecurity-as-a-Service resources to reduce barriers to DIB community compliance and support contract cybersecurity efforts at dibnet.dod.mil under DoW DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.
  • The CMMC Accreditation Body, currently the Cyber AB, has a marketplace of certified CMMC assessors, professionals, and registered practitioner organizations that companies can engage now to prepare for CMMC implementation: https://cyberab.org/marketplace
  • The Defense Acquisition University offers free online CMMC and cybersecurity training: https://www.dau.edu/cybersecurity/training
  • The Defense Acquisition University also offers a drop-down for CMMC web events: https://www.dau.edu/cybersecurity/cyber-solutions (click the drop-down labeled “CMMC Resources from the DoW CIO”)
  • DoW’s Office of Small Business Programs has compiled a list of resources on their website that are aimed at helping small and medium-sized businesses understand security requirements and reach compliance: https://business.defense.gov/Resources/FAQs/
Once CMMC is implemented contractually, the DoW will specify the required CMMC level in the solicitation and the resulting contract.

Yes. Companies can implement Revision 3 but must use the DoW’s Organization-Defined Parameters (ODPs) defined in the April 2025 memorandum, “Department of War Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” found here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf. Because CMMC Assessments will be conducted against Revision 2 until the class deviation memo (Q3 of this section) is withdrawn or otherwise superseded, DIB companies must ensure any identified gaps between Revision 2 and Revision 3 are addressed.

Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the DoW’s timeline for phased implementation of CMMC requirements in applicable procurements.

No, if a DIB company does not process, store, or transmit CUI, it does not need an independent assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.

The public will not have access to a listing of DIB companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the DoW officers leading procurement activities.

A company can view their own scores and status in the Supplier Performance Risk System (SPRS). Suppliers may print verification of their status from SPRS to share with their Primes. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements. The DoW expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoW contracts.