The Cybersecurity Maturity Model Certification (CMMC) verifies that contractors have implemented the security measures necessary to safeguard FCI1 and CUI2.

Know where you stand

How to check your requirement

If you are applying for an award
  • 1Check the topic's Projected CMMC Level Requirement on the DSIP Topics and Topics Q&A page.
  • 2Carefully review these updated requirements — compliance is required prior to award.
If you have an awarded funding agreement
  • 1You are responsible for the requirements currently on your funding agreement.
  • 2Review all funding agreements and contract modifications for CMMC requirements.

Tips to get ready

 
Start early. Prepare for the CMMC levels you expect to need even if they are not a requirement yet — self-assessments and C3PAO certifications can be lengthy processes depending on readiness.
 
Get help. Utilize online communities and third-party companies for guidance and consulting services.
Rollout underway

CMMC implementation — four-phase plan

 
You are here
Phase 1
Began Nov 10, 2025
  • Where applicable, solicitations will require a Level 1 or 2 self-assessment.
  • DoW may implement Level 2 (C3PAO) requirements in some Phase 1 procurements.
 
Phase 2
Begins Nov 10, 2026
  • Where applicable, solicitations will require a Level 2 C3PAO certification6.
  • DoW may opt to delay the Level 2 certification requirement in a contract to an option period.
  • DoW may implement Level 3 requirements in some Phase 2 procurements.
 
Phase 3
Begins Nov 10, 2027
  • Where applicable, solicitations will require a Level 3 certification.
  • DoW may opt to delay the Level 3 certification requirement in a contract to an option period.
 
Phase 4
Begins Nov 10, 2028
  • All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award.
 
Phase 1 has begun — do this now
Complete a CMMC Level 1 and/or Level 2 self-assessment, if applicable, and submit it to the SPRS.
 
Phase 2 starts soon — prepare
Prepare for and complete a Level 2 C3PAO certification, if applicable.
Know your requirement

The three CMMC levels

 
LEVEL 1
Basic Safeguarding of FCI
 
Applies to you if you process, store, or transmit Federal Contract Information (FCI)1.
  • 15 security requirements aligned with RFO 52.240-937
  • Annual self-assessment and score input in SPRS
  • Annual affirmation of compliance in SPRS
 
LEVEL 2
Broad Protection of CUI
 
Applies to you if you process, store, or transmit Controlled Unclassified Information (CUI)2.
  • 110 security requirements aligned with NIST SP 800-171 R2
  • C3PAO3 certification every 3 years — or self-assessment every 3 years for select programs6
  • Annual affirmation of compliance in SPRS
 
LEVEL 3
Higher-Level Protection of CUI against Advanced Persistent Threats
 
Applies to you when enhanced NIST SP 800-172 protections are required.
  • 110 requirements from NIST SP 800-171 R2, plus 24 from NIST SP 800-172
  • DIBCAC4 certification assessment every 3 years
  • Annual affirmation of compliance in SPRS
Free help & references

CMMC resources

 
Project Spectrum

DoW has partnered with Project Spectrum to provide free online resources and courses to improve cybersecurity readiness, resiliency, and compliance as it relates to CMMC.

Small business concerns can register and access these courses and resources at projectspectrum.io.

Definitions & references
  1. 1Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service; it does not include information the Government provides to the public or simple transactional information (RFO 52.240-93).
  2. 2Controlled Unclassified Information (CUI) is information the Government — or an entity acting for it — creates or possesses that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. (32 CFR Part 2002)
  3. 3C3PAO — CMMC Third-Party Assessor Organization.
  4. 4DIBCAC — Defense Industrial Base Cybersecurity Assessment Center.
  5. 6Self-assessment is only sufficient for CUI outside the National Archives' CUI Registry Defense Organizational Index Grouping. The Program Manager may elevate the CMMC level if there is high risk to the confidentiality, integrity, or availability of the CUI.
  6. 7RFO 52.240-93 — formerly FAR 52.204-21.