Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
When is CMMC Certification Required?
CMMC (Cybersecurity Maturity Model Certification) certification is required when you have a Department of Defense (DoD) contract that requires you to process, store, or transmit certain types of government information on your company’s computer systems.
Process, store, or transmit means: creating, using, saving, or sending information on your company’s computers, networks, or cloud services during the work you do for the government contract.
What Triggers CMMC Requirements?
CMMC certification became a contract requirement starting November 10, 2025. Whether you need CMMC certification depends on the type of information your contract requires you to handle:
Federal Contract Information (FCI)
Federal Contract Information (FCI) is information that the government gives you or that you create for the government as part of your contract work, and it’s not meant for the public to see. This does not include simple payment information like invoices.
If your contract involves FCI, you need CMMC Level 1 certification.
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is sensitive government information that requires special protection but is not classified as secret. This includes technical data, export-controlled information, and other sensitive information marked with “CUI” on documents.
If your contract involves CUI, you need CMMC Level 2 or CMMC Level 3 certification, depending on how sensitive the information is.
When Do You Need to Be Certified?
The DoD is rolling out CMMC requirements in four phases over three years:
Phase 1: November 10, 2025 – November 9, 2026
- New DoD contracts will start including CMMC requirements
- Level 1 and Level 2 self-assessments are required
- The DoD may require third-party assessments for some high-priority Level 2 contracts
- You must have your CMMC certification before the contract can be awarded to you
Phase 2: November 10, 2026 – November 9, 2027
- Third-party assessments (by certified assessment organizations called C3PAOs) become required for Level 2 contracts
- Level 3 assessments may be required for select critical programs
Phase 3: November 10, 2027 – November 9, 2028
- Level 3 assessments become required for applicable contracts
- Existing contracts awarded before Phase 2 will need certification before options can be exercised or contracts extended
Phase 4: November 10, 2028 and Beyond
- Full implementation
- All applicable DoD contracts, including renewals and extensions, must include CMMC requirements
Who Must Get CMMC Certified?
CMMC requirements apply to:
- Prime contractors – Companies that win DoD contracts directly
- Subcontractors at all levels – Any company in the supply chain that handles FCI or CUI must have the appropriate CMMC level
Prime contractors are responsible for ensuring their subcontractors have the required CMMC certification if they will handle FCI or CUI.
What Contracts Are Exempt?
CMMC requirements do not apply to:
- Contracts below the micro-purchase threshold (currently $10,000 for most contracts)
- Contracts exclusively for commercially available off-the-shelf (COTS) items – products sold to the general public without modification
- Contracts where you don’t process, store, or transmit FCI or CUI on your own systems
How to Know Which Level You Need
The DoD contracting officer will specify the required CMMC level in the contract solicitation (the request for bids). The requirement is based on:
- The type of information you’ll handle (FCI or CUI)
- The sensitivity of that information
- The criticality of the program or technology
Your CMMC status must be posted in the Supplier Performance Risk System (SPRS) before the contract can be awarded to you.
Supplier Performance Risk System (SPRS) is the DoD’s online database where contractors report their cybersecurity assessment scores and certification status.
Key Takeaway
If you want to bid on DoD contracts that involve handling government information starting November 10, 2025, you need to have the appropriate CMMC certification completed before the contract award. The specific level required will be listed in each contract solicitation.
Companies should begin preparing now, as achieving CMMC certification typically takes 6-12 months depending on your current cybersecurity posture.
Sources: This article is based on the official CMMC Program Final Rule (32 CFR Part 170) published October 15, 2024, and the DFARS CMMC Acquisition Rule (48 CFR Part 204) published September 10, 2025, both issued by the U.S. Department of Defense.