Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
Who Needs to Comply with CMMC?
If you do business with the U.S. Department of Defense (DoD), understanding who needs to comply with CMMC is critical for maintaining your eligibility to win government contracts. As of November 10, 2025, CMMC compliance became a mandatory requirement for most DoD contracts, and failure to meet these requirements will prevent you from bidding on or winning defense work.
CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s verification program that ensures contractors properly protect government information.
This comprehensive guide answers the question “who needs CMMC compliance” by breaking down the requirements for prime contractors, subcontractors, small businesses, and foreign entities.
Who Needs CMMC Compliance: The Basic Answer
You need CMMC compliance if:
- You have (or want to bid on) a Department of Defense contract
- Your contract requires you to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
- You use your own company’s computer systems (not government systems) to handle this information
- Your contract value is above the micro-purchase threshold
Process, store, or transmit means: creating, using, saving, or sending information on your company’s computers, servers, networks, or cloud services during your contract work.
Let’s break down each of these requirements in detail.
Understanding Who Needs CMMC: Prime Contractors
Prime contractors are companies that win DoD contracts directly from the government. If you’re a prime contractor who needs CMMC compliance, you must:
- Achieve the CMMC level specified in your contract solicitation before contract award
- Post your CMMC assessment results in the Supplier Performance Risk System (SPRS)
- Submit annual affirmations confirming you maintain compliance
- Flow down CMMC requirements to all subcontractors who handle FCI or CUI
SPRS stands for Supplier Performance Risk System—the DoD’s online database where contractors report their cybersecurity assessment scores and CMMC certification status.
According to the 32 CFR Part 170 final rule, prime contractors are responsible for ensuring their entire supply chain meets CMMC requirements. This means you cannot simply pass the requirement down to subcontractors—you must verify their compliance before awarding them subcontracts.
Who Needs CMMC in the Supply Chain: Subcontractors at All Tiers
One of the most important aspects of who needs CMMC compliance is that subcontractors at every tier of the supply chain must comply if they handle FCI or CUI.
According to 32 CFR 170.23, here’s how CMMC requirements flow down:
Subcontractors Handling Only FCI
If you’re a subcontractor who will only process, store, or transmit Federal Contract Information (and NOT Controlled Unclassified Information), you need CMMC Level 1 (Self) certification—regardless of what level the prime contractor needs.
Subcontractors Handling CUI
If you’re a subcontractor who will process, store, or transmit Controlled Unclassified Information, your minimum requirement depends on the prime contract:
- Prime has Level 2 (Self): You need minimum Level 2 (Self)
- Prime has Level 2 (C3PAO): You need minimum Level 2 (C3PAO)
- Prime has Level 3 (DIBCAC): You need minimum Level 2 (C3PAO)
C3PAO stands for CMMC Third-Party Assessment Organization—certified companies authorized to conduct CMMC Level 2 assessments. DIBCAC stands for Defense Industrial Base Cybersecurity Assessment Center—the DoD organization that conducts Level 3 assessments.
Important: The DoD estimated that approximately 220,000 companies comprise the Defense Industrial Base (DIB), with subcontractors representing a significant portion. Every subcontractor who handles government information must comply—there is no exemption based on company size or tier level.
Defense Industrial Base (DIB) means all the companies and organizations that provide products and services to the Department of Defense, including manufacturers, suppliers, technology providers, and service contractors.
Who Needs CMMC Based on Information Type
Whether you need CMMC compliance depends on the type of government information your contract requires you to handle:
Federal Contract Information (FCI)
If your contract involves Federal Contract Information only, you need CMMC Level 1.
Federal Contract Information is information that:
- The government gives you or you create for the government
- Is not intended for public release
- Does NOT include information on public websites or simple payment information like invoices
Examples of FCI include:
- Contract specifications and requirements
- Delivery schedules
- Pricing information not yet made public
- Non-public procurement documents
Controlled Unclassified Information (CUI)
If your contract involves Controlled Unclassified Information, you need CMMC Level 2 or Level 3.
[Controlled Unclassified Information](link to your CUI article) is sensitive government information that requires special protection but is not classified. Examples include:
- Technical drawings and specifications
- Export-controlled technical data
- Research and development information
- Personally Identifiable Information (PII)
- Critical infrastructure information
The DoD program office or requiring activity determines which CMMC level (2 or 3) applies based on the sensitivity of the CUI and the criticality of the program.
Who Needs CMMC: Company Size Doesn’t Matter
A common misconception is that small businesses are exempt from CMMC requirements. This is false.
The CMMC final rule explicitly states that CMMC requirements apply regardless of company size. According to DoD estimates:
- Approximately 229,818 small entities will be subject to CMMC requirements
- This represents about 68% of all affected entities
- No blanket exceptions exist for small businesses
Small entity means a small business as defined by the Small Business Administration (SBA), typically companies with fewer than 500 employees, though specific size standards vary by industry.
While the DoD implemented a phased approach to give all companies—including small businesses—time to prepare, company size does not exempt you from CMMC requirements if you handle FCI or CUI.
Who Needs CMMC: Contract Value Thresholds
CMMC requirements apply to contracts based on specific value thresholds:
Contracts Above Micro-Purchase Threshold
CMMC applies to contracts valued above the micro-purchase threshold, which is currently $10,000 for most DoD procurements.
Micro-purchase threshold means the dollar amount below which the government can make simplified purchases without most contracting requirements. It’s currently $10,000 for most contracts.
Contracts Below Micro-Purchase Threshold
Contracts valued at or below the micro-purchase threshold are generally exempt from CMMC requirements.
However, even if CMMC doesn’t apply, you may still have other cybersecurity obligations under existing regulations like FAR clause 52.204-21 or DFARS clause 252.204-7012.
FAR stands for Federal Acquisition Regulation—the primary set of rules governing federal government purchases. DFARS stands for Defense Federal Acquisition Regulation Supplement—the DoD’s additional rules for defense contracts.
Who Needs CMMC: The COTS Exemption
One important exception to who needs CMMC compliance involves commercially available off-the-shelf (COTS) items.
Contracts exclusively for COTS items are exempt from CMMC requirements.
According to FAR 2.101, a COTS item is defined as any item of supply that:
- Is a commercial product
- Is sold in substantial quantities in the commercial marketplace
- Is offered to the government without modification in the same form it’s sold commercially
Commercially available off-the-shelf (COTS) means products sold to the general public without any customization or modification for government use.
Important: The COTS exemption only applies to contracts that are exclusively for COTS items. If your contract includes any non-COTS products or services—even if COTS items are part of it—the exemption does not apply.
Examples of COTS items include:
- Standard office software (Microsoft Office, Adobe products)
- Commercial hardware (laptops, printers, network equipment)
- Off-the-shelf telecommunications equipment
- Standard commercial vehicles
Examples that are NOT COTS:
- Software customized for DoD use
- Commercial products with government-specific modifications
- Custom-built equipment
- Professional services (even using commercial tools)
Who Needs CMMC: Foreign Entities and International Contractors
If you’re a foreign entity or international contractor, you might wonder whether CMMC requirements apply to you. The answer is yes—CMMC applies to foreign suppliers with no exemptions.
According to official DoD guidance, the CMMC program does not exempt foreign suppliers from requirements. If you’re a foreign entity bidding on DoD contracts that involve handling FCI or CUI, you must:
- Meet the same CMMC requirements as U.S. contractors
- Achieve the required CMMC level before contract award
- Report your CMMC status in SPRS
- Flow down requirements to your subcontractors
This requirement exists because the value and sensitivity of government information doesn’t change based on where the contractor is located. Foreign entities present additional security considerations, making CMMC compliance even more critical.
Who Needs CMMC: Joint Ventures and Partnerships
If your company is part of a joint venture (JV) or partnership, determining who needs CMMC compliance becomes more complex.
The rule: Each individual entity within the joint venture that has information systems processing, storing, or transmitting FCI or CUI must achieve CMMC certification for those specific systems.
For example, if Company A and Company B form a joint venture:
- Company A must certify its information systems that handle FCI/CUI
- Company B must certify its information systems that handle FCI/CUI
- The joint venture cannot rely on just one partner’s certification
This ensures that all entities with access to sensitive government information maintain proper security controls.
Who Needs CMMC: System Types That Require Certification
CMMC requirements apply to specific types of information systems based on what they do:
Systems That Require CMMC Certification
You need CMMC certification for contractor-owned information systems that:
- Process, store, or transmit FCI or CUI during contract performance
- Provide security protections for systems that handle FCI or CUI
- Are not logically or physically isolated from systems that handle FCI or CUI
Contractor-owned information systems means computer systems, networks, servers, cloud services, and other IT infrastructure that your company owns, leases, or controls—not systems owned and operated by the government.
Systems That Do NOT Require CMMC Certification
CMMC requirements do NOT apply to:
- Federal information systems operated by contractors on behalf of the government
- Systems that never process, store, or transmit FCI or CUI
- Systems that are completely isolated from networks handling FCI or CUI
- Personal devices not used for contract work
Who Needs CMMC: When Waivers May Apply
In very limited circumstances, DoD may waive CMMC requirements for specific contracts.
According to 32 CFR 170.5(d), a Service Acquisition Executive or Component Acquisition Executive may waive CMMC Program requirements in a solicitation or contract. However:
- Waivers are granted at DoD’s discretion
- Waivers are rare and limited to exceptional circumstances
- Even with a CMMC waiver, you must still comply with underlying security requirements (FAR 52.204-21, DFARS 252.204-7012)
- You cannot request a waiver—only DoD can initiate one
Important: Do not assume you’ll receive a waiver. Plan to achieve CMMC certification as required.
Who Needs CMMC: Phased Implementation Timeline
Who needs CMMC compliance also depends on when your contract is awarded or renewed. The DoD implemented a four-phase rollout:
Phase 1 (November 10, 2025 – November 9, 2026)
- Self-assessments required for Level 1 and Level 2
- DoD may require third-party assessments (C3PAO) for select high-priority Level 2 contracts
Phase 2 (November 10, 2026 – November 9, 2027)
- Third-party assessments (C3PAO) required for Level 2 contracts
- Level 3 assessments may be required for select critical programs
Phase 3 (November 10, 2027 – November 9, 2028)
- Level 3 assessments required for applicable contracts
- Existing contracts require certification before option exercise
Phase 4 (November 10, 2028 and beyond)
- Full implementation
- CMMC required in all applicable DoD contracts (except COTS-only contracts)
Who Needs CMMC: Special Situations
Cloud Service Providers (CSPs)
If you’re a cloud service provider hosting FCI or CUI for defense contractors, you have specific requirements:
- For CUI, you must meet FedRAMP Moderate or DoD-approved equivalent
- You must allow your customers (the contractors) to verify your compliance
- Defense contractors must only use compliant cloud providers for CUI
FedRAMP stands for Federal Risk and Authorization Management Program—the government’s standardized approach to security assessment and authorization for cloud services.
Managed Service Providers (MSPs)
If you’re a managed service provider supporting defense contractors:
- You need CMMC certification if you process, store, or transmit FCI or CUI
- Your clients cannot outsource their CMMC responsibility to you
- Each entity handling government information needs its own certification
Commercial Item Contractors Using FAR Part 12
Even if you provide commercial products or services under FAR Part 12 procedures, you still need CMMC compliance—unless your contract is exclusively for COTS items.
The commercial item exemption that existed under some previous cybersecurity rules does NOT apply to CMMC (except for COTS-only contracts).
Key Takeaway: Who Needs CMMC Compliance
You need CMMC compliance if you are:
✓ A DoD prime contractor handling FCI or CUI
✓ A subcontractor at any tier handling FCI or CUI
✓ A small business working on defense contracts
✓ A foreign entity bidding on DoD work
✓ Part of a joint venture with access to government information
✓ A service provider (cloud, managed services) for defense contractors
You do NOT need CMMC compliance if:
✗ Your contract is exclusively for COTS items
✗ Your contract is below the micro-purchase threshold ($10,000)
✗ You never process, store, or transmit FCI or CUI
✗ You operate government-owned information systems (not contractor-owned)
The bottom line: If you handle government information on your own systems for DoD contracts, you need CMMC compliance. Company size, location, and tier level don’t matter—only whether you process, store, or transmit FCI or CUI.
Start preparing now, as achieving CMMC certification typically takes 6-12 months depending on your current cybersecurity posture and the required level.
Related Articles:
Official Sources: This article is based on 32 CFR Part 170 “Cybersecurity Maturity Model Certification Program” (effective December 16, 2024), the DFARS Final Rule implementing CMMC (effective November 10, 2025), FAR 2.101 definitions, and official DoD guidance published by the Department of Defense Chief Information Officer.