Do CMMC requirements apply to non-DoD contracts?
By: Omer Kaan Aslim
June 04, 2020
As of June 2020, CMMC requirements will only apply to DoD contracts.
As of now CMMC requirements will only apply to U.S. Department of Defense contracts. This is clearly stated on the official CMMC website. However Katie Arrington who is leading the cybersecurity maturity model certification (CMMC) program said that she “knows other federal agencies are already looking at it (CMMC). So I've got to work all the bugs out.”
FAR 52.204-21 applies to Federal Contracts
Federal contracts where a contractor's system processes, stores, or transmits Federal contract information (FCI) require the implementation of the security controls specified in FAR 52.204-21. As of June 2020, non-DoD contracts do not require CMMC. Please note that the CMMC level one requirements are drawn from FAR 52.204-21. By implementing your FAR 52.204-21 controls you will be prepared if the Federal government starts requiring CMMC.
Discover Our NIST SP 800-171 Solutions:
For contractors seeking compliance
For IT service providers
Supply Chain Verifier
For contractors seeking to verify partner compliance