Defense Industrial Base CMMC

Who Needs a CMMC Certification?

Omer Aslim selfie
By: Omer Kaan Aslim
May 30, 2020
Learn which companies need to earn a CMMC certification to work on DoD contracts.

Companies handling “controlled unclassified information” CUI and “federal contract information” will need to earn a Cybersecurity Maturity Model Certification (CMMC).
Companies with DFARS clause 252.204-7012 in their DoD contracts are already required to implement NIST SP 800-171. DFARS clause 252.204-7012 was included in contracts that involved handling “controlled unclassified information” (CUI). As a result it can be deduced that these companies will have a CMMC requirement of level 3 or higher.
Companies that are subcontractors may also have CMMC requirements. These requirements do not necessarily have to be the same as the prime contractor's. For example, a prime contractor may have a level 3 CMMC requirement but a sub contractor working on the same contract may have a level 1 requirement.
Companies only providing Commercial-Off-The-Shelf (COTS) products to the DoD may not require a CMMC certification . Commercially available off-the-shelf (COTS) are commercial items (as defined in paragraph (1) of the definition at FAR 2.101), sold in substantial quantities in the commercial marketplace, offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. COTS do not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products.
Summary: All companies with a DoD contract who handle either “controlled unclassified information” (CUI) or information that is “for official use only” (FOUO) will need to earn a CMMC certification.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance