Defense Industrial Base CMMC

Who Needs a CMMC Certification?

Learn which companies need to earn a CMMC certification to work on DoD contracts.

Companies handling “controlled unclassified information” (CUI) and “federal contract information” will need to earn a Cybersecurity Maturity Model Certification (CMMC).
Companies with DFARS clause 252.204-7012 in their DoD contracts are already required to implement NIST SP 800-171. DFARS clause 252.204-7012 was included in contracts that involved handling “controlled unclassified information” (CUI). As a result, it can be deduced that these companies will have a CMMC requirement of level 3 or higher.
Companies that are subcontractors may also have CMMC requirements. These requirements do not necessarily have to be the same as the prime contractor's. For example, a prime contractor may have a level 3 CMMC requirement, but a subcontractor working on the same contract may have a level 1 requirement.
Companies only providing Commercial-Off-The-Shelf (COTS) products to the DoD may not require a CMMC certification. Commercially available off-the-shelf (COTS) items are commercial items (as defined in paragraph (1) of the definition at FAR 2.101) that are sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which they are sold in the commercial marketplace. COTS items do not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products.
Summary: All companies with a DoD contract who handle either “controlled unclassified information” (CUI) or information that is “for official use only” (FOUO) will need to earn a CMMC certification.
 
