Can't Bid Without CMMC Certification? What the Rule Actually Says
If a solicitation, a prime contractor, or a contracting officer says you can’t bid without CMMC certification, the claim is usually incomplete. CMMC is an award-eligibility gate, not a scored evaluation factor or set-aside. You may still be able to submit a proposal — but if DFARS 252.204-7025 is in the solicitation, your proposal must list your CMMC unique identifier(s) from SPRS, and you cannot be awarded without a current CMMC status and affirmation at the required level.
Take a breath, because the full picture is more workable than the panic. Here’s the part most pages bury: depending on your contract, you may only need a self-assessment you run yourself — not a six-figure third-party certificate — and for Level 2 and Level 3, a conditional status can let you win the award while you close the last gaps. Which of those is true for you comes down to about five facts in your solicitation. The rest of this page pulls those facts out and gives you the answer for each scenario.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Which situation are you in?
Most people who land here are reacting to one specific trigger. Find yours, get the short answer, then take the first action. The detail — and the proof — is below.
| Your situation | What the answer probably is | Your first move |
|---|---|---|
| A solicitation includes DFARS 252.204-7025 | A current CMMC status + affirmation in SPRS is an award gate, and your proposal must list your CMMC UID(s). | Find the inserted CMMC level and assessment type in the notice. |
| The solicitation says Level 1 | FCI-only path. An annual self-assessment — not a certificate. | Confirm/post your Level 1 status and affirmation in SPRS. |
| The solicitation says Level 2 (Self) | CUI path, but no C3PAO required for this contract. | Confirm your Level 2 (Self) CMMC status and affirmation are current in SPRS. |
| The solicitation says Level 2 (C3PAO) | Formal third-party certification path. | Do readiness first unless you’re already assessment-ready. |
| The clause is only 7019/7020, not 7025 | The gate may be a current NIST SP 800-171 score in SPRS, not CMMC certification. | Check your SPRS score, date, and scope. |
| A prime said “you must be CMMC compliant” | The phrase is incomplete. You need the level, assessment type, and scope. | Ask the prime for the clause and level (script in our prime-flow-down guide). |
| You need access to CUI drawings to price the bid | The access gate may require SPRS evidence — and a safe place to store the data. | Do not download CUI into an unmanaged environment. |
Not sure which row is you? That’s the whole problem — and it’s fixable in a couple of minutes. Use The Defense Compliance Report’s Find My CMMC Path tool to turn your clause, level, FCI/CUI scope, and timeline into a clear read on where you stand, before you call a single vendor.
Check My CMMC Path →The CMMC Bid Eligibility Matrix: bid vs. win, by level and assessment type
No CMMC status is scored in the competition — CMMC is not an evaluation factor or set-aside. But award eligibility requires the status the solicitation names, and for Levels 2 and 3 a conditional status can carry you to award for up to 180 days, while Level 1 requires a final status at award. The differences that matter most are whether your contract needs a self-assessment or a third-party certification.
CMMC Bid/Award Gate Checker
| Requirement | Level 1 (Self) | Level 2 (Self) | Level 2 (C3PAO) | Level 3 (DIBCAC) |
|---|---|---|---|---|
| Protects | FCI (Federal Contract Information) | CUI (Controlled Unclassified Information) | CUI | CUI on the most sensitive programs |
| Standard / # of requirements | FAR 52.204-21 — 15 basic safeguards | NIST SP 800-171 Rev. 2 — 110 reqs across 14 families | NIST SP 800-171 Rev. 2 — 110 | Level 2 plus 24 selected reqs from NIST SP 800-172 |
| Who assesses it | You (self-assessment) | You (self-assessment) | A C3PAO (authorized third party) | DCMA DIBCAC (government) |
| Is it a “certification”? | No — a self-assessed status | No — a self-assessed status | Yes — third-party certification | Yes — government certification |
| Scored in the competition? | No — not an evaluation factor | No | No | No |
| Can you be AWARDED without it? | No — CO “shall not award” without the required status | No | No | No |
| Conditional status can carry you to award? | No — Final required at award | Yes — up to 180 days | Yes — up to 180 days | Yes — up to 180 days |
| Minimum to reach Conditional | n/a — must be 100% met, no POA&M | Score ÷ total ≥ 0.8 (≥ 88/110); only 1-point items on the POA&M; critical controls met; SSP in place | Same ≥ 0.8 threshold, via the C3PAO | Score ÷ total ≥ 0.8 of L3 reqs; certain reqs not POA&M-eligible |
| POA&M allowed? | No | Yes — limited; closeout ≤ 180 days | Yes — limited; closeout by C3PAO ≤ 180 days | Yes — limited; closeout by DIBCAC ≤ 180 days |
| How long it’s valid | 1 year (annual self-assessment) | 3 years + annual affirmation | 3 years + annual affirmation | 3 years + annual affirmation |
| First provider category to consider | Internal owner; RP/RPO if unsure | RPO/MSP/MSSP, GRC platform, or CUI enclave | Readiness first, then a C3PAO | Advanced readiness + the DIBCAC path |
| Common panic mistake to avoid | Buying a C3PAO you don’t need | Treating “Self” as “easy”; skipping the SSP | Hiring one firm to remediate and assess | Treating it as “just more Level 2” |
| When it typically appears | Phase 1 (now) | Phase 1 (now) | DoD discretion in Phase 1; standard in Phase 2 () | DoD discretion in Phase 2; broader in Phase 3 () |
Read the proposal instructions before you read this as “I can submit a blank bid.” “Not scored” is not the same as “no evidence required.” When DFARS 252.204-7025 is in the solicitation, the provision requires you to provide your CMMC UID(s) in the proposal for each system that will touch FCI or CUI — and a UID is only generated in SPRS afteryou enter your assessment results. So in practice, a fully compliant proposal usually means you’ve already posted a CMMC status.
The one line to remember: the only column that cannot win on a conditional status is Level 1 — and Level 1 is the cheapest, fastest one to finish.
“Can’t bid without CMMC certification” — is that actually true?
It’s usually incomplete.CMMC is not a scored evaluation factor or set-aside, so it doesn’t block you from competing the way the phrase implies. But it is a pass/fail award-eligibility gate: the contracting officer “shall not award” a covered contract to an offeror that lacks the required CMMC status, and if DFARS 252.204-7025 applies, your proposal must include your CMMC UID(s) from SPRS.
We read the rule so you don’t have to assemble it from a dozen vendor blogs. When the DoD published the final acquisition rule in the Federal Register (DFARS Case 2019-D041, published ), it answered this exact question in response to a public comment. Someone asked whether CMMC was a competition evaluation factor or a set-aside. The DoD’s answer: it is neither. The mechanism is simpler and harsher than “you get points for it.” It’s a gate.
DFARS 204.7502 — the policy that took effect — puts it plainly: contracting officers “shall not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation,” and contractors must “achieve, at time of award,” that status for every system that will process, store, or transmit FCI or CUI.
So why does everyone say “you can’t bid”? Because business development teams and primes compress the rule into a warning — and because the proposal itself isn’t a clean free pass. If the solicitation carries the DFARS 252.204-7025 notice, your proposal has to list your CMMC UID(s), which you can only get after posting an assessment in SPRS. Functionally, if you can’t reach the required status by award, submitting spends money you won’t recover. That’s exactly why the 7025 notice (“Notice of CMMC Level Requirements”) appears in the solicitation itself— to tell you the required level up front, before you sink hours into a bid you can’t win.
The expensive mistake we watch contractors make
The instinct, mid-panic, is to call the most aggressive-sounding vendor and ask for “CMMC certification, fast.” Don’t. CMMC has four distinct status paths — Level 1 self-assessment, Level 2 self-assessment, Level 2 C3PAO certification, and Level 3 DIBCAC certification — and they differ by an order of magnitude in cost and time. Buying a C3PAO engagement when your contract only requires a Level 1 self-assessment is like hiring a structural engineer to hang a picture. The solicitation, not a salesperson, tells you which one you actually need.
What CMMC UID or SPRS evidence goes in your proposal?
When DFARS 252.204-7025 is in the solicitation, the offeror must provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI, and must update the list as new UIDs are generated.A CMMC UID is created in SPRS only after you enter your self-assessment results — so you generally need a posted CMMC status before the proposal is due.
This is the detail that turns “we’ll deal with CMMC at award” into “we need a status now.” The 7025 provision spells out three things the offeror needs:
- In the proposal: your CMMC UID(s) from SPRS for each in-scope system. No posted assessment, no UID.
- For award eligibility: a current CMMC status at the required level and a current affirmation of continuous compliance, both in SPRS.
- If your status is Conditional: you must close out a valid POA&M to reach Final, under 32 CFR § 170.21.
A practical sequence: scope the systems that will touch FCI or CUI, run the required assessment (self or C3PAO), post results in SPRS to generate the UID, complete the affirmation, and reference the UID(s) in the proposal. If you’re reading this with a proposal due soon and no posted status, that gap — not the certificate itself — is the thing to move on today.
Which clause decides whether CMMC blocks the award?
The clause that creates the award gate is usually DFARS 252.204-7025, the solicitation provision that names the required CMMC level and ties award eligibility to a current status in SPRS. DFARS 252.204-7021 then requires you to maintain that status during performance and flow it down to subcontractors. DFARS 252.204-7019 and 7020 can independently affect award through a separate NIST SP 800-171 score requirement, even where CMMC certification is not yet the gate.
Four DFARS clauses and one FAR clause do different jobs. Reading them as one blob is how contractors talk themselves into the wrong purchase.
| Clause | What it actually does | Why it matters to “can’t bid” panic |
|---|---|---|
| DFARS 252.204-7025 | Solicitation provision; names the required CMMC level and assessment type; ties award eligibility to current status in SPRS; requires CMMC UID(s) in the proposal. | This is the most direct “not eligible for award” gate. Read it first. |
| DFARS 252.204-7021 | Contract clause; requires a current CMMC status, annual affirmation, and flow-down to subs. | Controls performance and subcontract awards — not scoring. |
| DFARS 252.204-7019 | Requires a current NIST SP 800-171 DoD Assessment score in SPRS to be considered for award. | If CMMC isn’t in the solicitation yet, this may be your real gate. |
| DFARS 252.204-7020 | Requires DoD assessment access and restricts subcontracting without the required NIST score. | Affects DoD verification and subcontract eligibility. |
| DFARS 252.204-7012 | Safeguarding covered defense information; NIST SP 800-171 implementation; 72-hour cyber-incident reporting. | The underlying obligation — not the same thing as a CMMC certificate. |
| FAR 52.204-21 | Basic safeguarding for FCI. | The 15-requirement foundation that is CMMC Level 1. |
A note on DFARS 252.204-7012 — because the date matters: the clause required contractors to implement NIST SP 800-171 “as soon as practical, but not later than ” for the covered systems it describes. What it never did was verifythat work — there was no score and no audit. That verification gap is exactly what the SPRS score (7019/7020) and CMMC (7021) closed.
Where to find it in the solicitation
Pull the actual document and search it. Check Section I (contract clauses), Section L (proposal instructions), Section M (evaluation factors), the attachments and CDRLs, any prime subcontract terms, and the CUI-handling or data-access instructions. The required CMMC level and assessment type live in the 7025 notice; the proposal instructions tell you exactly what evidence — including your CMMC UID(s) — to include.
Copy this into your internal bid/no-bid note
You don’t have enough information to make a bid decision until you can fill in every line.
Solicitation / opportunity: ____________________
Clauses present: 7025 □ 7021 □ 7019 □ 7020 □ 7012 □
Required CMMC level: L1 □ L2 (Self) □ L2 (C3PAO) □ L3 □
Data in scope: FCI □ CUI □
Systems in scope: enterprise / enclave / program system
Required timing: proposal □ award □ option □ subcontract award □
Current SPRS evidence: status □ NIST score □ affirmation □ CMMC UID □
Gap: none / missing affirmation / missing UID /
not assessment-ready / unclear prime language
Owner + next action: ____________________Do you need “certification” — or just a CMMC status?
Many contractors panicking about “certification” don’t need one.Only Level 2 (C3PAO) and Level 3 (DIBCAC) produce a third-party or government certification. Level 1 and Level 2 (Self) are met by a self-assessment you perform and post in SPRS with a senior-official affirmation — no outside assessor and no certificate. The word “certification” in the program’s name does not mean every contract requires an audit; the assessment type is set by your contract clause.
There are four CMMC statuses, and the gap between the cheapest and the most expensive is enormous:
- Level 1 (Self): an annual self-assessment against the 15 FAR 52.204-21 safeguards, affirmed in SPRS by a senior company official. No third party. (32 CFR § 170.15)
- Level 2 (Self): a self-assessment against the 110 NIST SP 800-171 Rev. 2 requirements, scored and posted in SPRS, valid three years with annual affirmation. Still no third party. (32 CFR § 170.16)
- Level 2 (C3PAO): the same 110 requirements, but assessed and certified by a Certified Third-Party Assessment Organization (C3PAO). (32 CFR § 170.17)
- Level 3 (DIBCAC): builds on a Final Level 2 (C3PAO) and adds a government-led DCMA DIBCAC assessment of 24 selected NIST SP 800-172 requirements.
One accuracy point worth more than it looks: for CMMC, Level 2 maps to NIST SP 800-171 Revision 2, not Revision 3, unless and until the DoD amends the rule. If a vendor’s pitch leans on Rev. 3 as the controlling CMMC standard, treat it as a flag, not a feature.
Not sure whether your contract needs a self-assessment or a C3PAO certification? That single distinction can be the difference between a few weeks of internal work and a six-figure engagement. Map it with The Defense Compliance Report’s Find My CMMC Path tool — it reads your level, FCI/CUI scope, and assessment type and points you to the right provider category, not a vendor’s sales line.
Map My CMMC Requirement →Is CMMC required at bid time, award time, option exercise, or subcontract award?
For the offeror, the requirement is an award gate: a current CMMC status and affirmation at the required level must be in SPRS before award, and maintained throughout performance. A contracting officer may not exercise an option or extend performance unless your status is current at the required level. For subcontractors, the prime must ensure the right status before awarding the subcontract.
The timing is where “can’t bid” gets misread most often. There are five distinct moments, and they don’t all carry the same gate.
| Moment | What to verify | Why it matters |
|---|---|---|
| Before proposal submission | Proposal instructions; your CMMC UID(s) in SPRS. | If 7025 applies, UID(s) must be in the proposal. |
| Before award | Required CMMC status + current affirmation in SPRS. | This is the main 7025/204.7502 award-eligibility gate. |
| Before subcontract award | The subcontractor’s status at the appropriate level, if FCI/CUI flows down. | A prime can be eligible while a sub on its team is not. |
| Option exercise / extension | Your current status at the required level. | A CO shall not exercise an option or extend performance without it. |
| CUI package access | The access portal’s SPRS/NIST requirements. | Access to drawings can be gated before you finish pricing the bid. |
The DoD’s own Regulatory Impact Analysis states it cleanly: “Before contract award, the offeror must achieve the specified CMMC level for the contractor information system… that will process, store, or transmit the information to be protected.” And DFARS 204.7502 is explicit that a contracting officer may award, exercise an option, or extend performance only when your CMMC status is at the required level or higher.
The phased schedule — and why it isn’t a grace period
CMMC is rolling into contracts in four phases, set out in 32 CFR § 170.3(e) and on the DoD CIO’s CMMC site. The schedule controls whena given level can appear in your solicitations — it does not give anyone permission to wait.
| Phase | Begins | What it adds |
|---|---|---|
| Phase 1 | Level 1 and Level 2 self-assessments as a condition of award. DoD may, at its discretion, require Level 2 (C3PAO) in place of Level 2 (Self). | |
| Phase 2 | Level 2 (C3PAO) as a condition of award for applicable contracts. DoD may delay Level 2 (C3PAO) to an option period, and may also require Level 3 (DIBCAC) at its discretion. | |
| Phase 3 | Level 2 (C3PAO) for all applicable awards and to exercise options on contracts awarded after the effective date; Level 3 (DIBCAC) for all applicable awards (DoD may delay Level 3 to an option period). | |
| Phase 4 | Full implementation across applicable contracts, including option periods on earlier contracts. |
Can you still win while you’re finishing? (Conditional status)
For Levels 2 and 3, yes — within limits. DFARS 204.7502 allows award with a Conditional CMMC status for up to 180 days, and 32 CFR § 170.21 sets the bar: your score must be at least 80% (for Level 2, at least 88 of 110 points), only low-value 1-point items may sit on a POA&M, specified critical requirements may not be deferred, and a System Security Plan must be in place. You then have 180 days to close the POA&M via a closeout assessment or the conditional status expires. Level 1 has no conditional path — it requires a final status at award and allows no POA&M.
Conditional status requirements at a glance (Level 2)
- Score must be at least 88 of 110 points (≥80% of maximum score)
- Only 1-point items may remain on the POA&M — no multi-point requirements deferred
- Specified critical requirements cannot be on the POA&M (see 32 CFR § 170.21 for the specific list)
- A System Security Plan (SSP) must be in place for the assessed systems
- POA&M closeout required within 180 days of the conditional status date
- Closeout requires a follow-on assessment by the same assessor type (self-assessment for Level 2 Self; C3PAO for Level 2 C3PAO)
Important: CUI access during bidding
If you need access to CUI drawings or technical data to price the bid, the access portal may require SPRS evidence beforeyou finish pricing. Never download CUI into an unmanaged environment. Authorized systems — those meeting the applicable NIST SP 800-171 requirements — are the only appropriate destination for that data.
Do not submit CUI, export-controlled drawings, technical data, SSPs, POA&Ms, vulnerability details, or sensitive contract information through any form on this site. Use only high-level facts: required level, assessment type, timeline, company size, and current provider category.
Before you hire a C3PAO, verify it yourself
Verify a C3PAO’s current status in the Cyber AB Marketplace yourself, and keep readiness work separate from the formal assessment.Under the CMMC Assessment Process and Code of Professional Conduct, a C3PAO must disclose and avoid or sufficiently mitigate conflicts of interest, and a 2025 DoD Inspector General audit found gaps in how some C3PAOs were authorized — so a current, self-checked status matters more than a vendor’s marketing.
Two facts should shape how you choose an assessor. First, independence.The CMMC Assessment Process (the Cyber AB’s published procedure) requires conflicts of interest to be disclosed and either avoided or sufficiently mitigated; where a conflict can’t be mitigated, the C3PAO shall not proceed. In practice, that means keeping readiness/remediation and the formal assessment in separate lanes — a C3PAO that has given you implementation advice to improve your readiness can conflict itself out of performing your assessment.
Second, don’t assume the registry polices itself perfectly. In DoD OIG Report No. DODIG-2025-056 (), the Inspector General reviewed 11 of the 48 C3PAOs authorized as of September 2023 and reported that two C3PAOs were authorized without a signed C3PAO Agreement and Code of Professional Conduct, four without verifying their quality-control leads’ certification, and all without adequately confirming a certified assessor and quality-control lead on the team. The fix is simple and free: before you sign anything, confirm the C3PAO’s current authorization in the Cyber AB Marketplace and ask for the assessment team’s credentials. (This is due diligence, not a claim that any specific C3PAO is unreliable.) See also: how to evaluate C3PAOs for CMMC Level 2.
What we actually verified for this page
Every regulatory statement on this page is tied to a primary source we read directly, with the date we checked it. We separate regulatory facts (sourced to the rule) from editorial judgments (clearly labeled as our analysis).
Last verified: What we read and cross-checked:
- The bid-vs-award rule — DFARS 204.7502 and 204.7503, and the Federal Register final rule (DFARS Case 2019-D041, published ) confirming CMMC is “not an evaluation factor or set-aside requirement.”
- The proposal gate — DFARS 252.204-7025 (NOV 2025): CMMC level “required prior to award,” the offeror “will not be eligible for award” without a current status and affirmation, and the offeror “shall provide, in the proposal, the CMMC unique identifier(s).”
- Maintain and flow down — DFARS 252.204-7021, including the duty to ensure a subcontractor’s status before subcontract award.
- Conditional status, POA&M, scoring — 32 CFR Part 170 §§ 170.16, 170.17, 170.21, and 170.24 (80% threshold; 180-day closeout).
- Subcontractor levels — 32 CFR § 170.23.
- The levels — FAR 52.204-21 (15 Level 1 safeguards); NIST SP 800-171 Rev. 2 (110 requirements, 14 families); NIST SP 800-172 (Level 3 enhanced).
- The pre-CMMC SPRS gate — DFARS 252.204-7019/7020.
- Phase timing — 32 CFR § 170.3(e) and the DoD CIO CMMC site.
- Cost — DoD’s Regulatory Impact Analysis.
- Assessor oversight — the Cyber AB CMMC Assessment Process and DoD OIG Report DODIG-2025-056.
CMMC bid eligibility FAQ
Can I submit a proposal if I don't have CMMC yet?
Sometimes, but it’s risky. CMMC is not scored in the competition, so it doesn’t disqualify your proposal the way a missed evaluation factor would. But if DFARS 252.204-7025 is in the solicitation, your proposal must include your CMMC UID(s) from SPRS, and you can’t be awarded without a current status and affirmation at the required level. Read the proposal instructions before you assume you can submit.
Is CMMC required at the time of bid or the time of award?
At award, and then maintained throughout performance. DFARS 204.7502 says contractors must achieve, at time of award, a CMMC status at the CMMC level specified in the solicitation, or higher. If 7025 applies, your CMMC UID(s) also belong in the proposal.
Can I win a DoD contract with a conditional CMMC status?
For Levels 2 and 3, yes — award can occur with a Conditional status for up to 180 days, after which you must close the POA&M via a closeout assessment or the status expires. Level 1 has no conditional path and requires a Final status at award. See our Conditional CMMC Level 2 closeout guide.
Does Level 2 always mean a C3PAO certificate?
No. Level 2 can be met by self-assessment or by a C3PAO certification, depending on what the solicitation requires. The 110 NIST SP 800-171 Revision 2 requirements are the same; only the assessor differs. See: self-assessment vs C3PAO.
Does an SPRS score count as CMMC certification?
No. A NIST SP 800-171 DoD Assessment score posted in SPRS may be required under DFARS 252.204-7019 and 7020 and may be part of your path, but it is not a CMMC status or a CMMC certificate. See: what the SPRS score is and isn’t.
What CMMC level do subcontractors need?
It depends on the data flowed to you and the prime contract. FCI only points to Level 1; CUI points to at least Level 2 (Self); and if the prime contract requires Level 2 (C3PAO) or Level 3, a subcontractor handling CUI generally needs at least Level 2 (C3PAO) unless DoD gives specific guidance. See: CMMC flow-down requirements.
Can a Registered Provider Organization (RPO) certify my company?
No. An RPO or Registered Practitioner can help with readiness, scoping, documentation, and implementation, but a Level 2 (C3PAO) certification must be performed by an authorized C3PAO when the contract requires it. See: CMMC provider categories.
What happens if I don't have CMMC when a contract requires it?
You're not eligible for that award unless the required status is current; the award can go to an eligible competitor, or the government may delay, amend, or cancel. For incumbents, a contracting officer may not exercise an option or extend performance unless your status is current at the required level. Separately, misrepresenting your status — affirming compliance you don't have — can carry False Claims Act exposure under the Justice Department's Civil Cyber-Fraud Initiative; that's about false statements, not about honestly not being ready yet.
Is the phased rollout a grace period?
No. Requirements can already appear in your Phase 1 solicitations now; the schedule controls when a level can be required, not whether you may wait. See the full CMMC phases guide.
The bottom line
You came here afraid you were locked out. You’re not. CMMC mostly gates the award, not the score— though if DFARS 252.204-7025 is in your solicitation, your CMMC UID belongs in the proposal too. You may only need a self-assessment, not a certificate. And for Level 2 and Level 3, a conditional status can carry you across the line while you finish. The only real enemy is time — and the fix for that is starting now, on the right path, instead of guessing.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →