CMMC Compliance for Software and SaaS Companies
The honest, sourced answer to whether CMMC applies to your software company — and what to do if it does.
By The Defense Compliance Report Editorial Team · Last verified: June 12, 2026
If you run a software or SaaS company and a defense customer just asked whether you’re “CMMC compliant,” here’s the short version: CMMC compliance for software and SaaS companies depends on three things — your contract, the data you touch, and your role — not on the word “software” in your pitch deck. A software company does not need its own CMMC status just because it sells into the defense market. Some do need it. A specific group needs FedRAMP instead. Some sit only in a customer’s scope. And some are genuinely outside the boundary.
Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense’s (DoD) program for verifying that companies in the defense supply chain protect sensitive government information. It became a federal rule when 32 CFR Part 170 took effect on December 16, 2024, and became contractually enforceable when the implementing acquisition rule, DFARS 252.204-7021, took effect on November 10, 2025. CMMC applies to companies in the defense industrial base (DIB) that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
So here’s the map. If your company only handles FCI, your likely path is CMMC Level 1 (a self-assessment). If your systems process, store, or transmit CUI, your likely path is CMMC Level 2. If your SaaS product hosts CUI for a defense customer and you’re acting only as their cloud provider, the requirement that lands on you is usually FedRAMP Moderate authorization or equivalent evidence — not a CMMC certificate. If your product provides a security function for a customer’s environment but doesn’t hold CUI, you’re a Security Protection Asset, evaluated inside the customer’s scope. And if your product never touches FCI, CUI, or security-protection data, you are likely outside the boundary entirely.
Find your position: the Software & SaaS CMMC Position Matrix
There are five positions a software or SaaS company can occupy. Each carries a different binding requirement, a different controlling citation, and a different “do you even need this” answer. Find yourself in the table, then read the section that matches.
| Your position | This is you when… | Do you need your own CMMC status? | Does FedRAMP apply to you? | The one binding requirement | Controlling source |
|---|---|---|---|---|---|
| 1. You're a DoD contractor or subcontractor yourself | You hold (or are bidding) a DoD contract or subcontract and receive or create FCI or CUI while performing it — including delivering software, an SBIR award, or a prime's flow-down | Yes — at the CMMC level and assessment type your contract requires | Only if you use a cloud service to handle that CUI | FCI-only generally maps to Level 1 Self; CUI generally maps to Level 2 Self or Level 2 C3PAO depending on the solicitation | 32 CFR §170.14–170.17; DFARS 252.204-7021 |
| 2. Your product stores, processes, or transmits CUI for defense customers (Cloud Service Provider) | Defense customers put CUI into your SaaS, PaaS, or IaaS | Generally no — you don't need your own CMMC status | Yes — your offering must meet FedRAMP Moderate authorization or equivalency | FedRAMP Moderate Authorized (listed on the FedRAMP Marketplace), or FedRAMP Moderate equivalent evidence supported by a FedRAMP-recognized 3PAO | DFARS 252.204-7012(b)(2)(ii)(D); DoD CIO memo Dec 21, 2023; 32 CFR §170.4 |
| 3. Your product handles only security data, or provides a security function (Security Protection Asset) | Compliance/GRC tooling, SIEM, MFA/identity, EDR, vulnerability scanning, log or backup management — it touches Security Protection Data or protects the environment, but not CUI | No | No (unless it also touches CUI) | Your service can be pulled into a customer's CMMC assessment scope as a Security Protection Asset and assessed against the relevant requirements; provide a service description and CRM | 32 CFR §170.19(c) |
| 4. Your product touches FCI but not CUI | Defense customers use it for FCI only (basic, non-public contract info), no CUI | No status of your own | No | Support your customer's Level 1 scope; the customer accounts for external providers that handle FCI | FAR 52.204-21; 32 CFR §170.19(b) |
| 5. Your product never touches FCI, CUI, or security data | No FCI, no CUI, no Security Protection Data, no security-protection role, and it's separated from any CUI environment | No | No | Likely out of CMMC scope entirely — but be ready to confirm it in writing, because procurement will still ask | 32 CFR §170.19 |
What does CMMC compliance for software and SaaS companies actually require?
CMMC status is required of a contractor or subcontractor when its contract, subcontract, or other contractual instrument requires it for the information systems used in performance that process, store, or transmit FCI or CUI. A CMMC certificate applies only where the required status is Level 2 (C3PAO) or Level 3 (DIBCAC); Level 1 and Level 2 self-assessments produce a status and an annual affirmation in the Supplier Performance Risk System (SPRS), not a certificate.
Let’s name the three roles people blur together:
The software company that is itself a contractor or subcontractor
You signed a DoD contract, took a subcontract from a prime, or won an SBIR, and CUI or FCI flows to you to do the work. CMMC applies to you.
The SaaS vendor whose product stores customer CUI
Your customers are the contractors; your platform is where their CUI lives. Your path runs through FedRAMP, not a CMMC certificate of your own.
The software or security tool that protects a customer's CUI environment
You don't hold the CUI, but your SIEM, identity platform, or scanner is part of how the customer defends it. You're a Security Protection Asset, assessed inside the customer's scope.
The legal anchor is short. DFARS 252.204-7021 requires a contractor to hold and maintain the CMMC status its contract specifies for the information systems it uses to process, store, or transmit FCI or CUI in performance. Your obligation is defined by what data enters your environment and what your contract says. Full stop.
CMMC, FedRAMP, both, or neither? The distinction that ends most of this confusion
CMMC and FedRAMP solve different problems, and conflating them is the single biggest source of wasted effort for software companies. CMMC assesses a contractor’s information systems against NIST SP 800-171 Revision 2 to protect CUI. The Federal Risk and Authorization Management Program (FedRAMP) authorizes a cloud service offering against NIST SP 800-53 for federal use. When a defense contractor uses an external cloud service to store, process, or transmit covered defense information, DFARS 252.204-7012 requires that service to meet FedRAMP Moderate or equivalent — which makes your FedRAMP posture your customer’s CMMC gating item.
Are SaaS vendors ESPs, CSPs, or both?
A SaaS vendor is a Cloud Service Provider (CSP) when its offering processes, stores, or transmits CUI; it is treated as an External Service Provider / Security Protection Asset when it handles Security Protection Data or performs a security function without hosting CUI. The same company can occupy more than one role depending on the customer’s use case, and the role drives the requirement.
If your product stores, processes, or transmits CUI
You are a CSP under 32 CFR §170.4, and the binding bar is FedRAMP Moderate (authorization or equivalency). This is a higher, separate requirement than the general ESP rule. See our guide: FedRAMP Moderate for CMMC Cloud Services.
If your product handles only Security Protection Data or provides a security function (and never holds CUI)
You are a Security Protection Asset. You don’t need FedRAMP. Instead, your service is examined inside your customer’s CMMC assessment, and you provide a service description and a Customer Responsibility Matrix (CRM) under 32 CFR §170.19(c).
The two FedRAMP paths for a CUI-hosting SaaS company
Details confirmed against the DoD CIO’s December 21, 2023 memo (“FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings”).
| Dimension | FedRAMP Moderate Authorization | FedRAMP Moderate Equivalency |
|---|---|---|
| What it is | Full FedRAMP authorization of your cloud offering, listed publicly | A DoD-recognized status for cloud providers serving the defense base, under DFARS 252.204-7012 |
| Who validates it | A FedRAMP-recognized 3PAO plus federal authorization | A FedRAMP-recognized 3PAO assessment that produces a "body of evidence" |
| Listed on the FedRAMP Marketplace? | Yes | No — there is no equivalency registry; the contractor (your customer) validates your body of evidence |
| Open POA&Ms at attestation? | Some findings can be addressed after authorization | None resulting from the 3PAO assessment — all such items must be corrected and validated as closed; operational POA&Ms unrelated to that assessment may still exist |
| Can a defense customer use it without further assessment? | Yes — a Marketplace-Authorized offering can be leveraged without additional assessment, per the DoD memo | Not automatically — the customer owns validating your body of evidence, which DIBCAC and/or the customer's C3PAO may review |
| Typical cost (market estimate) | ~$500K–$1.5M initial; ~$200K–$500K/year | Lower-lift than full authorization for defense-only providers — but the "no assessment POA&Ms" bar raises the engineering ceiling |
| Typical timeline (market estimate) | ~12–18+ months | Varies; gated by your 3PAO and remediation |
| Best for | SaaS targeting both civilian-federal and DoD markets, and any vendor that wants frictionless customer adoption | SaaS serving only the defense base that doesn't need a civilian-agency Marketplace listing |
The hard truth: no platform makes you CMMC compliant
No platform — not GCC High, not Azure Government, not AWS GovCloud, not PreVeil, not any “CMMC-ready” SaaS tool — makes a software or SaaS company automatically CMMC compliant. A qualified cloud or secure-collaboration platform can reduce your scope, provide inherited controls, and supply part of your evidence package. But you still own your configuration, your users, your policies, your System Security Plan (SSP), your Plan of Action and Milestones (POA&M), your day-to-day operations, and your assessment evidence. Microsoft’s own CMMC guidance says it directly: compliance depends on customer configuration, implementation, and operational controls.
What a strong cloud or enclave platform genuinely helps with:
- Provides FedRAMP authorization or equivalency evidence (the Position-2 requirement)
- Shrinks your assessment boundary by isolating CUI in a defined enclave
- Supplies inherited control evidence and a shared-responsibility matrix
- Handles secure collaboration, logging, and identity in a defensible way
What no platform does for you:
- Write your SSP or define your scope
- Make your support and DevOps workflows compliant
- Fix how your people actually handle CUI
- Post your assessment score and affirmation in SPRS
- Satisfy all 110 NIST SP 800-171 Revision 2 requirements on its own
And about that phrase “FedRAMP equivalent” you’ll see in vendor marketing: the DoD CIO’s guidance is clear that there is no government registry for FedRAMP Moderate equivalency. The contractor (or, when vetting a vendor, the contractor’s assessor) has to evaluate the cloud provider’s body of evidence directly. “We’re FedRAMP equivalent” is a claim to verify, not a certificate to accept.
If you already bought a platform expecting it to be the whole answer, you’re not back to zero — you likely have a strong foundation. The fix is to document what the platform covers, identify what’s still yours, and build the SSP and evidence around it. That’s a readiness exercise, not a restart. Related: CMMC Enclave vs. Enterprise Compliance · Best CMMC Software Tools.
Which of your systems and tools are actually in CMMC scope?
For a software company, the CMMC boundary is usually wider than just production infrastructure. Source repositories, build pipelines, cloud consoles, support tickets, developer laptops, vulnerability scanners, SIEM tools, identity providers, and backups can all enter scope if they process, store, transmit, or protect CUI. Tools that touch no FCI, no CUI, and no security data — and play no security role for an in-scope system — should be documented as out of scope, not casually ignored. The CMMC Scoping Guide – Level 2 sorts assets into categories that decide how each is treated: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and out-of-scope assets.
Scope map last verified against 32 CFR §170.19 and the CMMC Scoping Guide – Level 2 on June 12, 2026.
| Tool / system | In scope when… | Likely asset category | What to verify | Common mistake |
|---|---|---|---|---|
| Source repository (GitHub, GitLab, Azure Repos) | It stores CUI source, customer-provided CUI, CUI specs, or scripts that protect in-scope assets | CUI Asset or Security Protection Asset | Repo contents, access control, branch protections, audit logs | Assuming repos are exempt because they're "just development" |
| CI/CD pipeline | It builds or deploys in-scope systems, or stores secrets and configs | Security Protection Asset | Secrets handling, build logs, admin access, runners | Leaving build logs and secrets in commercial SaaS |
| Artifact / package registry | It stores deployable components for in-scope systems | Security Protection Asset | Access, integrity, provenance, logging | Treating artifacts as ordinary files |
| Cloud console / control plane | It hosts CUI or administers the CUI environment | CUI Asset / Security Protection Asset | The specific offering's FedRAMP status, boundary, privileged access | Assuming "we're in GovCloud" settles it |
| Customer support platform / ticketing | Tickets contain CUI screenshots, logs, files, or descriptions | CUI Asset | Intake rules, attachment handling, redaction, retention | Letting customers upload CUI into an uncontrolled queue |
| SIEM / logging | It stores logs, configs, or security events for in-scope systems | Security Protection Data | Log contents, access, retention, monitoring | Saying "no CUI here" while holding security data |
| MDR / MSSP portal | A third party monitors or administers your CUI environment | ESP / Security Protection Asset | Shared-responsibility matrix, admin access, evidence | Forgetting third-party administrative access |
| SSO / identity provider | It controls access to in-scope assets | Security Protection Asset | MFA, conditional access, logs, admin roles | Treating identity as out of scope |
| Developer laptops / endpoints | They access CUI, in-scope source, tickets, or admin consoles | CUI Asset / Risk-Managed Asset / Security Protection Asset | Encryption, EDR, local storage, controls | Allowing local CUI downloads |
| Backup platform | It backs up in-scope systems | CUI Asset | Encryption, access, retention, restore testing | Backing CUI into a non-compliant SaaS |
| HR / accounting SaaS | Usually out if it holds no CUI and plays no security role | Out of scope (when documented) | Data type, no CUI, no security function | Dragging every SaaS app into scope "to be safe" |
| AI coding / chat tools | They receive code, logs, configs, or CUI | Potential CUI / Security Protection Data exposure | Vendor terms, data retention, usage restrictions | Pasting CUI or in-scope source into public AI tools |
The support-ticket trap
What CMMC Level 2 actually requires of a software team
CMMC Level 2 currently maps to NIST SP 800-171 Revision 2: 110 security requirements across 14 control families, assessed against 320 assessment objectives defined in NIST SP 800-171A, all aimed at protecting CUI in non-federal systems. For software teams, the real burden shows up in identity, privileged access, logging, configuration management, incident response, vulnerability management, developer endpoints, cloud configuration, and the evidence to prove it all (32 CFR §170.14).
| NIST SP 800-171 family | What it means for a software / SaaS team |
|---|---|
| Access Control | Least privilege across repos, cloud consoles, and support access |
| Awareness & Training | Developers and support staff actually know the CUI-handling rules |
| Audit & Accountability | Logging for repos, CI/CD, cloud, endpoints, and admin actions |
| Configuration Management | Secure baselines for cloud, endpoints, containers, and pipelines |
| Identification & Authentication | MFA, SSO, and disciplined control of privileged accounts |
| Incident Response | A real plan, a reporting path, and evidence preservation |
| Maintenance | Controlled maintenance and remote administration |
| Media Protection | Downloads, exports, removable media, and backups |
| Personnel Security | Onboarding/offboarding and prompt access removal |
| Physical Protection | Offices, developer devices, and hosting where applicable |
| Risk Assessment | Vulnerability scanning, risk reviews, third-party risk |
| Security Assessment | The SSP, the POA&M, control testing, and evidence |
| System & Communications Protection | Network boundaries, encryption, segmentation |
| System & Information Integrity | Patching, flaw remediation, monitoring |
For a full gap analysis against these 14 families, see our NIST 800-171 Gap Analysis guide.
Self-assess or hire a C3PAO? You don’t choose — the contract does
A software company does not pick self-assessment versus a third-party assessment based on preference. The required CMMC level and assessment type come from the solicitation or contract. Level 1 is self-assessed annually. Level 2 can be either a self-assessment or a C3PAO certification assessment — the solicitation specifies which. Level 3 is assessed by DIBCAC and requires a Final Level 2 (C3PAO) certification first. DFARS 252.204-7021 also requires you to maintain a current status and submit annual affirmations in SPRS.
Level 1 (FCI only)
Fifteen basic safeguarding requirements from FAR 52.204-21, assessed by an annual self-assessment with an executive affirmation. Don't inflate FCI-only work into Level 2 because a vendor told you to — check the contract first.
Level 2, self-assessment
The full 110 NIST SP 800-171 Revision 2 requirements, with the score and affirmation posted in SPRS. This path applies when the solicitation calls for a Level 2 self-assessment rather than certification.
Level 2, C3PAO certification
Required when the contract calls for a certification assessment. A C3PAO is the only entity that can issue a Level 2 certificate, valid for three years. During an active assessment, a requirement marked NOT MET can be re-evaluated only within a tight 10-business-day window if you produce evidence you already had — that window is not a remediation period. If you earn a conditional Level 2 with a limited POA&M, you generally have 180 days to close every item, and certain high-value requirements can't go on a POA&M at all (32 CFR §170.21).
Level 3 (most sensitive CUI)
Adds a selected set of 24 enhanced requirements from NIST SP 800-172, assessed by DIBCAC, and requires Final Level 2 certification first (32 CFR §170.18).
The assessor independence rule, stated precisely
A quick note on the related clauses: DFARS 252.204-7019 requires offerors to have a current NIST SP 800-171 DoD Assessment posted in SPRS; DFARS 252.204-7020 describes the Basic, Medium, and High assessment methodology behind that score; and DFARS 252.204-7021 adds the CMMC status requirement and annual affirmations on top.
When does this actually hit you? The Phase 2 clock
CMMC is phasing into contracts over four phases. Phase 1 runs November 10, 2025 through November 9, 2026 — DoD solicitations can require Level 1 or Level 2 self-assessments now, with discretion to require a Level 2 C3PAO certification. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 C3PAO certification as a condition of award in applicable solicitations. Because FedRAMP work and CMMC readiness each take many months, a software company whose customers will need certification by Phase 2 is, in practice, already on the clock.
Phase 1 — Nov 10, 2025 to Nov 9, 2026
Level 1 and Level 2 self-assessment requirements appear in applicable solicitations; DoD may require Level 2 C3PAO certification at its discretion.
Phase 2 — begins Nov 10, 2026
DoD intends to add Level 2 C3PAO certification as a condition of award, though it may instead defer that requirement to an option period; it may also include Level 3 (DIBCAC) requirements at its discretion.
Phase 3 — begins Nov 10, 2027
DoD intends to require Level 2 C3PAO status for all applicable awards and as a condition of exercising an option, and to include Level 3 (DIBCAC) requirements.
Phase 4 — begins Nov 10, 2028
Full implementation across all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4.
What to say when a customer asks, “Are you CMMC compliant?”
Answer with your role, your data boundary, your assessment or FedRAMP status, and what the customer can and can’t inherit from you — never with a blanket “yes, our software is CMMC compliant.” That phrase overclaims unless you can document the exact assessed organization and boundary, and an overclaim on a compliance question is how vendors lose trust (and deals) the moment a customer’s assessor probes it.
Here are three templates you can adapt. (These are starting points, not legal language — have counsel review anything you send.)
If your product does not handle FCI, CUI, or Security Protection Data, and provides no security protection for a CUI environment:
“Our platform is not intended to process, store, or transmit FCI, CUI, or security-protection data, and it does not provide a security function for your CUI environment. Based on your current use case, we do not believe it falls inside your CMMC boundary. We’re glad to provide a data-flow description so your team can confirm scope on your side.”
If your product does handle CUI:
“Our platform may process, store, or transmit CUI for this use case. We can provide our current FedRAMP authorization or equivalency evidence, our security documentation, our Customer Responsibility Matrix, and our incident-response and contact procedures so your team can evaluate the service within your CMMC scope.”
If you’re a security tool or managed provider:
“Our service supports security functions for your CMMC environment. We can provide evidence for the controls and procedures we operate, but you remain responsible for your own scope, SSP, evidence package, and assessment. Here’s our shared-responsibility matrix.”
What this actually costs and how long it takes
Cost and timeline depend on your position, your current maturity, your CUI volume, and your cloud architecture — not on a single sticker price. A software company that is itself a contractor pursuing CMMC Level 2 typically runs in the low-to-mid six figures over roughly 6 to 18 months. A SaaS company that needs FedRAMP Moderate authorization has historically faced roughly $500,000 to $1.5 million and 12 to 18+ months, while FedRAMP Moderate equivalency is a lighter lift for defense-only providers, with the caveat that its “no assessment POA&Ms” bar raises the engineering ceiling.
The ranges below are market-rate estimates compiled from public cost reporting current to June 2026 — not regulatory figures, and not quotes from a fixed provider panel. Your actual number turns on scope, maturity, tooling, and remediation, so treat these as planning anchors and re-check current quotes.
| Scenario | Likely timeline (estimate) | Cost band (market estimate) | Notes |
|---|---|---|---|
| Small software team, FCI only, modern stack | ~1–3 months | Mostly internal effort | Level 1 path: documentation and basic safeguards |
| Software contractor with CUI, decent security maturity | ~6–18 months | ~$100K–$300K | Level 2 readiness, SSP, evidence, SPRS |
| SaaS company with CUI spread across DevOps, support, and cloud | ~6–18 months | Highly variable | Scope reduction often saves more than vendor shopping |
| SaaS offering that needs FedRAMP Moderate authorization | ~12–18+ months | ~$500K–$1.5M initial; ~$200K–$500K/yr | Separate FedRAMP authorization or equivalency work |
| FedRAMP 20x (emerging) | Early pilots ~3–4 months | Not yet established | Automation-first GSA path; broad Moderate availability targeted for late 2026 — confirm current status and DoD/CUI fit before planning around it |
One emerging item worth watching: FedRAMP 20x, GSA’s automation-first authorization path. Early pilots reached authorization far faster than the traditional process, and broad Moderate availability is targeted for late 2026. It’s still maturing, so confirm its current status and your eligibility before you plan around it. For a deeper cost breakdown, see our CMMC Level 2 Cost guide.
The mistakes that sink software and SaaS CMMC planning
The costliest CMMC mistakes for software companies aren’t technical — they’re scope and claim mistakes. Calling a tool “CMMC compliant,” assuming FedRAMP or SOC 2 equals CMMC, letting CUI leak into support and DevOps systems, ignoring security-protection data, hiring the wrong provider category first, and waiting until a solicitation already demands a current status — each one turns a manageable project into an expensive scramble. CMMC gets expensive when the boundary is vague.
1. Telling customers "our SaaS is CMMC compliant"
An overclaim you can't document. No software product has a CMMC status — an organization does.
2. Assuming FedRAMP equals CMMC
They're different frameworks for different things. FedRAMP authorizes cloud service offerings. CMMC assesses defense contractor organizations. A FedRAMP authorization helps your customers but doesn't give you a CMMC status.
3. Assuming SOC 2 equals CMMC
Useful evidence, not a substitute. SOC 2 and ISO 27001 can reduce your lift but don't replace an implementation of NIST SP 800-171 Revision 2.
4. Forgetting support tickets
The most common way clean scopes get contaminated. One CUI-laden screenshot in a ticket can pull your support platform, file-sharing tool, and workflow into scope.
5. Forgetting logs and security data
"No CUI" doesn't mean "no scope." Security Protection Data — logs, configs, monitoring events — pulls tooling into the assessment boundary even when it never touches CUI directly.
6. Treating every SaaS tool as in scope
Fear-driven over-scoping wastes budget. HR, accounting, and collaboration tools that hold no CUI, FCI, or security data and play no security role are typically out of scope — document it and move on.
7. Calling a C3PAO before you're ready
A wasted quote, and an independence risk if they also did your prep. Under the three-year prohibition, a C3PAO that consults on your readiness cannot then assess you.
8. Not preparing customer-facing language
Your sales and support teams will answer the "are you compliant?" question whether or not you've given them the right words. Without a prepared answer, they'll say something that overclaims — and a procurement officer will catch it.
What we actually verified for this guide
We built this from primary and authoritative sources, not vendor marketing. We separated three kinds of claims throughout: regulatory facts (cited to 32 CFR Part 170, the DFARS clauses, the DoD FedRAMP equivalency memo, and NIST), current-state facts (cost ranges and rollout phase, dated and re-checked on a schedule), and editorial judgments (which path fits a given situation).
What we verified — as of June 12, 2026:
- 32 CFR Part 170 (the CMMC Program rule) is in effect; it took effect December 16, 2024.
- The implementing DFARS acquisition rule took effect November 10, 2025, introducing DFARS 252.204-7021 and the solicitation provision at 252.204-7025.
- The phased schedule — Phase 1 (Nov 10, 2025–Nov 9, 2026) focusing on Level 1 and Level 2 self-assessments — confirmed on the DoD CIO CMMC page and 32 CFR §170.3.
- CMMC Level 2 maps to NIST SP 800-171 Revision 2: 110 requirements, 14 families, 320 assessment objectives (32 CFR §170.14).
- The CSP requirement to meet FedRAMP Moderate or equivalent for covered defense information: DFARS 252.204-7012(b)(2)(ii)(D) and the DoD CIO memo of December 21, 2023.
- The ESP/CSP scoping rules — including that a provider handling CUI/SPD is documented in the customer's SSP via a service description and CRM — at 32 CFR §170.19(c).
- The asset categories (CUI Assets, Security Protection Assets, Security Protection Data, Contractor Risk Managed Assets, Specialized Assets) in the CMMC Scoping Guide – Level 2.
- The assessor conflict-of-interest rule — the three-year consultant prohibition — at 32 CFR §170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct.
- The FedRAMP Marketplace as the authoritative source for a cloud offering's FedRAMP status.
Cost ranges and the FedRAMP 20x rollout are fast-moving; we re-check them quarterly and update this page’s “Last verified” date when we do.
Frequently asked questions
Do SaaS companies need CMMC?
SaaS companies need CMMC only when a DoD contract, subcontract, or flow-down requires it and the company's systems process, store, or transmit FCI or CUI. A SaaS company does not need CMMC merely because it sells software. If your product hosts CUI for defense customers, your binding requirement is usually FedRAMP Moderate authorization or equivalency under DFARS 252.204-7012, not a CMMC status of your own.
Do software vendors need CMMC certification?
Only when their contract path requires a certification assessment. Some software companies are Level 1 self-assessed, some are Level 2 self-assessed, some need a Level 2 C3PAO certification, and some are not in scope. A CMMC certificate applies only at Level 2 (C3PAO) or Level 3 (DIBCAC); Level 1 and Level 2 self-assessments produce a status and affirmation in SPRS, not a certificate. The level and assessment type come from the solicitation, not the company's preference.
Is FedRAMP required for CMMC?
FedRAMP and CMMC are different programs, but they connect. When an external cloud service stores, processes, or transmits covered defense information, DFARS 252.204-7012 requires that service to meet the FedRAMP Moderate baseline or equivalent. A CUI-hosting cloud or SaaS company's path runs through FedRAMP, while its contractor customers run through CMMC.
Is encrypted CUI in a SaaS platform still CUI?
Treat encrypted CUI as CUI unless your contract, your assessor, or authoritative guidance clearly supports another conclusion. Encryption is a control, not a scope eraser, and should not be assumed to remove a service from your assessment boundary without documented analysis.
Is SOC 2 enough for CMMC?
No. SOC 2 can provide useful evidence and reduce your lift, but it does not replace an implementation of NIST SP 800-171 Revision 2, which is what CMMC Level 2 is assessed against.
Is ISO 27001 enough for CMMC?
No. ISO 27001 supports a strong security program and maps to some requirements, but CMMC Level 2 is assessed specifically against NIST SP 800-171 Revision 2.
Does GCC High, Azure Government, or AWS GovCloud make us CMMC compliant?
No. Government cloud can support a compliant environment and reduce scope, but the customer still owns its configuration, scope, policies, System Security Plan, Plan of Action and Milestones, operations, and evidence. Microsoft's own CMMC guidance states that compliance depends on customer configuration and implementation.
Are GitHub, GitLab, Azure DevOps, and CI/CD tools in scope?
They are in scope when they process, store, transmit, or protect CUI or security-protection data. They may be out of scope only if they hold no CUI, no FCI, and no security role for in-scope systems — and that rationale is documented.
Are support tickets in scope for CMMC?
Yes, when they contain CUI, FCI, or Security Protection Data — including screenshots, log exports, attachments, vulnerability details, admin information, or security-event data tied to an in-scope system. A support platform, file-sharing tool, and workflow can all enter scope through a single CUI-laden ticket, which is why defense-serving SaaS companies need controlled support intake.
Is source code CUI?
Not automatically. Source code can be CUI when it's marked as such, contractually defined, government-provided, or export-controlled — but it isn't CUI by default. Confirm against the specific contract and CUI category before treating it either way.
Do subcontractors need CMMC?
Yes, when the subcontract requires them to process, store, or transmit FCI or CUI. DFARS 252.204-7021 includes flow-down requirements, and the required level for a subcontractor is based on the sensitivity of the information flowed down to them (32 CFR §170.23).
Can our CMMC consultant also be our C3PAO?
Not if that C3PAO — or a member of its assessment team — served as a consultant to prepare your organization for any CMMC assessment within the prior three years (32 CFR §170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct). Keep readiness/remediation and Level 2 certification assessment separated unless the C3PAO can document that no prohibited conflict exists.
What's the first step for a software company?
Map your contract clauses and your data flow before you buy anything or schedule an assessment. Once you know whether you handle FCI, CUI, or security-protection data — and whether your product hosts CUI — your path (Level 1, Level 2 self, Level 2 C3PAO, Level 3, or FedRAMP) becomes clear.
Need help deciding what type of CMMC provider you need?
You’ve placed yourself in one of the five positions. The next move depends on which one — and on whether you need readiness help, a CUI enclave, evidence and GRC tooling, FedRAMP advisory, or a formal assessment. The wrong vendor category wastes months, so we route by your actual situation, not by who’s selling hardest.
Before you reach out, pin down your position:
- Contractor or subcontractor handling FCI/CUI yourself (Position 1)
- CUI-hosting SaaS / Cloud Service Provider (Position 2)
- Security or compliance tool / External Service Provider (Position 3)
- FCI-only tool (Position 4)
- Likely out of scope (Position 5)
Here’s how we route, so you know what to expect:
Also relevant: CMMC for SBIR Companies · CMMC for ITAR Companies · CMMC for DoD Subcontractors · Managed IT for Defense Contractors · vCISO Services for CMMC · GCC High for CMMC · CMMC Provider Categories