CMMC for Staffing Agencies: When Staff Augmentation Is — and Isn’t — in Scope
By The Defense Compliance Report Editorial Team · Last reviewed: July 2026 · Last verified: July 17, 2026
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
CMMC for staffing agencies is not automatic.Under the Department of Defense’s official CMMC Level 2 Scoping Guide, “an ESP that is used as staff augmentation and the OSA provides all processes, technology, and facilities does not need CMMC assessment.” In plain terms: if you supply people who work inside your customer’s environment, and no controlled information lands on your own systems, your firm generally is notthe thing being assessed — the customer’s environment is.
Educational research only — not legal, contractual, assessment, or compliance advice. Confirm applicability and contract interpretation with a qualified CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) or a federal-contracts attorney.
Here’s the situation most staffing firms are actually in. A prime just sent a cybersecurity questionnaire, or a new solicitation dropped a “CMMC Level 2” clause onto a contract where all you do is place bodies. You’re feeling quiet panic that your whole company just walked into a six-figure audit — or stubborn certainty that this can’t possibly apply to a staffing shop. Both instincts miss the same fact. And the fix is a single question we’ll answer completely below.
Does CMMC apply to your staffing model?
A staffing agency generally lands in one of four current paths: no separate assessment under the narrow staff-augmentation scenario, CMMC Level 1 (Self) for FCI, CMMC Level 2 (Self) for CUI, or a written clarification when the contract and your actual operations disagree. The path turns on your contract, your data flows, and who supplies the environment — not on the label “staffing agency.” Find the row that looks like you, then keep reading to confirm it.
| Your staffing model | Current starting answer |
|---|---|
| Customer supplies all processes, technology, and facilities; no FCI, CUI, or Security Protection Data reaches your systems | No separate agency assessment indicated under DoD staff-augmentation guidance — confirm in writing |
| Your systems handle FCI but not CUI | CMMC Level 1 (Self) may apply if the clause is flowed down |
| Your systems handle CUI | CMMC Level 2 (Self) is the current minimum path for new designations |
| Your contract still says "Level 2 C3PAO" or "Level 3" after July 13, 2026 | Obtain the solicitation amendment or contract modification — don't self-delete the requirement |
Notice what decides the answer. It isn’t your NAICS code, your headcount, or whether you feellike a defense contractor. It’s five specific facts: (1) the issued contract or subcontract, (2) FCI vs CUI vs neither, (3) who supplies the processes, (4) who supplies the technology and facilities, and (5) whether any agency-controlled asset actually receives the information. Get those five right and the path is almost always obvious.
Which staffing firms this page is for — and which it isn’t
This page is built for staffing and recruiting firms facing a DoD contract, subcontract, flowdown, or FCI/CUI question — the ones deciding whether “we only supply people” still holds. It isn’t for purely commercial staffing with no DoD nexus, or for firms that operate and secure their clients’ IT.
This page is for you if you:
- Place W-2 or 1099 personnel with a DoD prime or higher-tier subcontractor
- Received a CMMC or DFARS flowdown, a supplier questionnaire, or a solicitation asking for a “CMMC status”
- Run a cleared staffing or professional-services desk where workers use the client’s systems
- Aren’t sure whether your ATS, VMS, or Microsoft 365 tenant just became a compliance liability
This page is not the right one if you:
- Run a purely commercial staffing firm with no DoD contract connection and no FCI or CUI
- Operate or secure your customers’ IT systems — that makes you an External Service Provider or MSP (see our CMMC for IT MSPs guide)
- Just want a generic list of “best” CMMC vendors — we don’t publish provider rankings
CMMC for staffing agencies: which path fits your operating model?
A staffing agency’s CMMC path follows its contract, its information, and its systems. CMMC — the Cybersecurity Maturity Model Certification — is the DoD program that verifies contractors protect sensitive government information. Per 32 CFR § 170.23, it applies when a contractor or subcontractor processes, stores, or transmits FCI or CUI on contractor information systems. The scoping rules at § 170.19 then determine what’s inside the boundary.
The Staffing Agency CMMC Applicability Matrix
| Your operating model | What reaches your own systems? | Current screening path | Why it points there |
|---|---|---|---|
| 1. Pure personnel augmentation — workers use the customer's systems, credentials, and facilities; you keep only ordinary HR/payroll data | Nothing controlled, based on verified source and contents | No separate agency assessment indicated — confirm in writing | Matches the staff-augmentation scenario named in the Level 2 Scoping Guide; the customer's environment is what gets assessed, not yours |
| 2. Recruiting only — public postings and ordinary candidate resumes; no government-furnished information | No FCI/CUI, based on the source, purpose, authority, and contents of the records | CMMC not triggered by those files alone | Information isn't FCI or CUI just because it's job-related or sensitive; source and authority decide (§ 170.3; NARA CUI Registry) |
| 3. Your email/ATS/VMS holds nonpublic DoD contract information | Potential FCI — verify it was provided by or generated for the Government and isn't for public release | Level 1 (Self) may apply if it's FCI and the requirement is flowed down | Systems that process, store, or transmit FCI are in Level 1 scope (§ 170.19(b)); Level 1 is 15 requirements, self-assessed |
| 4. Your email/ATS/VMS/cloud receives actual CUI | CUI | Level 2 (Self) is the current minimum for new designations | CUI on your systems puts you in Level 2 scope (§ 170.19(c)); during the Phase 2 suspension, new designations are Self, not C3PAO |
| 5. A worker opens CUI on an agency-issued laptop (not a locked-down VDI terminal) | CUI on your endpoint | That laptop is likely inside the Level 2 boundary | Scope follows the data, not the device label; an endpoint that processes or stores CUI is a CUI Asset (§ 170.19) |
| 6. Agency laptop is a locked-down VDI terminal only | No local CUI | The endpoint may be out of scope if every official condition is met and verified | § 170.19 treats a properly configured keyboard/video/mouse-only VDI client as an Out-of-Scope Asset |
| 7. Your people administer the client's security tools; you receive logs, tickets, or configurations | Security Protection Data, possibly CUI | ESP / Level 2 scoping analysis required | An external service enters scope when its assets handle CUI or security-protection data (§ 170.19(c); Scoping Guide) |
| 8. A contract still requires Level 2 C3PAO or Level 3 after July 13, 2026 | Any relevant FCI/CUI | Get the solicitation amendment or contract modification — don't cancel the clause yourself | The suspension directs contracting officers to change instruments; a Department-wide announcement is not your contract modification |
The single most useful conclusion:for a staffing firm, the whole question collapses into the five facts above — the contract, FCI vs CUI, who supplies the processes, who supplies the technology and facilities, and whether any agency-controlled asset actually receives the information. Get those right and the path is almost always obvious.
What does “staff augmentation” actually mean under DoD’s scoping guidance?
The official CMMC Level 2 Scoping Guide describes a narrow scenario in which a staff-augmentation provider needs no assessment of its own: the customer — the Organization Seeking Assessment (OSA) — supplies all processes, technology, and facilities. It is scoping guidance, not a blanket exemption, and it stops protecting you the instant controlled data reaches an agency-controlled system.
“An ESP that is used as staff augmentation and the OSA provides all processes, technology, and facilities does not need CMMC assessment.”— CMMC Level 2 Scoping Guide, Version 2.13
ESP means External Service Provider. OSA is the customer being assessed. Read plainly: if your people plug into the customer’s environment and your company supplies none of the machinery, your firm generally isn’t the thing under assessment — the customer’s environment is. The guide adds the boundary condition that matters just as much: the services your people provide remain within the OSA’s assessment scope. Your workers’ access still gets accounted for — inside the customer’s assessment, not yours.
The three-part test
For the clean staff-augmentation answer to hold, all three of these must be true. If even one slips, re-check your scope.
| The customer must supply all… | What that means in practice | What to verify |
|---|---|---|
| Processes | The customer's policies, workflows, access approvals, and incident procedures govern the CUI work | Whose procedures your workers follow day to day |
| Technology | Workers use the customer's applications, endpoints, identity, and storage | Whether your email, laptops, remote tools, or support systems ever touch the work |
| Facilities | The relevant work happens in the customer's physical or virtual environment | Whether home offices, your offices, or an agency-controlled virtual environment are involved |
What quietly breaks the clean pattern
This is where firms get surprised. Any one of these can pull controlled data back onto your systems and change your answer:
- A recruiter or account manager receives a document by email that turns out to be FCI or CUI
- A worker downloads a file to an agency laptop
- Attachments get parked in your ATS or VMS “for convenience”
- Your firm supplies the remote-support tooling
- You receive security logs, tickets, or configurations from the client’s protected environment
- Your firm — not the customer — supplies the procedure used to protect or administer the work
- Agency facilities are used for CUI work
The staff-augmentation sentence is guidance, not a rule, and it cannot override a requirement written into your contract. It also stops helping the moment your own systems start handling FCI, CUI, or Security Protection Data. Your job is to prove you actually qualify for it: document your contract, map your data flows, and get the customer to confirm the boundary in writing. Do that, and “we only supply people” becomes a position you can defend to a prime, a contracting officer, or an assessor — instead of a hope.
What changed when CMMC Phase 2 was suspended?
On July 13, 2026, the Department announced the suspension of CMMC Phase 2 — the scheduled expansion of Level 2 (C3PAO) assessment requirements set for November 10, 2026 — and began a 60-day review. Phase 1 self-assessment obligations and the underlying DFARS safeguarding rules remain in effect, and new procurements can currently designate only Level 1 (Self) or Level 2 (Self).
Active vs suspended, as of July 17, 2026
| Item | Status | Why it matters to a staffing firm |
|---|---|---|
| CMMC Level 1 (Self) | Active for applicable new designations | Relevant if your systems handle FCI |
| CMMC Level 2 (Self) | Active for applicable new designations | Relevant if your systems handle CUI |
| New Level 2 C3PAO designation | Suspended | Don't route a new staffing lead to an assessor solely because of the old rollout calendar |
| New Level 3 (DIBCAC) designation | Suspended | Rarely relevant to staffing; not a current procurement route |
| DFARS 252.204-7012 (safeguarding + incident reporting) | Operative where included | Covered-defense-information, cloud, and 72-hour incident-reporting obligations can still apply |
| CMMC self-assessment + SPRS entry (DFARS 252.204-7021) | Active | CMMC self-assessment results and affirmations are entered in SPRS |
| An existing instrument that still says Level 2 C3PAO or Level 3 | Requires transaction-specific handling | Get the solicitation amendment or contract modification — don't assume the clause vanished |
What the suspension does not mean
The suspension does not mean:
- You can move CUI onto ordinary agency systems
- You can ignore NIST SP 800-171
- You should delete a CMMC clause from your own contract
- Every self-assessment requirement disappeared
- A prime can no longer impose cybersecurity terms through a subcontract
The risk that didn’t go anywhere is the False Claims Act. When you self-assess and affirm your status, you’re making a representation the government can act on. Under 31 U.S.C. § 3729, a materially false affirmation made knowingly — or with deliberate ignorance or reckless disregard for the truth — can create False Claims Act exposure; the statute does not require a specific intent to defraud. There is no universal November 10, 2026 certification deadline anymore. Your operative deadlines now come from your current solicitation, contract, subcontract, amendment, or modification, plus the ongoing ones: annual affirmations, the 180-day POA&M closeout window, and the 72-hour cyber-incident-reporting deadline where DFARS 252.204-7012 applies.
Which DFARS assessment clauses apply to a staffing agency in 2026?
Read the clause set in your actual instrument, because the numbers changed in February 2026. A DoD class deviation tied to the Revolutionary FAR Overhaul eliminated DFARS 252.204-7019, renumbered 252.204-7020 to DFARS 252.240-7997, and renumbered FAR 52.204-21 to FAR 52.240-93 — all without formal rulemaking, so legacy and deviation-path clause numbers now coexist. Effective Class Deviation 2026-O0025 (February 1, 2026) stood up a new DFARS Part 240. It did not add new cybersecurity obligations — it reorganized how the Department administers NIST SP 800-171 assessment activity while it transitions toward full CMMC.
| Clause | 2026 status | What it means for a staffing agency |
|---|---|---|
| DFARS 252.204-7012 | Operative where included | Safeguarding, cloud, and 72-hour cyber-incident-reporting obligations still apply for covered defense information |
| FAR 52.204-21 (basic safeguarding) | Renumbered to FAR 52.240-93 in deviation-path instruments | The 15 Level 1 safeguards are unchanged; CMMC Level 1 still references 52.204-21. Verify which number is in your instrument |
| DFARS 252.204-7019 (Notice of NIST assessment) | Eliminated | The standalone "Basic" self-assessment / SPRS-upload clause is gone as a separate provision |
| DFARS 252.204-7020 (NIST assessment requirements) | Renumbered to DFARS 252.240-7997 | Used for Government Medium/High NIST SP 800-171 DoD assessments in deviation-path instruments; the "Basic" concept is removed |
| DFARS 252.204-7021 / -7025 (CMMC) | Unchanged | Govern CMMC status and solicitation notice; CMMC self-assessment results and affirmations post to SPRS |
Do not assume 252.204-7019/-7020 are the only current DoD assessment provisions, and don’t assume they’re gone from your existing contract either. Read the instrument you actually hold. One SPRS point worth its own line: if your systems handle CUI, you still self-assess against NIST SP 800-171 Revision 2 and report your score in SPRS— that obligation now sits under the CMMC clause (DFARS 252.204-7021), not the retired 7019. SPRS has become the gate primes and contracting officers check; if your records and affirmations aren’t current, you can be treated as ineligible even while you’re doing the work. For more on the clause history, see our FAR 52.204-21 explained guide.
Is your staffing agency handling FCI, CUI, or neither?
Classify information by its source and governing authority, not by how sensitive it feels. FCI is nonpublic information provided by or generated for the government under a contract; CUI requires a category and safeguarding authority under law, regulation, or government-wide policy. Public job postings and ordinary candidate resumes are not automatically either one.
FCI (Federal Contract Information) is the lower tier: nonpublic information tied to performing a contract, not intended for public release. CUI (Controlled Unclassified Information) only qualifies when a law, federal regulation, or government-wide policy says so. The authoritative reference is the National Archives (NARA) CUI Registry, not a vendor’s marketing list. For a deeper dive, see our FCI vs CUI guide.
FCI vs CUI vs ordinary HR data
| Example | Starting classification | What could change it |
|---|---|---|
| Public job posting copied from a public agency or contractor site | Neither, just because it's government-related | Nonpublic statements of work, program details, or contract attachments added to it |
| Ordinary applicant resume created for commercial recruiting | Private/PII — not automatically CUI | Government-provided personnel-security material, or content created for a government function under an applicable authority |
| Nonpublic subcontract labor requirement in your email | Likely FCI | Whether it was provided by or generated for the Government, and whether it carries a CUI category |
| A marked technical attachment | Likely CUI | Incorrect marking, authorized decontrol, or a different controlling instruction |
| Government personnel-security records | May be CUI | The exact CUI Registry category, source, and handling instruction |
| Any of the above where the answer isn't clear | Classification unresolved | Get written classification before you treat it as either in or out |
Are candidate resumes CUI?
A resume is not CUI merely because it lists a clearance, defense experience, or technical skills. The answer changes when government-controlled personnel-security information, contract-specific nonpublic content, or material covered by a CUI Registry category is embedded in or attached to the recruiting record.
Is a security clearance CUI?
Don’t accept a universal yes or no. Some government-originated personnel-security information may fall within a CUI category. A candidate’s statement that they hold a clearance does not, by itself, turn every resume and ATS record into CUI. Use this script with your prime or customer:
“Please identify the CUI category or subcategory, the governing authority, and the systems through which our personnel are expected to access it.”
If they can’t answer, the classification is unresolved — not disproven.A prime’s failure to explain does not make the material non-CUI. Keep it off unapproved systems and get written classification or contract clarification before you change your scope or your architecture.
When does a staffing agency need CMMC Level 1 vs Level 2?
Level 1 is the path when an applicable CMMC requirement governs the instrument and your contractor information systems handle FCI but not CUI: 15 security requirements from FAR 52.204-21, an annual self-assessment, and an annual affirmation. Level 2 is the minimum when your systems handle CUI: the 110 requirements of NIST SP 800-171 Revision 2 across 14 families, and — during the current suspension — a self-assessment rather than a C3PAO audit. These are different obligations with different costs, so don’t blur them.
CMMC Level 1 (FCI)
Level 1 covers the basics — the 15 basic safeguarding requirements in FAR 52.204-21: limiting system access to authorized users, authenticating identities, controlling physical access, and related safeguards. You self-assess annually and submit an affirmation in SPRS. There is no C3PAO involved. Level 1 is 15 security requirements, not 17.The “17 practices” language belongs to the retired CMMC 1.0 model.
Two things to note: Level 1 does not permit a POA&M— a Plan of Action and Milestones (32 CFR § 170.21). You either meet all 15 or you don’t. And a clause-vintage note: CMMC Level 1 remains the 15 requirements incorporated by 32 CFR Part 170 from FAR 52.204-21, but new DoD solicitations issued under the February 2026 class deviation may cite FAR 52.240-93 as the replacement basic-safeguarding clause. Verify the clause actually in the instrument. See our FCI basic safeguarding requirements guide for all 15 with evidence guidance.
Staffing examples that may point to Level 1:
- Nonpublic contract staffing requirements sitting in agency email
- A nonpublic subcontract or task order stored in your document system
- A VMS or ATS record that contains FCI but no CUI
CMMC Level 2 (CUI)
Level 2 is the real lift. It maps to the 110 security requirements of NIST SP 800-171 Revision 2, organized into 14 control families. Under the current suspension, new procurements designate Level 2 (Self)— but “self-assessment” is not “informal.” You still need an accurate scope, a System Security Plan (SSP), evidence for every requirement, an assessment result, an SPRS score, and an annual affirmation.
The mechanics that trip people up, straight from the rule (32 CFR § 170.16, § 170.21, § 170.17):
- It recurs. Level 2 (Self) must be repeated every three years, with affirmation at assessment and annually thereafter.
- Conditional status is narrow. To earn Conditional Level 2, you need a score of at least 80% — 88 of 110. Only 1-point requirements may go on a POA&M, six specific requirements are barred from POA&M treatment entirely, and everything must be closed out within 180 days or the conditional status expires.
- Keep your proof. Assessment artifacts must be retained for six years from the CMMC Status Date.
CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. Don’t let a vendor represent Revision 3 as the current CMMC assessment standard.
Staffing examples that may point to Level 2:
- CUI attachments arriving in recruiter or account-manager email
- Agency laptops opening CUI without meeting the strict VDI conditions
- CUI uploaded into your ATS, VMS, collaboration platform, or cloud drive
- Your personnel administering security or collaboration services that expose CUI to your systems
DCR’s editorial conclusion: the biggest controllable lever on Level 2 cost is usually the size and complexity of the defined scope. A staffing firm that places five people inside a customer-controlled environment needs a very different architecture from one whose recruiters, laptops, ATS, and cloud all routinely touch CUI. Before you buy a compliant environment, shrink what has to be in it. Scope first, software second.
Do client devices, VDI, or your ATS keep you out of scope?
Client- or government-owned devices are strong evidence of a customer-controlled environment, but ownership alone doesn’t settle your scope — the data flow does. A virtual desktop can keep an endpoint out of scope, but only when it meets every official condition. And an ATS, VMS, or email system is in or out based on the information it actually holds, not its product category. Verified against 32 CFR § 170.19 and the Department’s current CMMC FAQ.
Client-owned devices are not a magic phrase
The clean path looks like this: a worker uses the customer’s device, authenticates through the customer’s identity system, does the work inside the customer’s environment, and nothing returns to agency email, storage, or endpoints. But watch the ways data sneaks back to you — screenshots emailed to a recruiter, a technical file attached to a timesheet dispute, support tickets copied to your inbox, downloads to agency machines.
Government-furnished equipment (GFE) is a nuance worth its own note. Under § 170.19, GFE is a “Specialized Asset.” At Level 1, Specialized Assets are not part of the assessment scope. At Level 2, GFE is a Specialized Asset that iswithin the assessment scope for asset-inventory, SSP, and network-diagram documentation and risk-based management — it just isn’t assessed against the other Level 2 security requirements. So “it’s GFE” does not mean “it’s outside everything” for a CUI-handling firm.
Can VDI keep your laptops out of scope?
Yes — narrowly. Under 32 CFR § 170.19, an endpoint hosting a VDI client “configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.”
| Condition | What it requires | How it fails |
|---|---|---|
| Keyboard/video/mouse only | The endpoint transmits only KVM data; CUI stays in the session | A local browser or app handles CUI |
| No local processing, storage, or transmission | Nothing persists on the endpoint | Cache, temp files, or local sync |
| Copy/save/print/file-transfer disabled | Clipboard, screenshots, printing, local-drive mounting all blocked server-side | Any convenience feature left on |
| Separate MFA to the VDI server | A distinct token with password or PIN to reach the session | Shared or weak authentication |
| Configuration verified | You can demonstrate the lockdown, repeatably | You assumed it from vendor marketing |
A remote-desktop icon is not evidence. The configuration and the demonstrated data behavior are the evidence. And a related clarification the current FAQ makes explicit: encrypting CUI does not decontrol it. Encrypted CUI is still CUI, and still in scope.
Does your ATS, VMS, or email need to be “CMMC compliant”?
There is no standalone CMMC label for an ATS or a VMS. The question is what the system holds and what function it performs.
| System | Usually outside scope when… | Enters the analysis when… |
|---|---|---|
| ATS | Only ordinary recruiting records | CUI, FCI, or government personnel-security material is uploaded |
| VMS | Only commercial scheduling and invoicing | Nonpublic contract information or CUI attachments are stored |
| HRIS / payroll | No FCI, CUI, or Security Protection Data | Government-controlled records or FCI land in fields or attachments |
| Agency email | Administrative messages only | FCI, CUI, screenshots, logs, or technical attachments arrive |
| Cloud drive | No FCI/CUI | FCI or CUI is stored or shared |
Attachments are the workflow point to test before you treat any “ordinary” system as outside the boundary. Inspect resume attachments, requisition attachments, onboarding files, timesheet-dispute documents, clearance fields, and email-to-ATS ingestion.
And don’t let anyone tell you your ATS “must be FedRAMP” purely because it’s cloud software. Under 32 CFR § 170.16, the applicable clause can require a cloud service offering to be FedRAMP Authorized at the Moderate baseline — or to meet security requirements equivalent to that baseline — when it stores, processes, or transmits CUI. First confirm whether that’s even happening.
What should you ask the prime before accepting a CMMC flowdown?
Don’t answer an ambiguous flowdown with either instant agreement or a blanket claim of exemption. Ask the prime to identify the required status, the information category, the applicable systems, what the customer supplies, and any amendment resulting from the July 2026 suspension. A flowdown is the point where you either establish a clean boundary or accidentally accept scope you don’t have.
Here are the nine questions we’d put in writing. Copy them, fill in your specifics, and send them — no tool or form required.
- Which exact CMMC and DFARS clauses are being flowed down to us?
- Was this instrument issued or modified under Class Deviation 2026-O0025, and does it use DFARS 252.240-7997 rather than legacy 252.204-7019/-7020?
- What CMMC level and assessment type does the current instrument require?
- Will our company receive FCI, CUI, or Security Protection Data — and through what channel?
- If CUI is involved, which CUI Registry category and governing authority apply?
- Are all relevant processes, technology, and facilities supplied by your organization or the government?
- Could any work product, attachment, ticket, screenshot, or technical record reach our email, ATS, VMS, laptops, or cloud?
- Which organization’s CMMC Assessment Scope covers the systems and services our workers use, and which organization must submit any required assessment result and affirmation?
- Has this solicitation or subcontract been amended or modified following the July 13, 2026 Phase 2 suspension?
The answers do two things: they tell you your real path, and they create a written record you can show a contracting officer or assessor later. If the prime can’t answer question 5 or 6, keep the CUI off your systems until they can. For the mechanics of how flowdowns are written and communicated, see our CMMC Flowdown Letter Template.
Which CMMC provider category should a staffing agency contact first?
Match the provider category to your unresolved problem, not to a sales pitch. Unclear scope or clause → a Registered Provider Organization (RPO) for scoping, plus counsel if contract interpretation is at stake. FCI on your systems → Level 1 readiness support. CUI on your systems → an RPO and a CMMC-focused MSP/MSSP before you think about an assessor.
A quick vocabulary check: a C3PAO (Certified Third-Party Assessment Organization) performs the formal Level 2 certification assessment. An RPO/RP (Registered Provider Organization / Registered Practitioner) provides readiness and advisory help. An MSSP (Managed Security Service Provider) runs security operations. A GRC platform manages evidence and control mapping. A CUI enclave is a hardened, segmented environment that keeps CUI in one small, controlled place.
| Your situation | First category to consider | Not your first move |
|---|---|---|
| Contract or staff-augmentation applicability is unclear | RPO/RP for scoping, plus a federal-contracts attorney if interpretation is material | Buying a large technology stack |
| Staff augmentation seems to fit, but the prime disagrees | Written prime/contracting clarification; targeted RPO or counsel review | Declaring yourself "exempt" |
| Your systems handle FCI only | Level 1 readiness support, or a capable MSP fluent in FAR 52.204-21 | A C3PAO engagement |
| Your systems handle CUI | An RPO/readiness consultant plus a CMMC-focused MSP/MSSP as needed | Booking an assessor before remediation is done |
| You need to shrink a broad CUI footprint | A CUI enclave architecture/provider | Migrating every system before modeling the enclave |
| Evidence management is the main gap after scope is set | A GRC platform (as a supporting layer, not the whole solution) | Treating GRC software as the technical fix |
| An issued formal-assessment requirement survives the suspension | Verify the requirement and current Cyber AB Marketplace status, keeping readiness and assessment separate | Using your assessor as your remediation provider |
One independence rule the industry sometimes blurs: under the Cyber AB Code of Professional Conduct and 32 CFR § 170.8, a C3PAO — and every member of its assessment team — may not perform a Level 2 certification assessment for an organization they helped prepare for any CMMC assessment during the prior three years. A C3PAO may perform a non-certification or “mock” assessment only under the Cyber AB’s separate conditions. Keep readiness and formal assessment in separate lanes, and be skeptical of anyone selling both as one package.
What should a staffing agency budget — and refuse to buy too early?
There’s no honest universal CMMC price for staffing agencies, because the work ranges from documenting a clean staff-augmentation boundary to implementing and evidencing all 110 Level 2 requirements across the defined CMMC Assessment Scope. Your first spend should resolve your biggest uncertainty — usually applicability or scope — not commit you to a platform, enclave, or assessment prematurely.
| Your likely path | Legitimate first spend | What to avoid buying first |
|---|---|---|
| Pure staff augmentation likely | Targeted scope/contract validation and written customer confirmation | A company-wide CUI environment |
| Level 1 likely | A 15-requirement gap assessment and evidence plan | A Level 2 enclave or C3PAO package |
| Level 2 likely | Formal scope, SSP and gap work, a remediation plan | A formal assessment before you're ready |
| ATS/VMS data status unclear | A data inventory and workflow test | Replacing the ATS based on its label |
| Contract still names a suspended requirement | Contracting clarification or qualified legal review | Assuming the clause disappeared |
| Broad agency CUI footprint | An enclave-vs-enterprise architecture analysis | Migrating everything before comparing boundaries |
As of July 2026 we reviewed public provider pricing pages, published CMMC cost surveys, and defense-contractor community discussions, and excluded broad vendor-marketing ranges because none separated the variables that actually drive a staffing firm’s cost. A range that blends all of that looks authoritative and tells you nothing. Your cost is set by your scope, and your scope is set by the five facts at the top of this page.
What CMMC mistakes cost staffing agencies the most?
Staffing firms usually make one of two opposite errors: assuming that supplying people makes the company categorically exempt, or assuming that one flowdown drags every corporate system into Level 2. The correct boundary comes from the issued requirement, the information classification, the operating role, and the demonstrated data flow — in that order. Here are the specific traps, each with a way to test for it.
Calling staff augmentation a blanket exemption.
It's guidance for a narrow scenario, and it can't override your contract or survive controlled data hitting your systems.
Test: Get the customer to confirm, in writing, that it supplies all processes, technology, and facilities.
Treating every resume or clearance mention as CUI.
Apply the CUI Registry and the source-and-authority test first.
Test: Ask for the CUI category and governing authority; if none is given, the classification is unresolved, not disproven.
Trusting the intended workflow instead of testing the real one.
Recruiters forward attachments. Email-to-ATS ingestion runs quietly.
Test: Inspect a sample of real attachments and export your ATS/VMS field inventory.
Assuming client-owned devices settle the whole boundary.
Your email, HR systems, facilities, and support tooling still need review.
Test: Map every place work product could land on an agency-controlled asset.
Treating any remote desktop as out of scope.
Only a properly configured, verified, locked-down VDI qualifies.
Test: Validate the KVM-only, no-local-storage, separate-MFA controls and keep the evidence.
Buying GCC High or an enclave before classifying the information.
The platform decision comes after the data and boundary decision.
Test: Finish your FCI/CUI classification first.
Booking a C3PAO because of the old November 2026 schedule.
New designations can't require one right now.
Test: Confirm a surviving contract requirement or a deliberate business case before engaging an assessor — and never use your assessor as your remediation provider.
Believing the Phase 2 suspension erased DFARS 252.204-7012.
It didn't. Safeguarding, cloud, and 72-hour incident-reporting obligations can still apply.
Test: Check whether 7012 is in your contract.
Relying on the public suspension announcement instead of getting your contract change.
The requirement in your instrument is what binds you.
Test: Obtain the solicitation amendment or contract modification in writing.
Assuming your SPRS record takes care of itself.
SPRS is now the gate primes and contracting officers check.
Test: Confirm your current status and affirmation are posted and current.
What did The Defense Compliance Report actually verify?
We checked the current program status, the governing rule, the acquisition clauses and the February 2026 class deviation, the official Level 2 Scoping Guide, the VDI guidance, and the federal FCI/CUI definitions on July 17, 2026. We did not verify any named provider, any universal staffing cost, or any individual contractor’s scope.
Documents verified (as of July 17, 2026):
- The July 13, 2026 CMMC Phase 2 suspension announcement and the current implementation status
- 32 CFR Part 170 — applicability, levels, scoping, POA&M, and subcontractor flowdown (§§ 170.3, 170.16, 170.17, 170.19, 170.21, 170.23)
- Class Deviation 2026-O0025, effective February 1, 2026, and the current/legacy DFARS clause sets
- DFARS 252.204-7012 and 252.204-7021 on Acquisition.gov
- The staff-augmentation language in the CMMC Level 2 Scoping Guide, Version 2.13
- The VDI out-of-scope conditions in 32 CFR § 170.19 and the Department’s current CMMC FAQ
- Federal FCI and CUI definitions and the NARA CUI Registry
- The Cyber AB Code of Professional Conduct for assessor independence
What we did not claim:
- That every staffing agency with client-owned devices is out of scope
- That any individual contract has been amended or modified
- That all clearance-related information is CUI
- That any specific ATS or VMS is compliant
- That any provider is appropriate for your situation
- That a universal cost or timeline applies
Found a changed rule, clause, or guidance document? See our corrections policy.
What should a staffing agency do next?
Start with the contract and the data path, not a provider quote. Confirm the current requirement, determine whether your systems touch FCI, CUI, or Security Protection Data, document the staff-augmentation conditions, then pursue only the assessment or provider category that fact pattern indicates.
- Read the current instrument.Identify every CMMC and DFARS provision, note whether it’s a legacy or deviation-path clause set, and check for amendments and modifications.
- Classify the information. Neither, FCI, CUI, Security Protection Data, or unresolved. When CUI is asserted, demand the category and authority.
- Map the real data flow. Email, ATS, VMS, laptops, cloud, customer devices, VDI, support tools, facilities.
- Apply the staff-augmentation test. All processes? All technology? All facilities? No agency data path?
- Choose the next path. Written confirmation, Level 1 (Self), Level 2 (Self), provider-category help, or qualified contract advice.
This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where contract interpretation is material, a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.
Frequently asked questions about CMMC for staffing agencies
- Do staffing agencies need CMMC certification?
- Not automatically — and "certification" is currently the wrong blanket term for many new-procurement scenarios, because Phase 2 is suspended and new designations are limited to Level 1 (Self) or Level 2 (Self). Your contract role, your systems, and your FCI/CUI handling determine the path. A staffing firm whose people work entirely in the customer's environment, with nothing controlled reaching its own systems, generally needs no separate assessment.
- Does a staff-augmentation company need its own CMMC assessment?
- The official CMMC Level 2 Scoping Guide states that no separate assessment is needed when the customer supplies all processes, technology, and facilities. Treat that as a narrow fact pattern to document and confirm in writing — not a universal exemption. The services your people provide are still accounted for within the customer's assessment scope.
- Does CMMC apply if our employees only use the client's computers?
- Possibly not to a separate agency environment, but device ownership alone doesn't settle it. Confirm that no relevant data, logs, attachments, screenshots, or support records reach your own systems, and that the customer supplies all relevant processes and facilities. If controlled data flows back to your email or ATS, your scope changes.
- Does using government-furnished equipment keep us out of scope?
- Government-furnished equipment (GFE) is a "Specialized Asset" under 32 CFR § 170.19. At Level 1 it isn't part of the assessment scope; at Level 2 it's within scope for asset-inventory, SSP, and network-diagram documentation and risk-based management, though it isn't assessed against the other Level 2 requirements. GFE doesn't automatically remove every agency obligation — the clause, the data path, and your own systems still matter.
- Are candidate resumes CUI?
- Not automatically. A privately generated resume is private information; it doesn't become CUI just because it mentions defense work or a clearance. The classification changes if government-controlled personnel-security data, contract-specific nonpublic content, or material covered by a NARA CUI Registry category is embedded in or attached to the record.
- Is security-clearance information CUI?
- There's no universal yes or no. Some government-originated personnel-security information may fall within a CUI category, but a candidate's statement that they hold a clearance doesn't turn every resume or ATS record into CUI. Ask for the category, authority, and source; if it isn't provided, treat the classification as unresolved rather than assuming the material is not CUI.
- Does our ATS or VMS need to be CMMC compliant?
- There's no standalone CMMC label for an ATS or VMS. Determine whether the system stores or processes FCI, CUI, or Security Protection Data, and whether it's part of the assessed environment or an external service supporting it. The product category doesn't decide scope — the data does.
- Does our ATS need FedRAMP authorization?
- Not merely because it's cloud software. Under 32 CFR § 170.16, the applicable clause can require a cloud service that handles CUI to be FedRAMP Authorized at the Moderate baseline, or to meet security requirements equivalent to that baseline. First confirm whether the service is actually storing, processing, or transmitting CUI.
- Which DFARS clauses apply to my contract in 2026?
- It depends on the instrument's vintage. A February 1, 2026 class deviation (2026-O0025) eliminated DFARS 252.204-7019, renumbered 252.204-7020 to DFARS 252.240-7997, and renumbered FAR 52.204-21 to FAR 52.240-93 for new deviation-path solicitations. Existing contracts may still carry the legacy numbers. DFARS 252.204-7012 and the CMMC clause (252.204-7021) are unchanged. Read the clause set in your actual solicitation, contract, or modification.
- Can a prime flow CMMC down to a staffing subcontractor?
- Yes, where your role and information handling meet the applicable conditions. Under 32 CFR § 170.23, CMMC status requirements flow down based on whether the subcontractor processes FCI or CUI on contractor information systems. Separately, DFARS 252.204-7012 has its own flowdown rule for subcontracts involving operationally critical support or covered defense information. Both can apply, but they're different mechanisms.
- Do staffing agencies need an SPRS score?
- If your systems handle CUI, you self-assess against NIST SP 800-171 Revision 2 and report a score in the Supplier Performance Risk System (SPRS); that obligation now sits under the CMMC clause (DFARS 252.204-7021) rather than the retired 252.204-7019. A personnel-only model with no relevant agency system may have a different answer — so resolve applicability and scope first.
- Do staffing agencies need a C3PAO in 2026?
- Don't assume so. Phase 2 is suspended, and new procurement designations are limited to Level 1 (Self) and Level 2 (Self). A C3PAO performs formal Level 2 certification assessments — but if your existing instrument still says "Level 2 C3PAO," that requires the issued amendment or modification, not a self-cancellation. A voluntary non-certification assessment remains possible, but it isn't required by the old rollout calendar.
- Does the CMMC suspension mean we can stop implementing NIST SP 800-171?
- No. The suspension applies to the Phase 2 third-party assessment milestone. It did not erase DFARS 252.204-7012 obligations that apply through an issued contract, and it did not eliminate self-assessment requirements. NIST SP 800-171 Revision 2 remains the controlling standard for CMMC Level 2.
- What if the staffing agency handles CUI only on paper?
- Current DoD guidance indicates that an organization handling only hard-copy CUI is not required to complete a CMMC assessment solely for that paper-only scenario, though applicable safeguarding obligations still apply. The moment that CUI is scanned, photographed, uploaded, printed from a digital system, or emailed, it enters your digital environment and the scoping analysis changes.
- Can VDI keep our laptops out of the Level 2 scope?
- Potentially — but only when the endpoint meets every official condition and you can verify it. Under 32 CFR § 170.19, a VDI client that transmits only keyboard, video, and mouse data — with no local processing, storage, copy, print, or file transfer, and separate multifactor authentication to the VDI server — is an Out-of-Scope Asset. Ordinary remote-desktop software with downloads or caching does not qualify.
- Who should a staffing company call first?
- When the contract or scope is unclear, start with a Registered Provider Organization (RPO) experienced in scoping, and bring in a qualified federal-contracts attorney if contract interpretation is material. Don't start with a C3PAO or a broad technology migration before the applicable requirement and your boundary are established.
Disclosure
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Independence & scope
The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where contract interpretation is material, a qualified federal-contracts attorney.
Primary sources
- 32 CFR Part 170 — CMMC Program rule (§§ 170.3, 170.16, 170.17, 170.19, 170.21, 170.23)
- CMMC Level 2 Scoping Guide, Version 2.13 — staff-augmentation and VDI guidance
- DFARS 252.204-7012 and 252.204-7021 — Acquisition.gov
- Class Deviation 2026-O0025 — February 2026 FAR/DFARS renumbering
- NIST SP 800-171 Revision 2 and NIST SP 800-172
- NARA CUI Registry — CUI categories and governing authorities
- Cyber AB — Code of Professional Conduct and Marketplace
- 31 U.S.C. § 3729 — False Claims Act