The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC for VARs and Resellers: Who Needs It, the COTS Exceptions, and Your Current 2026 Path

By The Defense Compliance Report Editorial Team · Last reviewed July 2026 · Last verified July 17, 2026 · Not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, or NIST.

CMMC for VARs and resellers comes down to what your contract requires and what information touches your systems — not your business model. Three things decide it. Is the contract exclusivelyfor commercially available off-the-shelf (COTS) products, and above the $15,000 micro-purchase threshold? Then CMMC generally doesn’t reach that order — 32 CFR § 170.3(c) excludes it. Does the contract impose a requirement and does FCI touch your covered systems? Level 1 (Self) applies. Does CUI touch your covered systems? Level 2 (Self) is the current minimum.

Here’s the part that gets lost when someone’s trying to sell you compliance: plenty of resellers are being told they need Level 2 when the facts may not support it — and some who assume they’re exempt are quietly wrong. Both mistakes are expensive. This page gives you the test to tell which one you’re at risk of, with the primary source behind every branch, so you stop guessing before you spend six figures.

Your situation at a glance

Where you sitYour starting answer
You sell standard OEM products as-is, and only ever see public catalog data and payment infoLikely out of scope — document a COTS/no-scope position
A CMMC or DFARS clause appears, and FCI lives in your email/CRM/ERPLevel 1 (Self) candidate
A clause appears, and you handle CUI (controlled drawings, technical data)Level 2 (Self) candidate during the current suspension
You modify, image, integrate, or build product to a government specThe COTS analysis changes — level then depends on FCI vs CUI
You administer a customer's cloud tenant, or hold their logs/configs/backupsExternal Service Provider (ESP) scope analysis needed
You pass CUI to an OEM or drop-ship partnerDownstream Level 2 (Self) flow-down candidate
Your solicitation still says "Level 2 (C3PAO)" or "Level 3"Confirm the amendment the suspension requires — don't assume it vanished

Read the rows that sound like you. Every one is explained, and sourced, below.

One honest admission:some reseller transactions genuinely don’t require any CMMC status. If you’re a true “box mover” — unmodified commercial product, no nonpublic government information touching your systems — you may owe nothing for that sale, and we’ll show you why in the COTS section. But don’t confuse “I’m a reseller” with “I’m exempt.” Those are different claims. The reseller who assumes exemption and signs a compliance representation anyway is the one taking on False Claims Actrisk — knowingly false, material cybersecurity representations are exactly what the Department of Justice’s Civil Cyber-Fraud Initiative pursues. The first compliance task isn’t buying a tool. It’s establishing the facts and writing them down.


Does CMMC apply to VARs and resellers?

Sometimes — and the deciding factors are what your contract requires and what information touches your systems, not what you sell. A pure reseller moving standard COTS products as-is, who never handles government information beyond public catalog data and payment fields, generally falls outside CMMC for that order under 32 CFR § 170.3(c). Once the contract imposes a requirement and FCI or CUI enters your covered systems, the rule applies.

Section 170.3(c) applies CMMC to DoD solicitations and contracts where a contractor “will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items (except those exclusively for COTS items)valued at greater than the micro-purchase threshold.” The trigger is the informationcrossing your covered systems, gated by the COTS carve-out and the threshold. “VAR,” “reseller,” and “distributor” are business labels, not scope determinations. Not sure what your required level even is? Start with our plain-English CMMC Level 1 vs Level 2 vs Level 3 breakdown.

The reseller applicability matrix

* This column is The Defense Compliance Report’s editorial triage based on the assumptions in each row — not a determination. Current-program note: under the July 13, 2026 suspension, only Level 1 (Self) and Level 2 (Self) can currently be required; Level 2 (C3PAO) and Level 3 requirements are suspended for new designations. Verified against 32 CFR Part 170 and FAR/DFARS on July 17, 2026.

Reseller operating modelExclusively COTS?Touches FCI?Touches CUI?Governing authorityCurrent likely status*What to verify first
Pure box mover — unmodified OEM product, sees only public catalog + payment dataYesNoNoCOTS exclusions applyLikely noneThat the order is exclusively COTS and no specs/drawings will be sent
Configuring / modifying VAR — images, integrates, or builds to a gov specOften no (fact-specific)UsuallySometimesFAR 52.240-93; possibly DFARS 7012Level 1 (Self), or Level 2 (Self) if CUIWhether the config is a gov-unique modification, and whether the tech package is CUI
VAR handling controlled tech data — receives CUI drawings, CAD, engineering dataUsually noYesYesDFARS 252.204-7012; § 170.23Level 2 (Self) minimumWhere CUI lives in your environment; enclave options
Cloud / license reseller — customer owns the tenant, you have no admin accessN/A (service)SometimesPossiblyDepends on data you holdDepends on your systems, not the productThat reselling a compliant cloud ≠ your environment being compliant
Reseller who administers the tenant or holds logs/configs/backupsNoLikelyPossibly§ 170.4; § 170.19 (ESP)ESP in the customer's scopeWhether you hold CUI vs only Security Protection Data
Reseller providing managed/professional services touching gov systems or dataNo (services)LikelyPossiblyFAR 52.240-93; DFARS 7012 if CDILevel 1 or 2 (Self) by data typeWhether your support reaches FCI/CUI systems
Distributor passing CUI to an OEM or fulfillment partnerUsually noYesYes§ 170.23 flow-downLevel 2 (Self) flows downstreamThe exact data the prime will send, and to whom
Sub-tier supplier to a prime, any of the abovePer scenarioPer scenarioPer scenario§ 170.23Flows down per information typeThe prime's flow-down language and the data behind it

Does CMMC apply to reseller orders at or below the micro-purchase threshold?

Generally no — the CMMC exclusion in 32 CFR § 170.3(c) applies to acquisitions at or below the micro-purchase threshold, which is currently $15,000 for most buys. That threshold rose from $10,000 to $15,000 effective October 1, 2025 (FAR 2.101, inflation adjustment at 90 FR 41872). An order at or below $15,000 generally isn’t a vehicle for CMMC obligations even if some covered information touches the transaction.

Don’t over-read this. The $15,000 figure is the generalmicro-purchase threshold — FAR 2.101 sets different figures for certain circumstances. And a low-dollar order doesn’t erase separate obligations that ride on other clauses in the instrument, or your duty to protect any covered information you do receive.


Are COTS resellers exempt from CMMC?

Not automatically — the exemption is narrower than the word “commercial” makes it sound, and it hinges on two separate questions. First, is the item itself COTS under FAR 2.101: a commercial product, sold in substantial quantities in the commercial marketplace, offered to the Government without modification, in the same form it’s sold commercially? Second, is the acquisition exclusively for COTS items? You can fail the exemption on either axis.

When an acquisition is genuinely COTS-only, three separate obligations fall away at once:

The two-axis COTS test

Most explainers collapse COTS into a single yes/no. It isn’t. Run both axes:

Axis 1 — Is the item still COTS?A COTS item must be offered “without modification, in the same form in which it is sold in the commercial marketplace.” A government-unique modification— changing the product to meet a Government spec — takes it out of the COTS definition. Routine commercial setup that’s typically available in the marketplace may not be a disqualifier; that’s a fact question.

Axis 2 — Is the acquisition exclusively for COTS items? Even if the underlying product stays COTS, separately purchasedconfiguration, integration, imaging, kitting, installation, or support can mean the acquisition isn’t exclusively for COTS items. Read the line items and the statement of work, not just the part number.

Is my situation COTS-only?

FactSupports COTS-onlyCuts against it
Standard commercial SKU, sold widely in the marketplaceProduct sold only to government/niche buyers
Supplied without modificationA government-unique modification to meet a spec
No separately purchased servicesIntegration, installation, engineering, administration as line items
You see only public + simple payment dataAny nonpublic performance or technical data
Instrument expressly identifies a COTS-only procurementStrong supportMixed product-and-service line items

If you land on the COTS-only side, don’t just believe it — document it.Keep the manufacturer catalog and evidence of commercial sales, a statement that the item ships without modification, your line-item analysis, a short data-flow note showing no covered information enters your systems, and the full instrument. A documented COTS position is a defensible answer to a prime’s questionnaire. An undocumented assumption is a liability.

One more trap: COTS-only doesn’t mean data-free.If a buyer hands you covered information — a controlled drawing, a marked spec, nonpublic performance data — to perform the order, that’s a signal the work may not be exclusively COTS, or that a separate clause like DFARS 252.204-7012 attaches on its own terms.


Which CMMC level does a VAR or reseller need right now?

Where a CMMC requirement applies, the information you handle sets the level: FCI maps to Level 1 (Self); CUI maps to Level 2 (Self) at minimum. FCI in your covered systems puts you in Level 1 territory — the 15 basic safeguarding requirements, self-assessed annually (32 CFR § 170.23). CUI puts you at Level 2 minimum — the 110 requirements of NIST SP 800-171 Revision 2 across 14 control families.

Level 1 (Self) — for FCI. Fifteen basic safeguarding requirements, originally at FAR 52.204-21(b)(1) and now carried in FAR 52.240-93 after the 2026 renumbering. You self-assess annually, an affirming official affirms it, and you post it in SPRS. There’s no Plan of Action and Milestones (POA&M) at Level 1 — it’s pass or fix. For the full control-by-control walkthrough, see our FCI basic safeguarding guide.

Level 2 (Self) — for CUI. The full 110 requirements of NIST SP 800-171 Revision 2, in 14 families. You self-assess every three years, affirm annually in SPRS, and need a minimum assessment score of 88 out of a possible 110to be award-eligible with a limited POA&M. POA&M items must be closed within 180 days, and not every requirement is POA&M-eligible. CMMC Level 2 is assessed against NIST SP 800-171 Revision 2, not Revision 3. If a vendor is building your program to Revision 3, make sure it’s also closing every gap against the Revision 2 baseline the rule actually requires.

Your information, where a requirement appliesCurrent CMMC pathAssessment frequencyAffirmation
FCI, Level 1 requiredLevel 1 (Self)AnnualAfter assessment / annual
CUI, Level 2 appliesLevel 2 (Self) during the suspensionEvery 3 yearsAnnual
New Level 2 (C3PAO) designationPaused — not currently designable in new procurements
New Level 3 designationPaused — not currently designable in new procurements

Are purchase orders, quotes, BOMs, and drawings FCI or CUI?

A document’s filename or purpose doesn’t set its status — the information does. Public information and simple transactional data fall outside FCI. Nonpublic information provided by or generated for the Government under a contract is FCI. Controlled technical or other protected information can be CUI when a law, regulation, or Government-wide policy requires safeguarding. For a reseller, the same quote can be nothing, FCI, or CUI depending on what’s inside it.

Usually outside FCI: public catalog descriptions, published solicitation material, public price lists, and the payment-processing fields needed to get paid. The FCI definition expressly excludes information the Government has already made public and simple transactional information such as that used to process payments.

Likely FCI (review it):a nonpublic purchase order, a nonpublic statement of work, delivery schedules tied to a contract, nonpublic customer requirements, internal contract-status detail. Don’t reflexively tag every nonpublic record tied to a government customer as FCI; test it against the definition and the actual contract.

Potentially CUI (check the source and authority): controlled technical information, technical drawings, government-unique configurations, engineering data, and information-system vulnerability data. A big one for resellers: export-controlled technical data.“Export Controlled” is a formal CUI category (NARA CUI Registry), so export-controlled technical data on a DoD contract typically means CUI, and Level 2 should be on your radar. A CUI marking is strong evidence; a missing or wrong marking doesn’t automatically resolve the underlying contractual responsibility.

Questions to send your prime in writing

  1. Exactly what data will be provided to us to perform this order?
  2. Is it FCI, CUI, public information, or simple transactional information?
  3. If CUI, which category and safeguarding authority apply?
  4. Does that information have to enter our systems, or can it go directly from you (or the Government) to the OEM?
  5. Which of our systems are expected to carry the required CMMC status?
  6. Will the instrument be amended to reflect the intended scope?
Reseller artifactStarting treatmentWhat changes the answerWho can clarify
Public catalog / SKUUsually publicNonpublic mission contextContracting officer / prime
Payment fieldsOften simple transactionalBundled nonpublic performance/funding detailPrime / contracts
Purchase orderFact-specificPublic vs nonpublic performance contentPrime / contracting officer
QuoteFact-specificEmbedded technical requirements or mission configPrime / contracting officer
Bill of materials (BOM)Fact-specificGovernment-unique or controlled technical contentPrime / data owner
DrawingPotentially CUISource, marking, category, authority, contractData owner / contracting officer
Configuration filePotentially CUI / Security Protection DataWhether it describes protected systems or deliverablesSecurity lead / prime
Logs, vulnerability dataPotential Security Protection Data / CUI scopeSystem relationship and contractual purposeSecurity lead / contracting officer

This is triage to help you ask the right question — not a classification of your documents.

Not sure what actually crosses your systems? See what a Level 2 path really involves — or, if you’re likely FCI-only, start with our FCI basic safeguarding guide. Map the data first; buy the environment second.


When does reselling cloud or managing a tenant put you in CMMC scope?

Reselling a cloud license does not, by itself, make you a Cloud Service Provider or drag you into a customer’s assessment. Handling their protected data does. Under the CMMC rule (32 CFR § 170.4 and § 170.19), you become an External Service Provider (ESP) when you process, store, or transmit FCI, CUI, or Security Protection Data (SPD)— logs, configurations, security telemetry — in providing IT or cybersecurity services.

1. License-only resale.The customer owns the tenant subscription. You hold no standing administrator account, receive no customer data, and route support to the OEM or CSP. In that posture, reselling the license doesn’t make you an ESP or a CSP.

2. SPD-only administration or security services.The moment you administer the environment, run the SIEM, or manage endpoints, you’re processing that customer’s Security Protection Data. What triggers scope isn’t the job title; it’s that your service handles that protected data. Your relevant assets are assessed as Security Protection Assetsinside the customer’s assessment. You do not need your own separate CMMC certification for this.

3. Non-CSP ESP that handles CUI.Even if your service processes, stores, or transmits CUI, and you’re nota CSP, you still don’t automatically need your own separate CMMC certification. Under 32 CFR § 170.17, a customer may use a non-CSP ESP that processes, stores, or transmits CUI as long as the arrangement is documented in the customer’s SSP and the ESP’s services are assessed within the customer’s assessment. You may electyour own CMMC assessment to avoid being re-scoped for every client, but the rule doesn’t force it.

4. You become the CSP. If you contract for and modify the underlying cloud service, or stand up your own cloud offering that handles CUI, you can land in the CSP category. A CSP that processes, stores, or transmits CUI must be FedRAMP Moderate authorized, or meet the DoD’s FedRAMP Moderate equivalency requirements, per DFARS 252.204-7012. Reselling Microsoft GCC High or another compliant cloud does not, on its own, make your environment compliant.

Your roleLikely treatmentOwn certification?Main evidence to keep
License seller only, no accessNot an ESP/CSPNoTenant ownership + no-access record
SPD-only admin / security servicesESP → Security Protection Assets in customer's scopeNoPrivileged roles + responsibility matrix
Non-CSP ESP that handles CUICUI Assets assessed within customer's scopeNot required (may elect)SSP entry, service description, customer responsibility matrix
You contract for and modify the cloud service, handling CUICSPFedRAMP Moderate (authorized or DoD equivalency)CSP contracts + service architecture + authorization/equivalency evidence

How does CMMC flow down from a prime to a reseller, distributor, or OEM?

Flow-down follows the information, not the tier or the label. Under 32 CFR § 170.23, CMMC requirements flow to subcontractors at every tier that will process, store, or transmit FCI or CUI in performance — FCI-only subs to Level 1 (Self), CUI subs to Level 2 (Self) minimum. The rule does not require flowing CMMC down to a supplier that receives neither FCI nor CUI from the prime.

Prime → VAR. Does the prime send you only a public product request, or nonpublic order and performance data, or an actual controlled drawing? Each answer is a different level.

VAR → OEM or distributor. Before you forward anything, ask: does the OEM actually need the covered data, or can the Government or prime send it directly? Can the OEM work from public product specs alone? A distributor moving SKU, quantity, and shipping data is in a very different position from one receiving a controlled technical package.

Drop-ship.Physical possession of the product doesn’t answer the information question. A drop-ship partner that never sees nonpublic order or technical data may be outside flow-down entirely; one receiving a controlled drawing or nonpublic BOM is not.

Whatever you conclude, keep the record: the information categories, the required level, the systems involved, the clause text, the COTS determination, any amendment, and the supplier’s acknowledgment. See our CMMC Flowdown Letter Template for the mechanics of how flowdowns are written and communicated.


What changed in 2026: the clause renumbering and the Phase II suspension

Two 2026 events reshaped what resellers see in their contracts. First, a February 1, 2026 class deviation moved several cybersecurity clauses for affected acquisitions. Second, on July 13, 2026, the Department suspended CMMC Phase II. Neither rolled back your underlying obligations — but both change the words on your paperwork.

The clause changes (Class Deviation 2026-O0025, effective February 1, 2026)

Because this is a class deviation ahead of formal rulemaking, the codified regulations still list the legacy numbers — so you’ll see both old and new numbers depending on when your contract was issued.Seeing “FAR 52.240-93” instead of “52.204-21” doesn’t mean a new obligation appeared. We keep a fuller, dated crosswalk on our CMMC Final Rule breakdown if you need to reconcile a specific instrument.

The Phase II suspension (July 13, 2026)

The Department suspended the Phase II transition — the phase that would have required third-party (C3PAO) assessments starting November 10, 2026 — and launched a 60-day review. During the pause, contracting officers may designate only Level 1 (Self) or Level 2 (Self). What remains in force:

QuestionBefore July 13Current answer
Phase II C3PAO transition on Nov 10, 2026?ScheduledSuspended
New Level 2 (C3PAO) requirement?ExpandingNot currently designable
New Level 3 requirement?Future phaseNot currently designable
Level 1 (Self) / Level 2 (Self)In effectRemain in effect
DFARS 252.204-7012Applies where includedRemains
Existing L2 (C3PAO) / L3 contract languageCould remainFormal amendment/modification process applies

We track the suspension and the 60-day review as they develop on our CMMC Phase II status page. If your active solicitation still names Level 2 (C3PAO) or Level 3, look for — or request — the actual amendment or modification in writing before you act on it.


What should a VAR do when a PO or subcontract shows up with CMMC or DFARS language?

Don’t ignore the clause, and don’t accept a blanket level without testing the facts. Save the instrument, map each clause to its function, check the dollar value against the applicable threshold, determine whether the acquisition is exclusively COTS, inventory the information and systems involved, reconcile the 2026 clause numbers and the suspension status, and get written clarification where the clause set conflicts with the transaction. Then do only the assessment the verified requirement actually supports.

  1. Save the complete instrument — solicitation, contract, subcontract, or PO, plus every attachment, flow-down letter, amendment, and modification.
  2. List every cyber clause present and match it to its function (use the 2026 crosswalk if the numbers look unfamiliar).
  3. Check the dollar value against the applicable micro-purchase threshold.
  4. Test the two COTS axes — item-level and acquisition-level. Separate product line items from services.
  5. Inventory the information — public, simple transactional, FCI, possible CUI, Security Protection Data.
  6. Map the systems and providers that touch it — email, CRM, ERP, file transfer, support portals, cloud admin, OEM, distributor, MSP/MSSP.
  7. Apply the current path: FCI + valid requirement → Level 1 (Self) candidate; CUI + valid requirement → Level 2 (Self) candidate during the suspension; a suspended assessment type still in the instrument → amendment issue; no FCI/CUI downstream → no-flow-down candidate; you administer or protect the environment → ESP analysis.
  8. Get disputed facts in writing. Contract ambiguity isn’t resolved by a website or a sales call — it’s resolved by your contracting officer, your prime, or counsel.
  9. Assemble the evidence, then choose a provider category — not before.

Before you answer a prime’s questionnaire, build this file:


What does CMMC cost a reseller — and what should you not buy yet?

There’s no honest one-size cost, because validating a COTS/no-scope transaction and operating a Level 2 CUI environment are different projects with different price tags. A straightforward COTS/no-scope analysis might cost only internal time. Level 1 (Self) is usually the lighter lift. Level 2 (Self) is the expensive tier, and its cost is driven far more by scope— how much of your environment touches CUI — than by any vendor’s price list. (For grounded Level 2 ranges built from real market data, see our CMMC Level 2 cost breakdown.)

The scope-reduction lever.For many resellers, the cheapest compliant path isn’t certifying the whole company — it’s keeping CUI in a small, well-defined enclave and keeping the rest of your CRM, ERP, and email out of the boundary. Fewer users and systems in scope means less to secure, less to assess, and less to maintain. This is where a CUI enclave genuinely earns its cost — but only after you’ve confirmed you actually have CUI.

The expensive mistake, stated plainly:a reseller can spend more buying a “CMMC environment” too early than it would have spent establishing whether covered information ever needed to enter its systems in the first place. GCC High purchased because someone said the word “CMMC.” An enclave stood up before anyone confirmed there’s CUI. A C3PAO engagement treated as a substitute for readiness — and, right now, one that can’t even be a required assessment type during the suspension. Confirm scope, reduce scope, then buy the smallest thing that satisfies the verified requirement.


What we actually verified

We don’t ask you to take our word for regulatory facts, so here’s exactly what we checked and when.

What we verified for this page (July 17, 2026):

What we did not verify:your actual contract, your document’s CUI status, your system architecture, or a universal reseller cost figure. Those depend on facts only you and your contracting chain hold. This page is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) or a qualified federal-contracts attorney. See our methodology, editorial standards, and corrections policy for how we source and update this work.


Frequently asked questions: CMMC for VARs and resellers

Does reseller status automatically require CMMC?
No. The actual instrument, whether the acquisition is exclusively COTS, whether it's above the micro-purchase threshold, the information you handle, and the systems it touches decide the path — not the label VAR, reseller, or distributor (32 CFR § 170.3(c)).
Are all COTS resellers exempt from CMMC?
No. The exclusions apply to acquisitions exclusively for COTS items, and COTS has a specific FAR 2.101 definition: a commercial product sold in substantial quantities and offered without modification. Both the item and the acquisition have to qualify.
Does standard commercial configuration count as a COTS modification?
It's fact-specific. A government-unique modification — changing the product to meet a Government spec — takes it out of the COTS definition. Routine commercial setup that's typically available in the marketplace may not. And separately purchased configuration or services can make the acquisition not-exclusively-COTS even if the underlying product stays COTS.
Does CMMC apply to orders at or below the micro-purchase threshold?
Generally no. 32 CFR § 170.3(c) applies CMMC to covered acquisitions above the micro-purchase threshold, currently $15,000 for most buys (FAR 2.101, effective October 1, 2025). Some circumstances carry different thresholds, and other clauses in the instrument can still apply.
What CMMC level does a reseller need?
It depends on the information. Under 32 CFR § 170.23, a reseller handling only FCI needs Level 1 (Self); one handling CUI needs Level 2 (Self) at minimum. The contract clause sets the level.
Can a prime require a reseller to have the prime's CMMC level?
A prime flows down the level appropriate to the information and systems involved — not automatically its own level. The rule does not require CMMC flow-down to a supplier that receives neither FCI nor CUI from the prime (32 CFR § 170.23).
Are purchase orders automatically FCI?
No. It depends on whether the information is nonpublic and provided by or generated for the Government under a contract. Public information and simple transactional (payment) information are excluded from the FCI definition; other order details are fact-specific.
Are BOMs and drawings automatically CUI?
No. Source, content, contractual purpose, marking, CUI category, and safeguarding authority all matter. Confirm with the party who can classify it — don't self-classify a customer's document.
Does drop shipping keep a reseller out of scope?
Not automatically. A drop-ship partner receiving no FCI or CUI is a different case from one receiving a controlled drawing, nonpublic BOM, or contract-performance data.
Does a software-license reseller need CMMC?
License resale alone doesn't answer it. Analyze the two COTS axes, the order information, tenant ownership, your support access, and the instrument.
Does reselling a cloud tenant make me a Cloud Service Provider?
Not automatically. An MSP isn't the CSP merely because it resold a tenant licensed to the customer. Contracting for and modifying the underlying cloud service can change that (32 CFR § 170.4).
Can an MSP or reseller be in CMMC scope without receiving CUI?
Yes. Handling Security Protection Data — logs, configurations, security telemetry — as an External Service Provider brings your service into the customer's assessment scope as Security Protection Assets, even without CUI (32 CFR § 170.19).
Do I need my own CMMC certification if I'm an ESP?
Usually not. A non-CSP ESP is assessed as part of the customer's assessment — even when it processes, stores, or transmits CUI (32 CFR § 170.17). You may elect your own assessment to avoid per-client re-scoping, but the rule doesn't require it. A CSP handling CUI is the exception — it must meet FedRAMP Moderate authorization or the DoD's equivalency requirements.
Does export-controlled (ITAR/EAR) data mean CMMC Level 2?
Export-controlled technical data typically qualifies as CUI under the "Export Controlled" category, so on a DoD contract, expect Level 2 to be in play. Confirm the CUI category, authority, and required status for your specific data; ITAR/EAR status by itself doesn't set a given system's CMMC level.
Why does my 2026 solicitation say FAR 52.240-93 instead of 52.204-21?
The February 1, 2026 class deviation (2026-O0025) moved it under the new FAR Part 40 for affected acquisitions. The 15 basic safeguarding requirements are unchanged; the number and location moved.
What is DFARS 252.240-7997?
For affected deviation-era acquisitions, it carries the Government Medium/High NIST SP 800-171 assessment role (formerly under DFARS 252.204-7020). It drops the "Basic" self-assessment track and carries a solely-COTS exclusion.
Did the Phase II suspension mean resellers can stop CMMC work?
No. Phase II and the later milestones are suspended, but Level 1 (Self), Level 2 (Self), NIST SP 800-171 Revision 2, and DFARS 252.204-7012 remain in force where applicable, and False Claims Act risk is unchanged.
What if my solicitation still requires Level 2 (C3PAO) or Level 3?
The suspension procedures direct that such requirements be amended, but the announcement doesn't rewrite your contract on its own. Look for — or request — the formal amendment or modification in writing.
Who should confirm an ambiguous scope decision?
A CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) can help with technical scoping; contested contractual applicability and any representation you make should be reviewed by a qualified federal-contracts attorney. Note that the firm that helps you get ready generally can't be the one that later runs your certification assessment.

Choose the right CMMC path before you hire

You came here to answer one question — does this apply to us, and what do we do next — and you now have the test, the levels, the clause map, and the current status, all sourced. The last step is the cheapest one to get right and the most expensive to get wrong: pick the right kind of help before you spend.

Disclosure

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Independence

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page provides educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner/Registered Provider Organization or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.