Is CMMC Required to Bid on a Contract?

Short version: in most cases, CMMC is not required just to submit a proposal — but it is a condition of award, and that gap is where contractors get hurt. Whether CMMC is required to bid on a contract depends entirely on which “bid” you actually mean: clicking submit, getting the drawings you need to price the job, winning the award, performing the work, exercising an option, or taking a subcontract from a prime. Each one is a separate gate — controlled by the solicitation language, the DFARS clauses in effect, and your CMMC status in SPRS.
Which gate do you mean by “bid”? The CMMC Bid/Award Gate Matrix
“CMMC required to bid” is really six different questions. Under the DFARS CMMC clauses effective November 10, 2025, CMMC is enforced primarily as a condition of award — DFARS 252.204-7025 makes an offeror ineligible for award without the required CMMC status and affirmation reflected in SPRS (the Supplier Performance Risk System). But CMMC can also block earlier steps. The table below separates each gate.
| If by “bid” you mean… | Can CMMC block it? | What controls it | What has to be in place | Who’s blocked if it’s missing | Primary source |
|---|---|---|---|---|---|
| Submitting a proposal | Sometimes | DFARS 252.204-7025 | When the provision applies, your proposal must report the CMMC UID(s) for each system that will handle FCI/CUI | Offeror — without the required CMMC UID, DoD can’t verify your award eligibility for that system | DFARS 252.204-7025 |
| Getting drawings, technical data, or CUI to price the bid | Yes, in some solicitations | The solicitation’s data-access terms + CUI handling | The required CMMC status reflected in SPRS before the controlled data is released to you | Any offeror who needs the data to build a credible price | 32 CFR Part 170; solicitation terms |
| Receiving the award | Yes — this is the main gate | DFARS 252.204-7025; DFARS 252.204-7021 | Current CMMC status at the required level and a current affirmation of continuous compliance, reflected in SPRS for each applicable system | Offeror | DFARS 252.204-7025 |
| Performing on covered systems | Yes | DFARS 252.204-7021 | CMMC status maintained for every system that processes, stores, or transmits FCI/CUI | Contractor during performance | DFARS 252.204-7021 |
| Exercising an option or extending performance | Yes | DFARS 252.204-7021 | Current status + affirmation kept live in SPRS | Incumbent contractor | DFARS 252.204-7021 |
| Subcontract award | Yes, when FCI/CUI flows down | DFARS 252.204-7021 (flow-down) | The subcontractor’s status/affirmation for its applicable systems, verified by the prime before subcontract award | Subcontractor/supplier | DFARS 252.204-7021 |
| COTS-only contract | No, if solely COTS | DFARS 204.75 clause prescription | Confirm the work is solely for commercially available off-the-shelf items and that no FCI/CUI handling is triggered | Offeror, if it’s not truly COTS-only | DFARS 204.75 |
The row most people miss is the second one. You can be fully eligible to submit a proposal and still be unable to build one, because the drawings, technical data package (TDP), or CUI you need to price the work won’t be released to a contractor without the required CMMC status in SPRS. On paper that isn’t a “bidding requirement.” In practice, it ends your bid just as completely.
Not sure which gate your solicitation is actually enforcing?
That’s the first thing to nail down before you spend a dollar on tools, assessors, or an enclave. Use The Defense Compliance Report’s Find My CMMC Path tool — tell us your required level, whether FCI or CUI is involved, your assessment type, and your timeline, and we’ll map your situation to the right provider category. It routes you to a category, not a named provider. Educational routing only — not legal or compliance advice.
Find My CMMC Path →
Is CMMC required to bid on a DoD contract, or only before award?
The clean rule is that CMMC is an award-and-performance requirement, not a universal bar on clicking submit. DFARS 252.204-7025 states that an offeror is not eligible for award without the required current CMMC status and a current affirmation of continuous compliance reflected in SPRS for each applicable system, and that proposals must report the relevant CMMC UID(s). So if the clause is in your solicitation and you don’t have the status, you can often still submit — you just can’t win.
That “you can submit but can’t win” line sounds like good news. Three things collapse it back into a hard requirement:
- The proposal itself may demand your CMMC UID. When DFARS 252.204-7025 applies, you have to report the CMMC UID for each system that will process, store, or transmit Federal Contract Information (FCI — information provided by or generated for the Government under a contract, not for public release) or Controlled Unclassified Information (CUI — government information that’s unclassified but protected by law, regulation, or policy). No record, nothing to report — and DoD can reject the proposal as non-responsive. See also: FCI vs. CUI explained.
- Award eligibility is checked, not assumed. The contracting officer verifies your status in SPRS before award. DFARS Subpart 204.75 directs that the contracting officer shall not award — or exercise an option, or extend performance — without the required current CMMC status. A statement of intent or “we’re working on it” doesn’t satisfy a contractual requirement.
- The drawings gate can hit before any of that. As the matrix showed, some solicitations won’t release the controlled data you need to price the work until your CMMC status is in SPRS. That’s a pre-submission problem, not an after-award one.
The one hard truth we won’t sugarcoat
If your proposal is due in two weeks, you genuinely handle CUI, and you have no System Security Plan (the SSP — the document describing how you protect that data), no score in SPRS, and no defined boundary around where CUI lives in your environment, then no consultant, software platform, or C3PAO can make you award-eligible in time for that bid. Anyone who tells you otherwise is selling something.
Now the part that matters more: that almost never means defense work is closed to you. It means this one deadline may not be winnable on an honest CMMC basis — and the smartest move is to find out fast whether the requirement bites at submission, at document access, or only at award, because the answer changes your whole play. There’s often more room than the panic suggests. A self-assessment path (where the contract allows it), conditional status with up to 180 days to close the POA&M, or scoped remediation can all change the math — but only if you’re honest about where you actually stand.
Match your real deadline to a realistic move
Stop thinking in one deadline and split it into the deadlines that actually exist — proposal due date, document-access date, expected award date, option date, subcontract date. Then match the nearest one to a path you can actually execute.
| Your nearest deadline | The honest read | Best next move | Likely category |
|---|---|---|---|
| Proposal due in 1–7 days | You can’t fix a weak environment before submission | Read the clause; ask the CO/prime whether status is required at submission, document access, or award; make a clear bid / no-bid call | Contracts counsel + RP/RPO consult |
| Award expected in under 30 days | High risk if required status is missing | Verify your SPRS status, affirmation, and CMMC UID; determine whether conditional status is even possible | RP/RPO + an executive go/no-go |
| Award expected in 30–90 days | A self-assessment path may be reachable — only if controls and evidence are mostly in place | Gap check, SSP/POA&M, SPRS prep, scope confirmation | RPO/RP, vCISO, MSP/MSSP |
| Award expected in 90–180 days | Enough time for focused remediation if scope is controlled | Build evidence, close gaps, isolate CUI if needed | MSP/MSSP + GRC/evidence platform |
| Award expected in 6+ months | Time to build a real program instead of a scramble | CUI scoping, SSP, remediation roadmap, readiness assessment | RPO/RP + MSP/MSSP + possible enclave |
If a deadline is bearing down and you need to triage what’s realistic, start self-serve
Get the CMMC Readiness Checklist — it maps the work to the 14 control families in NIST SP 800-171 Revision 2 so you can see in an afternoon what’s achievable before your bid date, and what isn’t.
How to check your own solicitation in 10 minutes
The fastest way to answer “is CMMC required to bid on this contract” is to read the clause language yourself. Open the solicitation, the attachments, Sections L and M, and any cybersecurity or controlled-document instructions, and search for the CMMC provisions and the words that signal which gate applies. The clause text controls — not the headline of the opportunity, and not what a competitor told you.
Copy and paste these into your search bar, one at a time:
- 252.204-7025 — the CMMC notice provision (tells you the required level and the award-eligibility rule)
- 252.204-7021 — the CMMC contract clause (status, maintenance, flow-down)
- CMMC and CMMC UID
- SPRS and affirmation
- prior to award
- Federal Contract Information / FCI
- Controlled Unclassified Information / CUI
- drawings / technical data / TDP / JCP
- subcontractor / flow down
- Level 1 / Level 2 Self / Level 2 C3PAO / Level 3
What DFARS 252.204-7025 means. This is the solicitation provision (the “Notice of CMMC Level Requirements”). It names the required CMMC level for the work and states that an offeror is not eligible for award without the required current CMMC status and a current affirmation in SPRS for each applicable system, and that the proposal must report the relevant CMMC UID(s). If you see -7025, the level it names is the level you have to hit to win.
What DFARS 252.204-7021 means. This is the contract clause (the “Contractor Compliance with the CMMC Level Requirements”). It requires the contractor to have and maintain the required CMMC status for the life of the contract, to process/store/transmit FCI or CUI only on systems with that status, to keep an annual affirmation current, to close out any POA&M when on conditional status, and to flow the requirement down to subcontractors that will handle FCI/CUI. If -7021 is in the contract, CMMC isn’t a one-time gate at award — it’s a standing obligation through every option year.
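The same keyword search, scripted so it can be run over a saved solicitation text file. This is an added example, not a tool from The Defense Compliance Report; the sample solicitation text, the gate names, and the regular expressions are this example’s own constructed assumptions, and a hit only flags language worth reading, it does not interpret the clause for you.

```python
"""Solicitation triage: find the DFARS CMMC clauses and the gate keywords
from the search list above, and report which bid gates the text appears to
enforce. Constructed example; not an official tool."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample text that mimics solicitation wording (not a real solicitation).
SAMPLE_SOLICITATION = """
Section L - Instructions to Offerors
L.12 The provision at DFARS 252.204-7025, Notice of CMMC Level Requirements,
applies. The required CMMC status for this acquisition is Level 2 (C3PAO).
Offerors shall report the CMMC UID for each information system that will
process, store, or transmit Controlled Unclassified Information (CUI).
Prior to award, the Contracting Officer will verify current CMMC status and
affirmation in SPRS.
L.14 Technical data package (TDP) drawings are export controlled and will be
released only to offerors with a current JCP certification (DD Form 2345) and
the required CMMC status reflected in SPRS.
Section I - Contract Clauses
252.204-7021 Contractor Compliance with the CMMC Level Requirements.
The Contractor shall flow down this clause to subcontractors that will
process, store, or transmit FCI or CUI.
"""

CLAUSE_RE = re.compile(r"252\.204-70(?:21|25)")
LEVEL_RE = re.compile(r"Level\s*([123])(?:\s*\((Self|C3PAO|DIBCAC)\))?", re.IGNORECASE)
ASSESSMENT_TYPES = {"self": "Self", "c3pao": "C3PAO", "dibcac": "DIBCAC"}

# Keyword groups taken from the search list above, mapped to the gate they signal.
GATE_KEYWORDS: Dict[str, List[str]] = {
    "document_access": [r"\bdrawings?\b", r"technical data", r"\bTDP\b", r"\bJCP\b", r"DD Form 2345"],
    "proposal_uid": [r"CMMC\s+UID", r"unique identifier"],
    "award": [r"prior to award", r"before award", r"eligible for award"],
    "flow_down": [r"subcontractor", r"flow[- ]?down"],
}
# The order in which the gates bite an offeror, earliest first.
GATE_ORDER = ["document_access", "proposal_uid", "award", "performance", "flow_down"]


@dataclass
class Triage:
    clauses: Set[str] = field(default_factory=set)
    level: Optional[str] = None
    assessment_type: Optional[str] = None
    hits: Dict[str, List[str]] = field(default_factory=dict)  # gate -> matching lines

    def gates(self) -> List[str]:
        """Gates the text appears to enforce, earliest first."""
        active = set(self.hits)
        if "252.204-7025" in self.clauses:
            # -7025: UID reported in the proposal, eligibility checked at award.
            active.update({"proposal_uid", "award"})
        if "252.204-7021" in self.clauses:
            # -7021: status maintained during performance and flowed down.
            active.update({"performance", "flow_down"})
        return [g for g in GATE_ORDER if g in active]

    def earliest_gate(self) -> Optional[str]:
        found = self.gates()
        return found[0] if found else None


def triage(text: str) -> Triage:
    """Scan solicitation text for clause numbers, required level, and gate keywords."""
    result = Triage()
    result.clauses = set(CLAUSE_RE.findall(text))
    m = LEVEL_RE.search(text)
    if m:
        result.level = m.group(1)
        if m.group(2):
            result.assessment_type = ASSESSMENT_TYPES[m.group(2).lower()]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        for gate, patterns in GATE_KEYWORDS.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                result.hits.setdefault(gate, []).append(line)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_SOLICITATION)
    print("clauses:", sorted(t.clauses))
    print("required level:", t.level, t.assessment_type)
    print("gates, earliest first:", t.gates())
    for gate, lines in t.hits.items():
        print(f"\n[{gate}] read these lines:")
        for ln in lines:
            print("  ", ln)
```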
If anything is ambiguous, put it to the contracting officer in writing before you spend. Here’s a copy/paste starting point:
Reference: [Solicitation No. ___]. To confirm our approach, we’d appreciate clarification on the cybersecurity requirements: (1) Does this solicitation include DFARS 252.204-7025, and what CMMC level and assessment type are required? (2) Is the required CMMC status needed at proposal submission, before access to drawings/CUI, before award, or at performance? (3) Are a Conditional CMMC status and a POA&M acceptable for this procurement? (4) Are any drawings or technical data restricted to offerors that already hold a current CMMC status in SPRS? Thank you.
The answers tell you which gate you’re actually facing — and whether this bid is reachable.
What CMMC level does your contract require to bid?
Your required level is set by the contract clause and the sensitivity of the information you’ll handle — not by a checklist you choose. FCI generally points to Level 1 (the 15 basic safeguarding requirements from FAR 52.204-21). CUI generally points to Level 2 (the 110 requirements in NIST SP 800-171 Revision 2, organized into 14 control families). The most sensitive CUI can require Level 3 (Level 2 plus 24 selected requirements from NIST SP 800-172, assessed by the Government). The DoD’s CMMC program documentation defines all three.
| Your situation | Likely CMMC level | Assessment type | The mistake to avoid |
|---|---|---|---|
| You’ll handle FCI only | Level 1 | Annual self-assessment | Don’t buy a third-party assessment you don’t need |
| You’ll handle CUI, lower-risk contract | Level 2 | Self-assessment if the solicitation allows it | Don’t assume every Level 2 contract permits self-assessment |
| You’ll handle CUI, prioritized/critical contract | Level 2 | C3PAO certification assessment | Don’t assume a self-assessment satisfies a C3PAO requirement |
| Highest-sensitivity CUI / advanced-threat programs | Level 3 | DCMA DIBCAC assessment | Don’t start at Level 3 — a Final Level 2 (C3PAO) for the same scope is a prerequisite |
A quick vocabulary note, because these terms get blurred constantly. A C3PAO (Certified Third-Party Assessment Organization) is a firm authorized by the Cyber AB to conduct official Level 2 certification assessments. DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center, part of DCMA) conducts Level 3 assessments. An RPO/RP (Registered Provider Organization / Registered Practitioner) advises and prepares you — it does not certify you. The rules keep those roles separate on purpose.
Self-assessment vs C3PAO: which one lets you bid?
Both Level 2 paths map to the same 110 requirements in NIST SP 800-171 Revision 2, but they are not interchangeable for bidding. Level 2 (Self) means you assess your own environment, post the result in SPRS, and affirm annually. Level 2 (C3PAO) means an authorized third party conducts the assessment, with results flowing through eMASS to SPRS — and self-assessment is not an option when the solicitation requires C3PAO. The solicitation decides which one applies to your bid.
Why this matters to your wallet: a contractor on a self-assessment path needs help implementing controls, building evidence, and writing an SSP — not a six-figure assessment invoice. A contractor on a C3PAO path needs readiness work first, and then a clean separation between the firm that helped them prepare and the firm that assesses them.
That separation isn’t a nicety — it’s a conflict-of-interest rule. Under the Cyber AB’s CMMC Assessment Process and conflict-of-interest rules, a C3PAO cannot provide you readiness, consulting, implementation, or remediation help and then assess that same work, and it cannot give advice or recommendations during the assessment. A firm that helped you prepare generally cannot serve as your certifying assessor for three years. We verified this against the Cyber AB’s published ecosystem and assessment-process guidance — and it’s the reason we never route a readiness lead to a C3PAO as if one firm can do both ends of the same job.
One scheduling reality to plan around: a C3PAO assessment isn’t a one-week event you book on short notice. Between scoping, evidence prep, the assessment itself, and any POA&M closeout, the cycle commonly runs months. Demand is climbing toward the November 10, 2026 phase change, which tightens availability further. (For how to vet and choose one, see our guide to selecting a CMMC Level 2 C3PAO.)
Once you know your level and assessment type, the next question is who helps you get there
Need controls implemented and evidence built? That’s a readiness/MSP/MSSP conversation. CUI sprawled across email and file shares? That’s a CUI enclave conversation. Already buttoned-up and the contract requires it? That’s a C3PAO conversation.
Compare provider categories →
Can you use Conditional status or a POA&M to win an award?
Sometimes — but it’s narrower than “we’ll fix it after we win.” Under 32 CFR § 170.17, a Level 2 (C3PAO) assessment that lands with an allowable POA&M can earn a Conditional status, giving you up to 180 days to close the POA&M and reach Final. You must already hold that Conditional status at award. Level 1 has no conditional status — it must be Final at award.
The rules around what can sit on a POA&M are strict, so don’t treat it as a safety net. Only lower-weighted requirements are eligible, certain requirements can’t be deferred at all, and you generally need a passing score before a POA&M is even on the table. Most important for bidding: a Conditional status only helps if you’ve already earned it. If your conditional status expires without closeout, the status lapses — and you become ineligible for further awards that require that level until you earn a new one. Conditional status buys time. It doesn’t forgive the work.
When CMMC blocks the drawings or CUI you need to price the bid
Some opportunities make CMMC feel like a bidding requirement because you can’t get the drawings, technical data package, or CUI needed to price the work unless you already hold the required CMMC status in SPRS. That’s a different mechanism than a proposal-submission bar, but the practical result is identical: no access, no credible bid. Technical data can be CUI when it’s marked or identified that way, and if the data is CUI, the systems that process, store, or transmit it fall inside the CMMC protection framework under 32 CFR Part 170.
This trips up shops that assumed CMMC was purely an after-award problem. Two access gates can stand between you and the data you need:
- The long-standing one: militarily critical and export-controlled technical data has been gated for years behind the U.S./Canada Joint Certification Program (JCP) and DD Form 2345. That’s separate from CMMC and predates it.
- The newer one: when controlled data qualifies as CUI, a solicitation can condition its release on your holding the required CMMC status in SPRS — so the cybersecurity gate now sits in front of the bid, not behind the award.
Some solicitations condition access to controlled data on CMMC or SPRS status; others don’t. The only way to know is to read yours — search your opportunity for the drawings, technical data, and JCP terms above. If you find access-conditioning language, treat document access as a gating milestone with its own deadline — earlier than the proposal due date — and plan backward from it.
Do subcontractors need CMMC to bid?
Yes — when the subcontractor will process, store, or transmit FCI or CUI in performing the work. DFARS 252.204-7021 requires prime contractors to flow the CMMC requirement down and to ensure subcontractors and suppliers have the required status/affirmation before subcontract award. A sub that won’t touch FCI or CUI generally isn’t subject to CMMC under that contract.
The dynamic on the ground is often blunter than the regulation. Primes are increasingly asking suppliers for proof of CMMC status before the government award is even made — because the prime carries the flow-down risk and wants to field a compliant team. For a large share of the Defense Industrial Base, that prime pressure is the real forcing function, arriving well ahead of any phase deadline.
One operational wrinkle: primes generally can’t pull your SPRS record directly. SPRS protects each entity’s own data, so you’ll likely be asked to share a screenshot or your affirmation. Decide in advance what proof you’ll provide and how, without exposing sensitive internal detail — and ask the prime what form of proof it can accept.
What to ask your prime before you spend anything:
- What CMMC level are you flowing down — and is it Level 2 (Self) or Level 2 (C3PAO)?
- What systems and data are actually in scope for our piece of the work?
- Are we receiving FCI, CUI, drawings, a TDP, or export-controlled data?
- Do you need proof before quote, before subcontract award, or before any CUI is transferred?
- What form of proof will you accept?
Which clause applies now? What changed on February 1, 2026
For bid and award eligibility, the two controlling clauses are DFARS 252.204-7021 and DFARS 252.204-7025 — both unchanged. But on February 1, 2026, the DoD’s Revolutionary FAR Overhaul renumbered several neighboring cybersecurity clauses and consolidated them under new FAR Part 40 and DFARS Part 240. These are class deviations pending formal rulemaking, so you’ll see both old and new numbers in live solicitations during the transition.
Here’s the crosswalk worth saving.
| Requirement | Number you’ll still see | Deviation-path number (Feb 1, 2026) | What changed | Still required? |
|---|---|---|---|---|
| FCI basic safeguarding (15 controls) | FAR 52.204-21 | FAR 52.240-93 | Renumbered only; text identical | Yes |
| Notice of NIST 800-171 self-assessment | DFARS 252.204-7019 | Not used in the new structure | Removed as redundant with CMMC | Self-assessment obligation now flows through CMMC (32 CFR 170 / -7021) |
| DoD (Medium/High) assessment requirements | DFARS 252.204-7020 | DFARS 252.240-7997 | Renumbered; the standalone “Basic” self-assessment was removed; Medium/High DIBCAC assessments remain | Yes (Medium/High) |
| CMMC contract clause | DFARS 252.204-7021 | DFARS 252.204-7021 | No change | Yes |
| CMMC notice provision (proposal UID; award eligibility) | DFARS 252.204-7025 | DFARS 252.204-7025 | No change | Yes |
| Safeguarding CDI + 72-hour incident reporting | DFARS 252.204-7012 | DFARS 252.204-7012 | No change | Yes |
Two things not to misread. First, the removal of DFARS 252.204-7019 did not end self-assessment obligations — those responsibilities now flow through the CMMC framework under -7021, while the separate safeguarding and incident-reporting duties under DFARS 252.204-7012 remain in force unchanged. Several headlines got that wrong. Second, on the standard itself: NIST SP 800-171 Revision 3 now supersedes Revision 2 in NIST’s own catalog, but CMMC Level 2 still maps to Revision 2 under 32 CFR Part 170, and will until DoD amends the rule. If you build your evidence to Rev. 3 thinking it’s the CMMC baseline, you’ll waste effort.
Is November 10, 2026 a universal CMMC deadline?
No. November 10, 2026 is the start of Phase 2 of the CMMC rollout, when the DoD intends to include Level 2 (C3PAO) certification requirements in more applicable new solicitations and may add Level 3 (DIBCAC) for the most sensitive programs. CMMC becomes required when the clause appears in your specific solicitation — not on a blanket calendar date. Full implementation across all applicable contracts begins November 10, 2028 (Phase 4). The phase schedule is set in 32 CFR § 170.3(e).
The “everyone must be certified by November 2026” framing is the most common piece of misinformation in this market right now. Here’s the actual schedule, set in the program rule.
| Phase | Begins | What can be required as a condition of award |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 (Self) and Level 2 (Self); Level 2 (C3PAO) at DoD discretion |
| Phase 2 | Nov 10, 2026 | DoD intends Level 2 (C3PAO); may add Level 3 (DIBCAC) |
| Phase 3 | Nov 10, 2027 | Broader Level 2 (C3PAO); Level 3 introduced; via option exercises |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable contracts |
So why does everyone treat November 2026 as a wall? Because the readiness math forces the issue. As reported at the Cyber AB’s March 2026 Town Hall, the ecosystem had roughly 103 authorized C3PAOs and about 759 Certified CMMC Assessors, and only about 1,000 organizations had achieved Level 2 certification — a sliver of the tens of thousands of contractors expected to need it. With industry readiness timelines commonly running 6 to 18 months, the contractor who waits for a deadline to appear in a solicitation is already behind it. (Ecosystem counts move every month — check the current figures on the Cyber AB Marketplace.)
What does it cost — and how long — to become eligible?
The DoD’s official cost estimate in the CMMC Program Rule (32 CFR Part 170) is roughly $6,000 for a Level 1 self-assessment and affirmation, $34,277 for a Level 2 self-assessment, and $101,752 for a Level 2 (C3PAO) certification assessment plus initial affirmation for a small entity ($104,670 over three years with annual affirmations). Critically, those figures assume you’ve already implemented the underlying security requirements — they cover proving compliance, not achieving it. Industry readiness timelines commonly run 6 to 18 months.
That last sentence is the trap inside the official numbers. The DoD’s cost analysis assumes you’ve been meeting NIST SP 800-171 since 2017 (a DFARS 252.204-7012 obligation), so it excludes the part that actually hurts: remediation, an enclave build, an SSP, technology, and labor.
| Path | DoD official estimate (anchor, small entity) | What the estimate does not include |
|---|---|---|
| Level 1 (Self) | ~$6,000 | Internal labor; fixing any missing basic safeguards |
| Level 2 (Self) | $34,277 initial / ~$37,196 over 3 years | NIST 800-171 remediation, SSP quality, evidence, architecture |
| Level 2 (C3PAO) | $101,752 initial / $104,670 over 3 years | Full remediation, enclave, MSP/MSSP work, tooling, failed-assessment risk |
| Level 3 (DIBCAC) | Level 2 prerequisite + selected NIST SP 800-172 work | Specialized high-sensitivity engineering and program requirements |
Treat these as government planning anchors, not market quotes. Independent industry reporting and provider pricing put realistic all-in first-year Level 2 spend far higher — commonly $100,000 to $300,000 depending on starting maturity, scope, environment, evidence quality, and CUI footprint. The biggest lever you control is scope: isolating CUI in a defined enclave can sharply reduce both the cost and the risk of the assessment, because everything CUI touches falls in scope. (For the full breakdown, see our CMMC certification process and cost guide.)
Shortcuts that get contractors disqualified
The most damaging CMMC mistakes aren’t technical — they’re decision errors made under deadline pressure.Treating SPRS as a checkbox, confusing Level 2 (Self) with Level 2 (C3PAO), hiring an assessor to fix your controls, posting a status you can’t defend, or moving CUI into out-of-scope systems can each cost you an award — or create False Claims Act risk when a cybersecurity representation is tied to a government contract or payment.
| The shortcut | Why it backfires | The safer move |
|---|---|---|
| “We’ll bid now and figure CMMC out after we win.” | Award is blocked if the required status/affirmation isn’t in SPRS. | Confirm the award timing and required status first. |
| “We’ll self-assess even though the clause says C3PAO.” | The wrong assessment type doesn’t satisfy the clause. | Read the exact required path in -7025. |
| “We’ll have the C3PAO help us fix our controls.” | Conflict-of-interest rules prohibit it for the firm that assesses you. | Use readiness help first, then a separate assessor. |
| “Put every company system in scope.” | Scope sprawl multiplies cost and failure risk. | Define your CUI boundary; consider an enclave. |
| “Our SPRS score is enough.” | CMMC status, affirmation, and CMMC UID may all be required. | Verify exactly what the solicitation asks for. |
| “Our prime says we need CMMC, so we need Level 2 (C3PAO).” | Flow-down is often misread. | Ask the prime for the exact level, type, and timing. |
One that deserves its own line: posting or affirming a cybersecurity status you can’t defend. The U.S. Department of Justice’s Civil Cyber-Fraud Initiative has pursued contractors under the False Claims Act for cybersecurity misrepresentations and unmet control requirements. An affirmation is a formal statement; treat it like one.
Which provider category fits — and what to do next
The right next step depends on your required level, your FCI/CUI handling, your assessment type, your environment, and your timeline — which is exactly why a generic “best vendor” answer is useless here. If you’re not assessment-ready, a C3PAO is not your first call. The Defense Compliance Report’s CMMC Path Framework maps your situation to a provider category — readiness, enclave, GRC, managed compliance, or assessment — never to a ranked list of names.
| Your situation | Usually start with | Why | What not to buy yet |
|---|---|---|---|
| Clause says Level 1 (Self) | RP/RPO or internal compliance support | You need a self-assessment, evidence, and an SPRS affirmation | A C3PAO assessment |
| Clause says Level 2 (Self) | RPO/RP + MSP/MSSP, GRC if helpful | You need NIST 800-171 evidence and SPRS readiness | A C3PAO assessment |
| Clause says Level 2 (C3PAO), controls not ready | RPO/RP + MSP/MSSP before any C3PAO | Assessing too early invites failure and wasted cost | The C3PAO — until you’re ready |
| Clause says Level 2 (C3PAO), evidence is ready | C3PAO | You’re assessment-ready | More tooling you don’t need |
| CUI spread across email/file shares | CUI enclave / secure collaboration strategy | Shrinking scope often matters more than any checklist | An enterprise-wide assessment |
| Evidence is scattered | GRC / evidence platform (a supporting layer) | You need defensible, trackable evidence — software alone is not compliance | A platform sold as “instant CMMC” |
| You’re a sub under prime pressure | RP/RPO + flow-down interpretation | You need the exact requirement and a clean proof package | Anything before you confirm the flowed-down level |
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
What we actually verified
- CMMC Program Rule — 32 CFR Part 170, effective December 16, 2024; phased rollout in § 170.3(e); Level 2 conditional/180-day rules in § 170.17.
- DFARS CMMC clauses — 252.204-7025 (proposal CMMC UID; not eligible for award without current status and affirmation) and 252.204-7021 (maintain status; flow-down); effective November 10, 2025. Award/option verification in DFARS Subpart 204.75.
- February 1, 2026 Revolutionary FAR Overhaul — DFARS 252.204-7019 removed; DFARS 252.204-7020 → 252.240-7997; FAR 52.204-21 → 52.240-93; -7021 and -7025 unchanged. (FAR Overhaul materials, Acquisition.gov)
- Levels — Level 1 = 15 requirements (FAR 52.204-21); Level 2 = 110 requirements across 14 families (NIST SP 800-171 Rev. 2); Level 3 = Level 2 plus 24 selected requirements from NIST SP 800-172, with a Final Level 2 (C3PAO) prerequisite. (DoD CMMC program documentation)
- Standard pinning — NIST SP 800-171 Rev. 3 supersedes Rev. 2 in NIST’s catalog, but CMMC Level 2 remains on Rev. 2 under 32 CFR Part 170.
- Cost anchors — Level 1 self ≈ $6,000; Level 2 self = $34,277 initial / ~$37,196 over three years; Level 2 (C3PAO) = $101,752 initial / $104,670 over three years (small entity), excluding implementation. (CMMC Regulatory Impact Analysis, 32 CFR Part 170)
- Ecosystem — roughly 103 authorized C3PAOs, ~759 CCAs, and ~1,000 Level 2 certifications, as reported at the Cyber AB’s March 2026 Town Hall. Counts change monthly — verify on the Cyber AB Marketplace.
- Conflict-of-interest rule — a C3PAO cannot provide readiness/consulting/implementation to an organization it assesses, and a firm that prepared you generally cannot assess you for three years. (Cyber AB CMMC Assessment Process and conflict-of-interest rules)
Frequently asked questions
Can you bid on a DoD contract without CMMC?
Usually the binding gate is award, not pressing submit — but the solicitation controls. When DFARS 252.204-7025 applies, the offeror is not eligible for award without the required current CMMC status and affirmation reflected in SPRS, and the proposal must report the relevant CMMC unique identifiers. Confirm with the contracting officer whether the requirement applies at submission, document access, or award.
Is CMMC required before proposal submission?
Sometimes. When DFARS 252.204-7025 applies, the proposal must report the CMMC UID for each system that will handle FCI or CUI, so you need a CMMC record to report. Read the provision before assuming CMMC is only an after-award issue.
Is CMMC required before award?
Yes, when the solicitation includes a CMMC requirement. DFARS Subpart 204.75 directs that the contracting officer shall not award, exercise an option, or extend performance without the required current CMMC status reflected in SPRS.
Can CMMC block access to drawings before I bid?
It can. When drawings or technical data are CUI, a solicitation can condition their release on the offeror holding the required CMMC status in SPRS, which means you cannot price the work without it. Search your solicitation for the words drawings, technical data, TDP, and JCP.
Do subcontractors need CMMC?
Yes, when the subcontractor will process, store, or transmit FCI or CUI for the covered work. DFARS 252.204-7021 requires prime contractors to flow the requirement down and to verify a subcontractor’s status before subcontract award.
Does a NIST 800-171 SPRS score by itself count as CMMC?
Not on its own. SPRS still matters, but depending on the level and solicitation you may also need a current CMMC status, a current affirmation of continuous compliance, and a CMMC unique identifier. Verify exactly what is being asked.
What is a CMMC UID?
A CMMC Unique Identifier is tied to the assessment scope for the systems that process, store, or transmit FCI or CUI. DFARS 252.204-7025 requires offerors to report the relevant CMMC UID(s) in their proposals so DoD can verify the required assessment in SPRS.
Can I use a POA&M and still get the award?
For Levels 2 and 3, an allowable Plan of Action and Milestones can support a Conditional CMMC status with up to 180 days to reach Final under 32 CFR § 170.17. Level 1 has no conditional status and must be Final at award. You must already hold the Conditional status at the time of award.
Do I need a C3PAO to bid?
Only if the solicitation requires a Level 2 third-party (C3PAO) assessment or Level 3, or if you are assessment-ready and pursuing certification. Level 1 and some Level 2 contracts are self-assessment paths.
Can one firm prepare us and also assess us?
No. Under the Cyber AB’s conflict-of-interest rules, a C3PAO cannot provide readiness, consulting, or implementation help to an organization it assesses, and a firm that prepared you generally cannot serve as your certifying assessor for three years. Keep readiness and assessment in separate hands.
Does CMMC apply to every federal contract?
No. CMMC is implemented through DoD procurement under the DFARS clauses; it is not a universal requirement across all civilian-agency contracts. COTS-only contracts are generally excluded.
What should I do today if my bid is due this week?
Search the solicitation for the CMMC clauses and the gate keywords above. Then ask the contracting officer or prime whether the requirement applies at proposal, at document access, at award, or at performance — and decide whether to chase this bid or position for the next one based on the answer.