The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base


CMMC Waiver: Can You Get One, and What It Won’t Do

By The Defense Compliance Report Editorial Team · Last reviewed:

Don’t build your bid around a CMMC waiver.

A CMMC waiver is a real but narrow exception that lets DoD leave the CMMC assessment requirement out of a specific solicitation or contract — “in very limited circumstances,” in the exact words of the rule (32 CFR § 170.5(d)). Only a senior DoD acquisition executive can grant one, the decision is made inside the government in advance of the solicitation, and even a granted waiver leaves every underlying security obligation in place. For most contractors, the honest answer to “can I get a CMMC waiver?” is a hard no.

We’re an independent trade publication, not a law firm and not a vendor. So we did the unglamorous work: we read the CMMC Program Rule at 32 CFR Part 170, the DoD implementation memo that governs waivers, the DFARS contract clauses that decide award eligibility, and the 2026 GAO report on the program. Everything below is sourced to those primary documents.

Who this page is for — and who it isn’t

This is for you if: a CMMC clause just showed up in a solicitation, a prime told you flow-down is coming, an option renewal now hinges on CMMC, or a leadership meeting produced the sentence “can’t we just get a waiver?” You want to know whether a waiver is a live option, who controls it, and what to do if it isn’t.

This isn’t the page for you if: you already know your required level and you’re comparing assessors or readiness partners. In that case, skip the waiver rabbit hole and use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category.

First screen: can a CMMC waiver actually help me?

Find your row. This is the fast answer; the rest of the page is the proof and the follow-ups.

CMMC waiver applicability by contractor situation
Your situation | Is a waiver a realistic plan? | What controls it | What to do next
Your solicitation already names a required CMMC level (DFARS 252.204-7025) | No — plan for the requirement, not a waiver | The contract clause and your SPRS status | Confirm the inserted level, your CMMC status, and your affirmation in SPRS
You handle FCI only and need Level 1 (Self) | No, effectively never | DoD policy | Complete the Level 1 self-assessment and annual affirmation
You need Level 2 (Self-Assessment) | No, effectively never | DoD policy | Do the Level 2 self-assessment; use a permissible POA&M if one applies
You need Level 2 (C3PAO) and aren’t ready | Rare, and not yours to request | A DoD acquisition executive, per procurement | Accelerate readiness, reduce CUI scope, or make a bid/no-bid call
You have a Conditional status | This is a POA&M clock, not a waiver | You + your assessor | Close the POA&M within 180 days
Your prime says “we’ll waive it for you” | Be careful — a prime can’t do that | The flow-down clause; DoD, not the prime | Confirm the flow-down level; verify your own status
You’re not sure what clause or level applies | Don’t buy anything yet | Depends on your data and contract | Read the clause; then use Find My CMMC Path

🔎 CMMC Waiver Reality Check

Sixty seconds, no login, no CUI. Answer a handful of questions — prime or sub, the level in your clause, FCI or CUI, your current SPRS status, your deadline — and get a plain-English read on whether a waiver could conceivably apply to your situation, plus the specific next step for your case.


Do not submit CUI, drawings, export-controlled technical data, or sensitive contract details. This is educational research, not legal or compliance advice.

First move — before you spend a dollar on a provider: map your requirement, not a rumor. Use The Defense Compliance Report’s Find My CMMC Path tool to turn your contract clause, FCI/CUI handling, and timeline into the right provider category. It routes to a category, not a named company, and it isn’t a score, ranking, or compliance advice. Do not submit CUI, drawings, or sensitive contract details.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

What is a CMMC waiver?

A CMMC waiver is a decision by DoD to leave the CMMC assessment requirement out of a specific procurement — or a class of procurements — when including it would block competition or delay mission-critical work. It lives in the CMMC Program Rule at 32 CFR § 170.5(d), it is meant to be used sparingly, and it changes only what a contract requires you to prove, not what the law requires you to do to protect information.

The rule text is worth reading in full. Under 32 CFR § 170.5(d): “in very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.”

How to read 32 CFR § 170.5(d) as a contractor
What 32 CFR § 170.5(d) says | What it means for you
“a Service Acquisition Executive or Component Acquisition Executive… or as delegated, may elect to waive” | A senior DoD acquisition official decides — not you, and not your prime
“waive inclusion of CMMC Program requirements” | It removes the assessment requirement from the deal, not the security work
“in a solicitation or contract” | It attaches to one procurement, not to your company across the board
“in very limited circumstances” | It’s rare by design — not a planning assumption
“contractors… will remain obligated to comply with all applicable cybersecurity and information security requirements” | Your duty to protect FCI and CUI survives the waiver, in full

There’s a mechanical detail that makes this concrete. DFARS Subpart 204.75 instructs contracting officers to insert the CMMC clause into applicable solicitations “unless the requirements at 32 CFR 170.5(d) are met.” In plain English: the clause goes in by default. A waiver is the rare exception that keeps it out, and satisfying 170.5(d) is a call only a senior DoD acquisition executive can make.

Can you actually get a CMMC waiver?

Not in the way most people mean. There is no contractor application for a CMMC waiver — no form, no portal, no hardship petition you submit to DoD. The request originates inside the government, and it’s approved inside the government. As a contractor — an “Organization Seeking Assessment (OSA)” or “Organization Seeking Certification (OSC)” — you are simply not a party to that decision, and a prime cannot grant one to you either.

Here’s the tell that this is a rare, tightly controlled tool. DoD built a dedicated course for the senior acquisition workforce covering when a CMMC waiver “may be appropriate and the process for recording its use.” As of September 2025, the GAO reported that 18 acquisition workforce members had completed it. Eighteen. This is not a lever your contracting officer is casually pulling.

The misconception worth deleting from your head

You’ll find guidance online that describes a contractor “applying” for a CMMC waiver — assembling an economic-hardship case, a good-faith-effort narrative, and submitting it to a contracting officer. Read 32 CFR § 170.5(d) and the DoD implementation memo and that picture falls apart. The decision is made by DoD, at the procurement level, in advance of the solicitation, and it’s driven by the government’s need for competition and speed on a given buy — not by any one company’s compliance situation.

Can you raise the topic? Nothing stops you from asking a contracting officer for written clarification if a requirement looks ambiguous or misaligned with the data you’ll actually handle. But raising a question is not the same as obtaining a waiver — and betting your capture strategy on a waiver you can’t request or control is a bad hand to play.

What is the CMMC waiver process?

The CMMC waiver process runs entirely inside DoD. A Program Manager or requiring activity requests the waiver, the component Chief Information Officer (CIO) coordinates it, and a Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) approves it. A contractor can ask a contracting officer for written clarification, but a contractor does not file a waiver.

Here’s the chain, from the DoD implementation memo (“Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements,” January 15, 2025):

  • Standard route: a Program Manager or requiring activity requests the waiver → the component CIO coordinates it → an SAE or CAE approves it.
  • Major-program route (Defense Acquisition Executive oversight): the request is coordinated through the component CIO, the Program Executive Officer, the CAE or SAE, and the Office of the DoD CIO.
  • After the fact: SAEs and CAEs must report their waiver use quarterly to senior DoD leadership, including the DoD CIO — a standing paper trail for a tool a contractor cannot initiate.

Notice who’s missing from every step: you. There’s no contractor input, no application, and no company-level appeal. The most useful thing you can do when someone floats “we’ll just get a waiver” is to ask, in writing, exactly who in that chain has requested or approved one — because if the answer is “nobody yet,” you don’t have a plan, you have a wish.

What a CMMC waiver does not waive

A CMMC waiver removes the CMMC assessment from a contract. It does not remove your legal duty to protect the government’s information. If you handle FCI or CUI, the underlying safeguarding rules keep applying — even on a contract where the CMMC assessment has been waived. This is the single most expensive misunderstanding in this entire topic.

The CMMC Program Rule says so directly. Right after the waiver language, 32 CFR § 170.5(e) states that “the CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including those requirements in accordance with 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, or covered defense information in accordance with 48 CFR 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.”

What survives a CMMC waiver — and why it matters
Obligation | Source | Survives a waiver? | What that means in practice
Safeguard FCI (basic safeguarding) | FAR 52.204-21 | Yes | If you handle FCI, the 15 basic safeguards still apply
Safeguard CUI | DFARS 252.204-7012 + NIST SP 800-171 Rev. 2 | Yes | The 110 requirements across 14 control families still apply to CUI
Report cyber incidents | DFARS 252.204-7012 | Yes | The 72-hour incident-reporting duty is untouched
Enhanced protections (where required) | NIST SP 800-172 | Yes, where applicable | The waiver doesn’t lower a Level 3 program’s security bar
Contract-specific security terms | Your contract | Yes | Whatever your award requires, you still owe
Alternate protection plan (for the rare class waiver) | DoD memo, Jan 15, 2025 | Added, not removed | Class waivers require you to submit a plan for protecting FCI/CUI, evaluated at selection

Say it plainly and keep it quotable: a CMMC waiver may change the assessment requirement; it does not declassify your data or erase the safeguarding clauses in your contract. And note that last row — even the rare class waiver DoD’s memo contemplates comes with a requirement to submit an alternate protection plan for securing FCI or CUI, evaluated as part of the selection. There is no version of this where the security work disappears.

One more reason “waiver equals we don’t have to implement” is a dangerous translation: your affirmations to the government are legally live. Knowingly false or reckless cybersecurity representations can create False Claims Act (FCA) exposure. The U.S. Department of Justice runs a Civil Cyber-Fraud Initiative, launched in October 2021, that uses the FCA to pursue contractors who misrepresent their cybersecurity compliance — and it’s active: DOJ reported multiple settlements in 2025, including a $4.6 million settlement over inaccurate NIST SP 800-171 representations and a roughly $421,000 settlement from a machining subcontractor over inadequate protection of technical drawings.

Because the security requirements never go away, this is the productive place to start. Download our free CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 Rev. 2 control families. It’s a self-serve way to see where you actually stand — no matter what your contract clause turns out to require. This is educational research, not legal or compliance advice.

CMMC waiver vs. POA&M vs. COTS exemption vs. “the clause isn’t in my contract yet”

These are four different things, and people mash them together constantly. A waiver is a rare DoD decision on a single procurement. A POA&M is a limited remediation window. The COTS exemption removes CMMC from a narrow category of contracts. And a contract that simply doesn’t carry the clause yet isn’t “waived” — you’re just early in the phase-in. Only the COTS exemption and a granted waiver actually remove the CMMC requirement, and neither one removes your duty to protect the data.

CMMC mechanism comparison: waiver, POA&M, COTS exemption, phase-in, and Enduring Exception
Mechanism | What it actually does | Who controls it | Removes FCI/CUI duty? | Common mistake
CMMC waiver (32 CFR § 170.5(d)) | Leaves the CMMC assessment requirement out of one solicitation/contract, “in very limited circumstances” | DoD only — an SAE or CAE (or delegate) | No — obligations remain in full | Treating it as something you can apply for
POA&M (32 CFR § 170.21) | Lets you reach a Conditional CMMC status and close a limited set of gaps within 180 days | You + your assessor (or DIBCAC) | No | Assuming any control can be left open — some can’t, and Level 1 allows none
COTS exemption (DFARS Subpart 204.75) | Contracts solely for commercially available off-the-shelf items are not subject to the CMMC clause | Rule-based (automatic) | Other FCI/CUI rules can still apply | Assuming “commercial” equals “COTS” — it doesn’t
Phase-in (32 CFR § 170.3(e)) | CMMC is being added to contracts in stages; not having the clause yet is timing, not a waiver | DoD (the rollout schedule) | No | “It’s not in my contract, so I’m exempt” — you’re just early
Enduring Exception (32 CFR § 170.4) | A documented system where full compliance isn’t feasible (e.g., certain medical devices, operational technology), recorded in the SSP | You (documented in the SSP) | No — it’s a documented gap, not an exemption | Using it as a catch-all instead of a narrow, documented exception

The most common trap in this table is the phase-in row: “our current contract doesn’t mention CMMC, so we must be exempt.” You’re not exempt — you’re in Phase 1 (which runs through ), and the clause reaches more contracts as the phases progress. See our explainer on the CMMC Phase 2 deadline for what changes on . The requirement is coming; the absence of the clause today is a runway, not a reprieve.

Which CMMC levels can be waived?

Almost none of them, in practice. DoD’s own guidance says there are “no circumstances likely to warrant approval” of a waiver at Level 1 or at Level 2 self-assessment. It leaves the door open only for Level 2 third-party (C3PAO) and Level 3 assessments, and only “in rare circumstances” — with hard limits, a built-in expiration, and an alternate protection plan attached.

Built from Attachment 2 of the DoD implementation memo (January 15, 2025), read line by line. As far as we’ve found, no competing page assembles the exact by-level language, conditions, and citations in one place — so this is ours.

CMMC waiver availability by level — what the DoD memo actually says
CMMC requirement | Can DoD waive the assessment? | What the DoD memo actually says | Conditions if it’s granted
Level 1 (Self-Assessment) — FCI; 15 requirements from FAR 52.204-21 | Effectively never | “There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements.” | Not applicable
Level 2 (Self-Assessment) — CUI | Effectively never | Because of the existing self-assessment expectation under DFARS 252.204-7019 and the availability of POA&Ms, “there are no circumstances likely to warrant approval of requests to waive CMMC Level 2 self-assessment requirements.” | Not applicable
Level 2 (C3PAO) — CUI; 110 requirements from NIST SP 800-171 Rev. 2 | Rare | “In rare circumstances, such as when seeking competition from non-traditional DoD sources, waivers may be warranted” — but not for contracts requiring performance by a cleared defense contractor | Class waivers must carry a planned expiration date and a plan to require certification in later solicitations; the solicitation must require an alternate protection plan for FCI/CUI, evaluated at selection
Level 3 (DIBCAC) — high-sensitivity CUI; Level 2 (C3PAO) requirements plus 24 selected requirements from NIST SP 800-172 | Rare | “In rare circumstances, waivers may be warranted for CMMC Level 3 third-party assessment requirements” — but not where the work requires access to both unclassified and classified DoD information | Same expiration and alternate-protection-plan logic applies

Source: DoD memo, “Implementing the CMMC Program,” January 15, 2025, Attachment 2. Level definitions: 32 CFR Part 170; Level 3 builds on Level 2 (C3PAO) requirements and adds 24 requirements from NIST SP 800-172.

The pattern is deliberate. The levels almost everyone in the DIB actually faces — Level 1 for FCI, Level 2 self-assessment for lighter CUI work — are exactly the ones DoD says it won’t waive. The rare exceptions live at the top of the stack, on high-end C3PAO and Level 3 buys, and even there they come with an expiration date and a requirement to prove you’ll protect the data anyway. Translation for planning purposes: do not treat a waiver as available at your level.

What if the CMMC requirement is already in my solicitation?

If you’re looking at DFARS 252.204-7025 in a live solicitation, your problem isn’t waiver strategy — it’s award eligibility. That provision (the “Notice of Cybersecurity Maturity Model Certification Level Requirements”) is the gate. It tells you the CMMC level you must already hold to be eligible, and if you don’t hold it, your proposal isn’t in the running. So stop hunting for an exit and start working the clause.

The provision has a blank in it — literally. The contracting officer inserts one of four options: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC). That inserted level, “or higher,” is required prior to award for each contractor information system that will process, store, or transmit FCI or CUI during performance. And DFARS Subpart 204.75 is explicit: contracting officers “shall not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation.”

To be eligible at award, DFARS 252.204-7025 requires two things to be current in SPRS for each relevant information system: a current CMMC status at the required level, and a current affirmation of continuous compliance.

“Current” isn’t vague. DFARS 252.204-7021 defines it:

  • Final Level 1 (Self): current for up to one year.
  • Final Level 2 (Self or C3PAO) and Final Level 3 (DIBCAC): current for up to three years.
  • Conditional Level 2 or Level 3: current for only 180 days.
  • In every case: your affirmation of continuous compliance must be no older than one year.

Note two things that trip people up: Level 1 has no conditional path. It requires a Final status, and POA&Ms aren’t permitted at Level 1. But at Levels 2 and 3, a Conditional status can be enough to win an award. So if you’ve done the work and you’re carrying a limited POA&M, you may still be in the game — you just have to close that POA&M within 180 days to reach Final status. For most contractors staring at a deadline, that’s a far more realistic path than a waiver.

DFARS 252.204-7025 blank-inspection checklist

  1. The inserted level. Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC)? Everything else follows from this.
  2. Your SPRS status. Do you have a current status at that level (or higher) for every in-scope system?
  3. Final vs. Conditional. If Conditional (Level 2/3), when does the 180-day clock run out — before or after expected award?
  4. Your affirmation. Is your affirmation of continuous compliance less than one year old? If it’s near the one-year mark, renew it now.
  5. CMMC UIDs. Do you have the SPRS-issued CMMC unique identifier (UID) — a 10-character code — for each system that will handle FCI or CUI, ready to put in the proposal?
  6. System scope. Which of your information systems will actually process, store, or transmit FCI or CUI on this contract? That set defines everything above.
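The checklist above and the “current” windows from DFARS 252.204-7021 reduce to a date calculation that a capture team can run per in-scope system before deciding to bid. The following is an added example written for this page; it is not code from DoD, SPRS, or any official tool. It encodes only the windows quoted on this page (Final Level 1 one year; Final Level 2/3 three years; Conditional Level 2/3 180 days; affirmation no older than one year; no Conditional Level 1). The numeric ordering used to evaluate “or higher”, the calendar-year date arithmetic, the data model, and the sample status are this example’s own assumptions, not rule text.

```python
"""Award-eligibility check against a DFARS 252.204-7025 inserted level.

Added example for this page; not code from DoD, SPRS, or any official tool.
Windows encoded: Final Level 1 one year; Final Level 2/3 three years;
Conditional Level 2/3 180 days; affirmation no older than one year.
The 'or higher' ordering, calendar-year arithmetic, data model and sample
inputs below are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Assumed ordering for the 'or higher' test (assumption, not rule text)."""
    L1_SELF = 1
    L2_SELF = 2
    L2_C3PAO = 3
    L3_DIBCAC = 4


# The four fill-in options a contracting officer can insert into 252.204-7025.
_INSERTED = {
    ("1", "self"): Level.L1_SELF,
    ("2", "self"): Level.L2_SELF,
    ("2", "c3pao"): Level.L2_C3PAO,
    ("3", "dibcac"): Level.L3_DIBCAC,
}


def parse_inserted_level(blank_text: str) -> Level:
    """Read the inserted level from text such as 'CMMC Level 2 (C3PAO)'."""
    m = re.search(r"Level\s*([123])\s*\(\s*(Self|C3PAO|DIBCAC)\s*\)", blank_text, re.I)
    if not m:
        raise ValueError(f"no recognizable CMMC level in: {blank_text!r}")
    return _INSERTED[(m.group(1), m.group(2).lower())]


def add_years(d: date, years: int) -> date:
    """Calendar-year offset; 29 Feb rolls to 28 Feb in a non-leap year (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class CmmcStatus:
    level: Level
    final: bool             # True = Final status, False = Conditional
    status_date: date       # date the status was recorded in SPRS
    affirmation_date: date  # latest affirmation of continuous compliance
    uid: str                # SPRS-issued CMMC UID (10 characters, per the page)


def status_valid_through(s: CmmcStatus) -> date:
    """Last day the status itself is 'current' under the 252.204-7021 windows."""
    if not s.final:
        if s.level == Level.L1_SELF:
            raise ValueError("Level 1 has no Conditional status; POA&Ms are not permitted")
        return s.status_date + timedelta(days=180)   # Conditional Level 2/3
    return add_years(s.status_date, 1 if s.level == Level.L1_SELF else 3)


def affirmation_valid_through(s: CmmcStatus) -> date:
    """Affirmation of continuous compliance must be no older than one year."""
    return add_years(s.affirmation_date, 1)


@dataclass
class Finding:
    eligible: bool
    blockers: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def check_award_eligibility(required: Level, held: CmmcStatus, award_date: date) -> Finding:
    """Apply the blank-inspection checklist to one in-scope system."""
    blockers, notes = [], []
    if held.level < required:
        blockers.append(f"held {held.level.name} is below required {required.name}")
    if len(held.uid) != 10:
        blockers.append("CMMC UID is not the 10-character SPRS identifier")
    try:
        status_end = status_valid_through(held)
    except ValueError as exc:
        return Finding(False, blockers + [str(exc)], notes)
    if award_date > status_end:
        blockers.append(f"status lapses {status_end}, before expected award {award_date}")
    elif not held.final:
        notes.append(f"Conditional: POA&M must be closed by {status_end} to reach Final")
    aff_end = affirmation_valid_through(held)
    if award_date > aff_end:
        blockers.append(f"affirmation expires {aff_end}, before expected award {award_date}")
    elif aff_end - award_date <= timedelta(days=60):
        notes.append(f"affirmation expires {aff_end}; renew it before award")
    return Finding(not blockers, blockers, notes)


if __name__ == "__main__":
    # Constructed sample: a Conditional Level 2 (C3PAO) status bidding on a Level 2 (Self) job.
    required = parse_inserted_level("CMMC Level 2 (Self)")
    held = CmmcStatus(Level.L2_C3PAO, final=False, status_date=date(2025, 12, 1),
                      affirmation_date=date(2025, 12, 1), uid="ABCD123456")
    for award in (date(2026, 3, 15), date(2026, 6, 15)):
        print(award, check_award_eligibility(required, held, award))
```

Run it once per information system that will touch FCI or CUI on the contract; the interesting case is the Conditional status, where the same proposal is eligible at an award date inside the 180-day window and ineligible at one past it, which is exactly the bid/no-bid question a waiver cannot answer.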

Can a prime contractor waive CMMC for a subcontractor?

No. A prime contractor has no authority to waive a subcontractor’s CMMC requirement — only DoD can waive CMMC, and only at the procurement level. If your prime says “don’t worry, we’ll waive it for you,” treat that as a red flag, not a green light.

DFARS 252.204-7021 requires contractors to flow the CMMC requirements down to subcontracts where a subcontractor will process, store, or transmit FCI or CUI, and to ensure — before subcontract award — that the subcontractor holds a current CMMC status at the appropriate level. That obligation runs down the supply chain regardless of what any single prime prefers. Our CMMC flow-down explainer covers how the level is determined at each tier.

One operational wrinkle worth knowing: under the DFARS Procurement Rule, DoD does not give primes automatic access to a subcontractor’s CMMC status in SPRS. Prime contractors cannot view a subcontractor’s CMMC certificates or self-assessment information and must independently verify compliance — often by having the subcontractor share status evidence directly. So flow-down isn’t a formality your prime can wave off — it’s something they have to confirm, which means they’ll be asking you for proof, not offering you a pass.

Subcontractor verification checklist

  • CMMC status and level — current, at the level appropriate to the FCI/CUI being flowed down (or higher).
  • Status evidence — your certificate (for C3PAO/DIBCAC) or self-assessment status, since the prime can’t pull it from SPRS on its own.
  • Affirmation — a current affirmation of continuous compliance (no older than one year).
  • CMMC UID(s) — for each of your systems that will handle the flowed-down FCI or CUI.
  • Scope — a clear line around which of your systems are in performance of the subcontract.

Why “can we get a waiver?” is being asked so often right now

Waiver rumors spike during a capacity crunch, and CMMC is in one. DoD only began putting CMMC requirements into contracts in late 2025, the number of authorized assessors is small relative to demand, and small businesses are feeling the cost. That pressure is real — but the federal watchdog has already warned that leaning on waivers to relieve it would be a mistake.

The numbers tell the story. The Federal Register’s own analysis estimated roughly 8,350 medium and large entities would need a Level 2 C3PAO assessment as a condition of award. On the supply side, the GAO reported that as of December 2025 there were 92 authorized C3PAOs. That gap — thousands of companies needing certification assessments against fewer than a hundred authorized assessors — is exactly why “is there a way around this?” is on every capture team’s mind. (Authorized-assessor counts change over time; for the current number, check the Cyber AB Marketplace, the official directory of authorized C3PAOs.)

In March 2026, the GAO published GAO-26-107955, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation”. DoD officials told GAO that leaders can issue waivers if external factors cause significant challenges — but GAO’s response was blunt: such waivers “would not address underlying challenges.” GAO went further, warning that “depending on the frequency and number of waivers DOD uses, the process could also undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements.”

Read that as a strategic signal. Even the mechanism DoD points to for relieving capacity pressure is one the GAO is cautioning against overusing. None of that makes waivers a plan you can bank on — it makes readiness the safer bet, which is precisely GAO’s implicit conclusion.

So a waiver won’t save you. What should you do instead?

Replace the waiver question with a path question. The useful question isn’t “how do I avoid CMMC?” — it’s “what level do I need, what information do I handle, what systems are in scope, what status do I already have, and what deadline am I working against?” Answer those five, and the right next step almost always turns out to be readiness, scope reduction, a secure enclave, evidence support, managed compliance, or a formal assessment path — not a waiver.

Most people who search “cmmc waiver” don’t actually have a waiver problem. They have a readiness problem, a scoping problem, an evidence problem, or a timing problem wearing a waiver costume. Here’s how the real problem maps to the provider category that fits it:

From waiver question to real problem to right provider category
Your real problem | The provider category that usually fits | Where not to start
The clause or flow-down is unclear | An RPO/RP plus, where needed, a qualified federal-contracts attorney | Booking a C3PAO assessment
You handle FCI only and need Level 1 | RPO/RP readiness support, or internal self-assessment help | A C3PAO (Level 1 is self-assessed)
You need Level 2 (Self-Assessment) | RPO/RP, a GRC platform, or an MSSP | A formal C3PAO assessment unless the contract requires it
You need Level 2 (C3PAO) but aren’t ready | RPO/RP, MSSP, GRC/evidence support, or a CUI enclave to get ready | Booking the assessment before you’ve remediated
Your CUI is scattered across systems | A CUI enclave and a cloud strategy (e.g., a government-community cloud), often with an MSSP | A full-enterprise overhaul before you’ve scoped
Your evidence is thin or disorganized | A GRC/evidence platform and documentation (SSP/POA&M) support | Assuming software alone equals compliance — it doesn’t
You’re genuinely assessment-ready | An authorized C3PAO | Using your readiness consultant as your assessor for the same scope
You have a POA&M and a 180-day clock | A remediation partner plus the applicable closeout assessor | Waiting for a waiver

A note on that last-column discipline: readiness/remediation help and the formal C3PAO assessment must stay separated where impartiality or conflict-of-interest rules require it. C3PAOs operate under conflict-of-interest and impartiality requirements (32 CFR § 170.9), so before you engage an assessor, ask how the C3PAO documents conflict-of-interest and impartiality controls for the personnel who would work on your assessment. And no tool, by itself, makes you compliant — software is a supporting layer, not the whole solution.

This is the logic behind what we call The CMMC Path Framework: the way we map a contractor’s required CMMC level, FCI vs. CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category they need. It routes to a category, never a named provider, and it is not a score, a ranking, or compliance advice.

You came here for a way out. Here’s the way forward.

If you’re not sure whether you need an RPO, an MSSP, a GRC platform, a CUI enclave, or a C3PAO, don’t guess and don’t overbuy. Map your situation with The Defense Compliance Report’s Find My CMMC Path tool — tell us your level, scope, assessment type, and timeline, and we’ll point you to the right provider category before you request quotes.


Do not submit CUI, drawings, export-controlled technical data, proprietary customer files, or sensitive contract details through any form or tool. This is educational research, not legal, contractual, or compliance advice.

What we actually verified for this page

We take primary-source citation as the whole job, so here’s exactly what we checked and when — no borrowed summaries.

Verified as of :

  • 32 CFR § 170.5(d) and (e) on the eCFR — confirming the waiver language (SAE/CAE authority “or as delegated,” “very limited circumstances,” obligations remain) and that CMMC does not alter FAR 52.204-21 or DFARS 252.204-7012 duties.
  • 32 CFR § 170.3(e) — the four-phase rollout and Phase 1 dates.
  • The DoD implementation memo of January 15, 2025, Attachment 2 — the request-and-approval chain (component CIO → SAE/CAE, plus the Defense Acquisition Executive route), the level-by-level waiver limits, the quarterly reporting requirement, and the alternate-protection-plan condition.
  • DFARS Subpart 204.75 and provision 252.204-7025 on Acquisition.gov — the “unless the requirements at 32 CFR 170.5(d) are met” instruction, the four inserted-level options, the “not eligible for award” language, the SPRS status and affirmation requirements, and the 180-day Conditional-status window.
  • DFARS 252.204-7021 — the definition of “current” (Final Level 1 up to one year; Final Level 2/3 up to three years; Conditional Level 2/3 up to 180 days; affirmation no older than one year), and the subcontractor flow-down obligation.
  • GAO-26-107955 (released March 2026) — the waiver cautions and the assessor-capacity figure (92 authorized C3PAOs as of December 2025).

Where a number or status could drift, we date it and re-check it on a schedule.

Frequently asked questions about CMMC waivers

Can CMMC be waived?

Yes, but only in a narrow, acquisition-level sense. DoD may waive inclusion of CMMC requirements in a solicitation or contract “in very limited circumstances” under 32 CFR § 170.5(d). That is not the same as a company-level exemption, and it doesn’t remove your duty to protect FCI or CUI.

Can my company apply for a CMMC waiver?

No. There is no contractor application. The request is made inside DoD by a Program Manager or requiring activity, coordinated through a component CIO, and approved by a Service or Component Acquisition Executive — all before the solicitation is issued. A contractor is not a party to that decision.

Who approves a CMMC waiver?

A Service Acquisition Executive or Component Acquisition Executive, or a delegate, per 32 CFR § 170.5(d). Under the DoD implementation memo, requests are coordinated through the component CIO first, with additional routing (Program Executive Officer and the Office of the DoD CIO) for programs under Defense Acquisition Executive oversight.

What is the CMMC waiver process?

It runs entirely inside DoD: a Program Manager or requiring activity requests the waiver, the component CIO coordinates it, and an SAE or CAE (or, for major programs, the Defense Acquisition Executive) may approve it. A contractor can ask a contracting officer for written clarification, but the contractor does not file the waiver.

Does a CMMC waiver waive NIST SP 800-171 or DFARS 252.204-7012?

No. 32 CFR § 170.5(e) states that the CMMC Program does not alter separately applicable requirements to protect FCI or CUI, including FAR 52.204-21 and DFARS 252.204-7012. A waiver removes the CMMC assessment, not your underlying security obligations.

Is a POA&M the same as a CMMC waiver?

No. A Plan of Action & Milestones (POA&M) is a limited remediation path tied to a Conditional CMMC status that must be closed within 180 days. A waiver is an acquisition-level decision about whether the assessment requirement is included at all. Different mechanisms, different controllers.

Are Level 1 or Level 2 self-assessment waivers available?

Don’t plan around them. The DoD memo states there are “no circumstances likely to warrant approval” of requests to waive Level 1 requirements, or Level 2 self-assessment requirements. Those are the levels most contractors face — and the ones DoD says it won’t waive.

Are Level 2 (C3PAO) or Level 3 waivers available?

Rarely, and only through the acquisition process — not by contractor request. The DoD memo says a Level 2 third-party waiver may be warranted “in rare circumstances,” such as seeking competition from non-traditional DoD sources, but not for work requiring a cleared defense contractor; Level 3 waivers may be warranted rarely, but not where the work requires access to both unclassified and classified DoD information.

Can a prime contractor waive CMMC for a subcontractor?

No. Only DoD can waive CMMC, at the procurement level. DFARS 252.204-7021 requires primes to flow down the appropriate CMMC level and to confirm a subcontractor’s status before subcontract award. A prime has no waiver authority.

What happens if I don’t have a current CMMC status at award?

Under DFARS 252.204-7025, you’re not eligible for award if you lack a current CMMC status at the required level and a current affirmation of continuous compliance in SPRS for the relevant systems. For Level 2 and Level 3, a Conditional status can support award, with a 180-day POA&M closeout; Level 1 requires a Final status.

Can I bid now and get certified later?

Sometimes — if the clause allows your current or Conditional status. DFARS Subpart 204.75 permits award with a Conditional Level 2 or Level 3 status (not to exceed 180 days from the status date). It does not let you win a contract with no qualifying status at all.

The solicitation mentions CMMC but I don’t think I handle CUI. Now what?

Ask for written clarification rather than a waiver. CMMC applicability turns on FCI/CUI handling and the specific level the contracting officer inserted. Confirm the data flow, the required status, and the affected systems in writing before you invest in a proposal — or a provider.

The bottom line

A CMMC waiver is real, rare, and not yours to request. It removes an assessment from a single contract, not your obligation to protect the government’s information, and it lives at the top of the stack — on the C3PAO and Level 3 buys most contractors never touch — with an expiration date attached. For nearly everyone in the DIB, the durable path isn’t a waiver. It’s knowing your level, scoping your environment, and moving on readiness before a solicitation forces your hand.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Get matched with Find My CMMC Path →

⚠️ Do not submit CUI, drawings, export-controlled technical data, proprietary customer files, or sensitive contract details through any form or tool. This is educational research, not legal, contractual, or compliance advice.

Primary sources

  1. 32 CFR § 170.5 (Policy — waiver at (d), safeguarding duties at (e)), eCFR
  2. 32 CFR § 170.3 (Applicability — phased implementation), eCFR
  3. 32 CFR § 170.4 (Acronyms and definitions — Enduring Exception), eCFR
  4. 32 CFR § 170.9 (C3PAO requirements, including conflict-of-interest/impartiality), eCFR
  5. 32 CFR §§ 170.21 and 170.22 (POA&M and affirmation), eCFR
  6. CMMC Program Final Rule (32 CFR Part 170), Federal Register (published Oct. 15, 2024; effective Dec. 16, 2024)
  7. DFARS CMMC Procurement Rule, Federal Register (published Sept. 10, 2025; effective Nov. 10, 2025)
  8. DoD memo, “Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements” (Jan. 15, 2025)
  9. DFARS Subpart 204.75 (Cybersecurity Maturity Model Certification), Acquisition.gov
  10. DFARS 252.204-7025 (Notice of CMMC Level Requirements), Acquisition.gov
  11. DFARS 252.204-7021 (Contractor Compliance With CMMC Level Requirements), Acquisition.gov
  12. NIST SP 800-171 Revision 2 (110 requirements across 14 families), NIST
  13. GAO-26-107955, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation” (released Mar. 12, 2026)
  14. U.S. Department of Justice, Civil Cyber-Fraud Initiative (announced Oct. 2021)

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Independence: The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This article is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney; your contract clause and CUI handling set your level, not a checklist.

A note on naming: this article uses “Department of Defense (DoD),” the statutory legal name used throughout 32 CFR Part 170, the DFARS clauses, and the DoD implementation memo. In September 2025, Executive Order 14347 authorized “Department of War” as a secondary title for non-statutory communications; the CMMC rules and clauses continue to use “DoD.”