Do I Need CMMC to Win My Contract?
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
It’s the question landing in every defense contractor’s inbox the moment CMMC shows up in a solicitation: do I need CMMC to win my contract? Here’s the straight answer. Yes — when the solicitation, contract, option, or prime flow-down requires a CMMC status for systems that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need the required current CMMC status and affirmation posted in SPRS before award, or you’re ineligible. But the requirement is not uniform across all DoD work, and “do I need CMMC” has a much narrower answer than most vendor content suggests.
Here’s the part that matters more than it sounds. The most expensive mistake on this topic isn’t missing a CMMC requirement. It’s over-buying one you don’t have — paying for a third-party assessment when your contract only asked for a self-assessment. We read the actual rule text and clause language so we can show you how to tell the difference before you spend a dollar.
Check these four things first
If you’re staring at a solicitation, a prime’s email, or an option notice right now, this is your 60-second triage:
- Does the solicitation or flow-down reference DFARS 252.204-7025 or DFARS 252.204-7021? (The provision and the clause, both defined below.)
- What exact status does it name — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC)? “Level 2” alone isn’t enough; the assessment type is the part that costs money.
- Will your own systems process, store, or transmit FCI or CUI to perform the work? That’s what determines whether you’re in scope.
- Is your required CMMC status — plus your CMMC Unique Identifier (UID) and your annual affirmation — current in SPRS? That’s what a contracting officer checks before award.
Here’s the quick read on what each answer means:
| If your contract says… | Your likely answer |
|---|---|
| Level 1 (Self) | You need a current Level 1 CMMC status and affirmation in SPRS before award. Annual self-assessment. No third party. |
| Level 2 (Self) | You need a current Level 2 self-assessment status and affirmation in SPRS before award. No C3PAO required. |
| Level 2 (C3PAO) | You need a Final — or valid Conditional — Level 2 status from a third-party assessor before award. |
| Level 3 (DIBCAC) | You need the Level 3 path, which requires a Final Level 2 (C3PAO) first, then a government assessment. |
| No CMMC clause, but you see 7012 / 7019 / 7020 | You may already owe NIST 800-171 safeguarding and a SPRS score — but don’t assume a CMMC award gate without reading the clause. |
| Solely commercial off-the-shelf (COTS) | CMMC may not apply at all — but confirm it’s truly COTS-only. |
The honest part vendors tend to flatten: CMMC does not mean every DoD contractor needs an expensive third-party (C3PAO) assessment right now, and it does not mean a subcontractor needs the same level as its prime. The contract clause and the data you actually handle decide your level and assessment type — and once you read them correctly, the requirement is often smaller and more achievable than the worst-case story in your head.
The right CMMC provider isn’t the same for every contractor. The category you need depends on your required level, whether you handle FCI or CUI, your assessment type, and your timeline. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — no CUI required.
The CMMC Contract Award Eligibility Matrix
We built this table to put the whole award decision in one place — the clause, the information you handle, the SPRS action, the subcontract effect, and the provider category — instead of making you piece it together from the rule, the clause text, and a stack of vendor blogs. To assemble it, we read the live clause text on Acquisition.gov and the CMMC Program Rule (32 CFR Part 170) on the eCFR.
| If your situation is… | What you likely need before award | Assessment path | SPRS / affirmation action | Provider category that usually acts first | Common mistake | Primary source |
|---|---|---|---|---|---|---|
| Solicitation includes DFARS 252.204-7025 and inserts Level 1 (Self) | Current Level 1 CMMC status + annual affirmation in SPRS | Annual self-assessment of FCI systems against 15 requirements | Post status; keep affirmation current; provide CMMC UID(s) | Internal owner or RPO for documentation help | Hiring a C3PAO when the clause only calls for Level 1 (Self) | DFARS 252.204-7025; 32 CFR § 170.15 |
| Solicitation inserts Level 2 (Self) | Current Level 2 (Self) status + affirmation | Triennial self-assessment vs NIST SP 800-171 Rev. 2 (110 requirements) | Submit Level 2 self-assessment results/status in SPRS, including the overall Level 2 score; keep annual affirmation current | RPO, MSSP, GRC platform, or CUI enclave depending on scope | Assuming every Level 2 contract requires a C3PAO | 32 CFR §§ 170.16, 170.17 |
| Solicitation inserts Level 2 (C3PAO) | Final — or valid Conditional — Level 2 (C3PAO) status + affirmation | Certification assessment by an authorized C3PAO | Results post to SPRS; affirmation still required | Readiness help first if not assessment-ready; C3PAO only for the formal assessment | Calling a C3PAO before you can survive an evidence review | DFARS 252.204-7025; 32 CFR § 170.17 |
| Solicitation inserts Level 3 (DIBCAC) | Final Level 2 (C3PAO) prerequisite, then the Level 3 path | Government assessment by DCMA DIBCAC against 24 selected NIST SP 800-172 requirements | Level 3 status + affirmation as required | Specialized readiness, architecture help, and counsel before DIBCAC | Treating Level 3 as “Level 2 plus paperwork” | 32 CFR §§ 170.18, 170.14(c)(4) |
| Contract has DFARS 252.204-7012 and CUI, but no 7025/7021 yet | NIST SP 800-171 obligations may already apply; CMMC status depends on clause insertion | Not automatically a CMMC certification path | Check whether a NIST 800-171 self-assessment score is required in SPRS | RPO or federal-contracts attorney for clause review | Treating 7012 alone as a CMMC award gate | DFARS 252.204-7012; 252.204-7019/-7020 |
| Prime flows down work involving FCI only | Level appropriate to the information flowed — often Level 1 if only FCI | Self-assessment if Level 1 | Confirm SPRS/affirmation expectations with the prime | RPO or contracts lead | Assuming a sub always needs the prime’s exact level | DFARS 252.204-7021; 32 CFR § 170.23 |
| Prime flows down CUI, drawings, or technical data | Usually Level 2 minimum; assessment type set by the flow-down | Level 2 (Self) or Level 2 (C3PAO) | Verify CMMC UID / status / affirmation path | RPO + MSSP / GRC / enclave before a C3PAO if not ready | Letting CUI leak into email, SaaS, or backups outside the assessed boundary | 32 CFR § 170.23 |
| Acquisition is solely COTS | CMMC likely does not apply under the COTS exception | Usually no CMMC path if truly COTS-only | Document why the COTS exception applies | Contracts manager or attorney | Assuming “we sell commercial products” equals “COTS-only” | DFARS 204.7501; FAR 2.101 |
| You hold a Conditional Level 2 or Level 3 status with open POA&M items | You may be eligible only while the conditional status is valid and you hit closeout deadlines | POA&M closeout assessment within 180 days | Track the 180-day clock; convert to Final status | Current readiness provider + assessment body as applicable | Letting conditional status expire and expecting continued eligibility | 32 CFR § 170.21 |
Editorial conclusion (not legal advice): This matrix is The Defense Compliance Report’s contract-award triage framework, built from current primary sources. It is not legal, contractual, or compliance advice. Confirm contract-specific applicability with the contracting officer, your prime, a qualified CMMC Registered Practitioner (RP/RPO), or a federal-contracts attorney before you make a bid or representation decision.
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Do I need CMMC to win my contract? The straight answer
You need CMMC to win the contract when the solicitation, contract, task order, option, or prime flow-down requires a current CMMC status at a stated level for systems that handle FCI or CUI. DFARS 252.204-7025 — the solicitation provision titled “Notice of Cybersecurity Maturity Model Certification Level Requirements” — says the offeror must have the required level (or higher) before award, and that an offeror is ineligible if the required current CMMC status and affirmation are not in SPRS (DFARS 252.204-7025, Acquisition.gov).
We pulled the live text of that provision on June 18, 2026, and the language is blunt. The contracting officer fills in one of four options — CMMC Level 1 (Self), CMMC Level 2 (Self), CMMC Level 2 (C3PAO), or CMMC Level 3 (DIBCAC) — and that level “or higher” is required prior to award for each contractor information system that will process, store, or transmit FCI or CUI (DFARS 252.204-7025(b)(1)).
If CMMC is in the award gate, you don’t fix it after award. You prove the required status before award.
A few terms, defined once so the rest of this page reads cleanly:
- CMMC (Cybersecurity Maturity Model Certification) — the DoD framework that verifies a contractor’s cybersecurity against set standards as a condition of contract award (32 CFR Part 170).
- FCI (Federal Contract Information) — information not intended for public release that the government provides or that you generate to deliver a product or service. Handling only FCI points to Level 1 (FAR 52.204-21). See also: FCI vs CUI.
- CUI (Controlled Unclassified Information) — information the government requires to be safeguarded under law, regulation, or policy. Handling CUI points to Level 2 or Level 3 (32 CFR Part 2002).
- SPRS (Supplier Performance Risk System) — the DoD system where your CMMC status, score, and affirmation live, and where contracting officers verify them (sprs.csd.disa.mil). Learn how to verify your status: How to verify CMMC status in SPRS.
- C3PAO (Certified Third-Party Assessment Organization) — an authorized company that performs the formal Level 2 certification assessment.
- DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) — the DCMA group that performs Level 3 government assessments.
The requirement is real, it’s current, and it’s phasing in fast. The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024. The DFARS acquisition rule that actually puts CMMC clauses into contracts became effective November 10, 2025 — the first day of a four-phase rollout (32 CFR § 170.3(e)). As of this writing we’re inside Phase 1 (November 10, 2025 – November 9, 2026), when DoD includes Level 1 (Self) or Level 2 (Self) as a condition of award on applicable contracts, with discretion to require Level 2 (C3PAO) on selected ones. The date the whole industry is circling is November 10, 2026 — Phase 2 — when DoD intends to include Level 2 (C3PAO) on applicable solicitations and contracts (with discretion to delay that requirement to an option period rather than initial award) (32 CFR § 170.3(e)(2)). If your work touches CUI, that’s the deadline to build toward.
How do I know if a specific contract requires CMMC?
Read the contract, in this order: look for DFARS 252.204-7025 in the solicitation and DFARS 252.204-7021 in the resulting contract or flow-down. The provision tells you the required level before award; the clause carries the ongoing obligation and the duty to flow it down to subs. If neither appears and your work touches no FCI or CUI, a CMMC status usually isn’t the award gate for those systems — but confirm the clause and flow-down first, because subcontractor obligations can arrive through your prime without a DoD solicitation ever reaching your desk.
Federal acquisition follows a consistent pattern: a provision puts you on notice during the solicitation; a clause carries the obligation in the awarded contract. DFARS 252.204-7025 is the provision. DFARS 252.204-7021 is the clause. (If you’ve seen DFARS 252.204-7008 paired with 252.204-7012 before, it’s the same logic.)
Here’s the clause decoder we use internally:
| Clause / authority | What it means in plain English | What to do |
|---|---|---|
| DFARS 252.204-7025 | Solicitation provision: “Notice of CMMC Level Requirements.” Names the required level/status before award. | Find the inserted level, confirm your SPRS readiness, and provide your CMMC UID(s) in the proposal. |
| DFARS 252.204-7021 | Contract clause: maintain your CMMC status during performance and flow it down to subs. | Confirm status, UID, affirmation, and subcontractor obligations. |
| DFARS 252.204-7012 | Safeguarding Covered Defense Information and 72-hour cyber-incident reporting. A long-standing clause; its NIST SP 800-171 implementation deadline was December 31, 2017. | Determine whether CUI/CDI is involved and which systems are in scope. CMMC adds to this; it doesn’t replace it. |
| DFARS 252.204-7019 / -7020 | The existing NIST SP 800-171 DoD assessment + SPRS score regime. | Check whether a current NIST 800-171 summary score is required in SPRS. |
| FAR 52.204-21 | Basic safeguarding baseline for FCI — the 15 requirements behind CMMC Level 1. | Confirm Level 1 if you handle FCI only. |
| 32 CFR Part 170 | The CMMC Program Rule itself — levels, assessments, scoring, POA&M, and applicability. | Use it for level, assessment type, and POA&M rules. |
Where to physically look in your document, and what it tells you:
- Solicitation, clause/provision list: search the PDF for “7025,” “7021,” “CMMC,” “FCI,” “CUI,” and “SPRS.” The presence of 7025 is your clearest signal.
- The 7025 fill-in line: “The CMMC level required by this solicitation is: ____.” That blank is your required level and whether you can self-assess or need a third party.
- Sections L and M (instructions and evaluation): these tell you how to prove eligibility — typically by providing your CMMC UID(s) and current status. Miss those instructions and a strong technical proposal can still be found non-responsive.
- The awarded contract or subcontract: 252.204-7021 is the binding obligation and the flow-down hook.
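The document search and fill-in check described above, as an added worked example in Python. This script is not part of this page or of The Defense Compliance Report’s tooling; the two solicitation excerpts are constructed for illustration, and the plain-English clause signals are our own wording drawn from the decoder table. It scans solicitation text for the DFARS 252.204-70xx clause numbers, reads the 7025 fill-in line to recover the required level and assessment type, and reports a blank fill-in instead of silently missing it.

```python
import re

# Constructed excerpts standing in for solicitation text (not real solicitations).
SAMPLE_LEVEL2_SELF = """
SECTION I - CONTRACT CLAUSES
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements
252.204-7025 Notice of Cybersecurity Maturity Model Certification Level Requirements
(b)(1) The CMMC level required by this solicitation is: CMMC Level 2 (Self).
Offerors shall provide the CMMC Unique Identifier (UID) for each information system.
"""

SAMPLE_7012_ONLY = """
SECTION I - CONTRACT CLAUSES
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
"""

# Clause numbers worth flagging and what each signals (our plain-English summary).
CLAUSE_SIGNALS = {
    "7025": "solicitation provision: required CMMC status before award",
    "7021": "contract clause: maintain CMMC status and flow it down",
    "7012": "safeguarding CDI / 72-hour incident reporting (NIST SP 800-171)",
    "7019": "NIST SP 800-171 DoD assessment notice (SPRS score)",
    "7020": "NIST SP 800-171 DoD assessment requirements",
}

# Canonical spelling of the assessment type, so a case-insensitive match is stable.
CANONICAL_TYPE = {"self": "Self", "c3pao": "C3PAO", "dibcac": "DIBCAC"}

# The 7025 fill-in line. Level and assessment type are what cost money, so capture
# both; also accept a run of underscores so a blank fill-in is reported, not missed.
FILL_IN = re.compile(
    r"CMMC level required by this solicitation is:\s*"
    r"(?:(?:CMMC\s+)?Level\s+([123])\s*\((Self|C3PAO|DIBCAC)\)|(_{2,}))",
    re.IGNORECASE,
)


def find_clauses(text):
    """Return the DFARS 252.204-70xx clause numbers referenced in the text."""
    found = set(re.findall(r"252\.204-(70\d\d)", text))
    return {num: CLAUSE_SIGNALS[num] for num in sorted(found) if num in CLAUSE_SIGNALS}


def extract_required_status(text):
    """Return (level, assessment_type) from the 7025 fill-in line, the string
    'BLANK' if the line is present but not filled in, or None if it is absent."""
    m = FILL_IN.search(text)
    if m is None:
        return None
    if m.group(3):
        return "BLANK"
    return int(m.group(1)), CANONICAL_TYPE[m.group(2).lower()]


def triage(text):
    """Summarize what the text says about the CMMC award gate (a first read only;
    confirm the live clause text and any flow-down with the CO or prime)."""
    clauses = find_clauses(text)
    result = {"clauses": clauses, "required_level": None, "assessment_type": None,
              "third_party_needed": False, "next_step": ""}
    status = extract_required_status(text) if "7025" in clauses else None
    if "7025" in clauses and status is None:
        result["next_step"] = "7025 present but no fill-in line found; ask the CO for the required level"
    elif status == "BLANK":
        result["next_step"] = "7025 fill-in is blank; confirm the required level before bidding"
    elif status is not None:
        level, atype = status
        result["required_level"] = level
        result["assessment_type"] = atype
        result["third_party_needed"] = atype in ("C3PAO", "DIBCAC")
        result["next_step"] = (f"Confirm a current Level {level} ({atype}) status and "
                               f"affirmation in SPRS before award")
    elif "7021" in clauses:
        result["next_step"] = "7021 present without 7025: ask the prime for the required level and flow-down"
    elif clauses:
        result["next_step"] = ("No 7025/7021: NIST SP 800-171 obligations may apply, "
                               "but this text sets no CMMC award gate")
    else:
        result["next_step"] = "No DFARS 252.204-70xx cybersecurity clauses found in this text"
    return result


if __name__ == "__main__":
    for name, sample in (("Level 2 (Self) excerpt", SAMPLE_LEVEL2_SELF),
                         ("7012-only excerpt", SAMPLE_7012_ONLY)):
        print(name, "->", triage(sample))
```

Run it over the text extracted from your own solicitation PDF; the search is case-insensitive, and anything other than a filled-in 7025 line is surfaced as a question for the contracting officer rather than a guessed level.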
A 2026 clause-transition note, because we’d rather be accurate than tidy: some 2026 solicitations may reference class-deviation language or reorganized DFARS cybersecurity provisions. Before you rely on the exact citation, confirm the current text on Acquisition.gov. Don’t let anyone tell you 7019/7020 are simply “gone” — the codified DFARS text and deviation-path solicitations are two different things, and the safe move is to read the clause in front of you.
If you’ve found the clause but you’re not sure what it means for your company, that’s exactly what our free tool is built for. Find My CMMC Path is a contract-award eligibility check that turns your level, FCI/CUI scope, environment, and timeline into the provider category to talk to next — not a sales list, and no CUI required.
What should a subcontractor ask when the solicitation is unclear?
If you’re a subcontractor and you haven’t received clear CMMC requirements from your prime or the contracting officer, ask directly before you commit. The information you need: the exact CMMC clause and required level/status, whether FCI or CUI will be flowed to you, the SPRS documentation path, and the award timeline. Get it in writing before you start a readiness effort or hire a provider.
Use the template below. Edit the bracketed fields. Do not send CUI, SSPs, or security documentation in the same message.
Subject: CMMC Level / Status Clarification — [Contract / Solicitation Number]
To: [Prime PM, Contracts Lead, or Contracting Officer]

We are reviewing the CMMC requirements for [contract or solicitation number]. Before we finalize our teaming or subcontract commitment, we need to confirm the following:

1. The exact CMMC level and assessment type required for our scope (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3 DIBCAC).
2. Whether FCI or CUI will be provided to or generated by us in performing this work, and through which systems or delivery mechanisms.
3. The SPRS documentation, CMMC Unique Identifier (UID), and affirmation path required under the subcontract.
4. The expected contract award date and any CMMC status deadline tied to award or option exercise.

Could you share the relevant clause text (DFARS 252.204-7025 / 252.204-7021) and the above details so we can confirm our eligibility and timeline before proceeding?

Thank you.
[Your name, title, company]
Do I need CMMC before I bid, before source selection, or before award?
The timing question trips more contractors than the level question. Here’s the clean answer: CMMC is required before award, not before you submit a proposal. DFARS 252.204-7025 requires the offeror to have the required current CMMC status in SPRS prior to award— not prior to bid submission, not prior to source selection. You can bid (submit an offer) without having your CMMC status in place. You cannot win (receive award) without it.
That said, this is not a reason to delay. The time from solicitation release to award is often shorter than the time required to complete a CMMC assessment — particularly for Level 2 (C3PAO) or Level 3 (DIBCAC). A contractor who bids confidently but hasn’t started the readiness process may win the evaluation and then lose the award. That outcome is worse than not bidding.
Don’t open with a tool demo or a C3PAO call. Open by collecting the clause package, identifying the required status, confirming your FCI/CUI flow, checking SPRS, and listing the systems that will touch contract information. Then decide whether your blocker is contractual, technical, evidence-related, or assessment-related — because the blocker determines who you call. Speed here comes from sequence, not panic.
Your 24-hour triage checklist:
- Save the solicitation, amendments, flow-downs, and every cybersecurity attachment
- Search the documents for: 7025, 7021, 7012, 7019, 7020, CMMC, FCI, CUI, CDI, SPRS, CMMC UID, affirmation
- Identify the inserted level/status (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3 DIBCAC)
- Ask: will CUI be provided, created, stored, processed, or transmitted by us?
- List your systems: email, file storage, CAD, ERP, cloud, endpoints, backups, SIEM, ticketing, SaaS
- Check your SPRS status, score, and affirmation
- Ask the prime or CO for any missing level or data-flow detail (use the template above)
- Decide whether you need an attorney, RPO, MSSP, enclave, GRC platform, or C3PAO
| Timeline to award | Practical next move |
|---|---|
| Under 30 days | Confirm eligibility immediately; do not assume remediation can finish in time |
| 30–90 days | Run scope, SPRS, and evidence triage; narrow your provider category fast |
| 90–180 days | Build a readiness plan; make enclave/GRC decisions; schedule an assessment if needed |
| 6+ months | Build a sustainable Level 1/2 program — not a last-minute paper binder |
Bid due this week? Run your situation through the tool in a couple of minutes and walk into the prime conversation already knowing your answer.
What we verified for this page
We built this page from primary sources, not vendor summaries — and we date our verification because phases and rules change. Below is exactly what we checked and where, so you can spot-check us.
What we verified — last checked :
- CMMC applicability, levels, scoring, and POA&M rules — read directly in 32 CFR Part 170 on the eCFR, including §§ 170.14 (the 15/110/24 model), 170.15–170.18 (level definitions), 170.21 (POA&M and the prohibited-item list), 170.23 (flow-down), and 170.24 (scoring). The eCFR showed Title 32 current as of 6/12/2026.
- The award-eligibility mechanics — read the live text of DFARS 252.204-7025 and DFARS 252.204-7021 on Acquisition.gov, including the four fill-in options and the “ineligible without current status in SPRS” language.
- The phase schedule — confirmed Phase 1 (Nov 10, 2025), Phase 2 (Nov 10, 2026), Phase 3 (Nov 10, 2027), and Phase 4 (Nov 10, 2028) against 32 CFR § 170.3(e) and the DFARS rule’s effective date.
- The FCI/CUI-to-level logic — cross-checked against DoD’s published CMMC Level Determination guidance (the National Archives “Defense” CUI grouping and the three limited Level 3 circumstances).
- The enforcement example — read the DOJ Office of Public Affairs release on the Georgia Tech Research Corporation settlement (Sept. 30, 2025).
- Effective dates — 32 CFR Part 170 effective December 16, 2024 (published October 15, 2024); the DFARS acquisition rule effective November 10, 2025 (published September 10, 2025).
Frequently asked questions about needing CMMC to win a contract
Can I win a DoD contract without CMMC?
Sometimes — but not if the solicitation or contract makes a current CMMC status a condition of award for the systems you’ll use to handle FCI or CUI. If DFARS 252.204-7025 applies and your required status and affirmation aren’t current in SPRS, the provision says you’re ineligible for award (DFARS 252.204-7025, Acquisition.gov).
Is CMMC required for all DoD contracts?
No. CMMC applies through covered DoD solicitations and contracts, is tied to FCI/CUI handling, and is phasing in over time. The rule also exempts acquisitions that are solely for commercially available off-the-shelf (COTS) items (32 CFR Part 170; DFARS 204.7501).
Is CMMC required right now, in 2026?
Yes. Phase 1 began November 10, 2025, so many DoD solicitations now require a Level 1 or Level 2 self-assessment posted in SPRS before award, and DoD may require a Level 2 (C3PAO) assessment on selected contracts. Phase 2 — when DoD intends to include Level 2 (C3PAO) on applicable contracts — begins November 10, 2026 (32 CFR § 170.3(e)). See: CMMC phase schedule.
Do subcontractors need CMMC?
Often, yes — when the requirement is flowed down and the subcontractor handles FCI or CUI. The required level matches the information flowed and the contract-specific flow-down, not simply the prime’s corporate level. If the prime is Level 3 and the sub handles CUI, the minimum for the sub is Level 2 (C3PAO) (32 CFR § 170.23; DFARS 252.204-7021).
Does CMMC Level 2 always require a C3PAO?
No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO), depending on the contract. Don’t hire for a third-party assessment until you’ve confirmed the inserted status and assessment type (32 CFR §§ 170.16–170.17). See: CMMC Level 2 checklist.
Is my SPRS score the same as CMMC?
No. SPRS can hold a NIST SP 800-171 self-assessment score, a CMMC status, and your affirmations — but a NIST 800-171 score is not automatically the CMMC status a contract requires for award. Check for the specific CMMC status named (SPRS documentation; DFARS 252.204-7019/-7021).
Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?
Revision 2. Under the current CMMC rule, Level 2 maps to NIST SP 800-171 Rev. 2; NIST has published Rev. 3, but CMMC Level 2 stays on Rev. 2 unless and until DoD changes the rule (32 CFR Part 170; NIST CSRC). See: NIST 800-171 requirements checklist.
Can my readiness consultant also be my C3PAO?
For the same engagement, don’t assume it’s allowed. The CMMC rule and the Cyber AB Assessment Process include conflict-of-interest restrictions, and a firm that provides remediation can compromise its ability to assess the same environment (32 CFR Part 170; CMMC Assessment Process v2.0). See: gap assessment vs C3PAO assessment.
What if I only sell COTS products?
If the acquisition is exclusively for commercially available off-the-shelf items, CMMC may not apply under the COTS exception. But mixed contracts, services, technical support, and non-COTS deliverables can change the answer — confirm against the clause (32 CFR Part 170; DFARS 204.7501; FAR 2.101).
What if a prime asks for “CMMC proof” but the solicitation is unclear?
Ask for the exact clause, the required level/status, the assessment type, and whether FCI or CUI will be flowed to you. Provide targeted evidence only after you confirm what’s being requested — and never casually send SSPs, CUI, drawings, or credentials. Use the clarification email template above.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Primary sources
- CMMC Program Rule — 32 CFR Part 170 (eCFR)
- CMMC Model, levels, scoring, and POA&M — 32 CFR §§ 170.14, 170.21, 170.24 (eCFR)
- CMMC Program Rule — Federal Register (Oct. 15, 2024)
- DFARS 252.204-7025 (solicitation provision) — Acquisition.gov
- DFARS 252.204-7021 (contract clause) — Acquisition.gov
- DFARS 252.204-7012 (safeguarding CDI / incident reporting) — Acquisition.gov
- DFARS 252.204-7019 (NIST SP 800-171 DoD assessment / SPRS) — Acquisition.gov
- DFARS Subpart 204.75 (applicability, COTS, award) — Acquisition.gov
- FAR 2.101 (definition of COTS) — Acquisition.gov
- CUI program — 32 CFR Part 2002 (NARA)
- NIST SP 800-171 Rev. 2 (NIST CSRC)
- NIST SP 800-172 (NIST CSRC)
- Cyber AB — CMMC Assessment Process (CAP) v2.0
- DoD CIO — About CMMC (program + level determination)
- Supplier Performance Risk System (SPRS)
- U.S. DOJ — Georgia Tech Research Corporation civil cyber-fraud settlement (Sept. 30, 2025)
