The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

Does Cyber Insurance Require CMMC?

By The Defense Compliance Report Editorial Team · Published July 17, 2026 · Last reviewed July 2026 ·

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or acting on behalf of the Cyber AB, ISACA/CAICO, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Does cyber insurance require CMMC? No.And here’s the twist most contractors miss: it doesn’t run the other way either — CMMC does not require you to carry cyber insurance. These are two separate obligations, written by two different parties, answering two different questions. We’ll show you where they overlap, where they split, and the one document you’re probably not reading closely enough. Answer first, then the fine print that actually changes it.

The bottom line, up front

CMMC does not require cyber insurance, and there is no market-wide rule that makes CMMC a prerequisite for buying it.

CMMC (the Cybersecurity Maturity Model Certification) is the Department of War’s tiered program for confirming that a contractor has implemented required cybersecurity before it handles defense information. Cyber insurance is a private policy that may respond after a covered incident. Neither one is a legal condition for the other.

Here’s what can change that clean answer in practice — and where to look:

Where the requirement can actually come fromDoes it require CMMC or cyber insurance?
The CMMC rule + the DFARS cyber clauses (32 CFR Part 170; DFARS 252.204-7012, -7021)Set your CMMC and safeguarding duties. None of the CMMC clauses or the CMMC Program Rule require cyber insurance.
A specific solicitation or a prime’s subcontractCan separately requirecyber-liability insurance as a commercial term — that’s contract law, not CMMC.
Your insurer’s application + issued policyCan requirespecific controls (MFA, EDR, backups) and accurate answers to bind coverage. A carrier can even ask about your CMMC status — but that’s the carrier’s call, not a rule baked into CMMC.

So the real job in front of you isn’t “get CMMC to satisfy my insurer” or “buy insurance to satisfy CMMC.” It’s figuring out which document is actually creating each requirement— because they’re separate, and you answer to each one differently.

One honest caveat before we go further, because it saves people real money: being CMMC-ready does not guarantee an insurer will quote you, discount you, or pay a claim — and your CMMC status does not automatically answer the insurer’s questions, either.That’s not a reason to shortcut CMMC. It’s the reason this page exists — to show you exactly where the two overlap and where they split, so you don’t overpay, double-buy, or put a wrong answer on a form.

CMMC in one breath. Level 1 uses the 15 basic safeguarding requirements for Federal Contract Information (FCI). Level 2 uses all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 families, for Controlled Unclassified Information (CUI). Level 3 requires Final Level 2 (C3PAO) status plus 24 selected NIST SP 800-172 requirements assessed by DCMA DIBCAC. The level that applies to you comes from your contract clause — not a checklist, not a general rule, and not a provider’s recommendation.


Which document can actually require CMMC or cyber insurance?

Four sources can put a cybersecurity or insurance requirement in front of a defense contractor: the CMMC rule and DFARS clauses, the contract or prime flow-down, the insurance application, and the issued policy.Each answers a different question, and only some can create a cyber-insurance obligation. Read them separately — because a requirement from your prime is not the same thing as a requirement from CMMC, and a question from your insurer is not the same thing as either.

Most of the confusion here comes from treating “CMMC” and “cyber insurance” as one blurry compliance blob. They aren’t. We call the practical version The Three-Document Test: when an obligation lands on your desk, pin it to one of three documents —

  1. The solicitation, contract, subcontract, or prime flow-down.
  2. The final insurance application and every supplement.
  3. The issued policy and its endorsements.

The CMMC rule (32 CFR Part 170) and the DFARS clauses aren’t a fourth document you negotiate — they’re the regulatory baseline that decides what CMMC itself requires. Here’s the full map:

Source or documentCan it create a CMMC obligation?Can it create a cyber-insurance obligation?What to check — and what it can’t createWho resolves it
32 CFR Part 170 (CMMC Program Rule)Establishes the program, levels, and assessments; applicability comes from your contractNo cyber-insurance requirement. Can’t make you buy a policyCMMC level, FCI/CUI, assessment type, scope, affirmationRP/RPO for scope; federal-contracts attorney for applicability
DFARS 252.204-7021 (the CMMC contract clause)Yes — requires the contract-specified CMMC statusNo cyber-insurance requirementRequired status, CMMC UID, annual affirmation, SPRS, flow-downContracting officer; contracts counsel
DFARS 252.204-7012 (safeguarding + incident reporting)Requires adequate security, NIST SP 800-171, and rapid cyber-incident reporting — it does not select your CMMC levelNo cyber-insurance requirementCovered defense information, NIST SP 800-171, cyber incidentContracting officer; RP/RPO for implementation
Solicitation or prime subcontractYes, through its clausesYes — the schedule or special terms can require coverageCyber-liability limits, certificate of insurance, additional-insured termsContracting officer or contracts counsel
Insurance application / supplementCan ask about CMMC — can’t turn CMMC into a government mandateCan require answers, evidence, or controls to bind coverageMFA, EDR, backups, revenue, covered entities, scopeLicensed broker, underwriter, coverage counsel
Issued policy + endorsementsDoesn’t replace your CMMC dutyGoverns the actual coverage, conditions, warranties, and exclusionsRepresentations, notice, covered systems, exclusionsBroker and qualified coverage counsel

The one-sentence takeaway: CMMC does not require cyber insurance. Your contract or prime flow-down might. Your carrier’s application and policy set the underwriting representations and coverage terms. Check those three things independently.

Hold onto that — rule vs. contract vs. policy is the whole game. Everything below is the detail behind it.



Does cyber insurance require CMMC — or does CMMC require insurance?

Neither direction creates a hard requirement on its own.No CMMC rule, NIST standard, or core DFARS clause requires you to carry cyber insurance, and no market-wide rule requires you to hold CMMC to buy it. A specific contract can require insurance, and a specific carrier can ask about your CMMC status — but those are separate, document-by-document conditions, not a link written into either system.

Does CMMC require you to carry cyber insurance? No.

Nothing in the CMMC Program Rule (32 CFR Part 170, effective December 16, 2024), NIST SP 800-171 Revision 2, or the core DFARS cybersecurity clauses requires a policy. We read the clauses so you don’t have to squint at them.

DFARS 252.204-7012 — the safeguarding and cyber-incident-reporting clause, which set a December 31, 2017 deadline to implement the applicable NIST SP 800-171 requirements — obligates you to:

Insurance appears nowhere in it. Same for DFARS 252.204-7021, the CMMC clause that took effect November 10, 2025: it requires you to obtain and maintain the contract-specified CMMC status and to meet the CMMC UID, annual affirmation, SPRS, and flow-down requirements. Still no insurance.

(One version note worth banking: NIST has since published SP 800-171 Revision 3, but CMMC Level 2 remains tied to Revision 2under 32 CFR Part 170. Don’t let anyone substitute Rev. 3 for the CMMC assessment standard unless the Department changes the controlling rule.)

Do cyber insurers require CMMC or NIST 800-171? Not as a universal rule.

Insurers underwrite to the controls you have and the answers you give on the application — and while a CMMC certificate isn’t a standard prerequisite to buy coverage, a particular carrier can ask about your CMMC status or use it in its own underwriting decision. Some public defense-sector applications now ask whether you’ve implemented NIST SP 800-171 or hold a CMMC self-assessment. We reviewed specified public application and underwriting materials on our verification date; the materials carriers use change over time, and your carrier’s terms govern.

What insurers care most about is whether you have the controls that drive losses: multi-factor authentication, endpoint detection, tested backups, patching, an incident-response capability, training, and encryption. If those sound familiar, it’s because they’re also core to NIST SP 800-171. That overlap is real — and it’s why so many contractors assume the two systems are the same thing.

They’re not. And the gap between them is where the money and the risk live.


Can your contract or prime require cyber insurance anyway?

Yes — separately from CMMC.A solicitation, a contract schedule, or a prime’s flow-down subcontract can require cyber-liability or errors-and-omissions insurance even though CMMC does not. This is ordinary contract law. The exact written term — not a general CMMC checklist — decides whether the obligation is yours.

Federal contracts can specify required insurance. The clearest primary-source example is FAR 52.228-5, “Insurance—Work on a Government Installation,” which requires the contractor to “provide and maintain … at least the kinds and minimum amounts of insurance required in the Schedule or elsewhere in the contract,” inserted when a fixed-price contract over the simplified acquisition threshold involves work on a government installation.

Here’s the tell: the baseline categories that clause points to (at FAR 28.307) are workers’ compensation and employer’s liability, general liability, and automobile liability— with aircraft and vessel liability where relevant, and the contracting officer free to require additional coverage or higher limits. Cyber insurance is not a universal baseline categoryin FAR 28.307, though a specific contract can separately require it. When cyber coverage is required, it’s because a solicitation, subcontract, lender, or customer put it there — and you’ll find it in the contract’s insurance terms, not the CMMC clause.

So when a prime hands you a subcontract demanding a certificate of insurance with specific cyber limits, take it seriously — an executed subcontract term can bind you, though how it’s interpreted and enforced depends on the agreement and applicable law. Just don’t file it under “CMMC.” One is answered by your broker or carrier; the other is answered through the contracting channel, your SPRS record, and your assessment.

A quick script for when a prime says “CMMC requires this”:

The prime says…Ask for this
“CMMC requires this insurance.”The exact clause or subcontract term that requires it.
“Our customer requires it.”The incorporated prime-contract requirement, in writing.
“Our risk policy requires it.”Confirmation it’s a subcontract term (fine — just name it).
“Send a certificate.”The required coverage lines, limits, endorsements, and deadline.

A prime can have a perfectly legitimate reason to require insurance. Accuracy just means calling it what it is.

Decision Resolution Point

You now know the obligation may live in a different document. The fastest way to stop guessing is to run The Three-Document Test on your own paperwork: put the contract or flow-down, the final application, and the issued policy side by side, and mark which one is actually creating each requirement. It takes ten minutes and no upload.

If you’re not certain which CMMC level your contract even sets — Level 1, Level 2 self-assessed, or Level 2 by third-party assessment — map it first.

Map My CMMC Level with Find My Path →

Do not submit CUI, drawings, contract files, applications, or policy documents.


Which CMMC controls overlap with cyber-insurance underwriting?

Many overlap — several directly, some partially, and a few insurer asks sit outside the standard entirely.The controls insurers set as conditions of coverage map onto specific NIST SP 800-171 Revision 2 requirements, so the program you build for CMMC Level 2 is largely the program an underwriter rewards. The important exception is backups: insurers want immutable, tested, recoverable backups, and NIST SP 800-171 Revision 2 contains exactly one backup security requirement — and it only covers keeping backups confidential.

NIST SP 800-171 Revision 2 contains 110 security requirements across 14 control families, and CMMC Level 2’s security-requirement set is identical to those 110. (CMMC then layers on its own scoping, assessment, scoring, affirmation, and POA&M rules.) Here’s the crosswalk we built for this page, lining up common underwriting questions against the actual NIST control text.

Direct overlap, partial overlap, and outside explicit CMMC below are The Defense Compliance Report’s editorial classifications based on the cited NIST requirements and the public underwriting materials we reviewed. They are not DoD, NIST, Cyber AB, or carrier designations.

What the insurer asks forNIST SP 800-171 Rev. 2 anchorOverlapThe gap / what insurers add
MFA for local & network access to privileged accounts, and network access to non-privileged accounts3.5.3Direct (within scope)Some forms ask about MFA for email, remote access, or admin access enterprise-wide; compare the application’s defined scope with your CMMC scope.
EDR / endpoint monitoring3.14.2, 3.14.5, 3.14.6; incident handling where applicablePartialNIST requires malicious-code protection, periodic scanning, monitoring, and response outcomes — not a product or service named “EDR” or “MDR.”
Immutable, tested, recoverable backups3.8.9 — confidentiality onlyOutside the explicit control set (except confidentiality)This is the big one. See below.
Vulnerability scanning + timely patching3.11.2, 3.11.3, 3.14.1Direct/partialScan, remediate, fix flaws. A carrier may name a patch deadline NIST doesn’t.
Incident-response capability + testing3.6.1, 3.6.2, 3.6.3Direct or partial3.6.1 requires an operational capability; a carrier may expressly require a written plan, named response vendors, or a set tabletop cadence. DFARS 252.204-7012 adds the 72-hour reporting duty.
Least privilege / privileged access management3.1.5, 3.1.6, 3.1.7DirectSeparate admin from daily-use accounts; restrict privileged functions.
Security awareness / phishing training3.2.1, 3.2.2Direct/partialCarriers may want simulated phishing and completion rates beyond the requirement text.
Encryption of CUI3.13.11 (FIPS-validated crypto when used to protect CUI confidentiality)Direct, with a specific barNIST requires FIPS-validated cryptography when cryptography is used to protect CUI — a defined standard, not just “any encryption.”
Prompt offboarding / termination & transfer3.9.2, with related account and access-control proceduresDirectDisable access on termination; adjust on role change.

The backup gap, stated plainly

Read the backup row again, because it’s the cleanest proof that CMMC readiness and insurance readiness are not the same thing.

NIST SP 800-171 Revision 2 contains one explicit backup security requirement — 3.8.9: “Protect the confidentiality of backup CUI at storage locations.” It lives in the Media Protection family, and it’s about one thing — protecting the confidentiality of backup CUI, through cryptographic mechanisms or alternative physical safeguards. It says nothing about whether your backups are immutable, stored offline, isolated from a compromised admin account, tested for restoration, or capable of bringing your business back within a target recovery time. And there is no contingency-planning family in the 110 requirements at all.

The public underwriting materials we reviewed ask about several of those things — offline or immutable backups, restoration testing, and continuity or recovery practices — because ransomware recovery is where their claims are won or lost. Here’s the split:

The backup claimWhat NIST SP 800-171 Rev. 2 actually establishesWhat the insurer may still ask
Backup CUI is confidential3.8.9 (cryptographic or physical safeguards)
Backups complete successfullyNot established by 3.8.9Job logs, failure alerts
Backups survive a compromised adminNot established by 3.8.9Immutability, separate credentials
Data can actually be restoredNot established by 3.8.9A dated restoration test
The business can resumeOutside the 110 requirementsRTO/RPO, a continuity exercise

The takeaway: you can be fully squared away on CMMC and still get a backup question on an insurance form that your SPRS record simply doesn’t answer — and the reverse is just as true. That mismatch is a predictable source of confusion, because the two systems test overlapping but not identical outcomes.

The scope trap that can create a wrong answer

There’s a second, quieter gap — and this one can put a false statement on your application without you noticing.

Your CMMC evidence covers your defined CMMC Assessment Scope, which may be a CUI enclave or a broader environment. Your insurance application may cover the applicant, named subsidiaries, the whole insured organization, or another defined set of systems. Those are not automatically the same, so compare the two definitions rather than assuming they match.

CMMC asksYour insurer asks
Does the assessed scope meet the CMMC requirements?What controls exist across the systems and entities the policy covers?
How is FCI/CUI protected?How is all the covered organization’s material data protected?
What evidence supports the assessment?What are you representing at binding and renewal?

Picture it: you have MFA locked down across your CUI enclave. The application asks, “Is MFA enabled on all remote access and all administrative accounts?” The corporate network outsidethe enclave has exceptions. Answering “yes, our CMMC environment has MFA” may not answer the question the carrier asked — and now there’s a scope mismatch baked into a document you signed. Resolve those definitions with your broker in writing, and keep the answer.

Decision Resolution Point

If the crosswalk surfaced a control you haven’t fully deployed — or a backup and recovery story you can’t yet prove — work the full control set before you attest to anything.

Get the 32-Point CMMC Readiness Checklist →

Mapped to the 14 NIST SP 800-171 Revision 2 families. Do not submit CUI, drawings, or sensitive system details.


Is an SPRS record the same as an insurance self-attestation?

Not always — and the difference matters.Some records in SPRS (the Supplier Performance Risk System) are contractor self-assessment results or affirmations; others come from a C3PAO or a DCMA DIBCAC assessment. An insurance application is a separate applicant representation, governed by its own definitions, entities, scope, date, and policy wording. So don’t assume every SPRS entry is a contractor self-score — and don’t assume your SPRS record and your insurance answers are interchangeable.

Here’s the taxonomy, because no competing page bothers to lay it out and it’s the fastest way to stop confusing these records:

SPRS recordWho performs itWhat it producesHow it reaches SPRSCadence
Level 1 (Self)The contractorA compliance resultContractor enters itAnnual self-assessment + affirmation
Level 2 (Self)The contractorA numerical scoreContractor enters it3-year final cycle + annual affirmation
Level 2 (C3PAO)A C3PAO assessorAn assessment resultSubmitted via CMMC eMASS, transmitted to SPRS3-year final cycle + annual affirmation
Level 3 (DIBCAC)DCMA DIBCAC (Government)An assessment resultTransmitted via eMASS to SPRS3-year final cycle + annual affirmation
NIST SP 800-171 DoD assessment (Basic / Medium / High)Contractor (Basic) or Government (Medium/High)A score at a stated confidence levelPer the DoD assessment methodologyPer the assessment

Conditional statuses carry separate 180-day POA&M closeout rules. An annual affirmation by your affirming official doesn’t turn a C3PAO or DIBCAC result into a self-assessment. (32 CFR Part 170)

Now the part that actually links CMMC and insurance.For most of the contractors reading this — and for everyone during the current Phase I self-assessment period — the score you post to SPRS is your own self-assessment, and your cyber-insurance application is your own representation. You’re standing behind your security posture in two places at once, and inaccurate material representations create risk in both. The legal standards, evidence, and consequences differ — but neither system takes a false statement lightly.

On the government side, the tool is the False Claims Act.The Department of Justice’s Civil Cyber-Fraud Initiative has used the False Claims Act — which carries treble (triple) damages plus per-claim penalties — to pursue contractors that misrepresented cybersecurity compliance. The FCA’s “knowing” standard reaches actual knowledge, deliberate ignorance, or reckless disregard; it does notrequire proof of a specific intent to defraud. In plain terms: the government’s cyber-fraud cases turn on knowing misrepresentation, not on whether you happened to get breached.

These are real, and it’s worth being precise about what they are: the civil matters below resolved allegations, and DOJ stated there was no determination of liability.

ContractorReported amountStatusWhat it involved
Aerojet Rocketdyne (2022)$9 millionResolved allegations; no determination of liabilityAlleged misrepresentation of compliance with cybersecurity requirements
Raytheon / Nightwing (2025)$8.4 millionResolved allegations; no determination of liabilityAlleged cybersecurity noncompliance on an internal system used in performance of 29 DoD contracts and subcontracts
Georgia Tech Research Corp.$875,000Resolved allegations; no determination of liabilityAlleged cybersecurity noncompliance connected to specified Air Force and DARPA contracts
Swiss Automation Inc. (2025)$421,234Resolved allegations; no determination of liabilityAlleged inadequate cybersecurity for specified defense drawings; initiated by a former employee (qui tam)
LOGZONE Inc. (June 18, 2026)$507,144Settlement of FCA liabilityDOJ described it as resolving liability for knowingly failing to comply with cybersecurity requirements on two Navy contracts

DOJ reported more than $52 million recovered in nine cybersecurity-fraud settlements in fiscal year 2025 (FY2025 FCA fact sheet). Two things this ledger does not prove: that any specific company was found liable (most matters settled without a liability determination), and that the enforcement is aimed specifically at self-assessment scores— the public releases describe cybersecurity-requirement failures, not SPRS self-scores in particular.

On the insurance side, the tool is rescission.Put a material misstatement on the application, and the carrier can move to rescind the policy or deny the claim — the exact outcome depends on the governing law, the application, the issued policy, and the facts, but the risk is real, and it surfaces at the worst possible moment: right after you file.

The attestationWhere it livesPotential consequence (depending on materiality, knowledge, governing law, and contract/policy language)
Your NIST SP 800-171 self-assessment scoreSPRSFalse Claims Act liability — treble damages plus per-claim penalties, often surfaced by a whistleblower
Your cyber-insurance application answersThe insurer’s underwriting fileRescinded policy or denied claim for material misrepresentation

The move that protects you is simple to say and easy to skip: make each submission accurate for its own scope, entities, date, and evidence. Legitimate differences can exist — they may cover different systems and periods. But if your SPRS record and your insurance application tell materially different stories about the samesystems, find out why before someone else does. A difference isn’t automatically false; a material inconsistency is a problem waiting to surface — usually at renewal or after a claim.

Decision Resolution Point

This is the one worth acting on. Before you attest to anything — on SPRS or an insurance application — know exactly what your contract requires and what you can honestly claim.

Do not submit CUI, drawings, or sensitive contract details.


What to verify before you sign the cyber-insurance application

Verify every material answer against current evidence, the application’s exact wording, and the systems and entities the question actually covers. Carrier applications typically require accurate and complete answers, so the form should describe the environment you have running today — not a future-state CMMC roadmap and not an assumption. These nine steps are the verification checklist we built for this page.

  1. Get the final application and every supplement. Don’t review last year’s version while signing this year’s.
  2. Identify the applicant and every covered entity. Do the answers cover one company, all subsidiaries, or a defined group?
  3. Mark every scope word. Highlight “all,” “any,” “network,” “remote access,” “administrative access,” and “sensitive data.” Those words decide whether your answer is true.
  4. Assign an evidence owner to each material control. Someone should be able to produce current proof for every “yes.”
  5. Compare the insurance scope to your CMMC Assessment Scope. Write down where they match and where they don’t.
  6. Pressure-test the high-friction controls. MFA, backups, restoration tests, EDR/MDR, unsupported software, patching, remote access, incident response, email security, and monitoring.
  7. Handle partial implementations honestly. “Most users,” “in rollout,” or “only in the enclave” is not an unqualified “yes.”
  8. Ask ambiguous questions in writing. Keep the broker’s or carrier’s clarification with the submitted application.
  9. Retain the whole file. Application, supplements, evidence snapshot, written clarifications, quote, binder, policy, and endorsements.

Use this ungated worksheet to keep it defensible. It’s the same structure a good broker and a good assessor will both respect:

Requirement / representationSource documentExact wordingScope & entitiesCurrent statusEvidence ownerEvidence dateWritten clarification receivedWho resolves it
e.g., MFA on all admin accountsapplication, Q#quote itenclave? enterprise?implemented / partial / plannednamedatey/nbroker / RP / counsel

Fill one row per material answer before you sign. It’s the cheapest insurance you’ll buy all year.


Does CMMC lower your premium or guarantee coverage?

Sometimes it helps — but nothing is guaranteed.A documented NIST SP 800-171 program gives you reusable evidence for controls carriers ask about, which can make an application smoother. We did not find a universal “CMMC discount,” and no market-wide pricing benefit is established. Premiums, limits, retentions, exclusions, and coverage decisions stay account-specific, and a CMMC status does not guarantee a quote, better terms, coverage for a future event, or payment of a claim.

Here’s the honest two-sided view:

What a documented CMMC program may demonstrate to an insurerWhat that same evidence can’t prove
Governance, a defined system boundary, MFA, scanning and remediation, incident-response capability, encryption — all documentedThat your entire insured network has those controls
That you’ve done disciplined, third-party-informed security workThat every application answer is correct for its scope
A credible security narrative for underwritingThat a carrier will quote, discount, or remove an exclusion
Evidence you can hand a brokerThat a future claim will be paid

And one more thing worth knowing while we’re being straight with you: a cyber policy does not guarantee coverage for a lost contract, a regulatory penalty, or False Claims Act liability. Cyber policies are built for incident and breach costs — forensics, notification, business interruption, ransomware, liability. Whether any given penalty or loss is covered depends on the issued policy, its endorsements, the governing law, and the facts; confirm the specifics with qualified coverage counsel. Insurance is a safety net for a covered incident — not a substitute for compliance.


Did the July 2026 CMMC suspension change the answer?

No.On July 13, 2026, the Department of War (DoW) — as the Department of Defense is now known — suspended the upcoming November 2026 Phase II transition and pending or future CMMC implementation milestones, and directed program managers and requiring activities to designate only Level 1 (Self) or Level 2 (Self) in procurement documents during a review period. It did notrepeal the Level 2 C3PAO assessment path from 32 CFR Part 170. DFARS 252.204-7012 obligations remain in effect, all Phase I CMMC self-assessment requirements remain in place, and False Claims Act exposure for misrepresenting compliance is unaffected. The rollout timeline changed. The division of authority — and the insurance answer — did not.

Phase 1 began November 10, 2025 and was scheduled to run through November 9, 2026; the July 13 directive kept those self-assessment requirements in place while pausing the November 2026 Phase II transition. Here’s what changed and what didn’t:

Before July 13, 2026During the suspension
November 2026 Phase II transitionScheduledSuspended
New procurement designationsTrending toward Level 2 (C3PAO) where CUI appliedLevel 1 (Self) or Level 2 (Self) during the review
The Level 2 C3PAO path in 32 CFR Part 170In forceStill in the rule — not repealed
Phase I self-assessment requirementsIn forceStill in force
DFARS 252.204-7012 safeguarding & reportingIn forceStill in force
False Claims Act exposureIn forceStill in force

Two things follow for the insurance question. First, if a broker or insurer tells you CMMC status is required for a particular placement, ask for the carrier’swritten underwriting requirement — that’s a carrier’s call, not a government-wide rule created by CMMC. Second, with more contracts resting on a self-assessment during the review window, the accuracy of what you attest to is squarely in the spotlight — and it’s the same posture your insurer’s application asks you to stand behind. A CMMC Reform Task Force is due to report within the review period; we re-verify this page’s regulatory facts monthly until it resolves.


Who should you call — broker, attorney, RPO, MSSP, or C3PAO?

Call the professional tied to the document or gap in front of you. Brokers and coverage counsel handle insurance language; the contracting channel and federal-contracts attorneys handle contract duties; an RP/RPO supports CMMC scoping and readiness; an MSSP implements and runs the controls; and a C3PAO performs the formal Level 2 certification assessment when one is required. Matching the question to the right role is how you stop paying the wrong specialist to answer the wrong question.

Your unresolved questionThe right category to callWhat this role should not decide
What does the solicitation or contract actually require?Contracting officer, prime’s contracts team, or a federal-contracts attorneyYour insurance coverage
What does this application question mean, and am I covered?Licensed broker; where warranted, qualified coverage counselYour CMMC assessment result
Does CMMC apply to this FCI/CUI environment, and at what scope?RP/RPO for scoping and readiness; counsel for contractual applicabilityA carrier’s final coverage decision
How do we implement MFA, EDR, logging, patching, or backups?MSSP or a qualified internal teamThe formal, independent CMMC assessment result
How do we document evidence and maintain the SSP and POA&M?RPO or a GRC platform, depending on the gapYour policy interpretation
Are we ready for — and required to have — a formal Level 2 assessment?A readiness advisor first; a C3PAO once ready and requiredRemediation and assessment by the same team in the same engagement

Which of these is your question?If your next step is readiness, scoping, an SSP, or a POA&M, that’s the RPO/MSSP lane. Microsoft GCC High, a secure cloud, or a CUI enclave points to the MSSP/enclave lane. Evidence management and continuous-compliance workflow is a GRC platformas a supporting layer — it manages evidence, SSPs, POA&Ms, and workflow, but on its own it doesn’t establish that all applicable requirements are met. A formal certification assessment is a C3PAO— with one guardrail worth knowing before you sign.

Keep readiness and assessment separate. 32 CFR § 170.8 requires the Accreditation Body’s rules to prohibit a CMMC ecosystem member from participating in a Level 2 certification assessment for an organization it served as a consultant to prepare for a CMMC assessment within the preceding three years. Practical version: document who did your readiness work, and get the C3PAO’s conflict determination in writing before you engage them to assess you.

Decision Resolution Point

If you’re still not sure which lane is yours, that’s exactly what the framework is for. Find My CMMC Path maps your required level, FCI/CUI scope, assessment type, environment, and timeline to the right provider category— not a ranked or “best” provider, and not a score, coverage opinion, or compliance determination.

Find My CMMC Path →

Do not submit CUI, drawings, contract documents, insurance applications, or sensitive system details.


Disclosure

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


What we verified

We’re a primary-source shop, so here’s the receipt. For this page, The Defense Compliance Report Editorial Team read the CMMC Program Rule at 32 CFR Part 170 and NIST SP 800-171 Revision 2 directly, and confirmed neither imposes an insurance requirement. We reviewed DFARS 252.204-7012 and -7021 on Acquisition.gov and confirmed the same. We checked FAR 52.228-5 and FAR 28.306 to show how a contract can separately specify insurance — and that its baseline categories are workers’ comp, general liability, and auto, not cyber. We confirmed the July 13, 2026 suspension and exactly what survives it. We cross-checked the NIST control IDs in the crosswalk, including that requirement 3.8.9 covers only the confidentiality of backup CUI and that the 110 requirements include no contingency-planning family. And we pulled the False Claims Act enforcement record from Department of Justice matters, including the FY2025 fact sheet. Every item was verified , the date stamped at the top.

What we did not establish, and won’t pretend to: no universal carrier requirement to hold CMMC; no universal premium discount; no representative market-wide percentage of carriers requiring each control; no guarantee that CMMC status changes a specific quote; and no legal conclusion about any future claim. This is educational research, not legal, contractual, insurance, or compliance advice. Confirm CMMC applicability and scope with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney, and confirm application and policy questions with a licensed broker or qualified coverage counsel.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of War (Department of Defense), DCMA DIBCAC, NIST, SPRS, or any U.S. government agency. See an error or a newer rule, clause, or notice? Send it to our corrections desk— material corrections trigger re-verification and a fresh date.


Frequently asked questions

Does CMMC Level 1 require cyber insurance?
No. CMMC Level 1 covers the 15 basic safeguarding requirements for Federal Contract Information (FCI) and does not require cyber insurance. A specific contract or subcontract can separately require it.
Does CMMC Level 2 require cyber insurance?
No. CMMC Level 2 maps to the 110 requirements in NIST SP 800-171 Revision 2 and to the assessment type your contract sets, but neither those controls nor the CMMC rule requires you to buy cyber insurance.
Does CMMC Level 3 require cyber insurance?
No. Level 3 requires Final Level 2 (C3PAO) status plus 24 selected NIST SP 800-172 requirements assessed by DCMA DIBCAC. It raises the security bar; it does not create an insurance-purchase requirement.
Does DFARS 252.204-7012 require cyber insurance?
No. The clause requires adequate security, implementation of NIST SP 800-171, rapid cyber-incident reporting within 72 hours, media preservation, and flow-down where applicable — but contains no cyber-insurance requirement.
Does DFARS 252.204-7021 require cyber insurance?
No. It requires the contractor to obtain and maintain the contract-specified CMMC status and meet the related CMMC UID, affirmation, SPRS, and flow-down requirements. Insurance isn’t in it.
Can a prime contractor require cyber insurance?
Yes. A prime can include a separate insurance requirement in the subcontract or other written terms. Ask for the exact provision rather than assuming CMMC is the source.
Can a government contract require cyber insurance?
A contract can specify required insurance, but whether it applies depends on the actual terms. FAR insurance provisions do not create a universal cyber-insurance mandate for defense contractors.
Do cyber insurers require NIST SP 800-171?
There’s no universal rule established by the materials we reviewed. Public applications ask about controls that overlap with NIST SP 800-171, but the required answers and terms are carrier- and account-specific.
Can an insurer require a CMMC certificate?
A particular insurer could ask about CMMC status or use it as an underwriting factor. That would be a carrier-specific requirement — not a requirement created by CMMC itself.
Does CMMC certification guarantee cyber-insurance coverage?
No. CMMC status does not guarantee a quote, particular terms, coverage for a future event, or payment of a claim.
Can cyber insurance satisfy my CMMC requirement?
No. Buying a policy does not implement or prove the CMMC safeguards, self-assessment, affirmation, or contract-status requirements.
Is every SPRS record a contractor self-assessment score?
No. Level 1 (Self) and Level 2 (Self) records are contractor-performed; Level 2 (C3PAO) results come from an assessor, and Level 3 results come from DCMA DIBCAC. An annual affirmation doesn’t convert an assessor’s result into a self-assessment.
Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 is tied to Revision 2 under 32 CFR Part 170. NIST has published Revision 3, but do not substitute it for the CMMC assessment standard unless the Department changes the controlling rule.
Are CMMC backup requirements the same as an insurer’s backup requirements?
No. NIST SP 800-171 Rev. 2 requirement 3.8.9 addresses only the confidentiality of backup CUI. An insurer may also ask about immutability, offline copies, restoration testing, and recovery capability — none of which 3.8.9 requires.
Does CMMC require EDR, MDR, or a 24/7 SOC?
Not by name. CMMC requires malicious-code protection, scanning, and monitoring outcomes, but does not universally mandate a product or service called EDR, MDR, or a commercial 24/7 SOC. An insurer may ask about those specifically.
What happened to DFARS 252.204-7019 and -7020 in 2026?
Under Class Deviation 2026-O0025, contracting officers use DFARS 252.240-7997 (NIST SP 800-171 DoD Assessment Requirements) in covered new solicitations and contracts in place of the former -7019/-7020 implementation structure. Existing instruments may still contain -7019 or -7020. The deviation does not replace DFARS 252.204-7012 or the CMMC clause at 252.204-7021.
Did the July 2026 directive suspend all C3PAO assessments?
No. It suspended the November 2026 Phase II procurement transition and later implementation milestones and restricted procurement designations to Level 1 (Self) or Level 2 (Self) during the review. The Level 2 C3PAO path remains in 32 CFR Part 170.
Did the July 2026 CMMC suspension remove my cybersecurity obligations?
No. DFARS 252.204-7012, the Phase I self-assessment requirements, and False Claims Act exposure all remain in force.
Should I submit my contract or insurance application through Find My CMMC Path?
No. Do not submit CUI, engineering drawings, contract documents, insurance applications, policy files, network diagrams, or sensitive system details through any form.

Still deciding your next move?

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Find My CMMC Path

Map your level, scope, and timeline to the right provider category.

Find My CMMC Path →

Do not submit CUI, drawings, contract documents, insurance applications, policy documents, or sensitive system details. Provider matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.


Sources

  1. CMMC Program Rule — 32 CFR Part 170(levels, assessments, affirmations, ecosystem conflict rule at § 170.8). eCFR, Title 32, Subtitle A, Chapter I, Subchapter G, Part 170. ecfr.gov
  2. NIST SP 800-171 Revision 2— 110 security requirements, 14 families; MFA (3.5.3); backup confidentiality (3.8.9); FIPS-validated cryptography (3.13.11). csrc.nist.gov
  3. DFARS 252.204-7012— Safeguarding Covered Defense Information and Cyber Incident Reporting. acquisition.gov
  4. DFARS 252.204-7021 — Contractor Compliance with the CMMC Level Requirement. acquisition.gov
  5. FAR 52.228-5 and FAR 28.306 / 28.307— Insurance—Work on a Government Installation, and baseline coverage categories. acquisition.gov · ecfr.gov
  6. Department of War— release suspending the November 2026 CMMC Phase II transition and later milestones (July 13, 2026). war.gov
  7. Federal Register— DFARS rule establishing the CMMC phased implementation (Phase 1 began November 10, 2025). federalregister.gov
  8. DoD Class Deviation 2026-O0025— DFARS 252.240-7997 in covered new solicitations in place of -7019/-7020. acquisition.gov
  9. False Claims Act — 31 U.S.C. § 3729 (knowing standard: actual knowledge, deliberate ignorance, or reckless disregard). uscode.house.gov
  10. U.S. Department of Justice— Civil Cyber-Fraud Initiative settlements (Aerojet Rocketdyne, Raytheon/Nightwing, Georgia Tech Research Corp., Swiss Automation, LOGZONE) and the FY2025 False Claims Act fact sheet. DOJ: Aerojet Rocketdyne · FY2025 FCA fact sheet

Related reading

Editorial standards and corrections: see our Methodology, Editorial & Advertising Policy, and Corrections Policy.

Last reviewed: · Last verified: