Does Cyber Insurance Require CMMC?
Does cyber insurance require CMMC? No.And here’s the twist most contractors miss: it doesn’t run the other way either — CMMC does not require you to carry cyber insurance. These are two separate obligations, written by two different parties, answering two different questions. We’ll show you where they overlap, where they split, and the one document you’re probably not reading closely enough. Answer first, then the fine print that actually changes it.
The bottom line, up front
CMMC does not require cyber insurance, and there is no market-wide rule that makes CMMC a prerequisite for buying it.
CMMC (the Cybersecurity Maturity Model Certification) is the Department of War’s tiered program for confirming that a contractor has implemented required cybersecurity before it handles defense information. Cyber insurance is a private policy that may respond after a covered incident. Neither one is a legal condition for the other.
Here’s what can change that clean answer in practice — and where to look:
| Where the requirement can actually come from | Does it require CMMC or cyber insurance? |
|---|---|
| The CMMC rule + the DFARS cyber clauses (32 CFR Part 170; DFARS 252.204-7012, -7021) | Set your CMMC and safeguarding duties. None of the CMMC clauses or the CMMC Program Rule require cyber insurance. |
| A specific solicitation or a prime’s subcontract | Can separately requirecyber-liability insurance as a commercial term — that’s contract law, not CMMC. |
| Your insurer’s application + issued policy | Can requirespecific controls (MFA, EDR, backups) and accurate answers to bind coverage. A carrier can even ask about your CMMC status — but that’s the carrier’s call, not a rule baked into CMMC. |
So the real job in front of you isn’t “get CMMC to satisfy my insurer” or “buy insurance to satisfy CMMC.” It’s figuring out which document is actually creating each requirement— because they’re separate, and you answer to each one differently.
One honest caveat before we go further, because it saves people real money: being CMMC-ready does not guarantee an insurer will quote you, discount you, or pay a claim — and your CMMC status does not automatically answer the insurer’s questions, either.That’s not a reason to shortcut CMMC. It’s the reason this page exists — to show you exactly where the two overlap and where they split, so you don’t overpay, double-buy, or put a wrong answer on a form.
CMMC in one breath. Level 1 uses the 15 basic safeguarding requirements for Federal Contract Information (FCI). Level 2 uses all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 families, for Controlled Unclassified Information (CUI). Level 3 requires Final Level 2 (C3PAO) status plus 24 selected NIST SP 800-172 requirements assessed by DCMA DIBCAC. The level that applies to you comes from your contract clause — not a checklist, not a general rule, and not a provider’s recommendation.
Which document can actually require CMMC or cyber insurance?
Four sources can put a cybersecurity or insurance requirement in front of a defense contractor: the CMMC rule and DFARS clauses, the contract or prime flow-down, the insurance application, and the issued policy.Each answers a different question, and only some can create a cyber-insurance obligation. Read them separately — because a requirement from your prime is not the same thing as a requirement from CMMC, and a question from your insurer is not the same thing as either.
Most of the confusion here comes from treating “CMMC” and “cyber insurance” as one blurry compliance blob. They aren’t. We call the practical version The Three-Document Test: when an obligation lands on your desk, pin it to one of three documents —
- The solicitation, contract, subcontract, or prime flow-down.
- The final insurance application and every supplement.
- The issued policy and its endorsements.
The CMMC rule (32 CFR Part 170) and the DFARS clauses aren’t a fourth document you negotiate — they’re the regulatory baseline that decides what CMMC itself requires. Here’s the full map:
| Source or document | Can it create a CMMC obligation? | Can it create a cyber-insurance obligation? | What to check — and what it can’t create | Who resolves it |
|---|---|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | Establishes the program, levels, and assessments; applicability comes from your contract | No cyber-insurance requirement. Can’t make you buy a policy | CMMC level, FCI/CUI, assessment type, scope, affirmation | RP/RPO for scope; federal-contracts attorney for applicability |
| DFARS 252.204-7021 (the CMMC contract clause) | Yes — requires the contract-specified CMMC status | No cyber-insurance requirement | Required status, CMMC UID, annual affirmation, SPRS, flow-down | Contracting officer; contracts counsel |
| DFARS 252.204-7012 (safeguarding + incident reporting) | Requires adequate security, NIST SP 800-171, and rapid cyber-incident reporting — it does not select your CMMC level | No cyber-insurance requirement | Covered defense information, NIST SP 800-171, cyber incident | Contracting officer; RP/RPO for implementation |
| Solicitation or prime subcontract | Yes, through its clauses | Yes — the schedule or special terms can require coverage | Cyber-liability limits, certificate of insurance, additional-insured terms | Contracting officer or contracts counsel |
| Insurance application / supplement | Can ask about CMMC — can’t turn CMMC into a government mandate | Can require answers, evidence, or controls to bind coverage | MFA, EDR, backups, revenue, covered entities, scope | Licensed broker, underwriter, coverage counsel |
| Issued policy + endorsements | Doesn’t replace your CMMC duty | Governs the actual coverage, conditions, warranties, and exclusions | Representations, notice, covered systems, exclusions | Broker and qualified coverage counsel |
The one-sentence takeaway: CMMC does not require cyber insurance. Your contract or prime flow-down might. Your carrier’s application and policy set the underwriting representations and coverage terms. Check those three things independently.
Hold onto that — rule vs. contract vs. policy is the whole game. Everything below is the detail behind it.
Does cyber insurance require CMMC — or does CMMC require insurance?
Neither direction creates a hard requirement on its own.No CMMC rule, NIST standard, or core DFARS clause requires you to carry cyber insurance, and no market-wide rule requires you to hold CMMC to buy it. A specific contract can require insurance, and a specific carrier can ask about your CMMC status — but those are separate, document-by-document conditions, not a link written into either system.
Does CMMC require you to carry cyber insurance? No.
Nothing in the CMMC Program Rule (32 CFR Part 170, effective December 16, 2024), NIST SP 800-171 Revision 2, or the core DFARS cybersecurity clauses requires a policy. We read the clauses so you don’t have to squint at them.
DFARS 252.204-7012 — the safeguarding and cyber-incident-reporting clause, which set a December 31, 2017 deadline to implement the applicable NIST SP 800-171 requirements — obligates you to:
- Provide “adequate security” and implement NIST SP 800-171;
- Rapidly report a covered cyber incident within 72 hoursof discovery (note: a “cyber incident,” which is not necessarily the same as a “breach”);
- Preserve and protect images of affected information systems and relevant monitoring or packet-capture data for at least 90 days from the incident report;
- Submit malicious software discovered and isolated in connection with a reported incident, when requested through the DoD process;
- Support the Department’s damage assessment; and
- Include the substance of the clause in subcontracts for operationally critical support or that will involve covered defense information.
Insurance appears nowhere in it. Same for DFARS 252.204-7021, the CMMC clause that took effect November 10, 2025: it requires you to obtain and maintain the contract-specified CMMC status and to meet the CMMC UID, annual affirmation, SPRS, and flow-down requirements. Still no insurance.
(One version note worth banking: NIST has since published SP 800-171 Revision 3, but CMMC Level 2 remains tied to Revision 2under 32 CFR Part 170. Don’t let anyone substitute Rev. 3 for the CMMC assessment standard unless the Department changes the controlling rule.)
Do cyber insurers require CMMC or NIST 800-171? Not as a universal rule.
Insurers underwrite to the controls you have and the answers you give on the application — and while a CMMC certificate isn’t a standard prerequisite to buy coverage, a particular carrier can ask about your CMMC status or use it in its own underwriting decision. Some public defense-sector applications now ask whether you’ve implemented NIST SP 800-171 or hold a CMMC self-assessment. We reviewed specified public application and underwriting materials on our verification date; the materials carriers use change over time, and your carrier’s terms govern.
What insurers care most about is whether you have the controls that drive losses: multi-factor authentication, endpoint detection, tested backups, patching, an incident-response capability, training, and encryption. If those sound familiar, it’s because they’re also core to NIST SP 800-171. That overlap is real — and it’s why so many contractors assume the two systems are the same thing.
They’re not. And the gap between them is where the money and the risk live.
Can your contract or prime require cyber insurance anyway?
Yes — separately from CMMC.A solicitation, a contract schedule, or a prime’s flow-down subcontract can require cyber-liability or errors-and-omissions insurance even though CMMC does not. This is ordinary contract law. The exact written term — not a general CMMC checklist — decides whether the obligation is yours.
Federal contracts can specify required insurance. The clearest primary-source example is FAR 52.228-5, “Insurance—Work on a Government Installation,” which requires the contractor to “provide and maintain … at least the kinds and minimum amounts of insurance required in the Schedule or elsewhere in the contract,” inserted when a fixed-price contract over the simplified acquisition threshold involves work on a government installation.
Here’s the tell: the baseline categories that clause points to (at FAR 28.307) are workers’ compensation and employer’s liability, general liability, and automobile liability— with aircraft and vessel liability where relevant, and the contracting officer free to require additional coverage or higher limits. Cyber insurance is not a universal baseline categoryin FAR 28.307, though a specific contract can separately require it. When cyber coverage is required, it’s because a solicitation, subcontract, lender, or customer put it there — and you’ll find it in the contract’s insurance terms, not the CMMC clause.
So when a prime hands you a subcontract demanding a certificate of insurance with specific cyber limits, take it seriously — an executed subcontract term can bind you, though how it’s interpreted and enforced depends on the agreement and applicable law. Just don’t file it under “CMMC.” One is answered by your broker or carrier; the other is answered through the contracting channel, your SPRS record, and your assessment.
A quick script for when a prime says “CMMC requires this”:
| The prime says… | Ask for this |
|---|---|
| “CMMC requires this insurance.” | The exact clause or subcontract term that requires it. |
| “Our customer requires it.” | The incorporated prime-contract requirement, in writing. |
| “Our risk policy requires it.” | Confirmation it’s a subcontract term (fine — just name it). |
| “Send a certificate.” | The required coverage lines, limits, endorsements, and deadline. |
A prime can have a perfectly legitimate reason to require insurance. Accuracy just means calling it what it is.
Decision Resolution Point
You now know the obligation may live in a different document. The fastest way to stop guessing is to run The Three-Document Test on your own paperwork: put the contract or flow-down, the final application, and the issued policy side by side, and mark which one is actually creating each requirement. It takes ten minutes and no upload.
If you’re not certain which CMMC level your contract even sets — Level 1, Level 2 self-assessed, or Level 2 by third-party assessment — map it first.
Map My CMMC Level with Find My Path →Which CMMC controls overlap with cyber-insurance underwriting?
Many overlap — several directly, some partially, and a few insurer asks sit outside the standard entirely.The controls insurers set as conditions of coverage map onto specific NIST SP 800-171 Revision 2 requirements, so the program you build for CMMC Level 2 is largely the program an underwriter rewards. The important exception is backups: insurers want immutable, tested, recoverable backups, and NIST SP 800-171 Revision 2 contains exactly one backup security requirement — and it only covers keeping backups confidential.
NIST SP 800-171 Revision 2 contains 110 security requirements across 14 control families, and CMMC Level 2’s security-requirement set is identical to those 110. (CMMC then layers on its own scoping, assessment, scoring, affirmation, and POA&M rules.) Here’s the crosswalk we built for this page, lining up common underwriting questions against the actual NIST control text.
| What the insurer asks for | NIST SP 800-171 Rev. 2 anchor | Overlap | The gap / what insurers add |
|---|---|---|---|
| MFA for local & network access to privileged accounts, and network access to non-privileged accounts | 3.5.3 | Direct (within scope) | Some forms ask about MFA for email, remote access, or admin access enterprise-wide; compare the application’s defined scope with your CMMC scope. |
| EDR / endpoint monitoring | 3.14.2, 3.14.5, 3.14.6; incident handling where applicable | Partial | NIST requires malicious-code protection, periodic scanning, monitoring, and response outcomes — not a product or service named “EDR” or “MDR.” |
| Immutable, tested, recoverable backups | 3.8.9 — confidentiality only | Outside the explicit control set (except confidentiality) | This is the big one. See below. |
| Vulnerability scanning + timely patching | 3.11.2, 3.11.3, 3.14.1 | Direct/partial | Scan, remediate, fix flaws. A carrier may name a patch deadline NIST doesn’t. |
| Incident-response capability + testing | 3.6.1, 3.6.2, 3.6.3 | Direct or partial | 3.6.1 requires an operational capability; a carrier may expressly require a written plan, named response vendors, or a set tabletop cadence. DFARS 252.204-7012 adds the 72-hour reporting duty. |
| Least privilege / privileged access management | 3.1.5, 3.1.6, 3.1.7 | Direct | Separate admin from daily-use accounts; restrict privileged functions. |
| Security awareness / phishing training | 3.2.1, 3.2.2 | Direct/partial | Carriers may want simulated phishing and completion rates beyond the requirement text. |
| Encryption of CUI | 3.13.11 (FIPS-validated crypto when used to protect CUI confidentiality) | Direct, with a specific bar | NIST requires FIPS-validated cryptography when cryptography is used to protect CUI — a defined standard, not just “any encryption.” |
| Prompt offboarding / termination & transfer | 3.9.2, with related account and access-control procedures | Direct | Disable access on termination; adjust on role change. |
The backup gap, stated plainly
Read the backup row again, because it’s the cleanest proof that CMMC readiness and insurance readiness are not the same thing.
NIST SP 800-171 Revision 2 contains one explicit backup security requirement — 3.8.9: “Protect the confidentiality of backup CUI at storage locations.” It lives in the Media Protection family, and it’s about one thing — protecting the confidentiality of backup CUI, through cryptographic mechanisms or alternative physical safeguards. It says nothing about whether your backups are immutable, stored offline, isolated from a compromised admin account, tested for restoration, or capable of bringing your business back within a target recovery time. And there is no contingency-planning family in the 110 requirements at all.
The public underwriting materials we reviewed ask about several of those things — offline or immutable backups, restoration testing, and continuity or recovery practices — because ransomware recovery is where their claims are won or lost. Here’s the split:
| The backup claim | What NIST SP 800-171 Rev. 2 actually establishes | What the insurer may still ask |
|---|---|---|
| Backup CUI is confidential | 3.8.9 (cryptographic or physical safeguards) | — |
| Backups complete successfully | Not established by 3.8.9 | Job logs, failure alerts |
| Backups survive a compromised admin | Not established by 3.8.9 | Immutability, separate credentials |
| Data can actually be restored | Not established by 3.8.9 | A dated restoration test |
| The business can resume | Outside the 110 requirements | RTO/RPO, a continuity exercise |
The takeaway: you can be fully squared away on CMMC and still get a backup question on an insurance form that your SPRS record simply doesn’t answer — and the reverse is just as true. That mismatch is a predictable source of confusion, because the two systems test overlapping but not identical outcomes.
The scope trap that can create a wrong answer
There’s a second, quieter gap — and this one can put a false statement on your application without you noticing.
Your CMMC evidence covers your defined CMMC Assessment Scope, which may be a CUI enclave or a broader environment. Your insurance application may cover the applicant, named subsidiaries, the whole insured organization, or another defined set of systems. Those are not automatically the same, so compare the two definitions rather than assuming they match.
| CMMC asks | Your insurer asks |
|---|---|
| Does the assessed scope meet the CMMC requirements? | What controls exist across the systems and entities the policy covers? |
| How is FCI/CUI protected? | How is all the covered organization’s material data protected? |
| What evidence supports the assessment? | What are you representing at binding and renewal? |
Picture it: you have MFA locked down across your CUI enclave. The application asks, “Is MFA enabled on all remote access and all administrative accounts?” The corporate network outsidethe enclave has exceptions. Answering “yes, our CMMC environment has MFA” may not answer the question the carrier asked — and now there’s a scope mismatch baked into a document you signed. Resolve those definitions with your broker in writing, and keep the answer.
Decision Resolution Point
If the crosswalk surfaced a control you haven’t fully deployed — or a backup and recovery story you can’t yet prove — work the full control set before you attest to anything.
Get the 32-Point CMMC Readiness Checklist →Is an SPRS record the same as an insurance self-attestation?
Not always — and the difference matters.Some records in SPRS (the Supplier Performance Risk System) are contractor self-assessment results or affirmations; others come from a C3PAO or a DCMA DIBCAC assessment. An insurance application is a separate applicant representation, governed by its own definitions, entities, scope, date, and policy wording. So don’t assume every SPRS entry is a contractor self-score — and don’t assume your SPRS record and your insurance answers are interchangeable.
Here’s the taxonomy, because no competing page bothers to lay it out and it’s the fastest way to stop confusing these records:
| SPRS record | Who performs it | What it produces | How it reaches SPRS | Cadence |
|---|---|---|---|---|
| Level 1 (Self) | The contractor | A compliance result | Contractor enters it | Annual self-assessment + affirmation |
| Level 2 (Self) | The contractor | A numerical score | Contractor enters it | 3-year final cycle + annual affirmation |
| Level 2 (C3PAO) | A C3PAO assessor | An assessment result | Submitted via CMMC eMASS, transmitted to SPRS | 3-year final cycle + annual affirmation |
| Level 3 (DIBCAC) | DCMA DIBCAC (Government) | An assessment result | Transmitted via eMASS to SPRS | 3-year final cycle + annual affirmation |
| NIST SP 800-171 DoD assessment (Basic / Medium / High) | Contractor (Basic) or Government (Medium/High) | A score at a stated confidence level | Per the DoD assessment methodology | Per the assessment |
Now the part that actually links CMMC and insurance.For most of the contractors reading this — and for everyone during the current Phase I self-assessment period — the score you post to SPRS is your own self-assessment, and your cyber-insurance application is your own representation. You’re standing behind your security posture in two places at once, and inaccurate material representations create risk in both. The legal standards, evidence, and consequences differ — but neither system takes a false statement lightly.
On the government side, the tool is the False Claims Act.The Department of Justice’s Civil Cyber-Fraud Initiative has used the False Claims Act — which carries treble (triple) damages plus per-claim penalties — to pursue contractors that misrepresented cybersecurity compliance. The FCA’s “knowing” standard reaches actual knowledge, deliberate ignorance, or reckless disregard; it does notrequire proof of a specific intent to defraud. In plain terms: the government’s cyber-fraud cases turn on knowing misrepresentation, not on whether you happened to get breached.
These are real, and it’s worth being precise about what they are: the civil matters below resolved allegations, and DOJ stated there was no determination of liability.
| Contractor | Reported amount | Status | What it involved |
|---|---|---|---|
| Aerojet Rocketdyne (2022) | $9 million | Resolved allegations; no determination of liability | Alleged misrepresentation of compliance with cybersecurity requirements |
| Raytheon / Nightwing (2025) | $8.4 million | Resolved allegations; no determination of liability | Alleged cybersecurity noncompliance on an internal system used in performance of 29 DoD contracts and subcontracts |
| Georgia Tech Research Corp. | $875,000 | Resolved allegations; no determination of liability | Alleged cybersecurity noncompliance connected to specified Air Force and DARPA contracts |
| Swiss Automation Inc. (2025) | $421,234 | Resolved allegations; no determination of liability | Alleged inadequate cybersecurity for specified defense drawings; initiated by a former employee (qui tam) |
| LOGZONE Inc. (June 18, 2026) | $507,144 | Settlement of FCA liability | DOJ described it as resolving liability for knowingly failing to comply with cybersecurity requirements on two Navy contracts |
DOJ reported more than $52 million recovered in nine cybersecurity-fraud settlements in fiscal year 2025 (FY2025 FCA fact sheet). Two things this ledger does not prove: that any specific company was found liable (most matters settled without a liability determination), and that the enforcement is aimed specifically at self-assessment scores— the public releases describe cybersecurity-requirement failures, not SPRS self-scores in particular.
On the insurance side, the tool is rescission.Put a material misstatement on the application, and the carrier can move to rescind the policy or deny the claim — the exact outcome depends on the governing law, the application, the issued policy, and the facts, but the risk is real, and it surfaces at the worst possible moment: right after you file.
| The attestation | Where it lives | Potential consequence (depending on materiality, knowledge, governing law, and contract/policy language) |
|---|---|---|
| Your NIST SP 800-171 self-assessment score | SPRS | False Claims Act liability — treble damages plus per-claim penalties, often surfaced by a whistleblower |
| Your cyber-insurance application answers | The insurer’s underwriting file | Rescinded policy or denied claim for material misrepresentation |
The move that protects you is simple to say and easy to skip: make each submission accurate for its own scope, entities, date, and evidence. Legitimate differences can exist — they may cover different systems and periods. But if your SPRS record and your insurance application tell materially different stories about the samesystems, find out why before someone else does. A difference isn’t automatically false; a material inconsistency is a problem waiting to surface — usually at renewal or after a claim.
Decision Resolution Point
This is the one worth acting on. Before you attest to anything — on SPRS or an insurance application — know exactly what your contract requires and what you can honestly claim.
What to verify before you sign the cyber-insurance application
Verify every material answer against current evidence, the application’s exact wording, and the systems and entities the question actually covers. Carrier applications typically require accurate and complete answers, so the form should describe the environment you have running today — not a future-state CMMC roadmap and not an assumption. These nine steps are the verification checklist we built for this page.
- Get the final application and every supplement. Don’t review last year’s version while signing this year’s.
- Identify the applicant and every covered entity. Do the answers cover one company, all subsidiaries, or a defined group?
- Mark every scope word. Highlight “all,” “any,” “network,” “remote access,” “administrative access,” and “sensitive data.” Those words decide whether your answer is true.
- Assign an evidence owner to each material control. Someone should be able to produce current proof for every “yes.”
- Compare the insurance scope to your CMMC Assessment Scope. Write down where they match and where they don’t.
- Pressure-test the high-friction controls. MFA, backups, restoration tests, EDR/MDR, unsupported software, patching, remote access, incident response, email security, and monitoring.
- Handle partial implementations honestly. “Most users,” “in rollout,” or “only in the enclave” is not an unqualified “yes.”
- Ask ambiguous questions in writing. Keep the broker’s or carrier’s clarification with the submitted application.
- Retain the whole file. Application, supplements, evidence snapshot, written clarifications, quote, binder, policy, and endorsements.
Use this ungated worksheet to keep it defensible. It’s the same structure a good broker and a good assessor will both respect:
| Requirement / representation | Source document | Exact wording | Scope & entities | Current status | Evidence owner | Evidence date | Written clarification received | Who resolves it |
|---|---|---|---|---|---|---|---|---|
| e.g., MFA on all admin accounts | application, Q# | quote it | enclave? enterprise? | implemented / partial / planned | name | date | y/n | broker / RP / counsel |
Fill one row per material answer before you sign. It’s the cheapest insurance you’ll buy all year.
Does CMMC lower your premium or guarantee coverage?
Sometimes it helps — but nothing is guaranteed.A documented NIST SP 800-171 program gives you reusable evidence for controls carriers ask about, which can make an application smoother. We did not find a universal “CMMC discount,” and no market-wide pricing benefit is established. Premiums, limits, retentions, exclusions, and coverage decisions stay account-specific, and a CMMC status does not guarantee a quote, better terms, coverage for a future event, or payment of a claim.
Here’s the honest two-sided view:
| What a documented CMMC program may demonstrate to an insurer | What that same evidence can’t prove |
|---|---|
| Governance, a defined system boundary, MFA, scanning and remediation, incident-response capability, encryption — all documented | That your entire insured network has those controls |
| That you’ve done disciplined, third-party-informed security work | That every application answer is correct for its scope |
| A credible security narrative for underwriting | That a carrier will quote, discount, or remove an exclusion |
| Evidence you can hand a broker | That a future claim will be paid |
And one more thing worth knowing while we’re being straight with you: a cyber policy does not guarantee coverage for a lost contract, a regulatory penalty, or False Claims Act liability. Cyber policies are built for incident and breach costs — forensics, notification, business interruption, ransomware, liability. Whether any given penalty or loss is covered depends on the issued policy, its endorsements, the governing law, and the facts; confirm the specifics with qualified coverage counsel. Insurance is a safety net for a covered incident — not a substitute for compliance.
Did the July 2026 CMMC suspension change the answer?
No.On July 13, 2026, the Department of War (DoW) — as the Department of Defense is now known — suspended the upcoming November 2026 Phase II transition and pending or future CMMC implementation milestones, and directed program managers and requiring activities to designate only Level 1 (Self) or Level 2 (Self) in procurement documents during a review period. It did notrepeal the Level 2 C3PAO assessment path from 32 CFR Part 170. DFARS 252.204-7012 obligations remain in effect, all Phase I CMMC self-assessment requirements remain in place, and False Claims Act exposure for misrepresenting compliance is unaffected. The rollout timeline changed. The division of authority — and the insurance answer — did not.
Phase 1 began November 10, 2025 and was scheduled to run through November 9, 2026; the July 13 directive kept those self-assessment requirements in place while pausing the November 2026 Phase II transition. Here’s what changed and what didn’t:
| Before July 13, 2026 | During the suspension | |
|---|---|---|
| November 2026 Phase II transition | Scheduled | Suspended |
| New procurement designations | Trending toward Level 2 (C3PAO) where CUI applied | Level 1 (Self) or Level 2 (Self) during the review |
| The Level 2 C3PAO path in 32 CFR Part 170 | In force | Still in the rule — not repealed |
| Phase I self-assessment requirements | In force | Still in force |
| DFARS 252.204-7012 safeguarding & reporting | In force | Still in force |
| False Claims Act exposure | In force | Still in force |
Two things follow for the insurance question. First, if a broker or insurer tells you CMMC status is required for a particular placement, ask for the carrier’swritten underwriting requirement — that’s a carrier’s call, not a government-wide rule created by CMMC. Second, with more contracts resting on a self-assessment during the review window, the accuracy of what you attest to is squarely in the spotlight — and it’s the same posture your insurer’s application asks you to stand behind. A CMMC Reform Task Force is due to report within the review period; we re-verify this page’s regulatory facts monthly until it resolves.
Who should you call — broker, attorney, RPO, MSSP, or C3PAO?
Call the professional tied to the document or gap in front of you. Brokers and coverage counsel handle insurance language; the contracting channel and federal-contracts attorneys handle contract duties; an RP/RPO supports CMMC scoping and readiness; an MSSP implements and runs the controls; and a C3PAO performs the formal Level 2 certification assessment when one is required. Matching the question to the right role is how you stop paying the wrong specialist to answer the wrong question.
| Your unresolved question | The right category to call | What this role should not decide |
|---|---|---|
| What does the solicitation or contract actually require? | Contracting officer, prime’s contracts team, or a federal-contracts attorney | Your insurance coverage |
| What does this application question mean, and am I covered? | Licensed broker; where warranted, qualified coverage counsel | Your CMMC assessment result |
| Does CMMC apply to this FCI/CUI environment, and at what scope? | RP/RPO for scoping and readiness; counsel for contractual applicability | A carrier’s final coverage decision |
| How do we implement MFA, EDR, logging, patching, or backups? | MSSP or a qualified internal team | The formal, independent CMMC assessment result |
| How do we document evidence and maintain the SSP and POA&M? | RPO or a GRC platform, depending on the gap | Your policy interpretation |
| Are we ready for — and required to have — a formal Level 2 assessment? | A readiness advisor first; a C3PAO once ready and required | Remediation and assessment by the same team in the same engagement |
Which of these is your question?If your next step is readiness, scoping, an SSP, or a POA&M, that’s the RPO/MSSP lane. Microsoft GCC High, a secure cloud, or a CUI enclave points to the MSSP/enclave lane. Evidence management and continuous-compliance workflow is a GRC platformas a supporting layer — it manages evidence, SSPs, POA&Ms, and workflow, but on its own it doesn’t establish that all applicable requirements are met. A formal certification assessment is a C3PAO— with one guardrail worth knowing before you sign.
Keep readiness and assessment separate. 32 CFR § 170.8 requires the Accreditation Body’s rules to prohibit a CMMC ecosystem member from participating in a Level 2 certification assessment for an organization it served as a consultant to prepare for a CMMC assessment within the preceding three years. Practical version: document who did your readiness work, and get the C3PAO’s conflict determination in writing before you engage them to assess you.
Decision Resolution Point
If you’re still not sure which lane is yours, that’s exactly what the framework is for. Find My CMMC Path maps your required level, FCI/CUI scope, assessment type, environment, and timeline to the right provider category— not a ranked or “best” provider, and not a score, coverage opinion, or compliance determination.
Find My CMMC Path →Disclosure
What we verified
We’re a primary-source shop, so here’s the receipt. For this page, The Defense Compliance Report Editorial Team read the CMMC Program Rule at 32 CFR Part 170 and NIST SP 800-171 Revision 2 directly, and confirmed neither imposes an insurance requirement. We reviewed DFARS 252.204-7012 and -7021 on Acquisition.gov and confirmed the same. We checked FAR 52.228-5 and FAR 28.306 to show how a contract can separately specify insurance — and that its baseline categories are workers’ comp, general liability, and auto, not cyber. We confirmed the July 13, 2026 suspension and exactly what survives it. We cross-checked the NIST control IDs in the crosswalk, including that requirement 3.8.9 covers only the confidentiality of backup CUI and that the 110 requirements include no contingency-planning family. And we pulled the False Claims Act enforcement record from Department of Justice matters, including the FY2025 fact sheet. Every item was verified , the date stamped at the top.
What we did not establish, and won’t pretend to: no universal carrier requirement to hold CMMC; no universal premium discount; no representative market-wide percentage of carriers requiring each control; no guarantee that CMMC status changes a specific quote; and no legal conclusion about any future claim. This is educational research, not legal, contractual, insurance, or compliance advice. Confirm CMMC applicability and scope with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney, and confirm application and policy questions with a licensed broker or qualified coverage counsel.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of War (Department of Defense), DCMA DIBCAC, NIST, SPRS, or any U.S. government agency. See an error or a newer rule, clause, or notice? Send it to our corrections desk— material corrections trigger re-verification and a fresh date.
Frequently asked questions
- Does CMMC Level 1 require cyber insurance?
- No. CMMC Level 1 covers the 15 basic safeguarding requirements for Federal Contract Information (FCI) and does not require cyber insurance. A specific contract or subcontract can separately require it.
- Does CMMC Level 2 require cyber insurance?
- No. CMMC Level 2 maps to the 110 requirements in NIST SP 800-171 Revision 2 and to the assessment type your contract sets, but neither those controls nor the CMMC rule requires you to buy cyber insurance.
- Does CMMC Level 3 require cyber insurance?
- No. Level 3 requires Final Level 2 (C3PAO) status plus 24 selected NIST SP 800-172 requirements assessed by DCMA DIBCAC. It raises the security bar; it does not create an insurance-purchase requirement.
- Does DFARS 252.204-7012 require cyber insurance?
- No. The clause requires adequate security, implementation of NIST SP 800-171, rapid cyber-incident reporting within 72 hours, media preservation, and flow-down where applicable — but contains no cyber-insurance requirement.
- Does DFARS 252.204-7021 require cyber insurance?
- No. It requires the contractor to obtain and maintain the contract-specified CMMC status and meet the related CMMC UID, affirmation, SPRS, and flow-down requirements. Insurance isn’t in it.
- Can a prime contractor require cyber insurance?
- Yes. A prime can include a separate insurance requirement in the subcontract or other written terms. Ask for the exact provision rather than assuming CMMC is the source.
- Can a government contract require cyber insurance?
- A contract can specify required insurance, but whether it applies depends on the actual terms. FAR insurance provisions do not create a universal cyber-insurance mandate for defense contractors.
- Do cyber insurers require NIST SP 800-171?
- There’s no universal rule established by the materials we reviewed. Public applications ask about controls that overlap with NIST SP 800-171, but the required answers and terms are carrier- and account-specific.
- Can an insurer require a CMMC certificate?
- A particular insurer could ask about CMMC status or use it as an underwriting factor. That would be a carrier-specific requirement — not a requirement created by CMMC itself.
- Does CMMC certification guarantee cyber-insurance coverage?
- No. CMMC status does not guarantee a quote, particular terms, coverage for a future event, or payment of a claim.
- Can cyber insurance satisfy my CMMC requirement?
- No. Buying a policy does not implement or prove the CMMC safeguards, self-assessment, affirmation, or contract-status requirements.
- Is every SPRS record a contractor self-assessment score?
- No. Level 1 (Self) and Level 2 (Self) records are contractor-performed; Level 2 (C3PAO) results come from an assessor, and Level 3 results come from DCMA DIBCAC. An annual affirmation doesn’t convert an assessor’s result into a self-assessment.
- Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3?
- CMMC Level 2 is tied to Revision 2 under 32 CFR Part 170. NIST has published Revision 3, but do not substitute it for the CMMC assessment standard unless the Department changes the controlling rule.
- Are CMMC backup requirements the same as an insurer’s backup requirements?
- No. NIST SP 800-171 Rev. 2 requirement 3.8.9 addresses only the confidentiality of backup CUI. An insurer may also ask about immutability, offline copies, restoration testing, and recovery capability — none of which 3.8.9 requires.
- Does CMMC require EDR, MDR, or a 24/7 SOC?
- Not by name. CMMC requires malicious-code protection, scanning, and monitoring outcomes, but does not universally mandate a product or service called EDR, MDR, or a commercial 24/7 SOC. An insurer may ask about those specifically.
- What happened to DFARS 252.204-7019 and -7020 in 2026?
- Under Class Deviation 2026-O0025, contracting officers use DFARS 252.240-7997 (NIST SP 800-171 DoD Assessment Requirements) in covered new solicitations and contracts in place of the former -7019/-7020 implementation structure. Existing instruments may still contain -7019 or -7020. The deviation does not replace DFARS 252.204-7012 or the CMMC clause at 252.204-7021.
- Did the July 2026 directive suspend all C3PAO assessments?
- No. It suspended the November 2026 Phase II procurement transition and later implementation milestones and restricted procurement designations to Level 1 (Self) or Level 2 (Self) during the review. The Level 2 C3PAO path remains in 32 CFR Part 170.
- Did the July 2026 CMMC suspension remove my cybersecurity obligations?
- No. DFARS 252.204-7012, the Phase I self-assessment requirements, and False Claims Act exposure all remain in force.
- Should I submit my contract or insurance application through Find My CMMC Path?
- No. Do not submit CUI, engineering drawings, contract documents, insurance applications, policy files, network diagrams, or sensitive system details through any form.
Still deciding your next move?
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path
Map your level, scope, and timeline to the right provider category.
Find My CMMC Path →Sources
- CMMC Program Rule — 32 CFR Part 170(levels, assessments, affirmations, ecosystem conflict rule at § 170.8). eCFR, Title 32, Subtitle A, Chapter I, Subchapter G, Part 170. ecfr.gov
- NIST SP 800-171 Revision 2— 110 security requirements, 14 families; MFA (3.5.3); backup confidentiality (3.8.9); FIPS-validated cryptography (3.13.11). csrc.nist.gov
- DFARS 252.204-7012— Safeguarding Covered Defense Information and Cyber Incident Reporting. acquisition.gov
- DFARS 252.204-7021 — Contractor Compliance with the CMMC Level Requirement. acquisition.gov
- FAR 52.228-5 and FAR 28.306 / 28.307— Insurance—Work on a Government Installation, and baseline coverage categories. acquisition.gov · ecfr.gov
- Department of War— release suspending the November 2026 CMMC Phase II transition and later milestones (July 13, 2026). war.gov
- Federal Register— DFARS rule establishing the CMMC phased implementation (Phase 1 began November 10, 2025). federalregister.gov
- DoD Class Deviation 2026-O0025— DFARS 252.240-7997 in covered new solicitations in place of -7019/-7020. acquisition.gov
- False Claims Act — 31 U.S.C. § 3729 (knowing standard: actual knowledge, deliberate ignorance, or reckless disregard). uscode.house.gov
- U.S. Department of Justice— Civil Cyber-Fraud Initiative settlements (Aerojet Rocketdyne, Raytheon/Nightwing, Georgia Tech Research Corp., Swiss Automation, LOGZONE) and the FY2025 False Claims Act fact sheet. DOJ: Aerojet Rocketdyne · FY2025 FCA fact sheet
Related reading
- Cyber Insurance for Defense Contractors: Cost & DFARS Gaps
- False Claims Act & CMMC Risk— the enforcement detail behind the attestation table above
- CMMC Level 2 Assessment Guide
- SPRS Score Explained
- CMMC Levels Explained
- CMMC Readiness Checklist— 14 NIST 800-171 families, self-serve
- CMMC Self-Assessment vs. C3PAO
- CMMC Final Rule Summary
- Find My CMMC Path— map your level, scope, and timeline