Independent research · Non-commercial

CMMC Solicitation Tracker: How CMMC Requirements Show Up in DoD Solicitations

By The Defense Compliance Report Editorial Team— an independent trade publication on CMMC 2.0 and defense industrial base compliance.

Last verified: Next scheduled review: on any DFARS or 32 CFR Part 170 change, and monthly otherwise.

CMMC requirements are now live in Department of Defense solicitations, and this CMMC solicitation trackerfollows the one thing you can actually track in public: the requirement itself. As of July 1, 2026, the program sits in its first implementation phase (November 10, 2025 – November 9, 2026). In this phase a covered solicitation can make a current Level 1 or Level 2 self-assessment a condition of award, and Level 2 third-party (C3PAO) certification becomes required when DoD exercises that discretion— a distinction the regulation draws precisely.

That one distinction changes how you read the whole market. Below is the data, the phase schedule pulled straight from the regulation, the exact clauses to look for, and a method you can run yourself.

At a glance

CMMC in solicitations — the essentials
TopicWhere it comes from
When CMMC became a lawful award conditionNovember 10, 2025 (DFARS final rule effective date)
Current phase (as of July 1, 2026)Phase 1 — Level 1 (Self) or Level 2 (Self) as a condition of award
When Level 2 C3PAO certification becomes requiredNovember 10, 2026 (Phase 2)
The provision that states the required levelDFARS 252.204-7025
The clause that binds compliance in the contractDFARS 252.204-7021
Can the public see who is certified?No — the Department states there is no public certificate list
DoD estimate of medium/large firms needing Level 2 C3PAO~8,350 (32 CFR CMMC Program Rule regulatory analysis)

Sources: DFARS Subpart 204.75 and 252.204-7025 (acquisition.gov); 32 CFR 170.3(e) (eCFR); DoD CMMC Program FAQ, Rev. 2.3, May 2026; CMMC Program Rule, 89 FR 83092.

What a CMMC solicitation tracker actually tracks — and why it’s solicitations, not companies

A CMMC solicitation tracker is a dated record of public DoD opportunities that state a CMMC requirement, sorted by level, assessment path, clause, and the gate the requirement controls. It deliberately does not try to list certified companies, because the Department of Defense states the public has no access to who has completed a CMMC self-assessment or earned a certificate. The requirement in the solicitation is the only piece of this that lives in the open.

There are two different questions people mean when they say “CMMC tracker”:

  1. Which contractors are CMMC-certified?— Not publicly answerable. In the Department’s own words, “the public will not have access to a listing of defense industrial base companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the Department officers leading procurement activities” (DoD CMMC Program FAQ, C-A4). A company can view its own status in SPRS and voluntarily share it, but no public roster exists.
  2. Which solicitations require CMMC, at what level?— Publicly answerable. When a solicitation is covered, the contracting officer must state the required CMMC level in the notice or its attachments, using a standardized DFARS provision.

So the only defensible public dataset is built on question 2. That is what this tracker does, and everything downstream — the levels, the clauses, the award gates — flows from language that is, by rule, printed in the solicitation.

Key definitions

FCI (Federal Contract Information): non-public information provided by or generated for the government under a contract to deliver a product or service. Defined in FAR 52.204-21.

CUI (Controlled Unclassified Information): information requiring safeguarding or dissemination controls, defined in 32 CFR Part 2002. CUI generally triggers Level 2 or higher.

C3PAO: a CMMC Third-Party Assessment Organization, authorized by The Cyber AB to run Level 2 certification assessments.

DIBCAC: the Defense Industrial Base Cybersecurity Assessment Center, which runs Level 3 government assessments.

SPRS: the Supplier Performance Risk System, where CMMC statuses and scores are posted and where contracting officers verify them.

CMMC UID: ten alpha-numeric characters assigned to each CMMC assessment and reflected in SPRS for each contractor information system.

POA&M: a Plan of Action and Milestones — the remediation plan behind a “conditional” status.

Where each CMMC term appears in a solicitation

CMMC solicitation term map — field by field
TermWhere it appears in a solicitationTracker field it drivesCommon mistake
CMMC level (1/2/3; Self/C3PAO/DIBCAC)The 252.204-7025 fill-in; the cybersecurity section; often an attachmentnormalized_level, assessment_pathAssuming “CMMC” always means Level 2 C3PAO
DFARS 252.204-7025The solicitation’s provisions/clauses listrequired_level, award_gateSkipping it because it’s short and buried in the clause matrix
DFARS 252.204-7021The provisions list, then the resulting contractflowdown_required, maintain_through_lifeReading the clause number as if it were the level
SPRS status / affirmationEligibility and proposal instructionssprs_status_required, affirmation_requiredAssuming a score alone is enough without a current affirmation
CMMC UIDProposal instructions (“provide CMMC UID(s)”)uid_requiredTreating UID language as the same thing as a stated level
FCI / CUIStatement of work; data-handling sectiondata_type (drives the level)Assuming CUI always means C3PAO during Phase 1

Source: The Defense Compliance Report, based on DFARS 252.204-7025/7021 (acquisition.gov) and 32 CFR Part 170.

CMMC solicitation data: what levels are appearing in DoD solicitations right now

Across the public solicitations we sampled, Level 2 (Self) is the most frequently stated requirement, and CMMC often functions as an access gate — controlling entry to technical data packages or protected documents, or required with the proposal itself — not only as a final award condition. This is a source-linked seed sample, not a complete census, so the counts below describe these specific rows rather than a market-wide percentage.

The table is our initial sample of real DoD opportunities that reference CMMC. Every row links to its source notice on SAM.gov so you can read the exact language yourself. We are confirming each row against its notice and attachments; rows whose level lives in an access-controlled attachment are marked “Attachment review,” and rows describing a future requirement are marked “Anticipated.”

CMMC solicitation seed sample (n = 20, source-linked, row-level SAM.gov verification in progress) — compiled July 1, 2026
#Opportunity (issuing component)Requirement languageNormalized levelOperational gateSource statusSource
1Anniston Army Depot Power Generation & Microgrid“CMMC level required is Level 2 Self”Level 2 (Self)Award / requirementNotice textSAM.gov
2RWP High Pressure Air System ExpansionNIST SP 800-171 + CMMC Level 2 Self for protected documentsLevel 2 (Self)Protected-document accessNotice textSAM.gov
3MLG/NLG Cycling FixtureProof of CMMC Level 2 Self required for TDP accessLevel 2 (Self)Technical-data-package accessNotice textSAM.gov
4AEWTTR III“CMMC Level 2 C3PAO” anticipatedLevel 2 (C3PAO)Anticipated / futureAnticipatedSAM.gov
5TDA Auxiliary Water Supply Backup Debris Mgmt“CMMC Level 2 Self or higher”Level 2 (Self) or higherAward / requirementNotice textSAM.gov
69mm JHP Special Purpose CartridgeMinimum CMMC Level 2 Self-AssessmentLevel 2 (Self)Minimum eligibilityNotice textSAM.gov
7HITS-UIII (Industry Day / Presolicitation)CMMC Level 2 C3PAO after Nov 10, 2026Level 2 (C3PAO)Future / Phase 2AnticipatedSAM.gov
8FA8250-26-Q-0741 (repair, NSN 6130013693392)Active conditional/final CMMC Level 2 Self required for award considerationLevel 2 (Self)Award considerationNotice textSAM.gov
9Office Management Services“CMMC Level 2 Self is applicable”Level 2 (Self)RequirementNotice textSAM.gov
10FiBO 250 Interferometer (RFQ)Required CMMC level is Level 2 SelfLevel 2 (Self)RFQ requirementNotice textSAM.gov
11Pressure Compensator Mounting Bracket (RFQ)Required CMMC Level 2 SelfLevel 2 (Self)RFQ requirementNotice textSAM.gov
12QuinStar Transceivers & Bandpass Filters“CMMC Level 2 CUI Self” anticipatedLevel 2 (Self)Anticipated / CUI selfAnticipatedSAM.gov
13Pressure Vessel and BulkheadRequired CMMC Level 2 SelfLevel 2 (Self)RequirementNotice textSAM.gov
14UH-60 Mechanical TransmissionCMMC Level 2 assessment from an authorized C3PAOLevel 2 (C3PAO)Source approval / assessmentNotice textSAM.gov
15PKB LCC Cleaning IDIQ (service)NIST score / POA&M language + CMMC evaluationAmbiguous — needs reviewEvaluation / complianceAttachment reviewSAM.gov
16Kentucky National Guard Aviation Services (RAPSC)CMMC Level 2 certification as material conditionLevel 2 — path to classifyAward / performanceNotice text; path TBDSAM.gov
17VEWMEC (construction)CMMC UID(s) issued by SPRS for contractor systemsUID required — level to verifyProposal / UIDAttachment reviewSAM.gov
18FA825026Q0615 (repair, NSN 5999-01-064-6612)Send CMMC assessment UID with the proposal emailUID required — level to verifyProposal submissionAttachment reviewSAM.gov
19UH-60 Gearbox Assembly Upgrade & OverhaulAt least Level 2 self-assessmentLevel 2 (Self)RequirementNotice textSAM.gov
20F20676 HAW2 ErgoCurrent CMMC Level 1 or higher self-assessment in SPRS at awardLevel 1 (Self) or higherAwardNotice textSAM.gov

Source: Compiled by The Defense Compliance Report from public opportunity records on SAM.gov (sam.gov). Source-linked seed sample of 20 records, compiled July 1, 2026; each row links to its notice for independent verification. Regulatory fields cross-checked against DFARS 252.204-7025/7021 and 32 CFR Part 170.

CMMC solicitation statistics from this seed sample (n = 20)

  • Level 2 (Self), including “or higher” and “CUI Self” phrasing: 12 rows
  • Level 2 (C3PAO): 3 rows (2 stated as anticipated/future, tied to the Phase 2 date)
  • Level 1 (Self) or higher: 1 row
  • CMMC UID requested, level not stated in the visible notice text: 2 rows
  • Level 2 with the assessment path not stated: 1 row
  • Ambiguous, references CMMC but needs attachment review to classify: 1 row

Source: The Defense Compliance Report seed sample (n = 20), compiled July 1, 2026. Sample counts, not a market-wide total.

Two patterns are worth naming. First, in this sample the self-assessment path dominates — consistent with a Phase 1 window in which self-assessment is the baseline award gate. Second, CMMC frequently gates access to the technical data you need in order to bid at all — the technical data package, the plans and specs — not just the award. That is a deadline behind the deadline, and it is invisible if you only skim the summary notice.

We are not publishing a figure like “X% of DoD solicitations require CMMC.” That claim requires a complete SAM.gov run; this is a starting sample. When the full run is done, the counts will move. The per-row source links will not.

What this shows — and what it doesn’t

This tracker shows how CMMC requirements are actually written into public solicitations: the stated level, the clause invoked, whether a CMMC UID is requested, and whether CMMC gates award, proposal submission, or document access. It does not show who is certified, it does not capture non-public or access-controlled attachments we could not open, and it is not legal advice about your specific bid.

  • It is not a certificate list. Per the Department, no public roster of certified companies exists.
  • It is a sample in motion. Solicitations get amended, cancelled, and re-posted, and a CMMC level can change between an early notice and the final RFP. That is why we track a source status per row and a verification date for the page.
  • Attachments can be gated.CMMC language is frequently inside an attachment, and some attachments require access approval. Where we couldn’t see inside, we mark the row “Attachment review” rather than guess.
  • “CMMC” in a notice is not automatically Level 2 C3PAO.The provision allows four different level/status selections. Reading “CMMC” and assuming third-party certification is a common and expensive error.

How we built and verified this tracker

We assembled the sample from public DoD opportunity records on SAM.gov, then normalized each row against the governing rules. We searched for CMMC-specific terms, captured the exact requirement language, classified the level and gate with fixed rules, and cross-checked every regulatory field — clause numbers, level definitions, and phase dates — against the DFARS, 32 CFR Part 170, and the Department’s CMMC FAQ.

Rows are not marked verified until the SAM.gov notice or attachment has been opened, the exact phrase copied, and the source status recorded; every row links to its source so anyone can confirm the language independently.

Search terms. We queried SAM.gov opportunity records for: CMMC, Cybersecurity Maturity Model Certification, DFARS 252.204-7021, DFARS 252.204-7025, CMMC Level 1, CMMC Level 2, CMMC Level 3, C3PAO, DIBCAC, SPRS, and CMMC UID.

Search run — July 1, 2026.Filter: Department of Defense contract opportunities. For each candidate we recorded the notice ID, opened the notice, checked attachments where accessible, copied the exact CMMC phrase, and classified the level, assessment path, and gate. Candidates that referenced “CMMI,” generic cybersecurity language with no CMMC term, or that were superseded by a later amendment were excluded.

Classification rules

Tracker classification rules — applied consistently to every row
ClassificationRule
Level 1 (Self)References Level 1 self-assessment, “Level 1 or higher,” or FAR 52.204-21 / FCI-only handling tied to CMMC Level 1
Level 2 (Self)References Level 2 self-assessment, “Level 2 Self,” or CUI self-assessment
Level 2 (C3PAO)References a Level 2 third-party assessment, a C3PAO, or certification by an authorized C3PAO
Level 3 (DIBCAC)References Level 3 or a DIBCAC assessment
UID requiredAsks for a CMMC UID / SPRS UID / assessment UID
AmbiguousReferences CMMC but the visible text doesn’t identify level or path; attachments reviewed before final classification
AnticipatedSays a CMMC requirement is expected or will apply after a future date
ExcludedFalse positives (“CMMI”), generic cybersecurity references, and superseded or duplicate records

Source: The Defense Compliance Report, July 2026.

Data dictionary

The full dataset records, per row: SAM.gov notice ID; opportunity title; agency/component; notice type; posted date; response date; exact CMMC phrase found; normalized CMMC level; assessment path; clause/provision present (7025, 7021, 7012, 7019, 7020, FAR 52.204-21); operational gate; CMMC UID required (yes/no); SPRS status or affirmation referenced; CUI/FCI stated; access-control note (JCP / DD Form 2345 / export-controlled); source status; verification date; and source link.

The CMMC solicitation phase schedule (2025–2028)

The Department is phasing CMMC into solicitations over four one-year stages, and the schedule is fixed in regulation. Phase 1 (self-assessment as the award gate) began November 10, 2025. Phase 2 adds mandatory Level 2 C3PAO certification on November 10, 2026. Phase 3 adds Level 3 (DIBCAC) on November 10, 2027. Phase 4 — full implementation — begins November 10, 2028.

We pulled this directly from the regulation. The four phases and their dates are set by 32 CFR 170.3(e), tied to the DFARS rule’s effective date of November 10, 2025.

CMMC four-phase implementation schedule (32 CFR 170.3(e))
PhaseDatesIncluded as a condition of awardAt DoD’s discretionWhat the tracker watches for
Phase 1 (current)Nov 10, 2025 – Nov 9, 2026Level 1 (Self) or Level 2 (Self)Level 2 (C3PAO) in place of Level 2 (Self); applying L1/L2 (Self) to option exercises on earlier contractsSelf-assessment award gates; flag any discretionary C3PAO
Phase 2Nov 10, 2026 – Nov 9, 2027Adds Level 2 (C3PAO)May delay L2 (C3PAO) to an option period; may add Level 3 (DIBCAC)Mandatory C3PAO language; flag discretionary Level 3
Phase 3Nov 10, 2027 – Nov 9, 2028Adds Level 2 (C3PAO) for all applicable solicitations and as an option-exercise condition; adds Level 3 (DIBCAC)May delay L3 (DIBCAC) to an option periodLevel 3 DIBCAC gates; option-period gates on 2025+ awards
Phase 4 (full implementation)Nov 10, 2028 onwardAll CMMC Program requirements in all applicable solicitations and contracts, including option periods on earlier contractsTreat CMMC as present in essentially all covered solicitations and options

Source: 32 CFR 170.3(e), CMMC Program Rule (89 FR 83092, Oct. 15, 2024), via eCFR, current as of June 25, 2026; phase dates tied to the DFARS final rule effective November 10, 2025.

Two scope facts belong with this table. CMMC applies to solicitations and contracts above the micro-purchase threshold where a contractor will process, store, or transmit FCI or CUI on non-federal systems — but not to contracts solely for commercially available off-the-shelf (COTS) items, and DoD may waive it in advance (32 CFR 170.3(c)). The Department’s own FAQ frames the near term simply: implementation “began… on November 10, 2025,” and “the first 12 months… will primarily focus on self-assessments,” with Level 2 third-party assessments beginning November 10, 2026 (DoD CMMC Program FAQ, A-A1 and B-A2).

What DFARS 252.204-7025 and 252.204-7021 require in a solicitation

Two DFARS pieces do the work. The solicitation provision, DFARS 252.204-7025, is the gate: it states the required CMMC level, makes an offeror ineligible for award without the required current status and affirmation in SPRS, and requires CMMC UIDs in the proposal. The contract clause, DFARS 252.204-7021, is the ongoing obligation: it requires the contractor to hold and maintain that status for the life of the contract and to flow the requirement down to relevant subcontractors.

If you read one line of clause text, read the fill-in a contracting officer completes:

“The CMMC level required by this solicitation is: ____ — Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC).” — DFARS 252.204-7025

That single blank is why the level— not “CMMC, yes/no” — is the field that matters.

CMMC clause set in a solicitation — what each does and what to extract
Clause / provisionTitleRoleWhat to extract for the tracker
DFARS 252.204-7025Notice of Cybersecurity Maturity Model Certification Level RequirementsSolicitation provision: states the required level; award-eligibility gate; requires CMMC UIDs in the proposalrequired_level, award_gate, uid_required
DFARS 252.204-7021Contractor Compliance With the Cybersecurity Maturity Model Certification Level RequirementsContract clause: achieve the level at award, maintain it for the contract’s life, flow down to subcontractors, affirm annuallyflowdown_required, maintain_through_life
DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident ReportingPre-existing: NIST SP 800-171 safeguarding; 72-hour incident reporting; unchanged by CMMC800-171_baseline_present
DFARS 252.204-7019 / -7020(Notice of) NIST SP 800-171 DoD Assessment RequirementsPre-existing: 800-171 assessment scoring in SPRSsprs_800-171_score_required
FAR 52.204-21Basic Safeguarding of Covered Contractor Information SystemsThe 15 basic safeguarding requirements underpinning CMMC Level 1 (FCI)fci_level1_basis

Source: DFARS Subpart 204.75 and the clause/provision texts at acquisition.gov; FAR 52.204-21.

One correction worth stating plainly:DFARS 252.204-7021 does not mean “Level 2 C3PAO.” The level is whatever the 7025 provision states — it can be Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). Read the fill-in, not the clause number.

How CMMC affects award eligibility

When the CMMC provision applies, an offeror must have a current CMMC status at the required level (or higher) and a current annual affirmation posted in SPRS before award, plus the CMMC UID for every in-scope system in the proposal. Miss any of those and the offer is ineligible. CMMC is not an evaluation factor or a set-aside — it is a pass/fail eligibility condition when it’s included.

The mechanics, in the order they bite:

  • The proposal. You list the CMMC UID(s) for each system that will handle FCI or CUI. Systems not represented by a listed UID cannot be used for FCI or CUI during performance (DoD CMMC Program FAQ, C-A5).
  • Verification at award. The contracting officer checks SPRS against your UIDs and cannot award to an offeror lacking the required status (DFARS 204.7503).
  • Conditional status and the 180-day clock. A Level 2 or Level 3 assessment that isn’t fully met can yield a conditional status — awarded on a score of at least 80% of the maximum, with unmet items on a POA&M. That POA&M must be closed within 180 days or the conditional status expires, and certain “critical” requirements identified in 32 CFR 170.21 cannot go on a POA&M at all.
  • Affirmations. Every level requires an affirmation of continuous compliance at assessment and annually thereafter.
  • Subcontractor flow-down. The required level follows the data, not the prime’s level. Subcontractors handling FCI or CUI are subject to the requirement, and when a prime contract requires Level 3, the minimum flow-down is a Level 2 independent assessment absent specific guidance (DoD CMMC Program FAQ, B-A6; 32 CFR 170.23).
CMMC Level requirements — what each level covers and how it’s verified
LevelDataStandardAssessmentCadence
Level 1 (Self)FCI onlyFAR 52.204-21 (15 basic safeguarding requirements)Annual self-assessment in SPRS + affirmationAnnual
Level 2 (Self)CUI (specified cases)NIST SP 800-171 Rev. 2 (110 requirements)Self-assessment in SPRS + affirmation3-yr validity; annual affirmation
Level 2 (C3PAO)CUINIST SP 800-171 Rev. 2 (110 requirements)Third-party assessment by a C3PAO3-yr validity; annual affirmation
Level 3 (DIBCAC)High-sensitivity CUI110 (NIST SP 800-171 Rev. 2) + 24 selected from NIST SP 800-172Government assessment by DIBCAC3-yr validity; annual affirmation

Source: 32 CFR Part 170; DoD CMMC Program FAQ, Rev. 2.3, May 2026.

A note on NIST versions.NIST has published SP 800-171 Revision 3, which supersedes Revision 2 on NIST’s site and cuts the control count from 110 to 97, and NIST SP 800-172 was superseded by a Revision 3 on May 13, 2026. CMMC assessments, however, remain tied to NIST SP 800-171 Revision 2 (110 requirements)under a DoD class deviation until future rulemaking — the CMMC final rule states Revision 3 “is not currently applicable” — and 32 CFR Part 170 uses 24 selected requirements from the 2021 NIST SP 800-172 for Level 3 (DoD CMMC Program FAQ, B-A3).

The demand behind these requirements

The reason these solicitation requirements have teeth is a readiness gap: the number of contractors that have actually earned Level 2 certification is small against the population the government expects to need it.

On the demand side, the 32 CFR CMMC Program Rule’s regulatory analysis estimates that roughly 8,350 medium and large entities will need to meet Level 2 C3PAO assessment requirements as a condition of award (89 FR 83092). That is a deliberately narrow slice — medium and large firms on the third-party path. DoD’s broader program estimate puts the total Level 2 population in the tens of thousands, commonly reported around 80,000, with roughly 1,500 expected to need Level 3; treat those broad figures as DoD estimates repeated across the industry rather than a precise census.

On the supply side, the most recent public figures come from The Cyber AB, the accreditation body. As reported at the March 2026 Cyber AB Town Hall (and compiled publicly from the Cyber AB marketplace), there were roughly 103 authorized C3PAOs and about 759 certified assessors, with on the order of 1,000 organizationshaving achieved Level 2 certification. Counts of “authorized” versus merely “listed” C3PAOs vary — other 2026 tallies land from the high 60s to about 97 — which is exactly why they need a date attached. These are secondary aggregations of town-hall reporting and should be refreshed against the latest Cyber AB town hall before anyone leans on the precise number. What is not in dispute is the direction: roughly 1,000 certifications against a Level 2 population many times larger.

The enforcement backdrop is what makes an unsupported affirmation dangerous rather than a paperwork problem. The Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act to pursue contractors and grant recipients that knowingly misrepresent their cybersecurity compliance. In January 2026, DOJ reported that cyber-related matters accounted for $52 million across nine settlements within a record $6.8 billion in total False Claims Act recoveries for fiscal year 2025 (U.S. Department of Justice). When you affirm a CMMC status in SPRS, you are making a representation the government can and does litigate.

How to find and verify CMMC solicitations yourself

You can reproduce this tracker’s core in an afternoon: search SAM.gov for CMMC terms, open the attachments (not just the notice), confirm the requirement is real by checking for the 252.204-7025 provision and a stated level, and then confirm your own eligibility in SPRS.

  1. On SAM.gov, search Contract Opportunities for CMMC or 252.204-7025, filter to the Department of Defense, and set your posted-date window.
  2. Open the attachments. CMMC level language is frequently in the solicitation package, not the summary. This is the step most people skip.
  3. Separate a requirement from a mention. A real requirement invokes provision 252.204-7025 and states a level (“CMMC Level 2 (Self)”). A narrative “CMMC is coming” note is not yet an award gate.
  4. Confirm your own status in SPRS: a current status at the required level anda current annual affirmation, for every in-scope system’s CMMC UID.

What this tracker should not be used to claim

Use this as evidence of how CMMC is entering solicitations — not as a certified-company list, a complete census, or legal advice. Specifically, this page should not be read to say:

  • That it lists who is CMMC-certified (it can’t).
  • That “CMMC” always means Level 2 C3PAO (the provision offers four selections).
  • That the sample counts are market-wide totals (they are sample counts pending a full run).
  • That it substitutes for reading your actual solicitation.

This is a research resource on a regulatory topic that affects contract eligibility and legal exposure — treat it as educational, verify against your specific solicitation, and consult qualified counsel or your contracting officer for decisions about your bid.

How to cite this page

Suggested citation:

The Defense Compliance Report Editorial Team. “CMMC Solicitation Tracker: How CMMC Requirements Show Up in DoD Solicitations.” The Defense Compliance Report. Last updated . https://thedefensecompliancereport.com/research/cmmc-solicitation-tracker/

Frequently asked questions

Is CMMC required for DoD contracts now?

Yes, on a phased basis. CMMC became a lawful award condition when the DFARS final rule took effect on November 10, 2025, but whether a specific solicitation requires it — and at what level — depends on the procurement and the phase. In Phase 1, a covered solicitation can require a Level 1 or Level 2 self-assessment as a condition of award (DFARS final rule; 32 CFR 170.3(e)).

Does DFARS 252.204-7021 always mean Level 2 C3PAO?

No. The required level is stated in the solicitation provision, DFARS 252.204-7025, which can specify Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The 7021 clause binds you to whatever level the solicitation states.

Where do I find the required CMMC level in a solicitation?

Look for the DFARS 252.204-7025 provision and the 252.204-7021 clause, the cybersecurity and proposal-instruction sections, any CUI or FCI handling requirements, and SPRS/CMMC UID language. Check the attachments — the level is often stated there rather than in the summary notice.

Are CMMC certificates public?

No. The Department states that “the public will not have access to a listing of defense industrial base companies that have completed their CMMC self-assessments or received CMMC certificates.” That information is available to procurement officials, and a company can view and voluntarily share its own status (DoD CMMC Program FAQ, C-A4).

Is CMMC an evaluation factor or a set-aside?

No. The DFARS rule specifies that CMMC is not an evaluation factor or a set-aside; when included, it is an award and contract eligibility requirement — a pass/fail gate, not a scored criterion.

When does Level 2 third-party (C3PAO) certification become mandatory?

November 10, 2026, the start of Phase 2. During Phase 1, DoD may require Level 2 C3PAO at its discretion, which is why some current notices flag an anticipated C3PAO requirement (32 CFR 170.3(e); DoD CMMC Program FAQ, B-A2).

Primary sources

The Defense Compliance Report is an independent trade publication covering CMMC 2.0 and defense industrial base compliance. Last verified: Next scheduled review: on any DFARS or 32 CFR Part 170 change, and monthly otherwise.

← Back to Research & Data