Independent research · Non-commercial
CMMC Solicitation Tracker: How CMMC Requirements Show Up in DoD Solicitations
CMMC requirements are now live in Department of Defense solicitations, and this CMMC solicitation trackerfollows the one thing you can actually track in public: the requirement itself. As of July 1, 2026, the program sits in its first implementation phase (November 10, 2025 – November 9, 2026). In this phase a covered solicitation can make a current Level 1 or Level 2 self-assessment a condition of award, and Level 2 third-party (C3PAO) certification becomes required when DoD exercises that discretion— a distinction the regulation draws precisely.
That one distinction changes how you read the whole market. Below is the data, the phase schedule pulled straight from the regulation, the exact clauses to look for, and a method you can run yourself.
At a glance
| Topic | Where it comes from |
|---|---|
| When CMMC became a lawful award condition | November 10, 2025 (DFARS final rule effective date) |
| Current phase (as of July 1, 2026) | Phase 1 — Level 1 (Self) or Level 2 (Self) as a condition of award |
| When Level 2 C3PAO certification becomes required | November 10, 2026 (Phase 2) |
| The provision that states the required level | DFARS 252.204-7025 |
| The clause that binds compliance in the contract | DFARS 252.204-7021 |
| Can the public see who is certified? | No — the Department states there is no public certificate list |
| DoD estimate of medium/large firms needing Level 2 C3PAO | ~8,350 (32 CFR CMMC Program Rule regulatory analysis) |
What a CMMC solicitation tracker actually tracks — and why it’s solicitations, not companies
A CMMC solicitation tracker is a dated record of public DoD opportunities that state a CMMC requirement, sorted by level, assessment path, clause, and the gate the requirement controls. It deliberately does not try to list certified companies, because the Department of Defense states the public has no access to who has completed a CMMC self-assessment or earned a certificate. The requirement in the solicitation is the only piece of this that lives in the open.
There are two different questions people mean when they say “CMMC tracker”:
- Which contractors are CMMC-certified?— Not publicly answerable. In the Department’s own words, “the public will not have access to a listing of defense industrial base companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the Department officers leading procurement activities” (DoD CMMC Program FAQ, C-A4). A company can view its own status in SPRS and voluntarily share it, but no public roster exists.
- Which solicitations require CMMC, at what level?— Publicly answerable. When a solicitation is covered, the contracting officer must state the required CMMC level in the notice or its attachments, using a standardized DFARS provision.
So the only defensible public dataset is built on question 2. That is what this tracker does, and everything downstream — the levels, the clauses, the award gates — flows from language that is, by rule, printed in the solicitation.
Key definitions
FCI (Federal Contract Information): non-public information provided by or generated for the government under a contract to deliver a product or service. Defined in FAR 52.204-21.
CUI (Controlled Unclassified Information): information requiring safeguarding or dissemination controls, defined in 32 CFR Part 2002. CUI generally triggers Level 2 or higher.
C3PAO: a CMMC Third-Party Assessment Organization, authorized by The Cyber AB to run Level 2 certification assessments.
DIBCAC: the Defense Industrial Base Cybersecurity Assessment Center, which runs Level 3 government assessments.
SPRS: the Supplier Performance Risk System, where CMMC statuses and scores are posted and where contracting officers verify them.
CMMC UID: ten alpha-numeric characters assigned to each CMMC assessment and reflected in SPRS for each contractor information system.
POA&M: a Plan of Action and Milestones — the remediation plan behind a “conditional” status.
Where each CMMC term appears in a solicitation
| Term | Where it appears in a solicitation | Tracker field it drives | Common mistake |
|---|---|---|---|
| CMMC level (1/2/3; Self/C3PAO/DIBCAC) | The 252.204-7025 fill-in; the cybersecurity section; often an attachment | normalized_level, assessment_path | Assuming “CMMC” always means Level 2 C3PAO |
| DFARS 252.204-7025 | The solicitation’s provisions/clauses list | required_level, award_gate | Skipping it because it’s short and buried in the clause matrix |
| DFARS 252.204-7021 | The provisions list, then the resulting contract | flowdown_required, maintain_through_life | Reading the clause number as if it were the level |
| SPRS status / affirmation | Eligibility and proposal instructions | sprs_status_required, affirmation_required | Assuming a score alone is enough without a current affirmation |
| CMMC UID | Proposal instructions (“provide CMMC UID(s)”) | uid_required | Treating UID language as the same thing as a stated level |
| FCI / CUI | Statement of work; data-handling section | data_type (drives the level) | Assuming CUI always means C3PAO during Phase 1 |
CMMC solicitation data: what levels are appearing in DoD solicitations right now
Across the public solicitations we sampled, Level 2 (Self) is the most frequently stated requirement, and CMMC often functions as an access gate — controlling entry to technical data packages or protected documents, or required with the proposal itself — not only as a final award condition. This is a source-linked seed sample, not a complete census, so the counts below describe these specific rows rather than a market-wide percentage.
The table is our initial sample of real DoD opportunities that reference CMMC. Every row links to its source notice on SAM.gov so you can read the exact language yourself. We are confirming each row against its notice and attachments; rows whose level lives in an access-controlled attachment are marked “Attachment review,” and rows describing a future requirement are marked “Anticipated.”
| # | Opportunity (issuing component) | Requirement language | Normalized level | Operational gate | Source status | Source |
|---|---|---|---|---|---|---|
| 1 | Anniston Army Depot Power Generation & Microgrid | “CMMC level required is Level 2 Self” | Level 2 (Self) | Award / requirement | Notice text | SAM.gov |
| 2 | RWP High Pressure Air System Expansion | NIST SP 800-171 + CMMC Level 2 Self for protected documents | Level 2 (Self) | Protected-document access | Notice text | SAM.gov |
| 3 | MLG/NLG Cycling Fixture | Proof of CMMC Level 2 Self required for TDP access | Level 2 (Self) | Technical-data-package access | Notice text | SAM.gov |
| 4 | AEWTTR III | “CMMC Level 2 C3PAO” anticipated | Level 2 (C3PAO) | Anticipated / future | Anticipated | SAM.gov |
| 5 | TDA Auxiliary Water Supply Backup Debris Mgmt | “CMMC Level 2 Self or higher” | Level 2 (Self) or higher | Award / requirement | Notice text | SAM.gov |
| 6 | 9mm JHP Special Purpose Cartridge | Minimum CMMC Level 2 Self-Assessment | Level 2 (Self) | Minimum eligibility | Notice text | SAM.gov |
| 7 | HITS-UIII (Industry Day / Presolicitation) | CMMC Level 2 C3PAO after Nov 10, 2026 | Level 2 (C3PAO) | Future / Phase 2 | Anticipated | SAM.gov |
| 8 | FA8250-26-Q-0741 (repair, NSN 6130013693392) | Active conditional/final CMMC Level 2 Self required for award consideration | Level 2 (Self) | Award consideration | Notice text | SAM.gov |
| 9 | Office Management Services | “CMMC Level 2 Self is applicable” | Level 2 (Self) | Requirement | Notice text | SAM.gov |
| 10 | FiBO 250 Interferometer (RFQ) | Required CMMC level is Level 2 Self | Level 2 (Self) | RFQ requirement | Notice text | SAM.gov |
| 11 | Pressure Compensator Mounting Bracket (RFQ) | Required CMMC Level 2 Self | Level 2 (Self) | RFQ requirement | Notice text | SAM.gov |
| 12 | QuinStar Transceivers & Bandpass Filters | “CMMC Level 2 CUI Self” anticipated | Level 2 (Self) | Anticipated / CUI self | Anticipated | SAM.gov |
| 13 | Pressure Vessel and Bulkhead | Required CMMC Level 2 Self | Level 2 (Self) | Requirement | Notice text | SAM.gov |
| 14 | UH-60 Mechanical Transmission | CMMC Level 2 assessment from an authorized C3PAO | Level 2 (C3PAO) | Source approval / assessment | Notice text | SAM.gov |
| 15 | PKB LCC Cleaning IDIQ (service) | NIST score / POA&M language + CMMC evaluation | Ambiguous — needs review | Evaluation / compliance | Attachment review | SAM.gov |
| 16 | Kentucky National Guard Aviation Services (RAPSC) | CMMC Level 2 certification as material condition | Level 2 — path to classify | Award / performance | Notice text; path TBD | SAM.gov |
| 17 | VEWMEC (construction) | CMMC UID(s) issued by SPRS for contractor systems | UID required — level to verify | Proposal / UID | Attachment review | SAM.gov |
| 18 | FA825026Q0615 (repair, NSN 5999-01-064-6612) | Send CMMC assessment UID with the proposal email | UID required — level to verify | Proposal submission | Attachment review | SAM.gov |
| 19 | UH-60 Gearbox Assembly Upgrade & Overhaul | At least Level 2 self-assessment | Level 2 (Self) | Requirement | Notice text | SAM.gov |
| 20 | F20676 HAW2 Ergo | Current CMMC Level 1 or higher self-assessment in SPRS at award | Level 1 (Self) or higher | Award | Notice text | SAM.gov |
CMMC solicitation statistics from this seed sample (n = 20)
- Level 2 (Self), including “or higher” and “CUI Self” phrasing: 12 rows
- Level 2 (C3PAO): 3 rows (2 stated as anticipated/future, tied to the Phase 2 date)
- Level 1 (Self) or higher: 1 row
- CMMC UID requested, level not stated in the visible notice text: 2 rows
- Level 2 with the assessment path not stated: 1 row
- Ambiguous, references CMMC but needs attachment review to classify: 1 row
Two patterns are worth naming. First, in this sample the self-assessment path dominates — consistent with a Phase 1 window in which self-assessment is the baseline award gate. Second, CMMC frequently gates access to the technical data you need in order to bid at all — the technical data package, the plans and specs — not just the award. That is a deadline behind the deadline, and it is invisible if you only skim the summary notice.
We are not publishing a figure like “X% of DoD solicitations require CMMC.” That claim requires a complete SAM.gov run; this is a starting sample. When the full run is done, the counts will move. The per-row source links will not.
What this shows — and what it doesn’t
This tracker shows how CMMC requirements are actually written into public solicitations: the stated level, the clause invoked, whether a CMMC UID is requested, and whether CMMC gates award, proposal submission, or document access. It does not show who is certified, it does not capture non-public or access-controlled attachments we could not open, and it is not legal advice about your specific bid.
- It is not a certificate list. Per the Department, no public roster of certified companies exists.
- It is a sample in motion. Solicitations get amended, cancelled, and re-posted, and a CMMC level can change between an early notice and the final RFP. That is why we track a source status per row and a verification date for the page.
- Attachments can be gated.CMMC language is frequently inside an attachment, and some attachments require access approval. Where we couldn’t see inside, we mark the row “Attachment review” rather than guess.
- “CMMC” in a notice is not automatically Level 2 C3PAO.The provision allows four different level/status selections. Reading “CMMC” and assuming third-party certification is a common and expensive error.
How we built and verified this tracker
We assembled the sample from public DoD opportunity records on SAM.gov, then normalized each row against the governing rules. We searched for CMMC-specific terms, captured the exact requirement language, classified the level and gate with fixed rules, and cross-checked every regulatory field — clause numbers, level definitions, and phase dates — against the DFARS, 32 CFR Part 170, and the Department’s CMMC FAQ.
Rows are not marked verified until the SAM.gov notice or attachment has been opened, the exact phrase copied, and the source status recorded; every row links to its source so anyone can confirm the language independently.
Search terms. We queried SAM.gov opportunity records for: CMMC, Cybersecurity Maturity Model Certification, DFARS 252.204-7021, DFARS 252.204-7025, CMMC Level 1, CMMC Level 2, CMMC Level 3, C3PAO, DIBCAC, SPRS, and CMMC UID.
Search run — July 1, 2026.Filter: Department of Defense contract opportunities. For each candidate we recorded the notice ID, opened the notice, checked attachments where accessible, copied the exact CMMC phrase, and classified the level, assessment path, and gate. Candidates that referenced “CMMI,” generic cybersecurity language with no CMMC term, or that were superseded by a later amendment were excluded.
Classification rules
| Classification | Rule |
|---|---|
| Level 1 (Self) | References Level 1 self-assessment, “Level 1 or higher,” or FAR 52.204-21 / FCI-only handling tied to CMMC Level 1 |
| Level 2 (Self) | References Level 2 self-assessment, “Level 2 Self,” or CUI self-assessment |
| Level 2 (C3PAO) | References a Level 2 third-party assessment, a C3PAO, or certification by an authorized C3PAO |
| Level 3 (DIBCAC) | References Level 3 or a DIBCAC assessment |
| UID required | Asks for a CMMC UID / SPRS UID / assessment UID |
| Ambiguous | References CMMC but the visible text doesn’t identify level or path; attachments reviewed before final classification |
| Anticipated | Says a CMMC requirement is expected or will apply after a future date |
| Excluded | False positives (“CMMI”), generic cybersecurity references, and superseded or duplicate records |
Data dictionary
The full dataset records, per row: SAM.gov notice ID; opportunity title; agency/component; notice type; posted date; response date; exact CMMC phrase found; normalized CMMC level; assessment path; clause/provision present (7025, 7021, 7012, 7019, 7020, FAR 52.204-21); operational gate; CMMC UID required (yes/no); SPRS status or affirmation referenced; CUI/FCI stated; access-control note (JCP / DD Form 2345 / export-controlled); source status; verification date; and source link.
The CMMC solicitation phase schedule (2025–2028)
The Department is phasing CMMC into solicitations over four one-year stages, and the schedule is fixed in regulation. Phase 1 (self-assessment as the award gate) began November 10, 2025. Phase 2 adds mandatory Level 2 C3PAO certification on November 10, 2026. Phase 3 adds Level 3 (DIBCAC) on November 10, 2027. Phase 4 — full implementation — begins November 10, 2028.
We pulled this directly from the regulation. The four phases and their dates are set by 32 CFR 170.3(e), tied to the DFARS rule’s effective date of November 10, 2025.
| Phase | Dates | Included as a condition of award | At DoD’s discretion | What the tracker watches for |
|---|---|---|---|---|
| Phase 1 (current) | Nov 10, 2025 – Nov 9, 2026 | Level 1 (Self) or Level 2 (Self) | Level 2 (C3PAO) in place of Level 2 (Self); applying L1/L2 (Self) to option exercises on earlier contracts | Self-assessment award gates; flag any discretionary C3PAO |
| Phase 2 | Nov 10, 2026 – Nov 9, 2027 | Adds Level 2 (C3PAO) | May delay L2 (C3PAO) to an option period; may add Level 3 (DIBCAC) | Mandatory C3PAO language; flag discretionary Level 3 |
| Phase 3 | Nov 10, 2027 – Nov 9, 2028 | Adds Level 2 (C3PAO) for all applicable solicitations and as an option-exercise condition; adds Level 3 (DIBCAC) | May delay L3 (DIBCAC) to an option period | Level 3 DIBCAC gates; option-period gates on 2025+ awards |
| Phase 4 (full implementation) | Nov 10, 2028 onward | All CMMC Program requirements in all applicable solicitations and contracts, including option periods on earlier contracts | — | Treat CMMC as present in essentially all covered solicitations and options |
Two scope facts belong with this table. CMMC applies to solicitations and contracts above the micro-purchase threshold where a contractor will process, store, or transmit FCI or CUI on non-federal systems — but not to contracts solely for commercially available off-the-shelf (COTS) items, and DoD may waive it in advance (32 CFR 170.3(c)). The Department’s own FAQ frames the near term simply: implementation “began… on November 10, 2025,” and “the first 12 months… will primarily focus on self-assessments,” with Level 2 third-party assessments beginning November 10, 2026 (DoD CMMC Program FAQ, A-A1 and B-A2).
What DFARS 252.204-7025 and 252.204-7021 require in a solicitation
Two DFARS pieces do the work. The solicitation provision, DFARS 252.204-7025, is the gate: it states the required CMMC level, makes an offeror ineligible for award without the required current status and affirmation in SPRS, and requires CMMC UIDs in the proposal. The contract clause, DFARS 252.204-7021, is the ongoing obligation: it requires the contractor to hold and maintain that status for the life of the contract and to flow the requirement down to relevant subcontractors.
If you read one line of clause text, read the fill-in a contracting officer completes:
“The CMMC level required by this solicitation is: ____ — Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC).” — DFARS 252.204-7025
That single blank is why the level— not “CMMC, yes/no” — is the field that matters.
| Clause / provision | Title | Role | What to extract for the tracker |
|---|---|---|---|
| DFARS 252.204-7025 | Notice of Cybersecurity Maturity Model Certification Level Requirements | Solicitation provision: states the required level; award-eligibility gate; requires CMMC UIDs in the proposal | required_level, award_gate, uid_required |
| DFARS 252.204-7021 | Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements | Contract clause: achieve the level at award, maintain it for the contract’s life, flow down to subcontractors, affirm annually | flowdown_required, maintain_through_life |
| DFARS 252.204-7012 | Safeguarding Covered Defense Information and Cyber Incident Reporting | Pre-existing: NIST SP 800-171 safeguarding; 72-hour incident reporting; unchanged by CMMC | 800-171_baseline_present |
| DFARS 252.204-7019 / -7020 | (Notice of) NIST SP 800-171 DoD Assessment Requirements | Pre-existing: 800-171 assessment scoring in SPRS | sprs_800-171_score_required |
| FAR 52.204-21 | Basic Safeguarding of Covered Contractor Information Systems | The 15 basic safeguarding requirements underpinning CMMC Level 1 (FCI) | fci_level1_basis |
One correction worth stating plainly:DFARS 252.204-7021 does not mean “Level 2 C3PAO.” The level is whatever the 7025 provision states — it can be Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). Read the fill-in, not the clause number.
How CMMC affects award eligibility
When the CMMC provision applies, an offeror must have a current CMMC status at the required level (or higher) and a current annual affirmation posted in SPRS before award, plus the CMMC UID for every in-scope system in the proposal. Miss any of those and the offer is ineligible. CMMC is not an evaluation factor or a set-aside — it is a pass/fail eligibility condition when it’s included.
The mechanics, in the order they bite:
- The proposal. You list the CMMC UID(s) for each system that will handle FCI or CUI. Systems not represented by a listed UID cannot be used for FCI or CUI during performance (DoD CMMC Program FAQ, C-A5).
- Verification at award. The contracting officer checks SPRS against your UIDs and cannot award to an offeror lacking the required status (DFARS 204.7503).
- Conditional status and the 180-day clock. A Level 2 or Level 3 assessment that isn’t fully met can yield a conditional status — awarded on a score of at least 80% of the maximum, with unmet items on a POA&M. That POA&M must be closed within 180 days or the conditional status expires, and certain “critical” requirements identified in 32 CFR 170.21 cannot go on a POA&M at all.
- Affirmations. Every level requires an affirmation of continuous compliance at assessment and annually thereafter.
- Subcontractor flow-down. The required level follows the data, not the prime’s level. Subcontractors handling FCI or CUI are subject to the requirement, and when a prime contract requires Level 3, the minimum flow-down is a Level 2 independent assessment absent specific guidance (DoD CMMC Program FAQ, B-A6; 32 CFR 170.23).
| Level | Data | Standard | Assessment | Cadence |
|---|---|---|---|---|
| Level 1 (Self) | FCI only | FAR 52.204-21 (15 basic safeguarding requirements) | Annual self-assessment in SPRS + affirmation | Annual |
| Level 2 (Self) | CUI (specified cases) | NIST SP 800-171 Rev. 2 (110 requirements) | Self-assessment in SPRS + affirmation | 3-yr validity; annual affirmation |
| Level 2 (C3PAO) | CUI | NIST SP 800-171 Rev. 2 (110 requirements) | Third-party assessment by a C3PAO | 3-yr validity; annual affirmation |
| Level 3 (DIBCAC) | High-sensitivity CUI | 110 (NIST SP 800-171 Rev. 2) + 24 selected from NIST SP 800-172 | Government assessment by DIBCAC | 3-yr validity; annual affirmation |
A note on NIST versions.NIST has published SP 800-171 Revision 3, which supersedes Revision 2 on NIST’s site and cuts the control count from 110 to 97, and NIST SP 800-172 was superseded by a Revision 3 on May 13, 2026. CMMC assessments, however, remain tied to NIST SP 800-171 Revision 2 (110 requirements)under a DoD class deviation until future rulemaking — the CMMC final rule states Revision 3 “is not currently applicable” — and 32 CFR Part 170 uses 24 selected requirements from the 2021 NIST SP 800-172 for Level 3 (DoD CMMC Program FAQ, B-A3).
The demand behind these requirements
The reason these solicitation requirements have teeth is a readiness gap: the number of contractors that have actually earned Level 2 certification is small against the population the government expects to need it.
On the demand side, the 32 CFR CMMC Program Rule’s regulatory analysis estimates that roughly 8,350 medium and large entities will need to meet Level 2 C3PAO assessment requirements as a condition of award (89 FR 83092). That is a deliberately narrow slice — medium and large firms on the third-party path. DoD’s broader program estimate puts the total Level 2 population in the tens of thousands, commonly reported around 80,000, with roughly 1,500 expected to need Level 3; treat those broad figures as DoD estimates repeated across the industry rather than a precise census.
On the supply side, the most recent public figures come from The Cyber AB, the accreditation body. As reported at the March 2026 Cyber AB Town Hall (and compiled publicly from the Cyber AB marketplace), there were roughly 103 authorized C3PAOs and about 759 certified assessors, with on the order of 1,000 organizationshaving achieved Level 2 certification. Counts of “authorized” versus merely “listed” C3PAOs vary — other 2026 tallies land from the high 60s to about 97 — which is exactly why they need a date attached. These are secondary aggregations of town-hall reporting and should be refreshed against the latest Cyber AB town hall before anyone leans on the precise number. What is not in dispute is the direction: roughly 1,000 certifications against a Level 2 population many times larger.
The enforcement backdrop is what makes an unsupported affirmation dangerous rather than a paperwork problem. The Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act to pursue contractors and grant recipients that knowingly misrepresent their cybersecurity compliance. In January 2026, DOJ reported that cyber-related matters accounted for $52 million across nine settlements within a record $6.8 billion in total False Claims Act recoveries for fiscal year 2025 (U.S. Department of Justice). When you affirm a CMMC status in SPRS, you are making a representation the government can and does litigate.
How to find and verify CMMC solicitations yourself
You can reproduce this tracker’s core in an afternoon: search SAM.gov for CMMC terms, open the attachments (not just the notice), confirm the requirement is real by checking for the 252.204-7025 provision and a stated level, and then confirm your own eligibility in SPRS.
- On SAM.gov, search Contract Opportunities for
CMMCor252.204-7025, filter to the Department of Defense, and set your posted-date window. - Open the attachments. CMMC level language is frequently in the solicitation package, not the summary. This is the step most people skip.
- Separate a requirement from a mention. A real requirement invokes provision 252.204-7025 and states a level (“CMMC Level 2 (Self)”). A narrative “CMMC is coming” note is not yet an award gate.
- Confirm your own status in SPRS: a current status at the required level anda current annual affirmation, for every in-scope system’s CMMC UID.
What this tracker should not be used to claim
Use this as evidence of how CMMC is entering solicitations — not as a certified-company list, a complete census, or legal advice. Specifically, this page should not be read to say:
- That it lists who is CMMC-certified (it can’t).
- That “CMMC” always means Level 2 C3PAO (the provision offers four selections).
- That the sample counts are market-wide totals (they are sample counts pending a full run).
- That it substitutes for reading your actual solicitation.
This is a research resource on a regulatory topic that affects contract eligibility and legal exposure — treat it as educational, verify against your specific solicitation, and consult qualified counsel or your contracting officer for decisions about your bid.
How to cite this page
Suggested citation:
The Defense Compliance Report Editorial Team. “CMMC Solicitation Tracker: How CMMC Requirements Show Up in DoD Solicitations.” The Defense Compliance Report. Last updated . https://thedefensecompliancereport.com/research/cmmc-solicitation-tracker/
Frequently asked questions
Is CMMC required for DoD contracts now?
Yes, on a phased basis. CMMC became a lawful award condition when the DFARS final rule took effect on November 10, 2025, but whether a specific solicitation requires it — and at what level — depends on the procurement and the phase. In Phase 1, a covered solicitation can require a Level 1 or Level 2 self-assessment as a condition of award (DFARS final rule; 32 CFR 170.3(e)).
Does DFARS 252.204-7021 always mean Level 2 C3PAO?
No. The required level is stated in the solicitation provision, DFARS 252.204-7025, which can specify Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The 7021 clause binds you to whatever level the solicitation states.
Where do I find the required CMMC level in a solicitation?
Look for the DFARS 252.204-7025 provision and the 252.204-7021 clause, the cybersecurity and proposal-instruction sections, any CUI or FCI handling requirements, and SPRS/CMMC UID language. Check the attachments — the level is often stated there rather than in the summary notice.
Are CMMC certificates public?
No. The Department states that “the public will not have access to a listing of defense industrial base companies that have completed their CMMC self-assessments or received CMMC certificates.” That information is available to procurement officials, and a company can view and voluntarily share its own status (DoD CMMC Program FAQ, C-A4).
Is CMMC an evaluation factor or a set-aside?
No. The DFARS rule specifies that CMMC is not an evaluation factor or a set-aside; when included, it is an award and contract eligibility requirement — a pass/fail gate, not a scored criterion.
When does Level 2 third-party (C3PAO) certification become mandatory?
November 10, 2026, the start of Phase 2. During Phase 1, DoD may require Level 2 C3PAO at its discretion, which is why some current notices flag an anticipated C3PAO requirement (32 CFR 170.3(e); DoD CMMC Program FAQ, B-A2).
Primary sources
- 32 CFR 170.3(e) — CMMC phased implementation (eCFR)
- CMMC Program Rule, 89 FR 83092 (Federal Register, Oct. 15, 2024)
- DFARS CMMC Acquisition Rule (Federal Register, effective Nov. 10, 2025)
- DFARS Subpart 204.75 and 252.204-7025 (acquisition.gov)
- DoD CMMC Program FAQ (Rev. 2.3, May 2026)
- The Cyber AB marketplace (assessor / C3PAO data)
- SAM.gov (opportunity records)