About CMMC
CMMC details
Level 1
Foundational
Basic safeguarding of Federal Contract Information (FCI).
Level 2
Advanced
Aligns with NIST SP 800-171 requirements for protecting CUI.
Level 3
Expert
Focuses on more complex security measures for critical programs, including NIST SP 800-172 requirements.
Who is Required to Certify?
- Prime contractors.
- Subcontractors at all tiers, regardless of the size of the company.
- Organizations providing IT services or software to the DoD.
Certification requirements depend on the level of information the contractor accesses:
- Level 1: For contractors handling FCI.
- Level 2: For contractors managing CUI.
- Level 3: For contractors supporting critical national security programs.


Deadlines for Compliance
Pilot Programs (2024)
DoD began incorporating CMMC requirements into select contracts in 2024.
Broader Rollout (2025)
By 2025, CMMC compliance is mandated for all applicable DoD contracts. Contractors must be certified before bidding on or renewing contracts containing CMMC clauses.
Risks of Non-Compliance
01
Loss of DoD Contracts
Companies failing to certify by required deadlines will be disqualified from bidding on or renewing DoD contracts.
02
Financial Risk
Non-compliance may result in fines, reputational damage, or the loss of business relationships.
03
Data Breaches and Cybersecurity Threats
Failure to meet cybersecurity standards increases vulnerability to cyberattacks, potentially leading to theft of sensitive information and operational disruptions.
04
Flow-Down Risk to Subcontractors
Non-compliance by subcontractors can jeopardize the entire supply chain.