Who Needs CMMC Certification?

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Regulatory requirements and standards evolve, and you should consult with a qualified compliance professional about your specific situation.


You're not sure if CMMC applies to your company. You know it's a defense contracting thing, and you work with the government in some capacity, but you're not clear whether you're actually required to pursue certification or whether you can skip it. Maybe you're a software vendor to a larger contractor. Maybe you do facilities management for a defense facility. Maybe you're an IT service provider. Maybe your company has one contract with a defense agency but most of your work is in the private sector. The requirement cascades through the supply chain in ways that aren't always obvious from the outside, and you need a clear answer: does this actually apply to you?

The answer is "it depends," but that's not satisfying and it's not helpful. What you need is a systematic way to answer the question yourself so you're not guessing or relying on hearsay from someone at a conference. This article walks you through how to figure it out.

Direct Department of Defense Contractors

If you have a contract directly with the Department of Defense, CMMC certification almost certainly applies to you. The DoD is actively enforcing this requirement on its prime contractors, and it's using certification status as a contract award criterion. You can no longer bid on defense contracts without having CMMC certification at the level your contract specifies. This enforcement is not theoretical. The DoD has removed contractors who lack current certification from eligible bidder lists. If you have a prime contract with the DoD and you don't know your CMMC certification status, you need to find out today, because it's blocking your ability to pursue new work.

The timeline matters here too. If your current contract was awarded before the CMMC enforcement timelines took effect, it might not have had explicit CMMC requirements. But any new work, any renewal, and any new task orders almost certainly will. The DoD has been clear and consistent: CMMC certification is now a table-stakes requirement for defense work. The era of "we're planning to get certified" is over. The DoD wants current certification before you bid.

Subcontractors and the Supply Chain Cascade

Here's where it gets complicated. If you don't have a direct contract with the DoD but you're a subcontractor to an organization that does, you might need CMMC. The requirement cascades down the supply chain, but it doesn't cascade uniformly or to everyone. If your direct customer—the organization you have a contract with—has a DoD contract that requires CMMC, and your work touches that contract's scope, then you inherit an obligation. But that obligation might not be full certification. It might be compliance with certain CMMC practices but not formal certification. It might be ensuring that your customer's compliance isn't undermined by your work.

This is where contract language becomes critical. Some subcontracts explicitly require CMMC certification. Others require compliance with CMMC practices. Others require ensuring that certain security requirements are met. Others might not mention CMMC at all but might reference NIST 800-171, which is the foundation of CMMC Level 2. You need to read your contracts carefully. Don't assume based on what your prime contractor told you. Don't assume based on your industry. Read your actual contracts.

A concrete example: you're a software vendor. You have a contract with a defense contractor to provide specialized software. The contractor has DoD contracts that require CMMC certification. But do you need CMMC certification? That depends on your contract. If your contract language says you must be CMMC certified, then yes. If it says you must meet certain CMMC practices, then you must comply with those practices but are not necessarily required to be certified. If it says you must ensure your software doesn't create security vulnerabilities, then you have a responsibility, but it might not be CMMC specifically. Only your contract tells you what's actually required.

Timing: When the Requirement Became Effective

CMMC became an effective contract requirement for new Department of Defense work around 2022 to 2023, and the enforcement has only gotten stricter since then. If you're bidding on new defense work after mid-2023 and your work involves touching Controlled Unclassified Information or sensitive systems, CMMC certification is almost certainly required before contract award. This doesn't mean every single defense contract requires it—some older vehicles haven't been updated, and some work is exempt—but the trend is clear and the direction is toward universal enforcement.

Existing contracts might have different rules depending on when they were awarded and what they specify. A contract awarded in 2020 might not have CMMC requirements. A contract awarded in 2024 almost certainly does. If you're working under an existing contract and it's coming up for renewal, the renewed contract will likely include CMMC requirements. This is why understanding your timeline is critical. If you have a contract that requires CMMC certification by a specific date and you're not certified, you have an urgent problem.

Determining Your Scope: The First Question to Answer

Your first step is determining whether you're in scope. Are you handling Controlled Unclassified Information? Are you providing services that touch a DoD system or network? Are you a key contractor in a sensitive program? If the answer is no to all of these, CMMC probably doesn't apply to you. Your work might have other compliance requirements—HIPAA if you're in healthcare, PCI DSS if you process payment cards, SOC 2 if you're a service provider to commercial enterprises. But if you're not handling sensitive government information and not providing services to systems that do, CMMC specifically probably doesn't apply.

If the answer is yes to any of these questions, you need to dig deeper. Check your contract for explicit CMMC requirements. Look for language like "must achieve CMMC certification at Level X by date Y" or "must comply with CMMC practices" or "must comply with NIST 800-171." If you don't find explicit CMMC language, look for references to security standards. Look for requirements to protect CUI. Look for references to NIST 800-171. Any of these could trigger CMMC compliance obligations.

When in doubt, ask your customer directly. Don't guess. Don't rely on someone else's interpretation. Have a specific conversation: "Do I need CMMC certification? At what level? By what date? Will you accept interim compliance while I'm working toward certification?" These are straightforward questions with yes or no answers, and your customer can give you those answers clearly.

The Vendor Landscape: Who Gets Caught Off Guard

Many vendors get caught off guard by CMMC requirements because they didn't realize they were in scope. A software vendor thought they were just providing software. A consulting firm thought they were providing advice. A staffing company thought they were just providing personnel. But any of these could be handling or accessing CUI, even if they didn't realize it. A software vendor's software might have access to classified or controlled systems. A consulting firm might have access to technical specifications that are CUI. A staffing company's personnel might work on sensitive contracts.

This is why the conversation with your customer is so important. Don't assume your work doesn't touch anything sensitive. Ask. It's better to find out now that you need CMMC and start planning than to discover it when a contract renewal is at stake.

Timeline: When Compliance Is Due

The DoD has established timelines for enforcement, but these have evolved as the program has matured. For most contractors right now, the timeline is now or very soon. If you have a contract that includes CMMC requirements and you're not certified, you're out of compliance right now. If you're planning to bid on new defense work, certification needs to happen before you bid. If you're a subcontractor to someone who needs CMMC by a specific date, your timeline is driven by their timeline.

The timeline matters enormously for planning. If you need certification in six months, you have a very different problem than if you have 18 months. An aggressive timeline might require paying for expedited audits or bringing in expensive consultant resources. It might require dedicating significant internal staff time. A longer timeline lets you invest in the right infrastructure and build the practices properly without rushing. Most contractors need 6 to 18 months from the start of a serious compliance effort to certification. Some need longer if they're starting from a weak security baseline. If your timeline is tight, you need to know that immediately so you can start planning and allocating resources.

Determining Your Required Level

Once you've determined that CMMC applies, the next question is which level. Your contract specifies this. Most new contracts require Level 2. Some older contracts might require Level 1. Some specialized work requires Level 3. Your contract language will tell you, or your customer can tell you. If your customer says "you need CMMC certification" and doesn't specify a level, ask for clarification. Assuming the wrong level wastes time and money.

Alternatives If CMMC Doesn't Apply

If you've determined that CMMC truly doesn't apply to you, you might still have other compliance requirements. If you work with healthcare data, you need HIPAA. If you process payment cards, you need PCI DSS. If you serve international clients, you might need ISO 27001 or GDPR compliance. If you work with other government agencies besides DoD, you might need SOC 2 or other frameworks. If you work with financial institutions, you might have compliance requirements. The point is: CMMC is one framework among many, and it's specific to defense contractors handling Controlled Unclassified Information.

But even if CMMC doesn't apply, the security principles underlying CMMC are universal. Asset management, access control, encryption, monitoring, incident response—these are good security practices regardless of your industry or customer base. The absence of a CMMC requirement shouldn't be confused with the absence of a security need. If you're handling any sensitive information or providing services to organizations that are, you should have security practices in place. CMMC is just one particular framework for those practices.

Making Your Determination

Here's the process: get your contract, read the security requirements section, look for references to CMMC, NIST 800-171, CUI protection, or third-party assessment requirements. If you find them, CMMC applies. If you don't find them, ask your customer directly. If your customer says CMMC applies, determine the level and deadline from your contract or from them directly. If you're unsure at any point, default to asking your customer rather than guessing. The cost of finding out you need CMMC certification when you're trying to bid on a contract is much higher than the cost of asking the question proactively.

You're now able to answer the fundamental question: does CMMC apply to my organization? If it does, you know your level and your timeline. If it doesn't, you know that and can focus on the compliance frameworks that actually matter for your business. What comes next depends on your answer. If CMMC applies, the next conversation is preparation and implementation planning. If it doesn't, you can move on to other priorities knowing you've made an informed decision based on your actual contracts and customer requirements, not assumptions.


Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about CMMC as of its publication date. Standards, requirements, and enforcement actions evolve — consult a qualified compliance professional for guidance specific to your organization.