Who Needs CMMC Certification?

Reviewed by the Fully Compliance editorial team

Any organization that performs on a Department of Defense contract involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), or subcontracts to one, almost certainly needs a CMMC status at some level. The requirement flows down through the defense supply chain, and the DoD is phasing it into solicitations as a condition of contract award. Your specific contract language determines whether it applies and at what level.

Direct DoD Contractors — Certification Is Table Stakes

If you hold a contract directly with the Department of Defense, CMMC almost certainly applies to you. Under the DFARS CMMC clause, the contracting officer verifies that an offeror holds the required CMMC status before award, so an organization without it is not eligible for work that carries the clause. This is not a future enforcement posture; it is the current one.

The timeline dimension matters. If your current contract was awarded before the CMMC clause began appearing in solicitations, it may not contain explicit CMMC requirements, although it very likely already contains DFARS 252.204-7012, which has required NIST SP 800-171 implementation for CUI since 2017. Any new award, renewal, or new task order that carries the CMMC clause will require the stated CMMC status at the time of award, not at some point after performance begins. The window for "we are planning to get certified" is closing: the Department expects the required status to be in place before it awards the contract.

Subcontractors and the Supply Chain Cascade

The requirement does not stop at prime contractors. If you are a subcontractor to an organization with a DoD contract requiring CMMC, and your work touches that contract's scope, you inherit an obligation. That obligation varies — it might be full certification at a specified level, compliance with certain CMMC practices without formal certification, or ensuring that your work does not undermine your customer's compliance posture.

Contract language is the only reliable guide here. Some subcontracts explicitly require CMMC certification. Others require compliance with CMMC practices. Others reference NIST SP 800-171, which is the foundation of CMMC Level 2. Still others say nothing about CMMC but contain security requirements that functionally overlap with it. You need to read your actual contracts. Do not assume based on what your prime contractor mentioned at a conference. Do not assume based on your industry segment. Read the language.

A concrete example makes this tangible. You are a software vendor with a contract to provide specialized software to a defense contractor. That contractor holds DoD contracts requiring CMMC certification. Does your company need CMMC? It depends entirely on your contract. If the language says you must be CMMC certified, then yes. If it says you must meet certain CMMC practices, you have a compliance obligation but perhaps not a certification one. If it says you must ensure your software does not create security vulnerabilities in systems processing CUI, you have a responsibility — but the specific mechanism might not be CMMC. Only your contract tells you what is actually required.

Determining Whether You Are In Scope

Your first step is straightforward. Do you receive, store, or generate Federal Contract Information under a DoD contract (nearly every contractor does)? Do you handle Controlled Unclassified Information? Do you provide services that touch a DoD system or network? If the answer is no to all of these, or your only DoD business is supplying commercially available off-the-shelf (COTS) items, CMMC does not apply to your organization. You may have other compliance obligations, such as HIPAA for healthcare data, PCI DSS for payment cards, or SOC 2 for commercial service providers, but CMMC is specific to the defense supply chain.

If the answer is yes to any of those questions, dig deeper. Check your contract for explicit CMMC requirements. Look for DFARS 252.204-7021 (the CMMC clause) and for language like "must achieve CMMC certification at Level X by date Y" or "must comply with CMMC practices." Look also for DFARS 252.204-7012, 252.204-7019, and 252.204-7020, which require NIST SP 800-171 implementation and a DoD assessment score posted in SPRS; those clauses mark the same CUI-handling work that CMMC Level 2 will cover. If you find no explicit CMMC language, look for references to CUI protection, security standards, or third-party assessment requirements. Any of these can trigger compliance obligations.

When in doubt, ask your customer directly. Have a specific conversation: do I need CMMC certification, at what level, by what date, and will you accept interim compliance while I work toward certification? These are concrete questions with concrete answers, and your customer can provide them. Guessing is more expensive than asking.

The Vendor Blind Spot

Many vendors get caught off guard because they did not realize they were in scope. A software vendor thought they were just providing software. A consulting firm thought they were providing advice, not handling data. A staffing company thought they were providing personnel, not accessing sensitive systems. But any of these could be handling or accessing CUI without recognizing it. A software vendor's product might have access to controlled systems. A consulting firm might review technical specifications classified as CUI. A staffing company's personnel might work on contracts that process sensitive information.

According to IBM's 2023 Cost of a Data Breach Report, conducted by the Ponemon Institute, the average cost of a data breach reached $4.45 million globally, and breaches that began with a compromised business partner or supply chain were among the more expensive initial attack vectors. The DoD's enforcement posture reflects this reality: the cost of unsecured supply chain links is too high to leave compliance voluntary.

The conversation with your customer is the cheapest insurance policy available. Do not assume your work is out of scope. Ask. It is better to learn you need CMMC now and start planning than to discover it when a contract renewal is on the line.

Enforcement Timeline — "Soon" Has Arrived

The underlying requirement is not new: DFARS 252.204-7012 has required contractors handling CUI to implement NIST SP 800-171 since the end of 2017, and DFARS 252.204-7019 and 252.204-7020 have required a self-assessment score in SPRS since late 2020. What CMMC adds is verification. The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the companion DFARS rule phases the CMMC clause into new solicitations over a period of roughly three years, starting with self-assessments and moving to third-party certification for Level 2. Not every legacy contract has been updated, and COTS-only procurements are exempt, but the direction is unmistakable and each phase brings more solicitations into scope.

If you have a contract that requires CMMC certification by a specific date and you are not certified, you have an urgent problem. In practice, contractors typically need 6 to 18 months from the start of a serious compliance effort to certification, and longer if they are starting from a weak security baseline. Level 2 certification also depends on the availability of an authorized third-party assessment organization (C3PAO), so the assessment itself must be scheduled well ahead of any deadline. If your timeline is tight, you need to know that immediately so you can begin allocating resources.

Determining Your Required Level

Once you have established that CMMC applies, the next question is which level. Your contract specifies it, and the level tracks the information you handle. Level 1 (the 15 basic safeguarding requirements from FAR 52.204-21) applies when you handle only FCI and no CUI. Level 2 (the 110 requirements of NIST SP 800-171) applies when you handle CUI and is what most contracts involving CUI will require. Level 3 (Level 2 plus a subset of NIST SP 800-172) is reserved for a smaller set of programs with higher-priority CUI. Your contract language will state the level, or your contracting officer can tell you directly. If your customer says "you need CMMC certification" without specifying a level, ask for clarification. Assuming the wrong level wastes time and money in either direction: over-investing in Level 3 when Level 2 is sufficient, or under-preparing at Level 1 when Level 2 is required.

When CMMC Does Not Apply — What Else Might

If you have determined that CMMC truly does not apply to your organization, you are not necessarily free of compliance obligations. Healthcare data triggers HIPAA. Payment card processing triggers PCI DSS. International clients may require ISO 27001 certification or GDPR compliance. Cloud services sold to federal agencies generally need FedRAMP authorization, and civilian agencies that share CUI impose their own NIST SP 800-171-based requirements. Commercial customers often ask for a SOC 2 report. Financial institution clients carry their own compliance requirements. CMMC is one framework among many, specific to defense contractors handling FCI and CUI.

That said, even without a CMMC requirement, the security principles underlying it, such as asset management, access control, encryption, monitoring, and incident response, are universal. The absence of a CMMC obligation should not be confused with the absence of a security need. If you handle any sensitive information, you should have security practices in place regardless of which framework governs them.

Frequently Asked Questions

Does CMMC apply if I only have one small DoD subcontract?
The size of the subcontract does not determine whether CMMC applies. What matters is whether your work touches CUI or systems in scope for CMMC under your contract. A small subcontract that involves handling controlled information carries the same compliance obligation as a large one. Check your contract language and ask your prime contractor.

Can I get an exemption from CMMC requirements?
CMMC requirements are set by the DoD and flow through contracts. There is no general exemption process. The only built-in exclusion is for procurements of commercially available off-the-shelf (COTS) items, which do not carry the CMMC clause. If your contract specifies CMMC, you must comply. If you believe a requirement was included in error, raise it with your contracting officer, but do not assume you are exempt without written confirmation.

What if my prime contractor says I do not need CMMC but my contract language suggests otherwise?
The contract language governs. If there is a discrepancy between what your prime contractor tells you verbally and what the contract says, get written clarification. Verbal assurances do not protect you if a contracting officer later enforces the written requirement.

How do I know if I am handling CUI?
CUI is information the government creates or possesses, or that a contractor creates or handles on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded; the categories are listed in the National Archives CUI Registry. In the defense context it commonly includes controlled technical information about defense systems, export-controlled data, and certain acquisition and research information. If you are unsure whether information you handle qualifies as CUI, ask your contracting officer or the government program office. CUI should carry markings, but in practice many contractors receive CUI that was never formally marked, and the absence of a marking does not remove the protection obligation.

What happens if I lose CMMC certification mid-contract?
Losing certification, whether through failure to maintain controls or expiration without reassessment, puts your contract at risk. The DoD can suspend or terminate contracts for non-compliance with stated security requirements. A CMMC status is valid for three years but must be affirmed annually by a senior official in SPRS, and a missed affirmation lapses the status just as surely as a failed reassessment. Maintaining certification is an ongoing obligation, not a one-time achievement.

Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about CMMC as of its publication date. Standards, requirements, and enforcement actions evolve — consult a qualified compliance professional for guidance specific to your organization.