If you work with the U.S. Department of Defense (DoD), CMMC is no longer optional.
The big question most contractors are asking is:
“What CMMC level do we actually need?”
Let’s break it down simply.
What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification.
It is the DoD’s program to make sure contractors protect sensitive government data like:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
Before CMMC, companies mostly self-attested. Now, cybersecurity is verified and enforced through contracts.
When Was CMMC Fully Implemented?
November 10, 2025
From that date forward:
- New DoD contracts began including CMMC requirements
- Compliance became a condition of contract award
- Requirements flow down to subcontractors
CMMC is rolling out in phases, but primes can require compliance immediately.
What Level of CMMC Do You Need?
Your level depends on what data you handle and what your contract requires.
The 3 CMMC Levels
- Level 1 – You handle FCI only
- Level 2 – You handle CUI
- Level 3 – You support critical national security programs
Most companies fall into Level 1 or Level 2.
What Happened to NIST SP 800-171?
Short answer: It didn’t go away.
What changed:
- NIST SP 800-171 is now enforced through CMMC Level 2
- New contracts usually say “CMMC Level 2 required,” not just “800-171”
What didn’t change:
- The 110 NIST controls still apply
- They are now validated, not just promised
CMMC didn’t replace NIST 800-171 — it made it enforceable.
How Many Companies Are Affected?
DoD estimates (released September 2025):
| CMMC Level | Assessment Type | % of DIB | Est. Companies |
| --- | --- | --- | --- |
| Level 1 | Self-Assessment | 62% | ~209,500 |
| Level 2 | Self-Assessment | 2% | ~6,700 |
| Level 2 | Third-Party Certified | 35% | ~118,000 |
| Level 3 | Government Assessed | 1% | ~3,400 |
- Most contractors will be Level 1 or Level 2
- Many Level 2 contractors will need third-party certification
How to Tell Your CMMC Level From Your Contract
Here is a quick mapping of common contract clauses to likely CMMC levels:
| Clause in Contract | What It Means | Likely Level |
| --- | --- | --- |
| FAR 52.204-21 | FCI only | Level 1 |
| DFARS 252.204-7012 | CUI involved | Level 2 |
| DFARS 7019 / 7020 | NIST 800-171 validation | Level 2 (Self) |
| DFARS 7021 | CMMC required | Level stated |
| DFARS 7025 | Level specified | Level stated |
If these clauses apply to your prime, they usually flow down to you.
Key Things Every Contractor Should Know
Flow-down requirements are real
If your prime needs CMMC, you probably do too.
Certification takes longer than expected
Most companies underestimate:
- Documentation
- Evidence
- Technical cleanup
Waiting until CMMC is in the contract is often too late.
“Self-assessment” does not mean “easy”
Self-assessments still:
- Require full control implementation
- Must be posted in SPRS
- Can be audited by the DoD
- Carry legal risk if misrepresented
Final Thoughts
CMMC is now a gatekeeper to DoD revenue.
The contractors who win will:
- Know their level early
- Prepare before it’s required
- Treat cybersecurity as a business requirement, not a checkbox
Want the Short Version?
I’ve published a condensed version of this breakdown on my LinkedIn.
And for practical updates and compliance guidance, read our featured articles in AdRem’s The Cyberside Brief, where we regularly cover CMMC and other compliance-related topics.
Need Help Figuring This Out?
Sherpa helps defense contractors understand their CMMC level, prepare the right way, and avoid costly mistakes.
If you’re unsure where you fall, or how to get there, contact us to schedule your free Compliance Assessment.
We’ll help you navigate the CMMC journey with clarity and confidence.