DoD CMMC Requirements: 2026 Contractor Guide
When a Cybersecurity Maturity Model Certification (CMMC) clause shows up in a Department of Defense (DoD) solicitation, cybersecurity stops being background policy and becomes a condition of award.
The first question a contractor has to answer is no longer about security posture in general, but about which CMMC status the contract demands and whether the proof exists today.
That pressure is already reshaping how the defense industrial base handles solicitations, flow-down, and annual affirmation.
This guide breaks down the regulatory framework, what each CMMC level requires, and how those obligations are triggered on a specific contract.
TL;DR
- DoD CMMC requirements are codified in 32 CFR Part 170 and made contractually enforceable through the 48 CFR acquisition rule, with DFARS 252.204-7012 and 252.204-7021 doing most of the contract-side work.
- The required CMMC level is driven by the data a system handles, not by company size: Level 1 applies to systems that hold only FCI, Level 2 applies to systems that process, store, or transmit CUI, and Level 3 is reserved for the most sensitive defense programs.
- Every contractor subject to the clause needs a current CMMC status recorded in SPRS and an annual affirmation by an affirming official, with a 180-day POA&M closeout window when conditional status applies.
What Are DoD CMMC Requirements?
DoD CMMC requirements are the cybersecurity requirements imposed on contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.
They define the required CMMC status, the assessment path, and the flow-down duties that protect data as it moves through the supply chain.
That makes the requirements narrower than the broader question of what CMMC is. CMMC is the program; a CMMC requirement is what a specific solicitation or contract tells an organization to achieve before award or during performance.
A team can understand the framework thoroughly and still miss the contractual obligation if no one tracks the clause language on each contract.
The obligations usually show up through four pieces:
- A specified CMMC level tied to the information system used for the work.
- An assessment record in the Supplier Performance Risk System (SPRS) or the relevant assessment environment.
- Annual affirmation by an affirming official, which the final Defense Federal Acquisition Regulation Supplement (DFARS) rule formally substituted for the earlier “senior company official” term.
- Flow-down language for prime contractors and subcontractors with relevant data access.
For a closer look at audit-ready evidence, the CMMC compliance guide covers what assessors look for once the contract language is in place.
The Regulatory Framework Behind CMMC
The regulatory stack matters because CMMC moved in two steps. One rule built the program, and another made the program usable in acquisition, which explains why some teams were preparing for CMMC before clauses could appear widely in contracts.
32 CFR Part 170 (The CMMC Program Rule)
32 CFR Part 170 is the CMMC program final rule. It took effect on December 16, 2024, and defined the three-level model, the conditional and final CMMC status path, and the annual affirmation rules.
The rule also explains how the limited Plan of Action and Milestones (POA&M) works for Level 2 and Level 3. Level 1 does not permit POA&Ms, which is an easy detail to miss because the lower level feels lighter.
The trade-off is that Level 1 asks for fewer safeguards but leaves no room for open gaps.
48 CFR (The CMMC Acquisition Rule)
While 32 CFR built the program, the 48 CFR acquisition rule makes it contractually enforceable.
It was published on September 10, 2025, became effective on November 10, 2025, and gives contracting officers the path to include CMMC language in solicitations, awards, task orders, and delivery orders.
That is the bridge from “CMMC exists” to “this contract requires CMMC.”
The rollout is phased over three years: Phase 1 (from November 10, 2025) introduces Level 1 and Level 2 self-assessment requirements, Phase 2 (from November 10, 2026) adds Level 2 C3PAO certification, Phase 3 (from November 10, 2027) adds Level 3, and Phase 4 (from November 10, 2028) applies CMMC requirements to all applicable solicitations and contracts. The CMMC implementation timeline goes deeper into those dates.
DFARS Clauses That Drive Compliance
The DFARS clauses create the contract mechanics behind CMMC compliance. Read together, they show why old self-assessment habits are not enough once CMMC status becomes a contractual requirement for award.
Two clauses now do most of the work after the Revolutionary FAR Overhaul (RFO) class deviations that took effect on February 1, 2026:
- DFARS 252.204-7012 requires safeguarding covered defense information and reporting cyber incidents to DoD within 72 hours of discovery on contracts involving that data.
- DFARS 252.204-7021 is the CMMC clause itself, requiring current status, annual affirmation, correct flow-down, and POA&M closeout when conditional status applies.
Contractors should also note that the older DFARS 252.204-7019 provision has been removed and DFARS 252.204-7020 has been renumbered to DFARS 252.240-7997, with the “basic” self-assessment concept previously used here folded into CMMC.
Medium and High government-led assessments still apply under the new clause. Until formal rulemaking catches up, contracts may still reference the legacy numbers, so check the actual clause language on every solicitation.
Requirements by CMMC Level
CMMC level is driven by data, not company size or revenue, so a small supplier can face Level 2 if it handles CUI, while a larger provider can stay at Level 1 when only FCI is involved. The scope drives the obligation.
Level 1 Requirements
CMMC Level 1 applies when the contract involves FCI but not CUI.
It maps to 15 basic safeguarding requirements from Federal Acquisition Regulation (FAR) 52.204-21 (renumbered to FAR 52.240-93 under the RFO class deviations), centered on access, media handling, physical protection, and basic system hygiene.
The organization performs an annual self-assessment and submits an annual affirmation in SPRS.
The practical risk is treating Level 1 as informal because no CMMC Third-Party Assessment Organization (C3PAO) is involved. It still needs evidence, ownership, and a current status date that supports the contract.
Level 2 Requirements
CMMC Level 2 applies when contractor systems process, store, or transmit CUI.
Built on the 110 security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2, this level may require either a self-assessment or a C3PAO assessment, depending on what the acquisition specifies.
The certification cycle generally runs every three years, with annual affirmation in between.
Conditional status is permitted only for limited gaps: the assessment must score at least 88 out of 110, only lower-weighted requirements may remain open on the POA&M, and the closeout window is 180 days from the conditional status date. That gives teams a narrow recovery path, not a reason to defer the hard controls.
Level 3 Requirements
CMMC Level 3 applies to the most sensitive defense contracts and is intended to provide increased assurance against foreign adversaries seeking access to sensitive information.
An organization must first achieve a final Level 2 (C3PAO) status for the same assessment scope before moving up.
Level 3 adds 24 selected requirements from NIST SP 800-172 on top of the full Level 2 set and uses a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment every three years.
Companies working on high-priority programs are the right fit, but most defense contractors should not chase it without a contract driver, since Level 2 usually carries the real near-term pressure.
How CMMC Requirements Apply to Your Contracts
The rules above matter only when they attach to a contract, subcontract, task order, or option. This is where teams have to track requirements operationally rather than as a reference exercise, because one clause can change the evidence burden across systems and suppliers.
Instead of treating each clause as a legal footnote, connect it to the information system, data type, assessment path, and affirmation owner. Requirements tracking is the operating layer that keeps those pieces visible after the bid team moves on.
The COTS Exclusion and Other Carve-Outs
Contracts solely for Commercially Available Off-the-Shelf (COTS) items are excluded from CMMC requirements under the acquisition rule.
That carve-out is narrow, so it does not automatically cover every commercial product, service contract, or mixed purchase that touches FCI or CUI.
This is a common scoping mistake because “commercial” and “COTS” sound close in normal business language, but in procurement terms, they are not the same.
If a contract includes services, support, configuration work, or data handling beyond a pure COTS purchase, the team should check the clause set before assuming CMMC is out of scope.
Flow-Down to Subcontractors
Prime contractors are required to pass down CMMC obligations to any subcontractors that handle, store, or transmit FCI or CUI. The flow-down level should match the subcontractor’s role and the data involved, rather than blindly copying the prime’s final level.
For example, a subcontractor handling only FCI may need Level 1 even when the prime contract carries higher obligations elsewhere, while a subcontractor handling CUI may need Level 2.
The prime still has to verify the subcontractor can comply with the right level before contract award, which makes flow-down a supply chain control rather than a paperwork step.
Keep CMMC Compliance Contract-Ready With MotherBear

DoD CMMC requirements are not a one-time hurdle. They are contractual obligations that compound across every defense contract a contractor takes on, since clauses change, evidence ages, status dates move, and affirmations come due again.
MotherBear is a CMMC compliance management hub built for defense contractors and the consultants who support them.
Control status, System Security Plan (SSP) records, and annual affirmations live in one workspace, so contract obligations do not disappear into spreadsheets and inboxes.
When a clause can decide award eligibility, scattered records create unnecessary risk. Book a demo to see how MotherBear can keep CMMC controls, evidence, and affirmations connected across every contract.
FAQs About DoD CMMC Requirements
What is needed for CMMC compliance?
Cybersecurity Maturity Model Certification (CMMC) compliance requires the right level, implemented controls, and an assessment backed by evidence and annual affirmation.
For Department of Defense (DoD) contractors, the exact path depends on whether the contract involves Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or CUI on a program the DoD has designated for Level 3.
Is CMMC required for DoD contracts?
CMMC can be required for DoD contracts when the solicitation or contract includes the applicable clause. The requirement applies to systems that process, store, or transmit FCI or CUI, though awards solely for Commercially Available Off-the-Shelf (COTS) items are excluded.
Is CMMC 2.0 mandatory?
CMMC 2.0 is mandatory when the applicable DoD solicitation or contract requires a current CMMC status. The program is codified in 32 CFR Part 170, and the 48 CFR acquisition rule lets contracting officers place those requirements into contracts.
What are CMMC Level 1 requirements?
CMMC Level 1 covers 15 basic safeguards for FCI. It uses an annual self-assessment and annual affirmation in the Supplier Performance Risk System (SPRS). These DoD CMMC requirements are lighter than Level 2, but contractors still need proof that safeguards are implemented.
Want to Ensure You Meet DoD Requirements?
Schedule a demo today of MotherBear to see how we can help