
Is CMMC Required?

Last updated: October 23, 2025

It’s the question many businesses and contractors want answered — is CMMC required now?

This is critical information for any entity that works with, or is pursuing work for, the U.S. Department of Defense (DoD).

Currently, CMMC, the Cybersecurity Maturity Model Certification program, is indeed required for organizations that do business with the DoD and handle FCI or CUI on their own systems. The final CMMC Program Rule (32 CFR part 170) was published on October 15, 2024, and took effect December 16, 2024. The final Defense Federal Acquisition Regulation Supplement (DFARS) acquisition rule (48 CFR) was published on September 10, 2025, with an effective date of November 10, 2025; from that date, contracting officers can place CMMC requirements in solicitations and contracts. Together, the two rules verify that defense contractors actually implement the required protections for federal contract information and controlled unclassified information, rather than merely attesting to them.

Ultimately, the CMMC is designed to safeguard sensitive information, thwart ongoing threats, and support public trust while ensuring DoD contractors and subcontractors meet essential cybersecurity requirements.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) framework for ensuring contractors protect sensitive government data. Besides building on earlier cybersecurity requirements—specifically, DFARS 252.204-7012 and NIST SP 800-171—it also adds an independent verification step to verify that companies meet the standards they claim to follow.

The most current version, CMMC 2.0, streamlines the model from five levels to three. As such, it aligns more closely with NIST guidance and reduces redundant controls. It also introduces a mix of self-assessments and third-party CMMC compliance audits, depending on the data type contractors handle.

Ultimately, the goal of CMMC 2.0 compliance is a trusted defense industrial base (DIB) in which every company, regardless of size, maintains a verifiable baseline of cybersecurity. By awarding contracts only to organizations that hold the required CMMC status, the DoD aims to reduce data leaks, ransomware attacks, and supply-chain breaches before they occur.

What are the different CMMC levels?

CMMC requirements span three maturity levels: Level 1, Level 2, and Level 3.

Each level introduces a progressively sophisticated set of cybersecurity practices. CMMC requirements vary depending on the level of certification needed:

Level 1 (Foundational):

  • Implement 15 practices from FAR 52.204-21
  • Annual self-assessment
  • Senior company official affirmation
  • No POA&M allowed; all practices must be fully implemented

Level 2 (Advanced):

  • Implement 110 practices aligned with NIST SP 800-171
  • Triennial self-assessment with an annual affirmation, where the solicitation permits self-assessment (less sensitive CUI)
  • Triennial certification assessment by a C3PAO with an annual affirmation, where the solicitation requires it (more sensitive CUI)
  • Plan of Action and Milestones (POA&M) allowed only for a limited set of low-weighted requirements, and only if the assessment score is at least 88 of 110; all items must be closed out within 180 days of the Conditional CMMC Status date

Level 3 (Expert):

  • Implement 134 requirements: all 110 from NIST SP 800-171 plus 24 selected from NIST SP 800-172
  • Prerequisite: a Final Level 2 (C3PAO) status covering the same scope
  • Triennial government-led assessment by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with an annual affirmation
  • POA&M allowed for a limited set of requirements; must be closed out within 180 days

What Is the Difference Between FCI and CUI?

The type of government data you interact with decides how far up the CMMC ladder you have to climb, and how much it costs to stay there.

FCI (Federal Contract Information) refers to unclassified information that a contractor creates or provides for the federal government to deliver or develop a service or product to the government. It’s not meant for public release and excludes publicly available or purely transactional details, such as payment processing data. Typical examples include proposal responses, emails exchanged with DoD, contract performance reports, and organizational charts. Companies handling only FCI fall under CMMC Level 1.

CUI (Controlled Unclassified Information) is considered more sensitive than FCI. It’s also unclassified, but it requires additional safeguarding and dissemination controls under specific regulations and laws. NIST SP 800-171 establishes the minimum standard for protecting CUI in non-federal organizations and systems. Examples of CUI include data such as technical reports and engineering drawings, legal documents involving investigations and litigation, and details related to system, building, or personnel security.

Handling CUI triggers CMMC Level 2 or 3, depending on the sensitivity of the data and the program it supports. Most organizations handling CUI only need to meet Level 2; those supporting the DoD's highest-priority programs, where the CUI is a target for advanced persistent threats, may be required to reach Level 3. Level 2 is validated either by self-assessment or by a Certified Third-Party Assessment Organization (C3PAO), as the solicitation specifies. Level 3 requires a Final Level 2 (C3PAO) status first and is then assessed by the government (DIBCAC), not by a C3PAO.

Who Needs CMMC Level 1?

Any company that handles FCI on a DoD contract must meet at least CMMC Level 1. It is the floor of the DoD's updated CMMC 2.0 framework and the easiest level to achieve, since it is self-assessed against the 15 basic safeguarding requirements of FAR 52.204-21.

Once you have a current Level 1 self-assessment status recorded in SPRS, your business can be awarded DoD contracts that involve only FCI. It can also work as a subcontractor for a company that has won a DoD contract, as long as it receives only FCI from the prime.

However, the opportunities available at this level are relatively limited. Any work that puts CUI on your systems requires Level 2, and the most sensitive programs require Level 3. The level you need is set by the data a contract places in your hands, not by a ladder you climb one rung at a time; a company that handles CUI from day one needs Level 2 from day one.

What Companies Need CMMC Compliance?

The Cybersecurity Maturity Model Certification program applies to any company, contractor, or subcontractor that will “process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on unclassified contractor information systems.” CMMC compliance is a must for companies working with the DoD, while broader SaaS compliance frameworks matter for businesses and organizations across industries.

There are limited exemptions: contracts exclusively for commercially available off-the-shelf (COTS) items, and procurements at or below the DoD’s micro-purchase threshold of $10,000. Note that the exemption attaches to the contract, not to the company; a COTS supplier that also receives CUI under another contract needs the level that contract requires.

Who Needs Cybersecurity Maturity Model Certification?

Under the CMMC rule, a company must hold the CMMC status a given solicitation requires before it can be awarded that contract; the status shows the business is cleared to handle FCI or CUI at the corresponding level. Note that CMMC differs from FedRAMP. CMMC has three levels of increasingly strict security requirements that apply to the contractor’s own information systems. FedRAMP is a government-wide authorization program for cloud service offerings. The two intersect in one important place: under DFARS 252.204-7012, a cloud service you use to store or process CUI must be FedRAMP Moderate authorized or meet the DoD’s FedRAMP Moderate equivalency requirements, so your choice of cloud provider is part of your CMMC scope.

The key takeaway is that you don’t need CMMC to work with other parts of the U.S. government. Each agency sets its own standards for cybersecurity, which dictate the frameworks partner vendors need to follow.

That being said, becoming CMMC compliant is a great way to show your company takes cybersecurity seriously. Even if you don’t need it today, pursuing CMMC compliance could still help you earn valuable government contracts. 

Doing so also prepares you to work with the DoD in the future if the opportunity arises. The process for Level 3 CMMC certification can take several years to complete. So, it’s worth starting early if you can imagine future interest in winning DoD contracts.

Does Your Company Need CMMC Compliance?

Earning CMMC compliance is a must if you ever want to work with the Department of Defense. But even if you’re unsure, it may still be worth pursuing. 

This certification is a great way to show other potential clients that you take their security seriously, and you can market your company on that basis to stand out from the competition. That differentiator is likely to become more valuable as the cost of cyberattacks continues to climb, so it is worth weighing as you evaluate whether your company needs CMMC compliance.

The Flow-Down Requirement to Subcontractors

CMMC compliance for contractors doesn’t only apply to the prime contractor, that is, the organization or individual contracting with the federal government. It extends to every subcontractor handling government data.

  • Definition: This process, called flow-down, requires prime contractors to include the DFARS 252.204-7021 clause in all subcontracts involving FCI or CUI. 
  • Mechanism: Before awarding a subcontract, the prime must ensure the subcontractor has a current CMMC status at the level the subcontract requires. The subcontractor’s own status is recorded in the Supplier Performance Risk System (SPRS), just as the prime’s is.
  • Implication: The required level follows the data. If the prime must hold Level 2 to process CUI, any subcontractor receiving that CUI must also hold Level 2; a subcontractor that receives only FCI needs Level 1.

In short, flow-down makes every contractor in the DoD ecosystem uphold the same cybersecurity baseline. 

Is CMMC Only for DoD?

While the CMMC was designed specifically for the U.S. Department of Defense, the DoD officials who lead the program have said that other federal agencies are considering adopting it. Regardless of how that timeline plays out, CMMC is a strong set of security requirements built around accountability and resilience to cyber threats, and it could be applied by numerous agencies and businesses.

Has CMMC Been Finalized?

Yes. CMMC is no longer a proposed framework. The CMMC final rule was published in the Federal Register on Oct. 15, 2024. 

On September 10, 2025, the 48 CFR (DFARS) CMMC acquisition rule was published in the Federal Register. On November 10, 2025, the rule officially goes into effect. From that day forward, CMMC requirements will be phased into DoD solicitations and contracts that involve FCI or CUI, as a condition of contract award.

What is the current status of CMMC?

CMMC is no longer a future concept. It is now a binding requirement for the defense industrial base. The U.S. Department of Defense has finalized its rule making, making CMMC a legal and contractual reality.

The CMMC Clock Starts on November 10, 2025

The CMMC Program Rule (32 CFR part 170) took effect on December 16, 2024. But for contractors, the key action is the CMMC Acquisition Rule (48 CFR), published on September 10, 2025. This rule becomes effective on November 10, 2025, and it’s the most important date on your calendar.

This rule gives the DoD the authority to include CMMC requirements in contracts, making compliance a condition.

CMMC Phased Rollout is Beginning Now

While CMMC is now a legal requirement, the DoD is implementing it gradually over a three-year period.

  • Phase 1, starting November 10, 2025: CMMC requirements begin to appear in new DoD solicitations and contracts. This phase covers Level 1 and Level 2 self-assessments, although a contracting officer may require a Level 2 C3PAO certification where the program office chooses.
  • Phase 2, from November 10, 2026: Level 2 C3PAO certification becomes the norm for applicable contracts. Phase 3, from November 10, 2027, adds Level 3 requirements. Because a third-party assessment can already be required in Phase 1, don’t assume you have extra time.
  • Phase 4, full implementation from November 10, 2028: CMMC requirements apply to all applicable DoD solicitations and contracts, including option periods on contracts awarded earlier.

CMMC as a Condition for Contract Award

Under DFARS 252.204-7021, companies must have a current CMMC status at the required level recorded in SPRS to be eligible for award of a DoD contract that includes the clause. In other words, no current status in SPRS means no contract award.

DoD Contracting Officers must verify each company’s CMMC level in SPRS before awarding work. This ensures every contractor entering the defense supply chain meets the cybersecurity standards tied to the sensitivity of the data they’ll handle.

What should DoD contractors do now about CMMC?

Contractors can no longer afford to wait. The clock is ticking, and the following actions are critical to remain eligible for DoD work:

  • Assess Your Status: You must document your CMMC status in the DoD’s Supplier Performance Risk System (SPRS). Without an up-to-date entry, you will be ineligible for new contracts that require CMMC.
  • Address Compliance Gaps: For Levels 2 and 3, the final rule permits a Conditional CMMC Status. You can use a Plan of Action & Milestones (POA&M) to track a limited set of remaining deficiencies. This is only a temporary solution: every POA&M item must be closed, and the closeout verified, within 180 days to reach Final status.
  • Check Your Supply Chain: Prime contractors must make sure all subcontractors dealing with sensitive data meet the needed CMMC level. The CMMC clause must be “flowed down” to every tier of the supply chain.

Understanding Conditional Certification and the 180-day POA&M

Temporary non-compliance with CMMC is possible, but only under tightly controlled conditions.

Contractors seeking Level 2 or Level 3 status can receive Conditional CMMC Status by documenting the remaining gaps in a Plan of Action and Milestones (POA&M). The POA&M records each deficiency, the corrective steps, and the target date, and work may proceed while those final items are addressed.

All open items must be closed within 180 days of the Conditional CMMC Status date, and the closeout must be verified (by the C3PAO for a certification assessment, by the organization itself for a self-assessment) before the status becomes Final. Missing that window causes the Conditional status to expire, and the contractor loses eligibility for new awards that require it.

Keep in mind that POA&Ms are tightly limited. At Level 2, the assessment score must be at least 88 of 110; only requirements weighted 1 point in the DoD CMMC Scoring Methodology may be deferred, with a single exception (SC.L2-3.13.11, FIPS-validated encryption, may be deferred at 3 points when encryption is in place but not FIPS-validated); and six 1-point requirements (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) can never be deferred. High-weighted requirements such as incident handling, multi-factor authentication, and access control therefore have to be fully implemented before Conditional status is granted.
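Because the Conditional-status conditions are a fixed rule, they can be checked mechanically before an assessment rather than discovered during one. The Python below is an added example written for this article, not code from Trava, the Cyber AB, or the DoD: it encodes the Level 2 POA&M conditions of 32 CFR 170.21(a)(2) (minimum score 88 of 110, only 1-point deductions except SC.L2-3.13.11 at 3 points, six requirements never deferrable) and the 180-day closeout window of 170.21(b). The point deductions must come from an assessor’s scoring under the DoD CMMC Scoring Methodology; the requirement IDs and deductions in the sample input are constructed for illustration and should be checked against the published scoring table.

```python
"""CMMC Level 2 POA&M eligibility and closeout-deadline check (added example).

Encodes the Conditional CMMC Status conditions of 32 CFR 170.21(a)(2)
and the 180-day closeout window of 170.21(b). Point deductions must
come from an assessor's scoring under the DoD CMMC Scoring Methodology;
the sample input at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev 2 requirements assessed at Level 2
MIN_SCORE = 88             # 80% of 110: minimum score for Conditional status
POAM_WINDOW_DAYS = 180     # closeout deadline after the Conditional CMMC Status date

# 1-point requirements that may never be deferred, 32 CFR 170.21(a)(2)(iii).
NEVER_DEFERRABLE = {
    "AC.L2-3.1.20",  # External Connections
    "AC.L2-3.1.22",  # Control Public Information
    "CA.L2-3.12.4",  # System Security Plan
    "PE.L2-3.10.3",  # Escort Visitors
    "PE.L2-3.10.4",  # Physical Access Logs
    "PE.L2-3.10.5",  # Manage Physical Access
}
# The only requirement allowed on a POA&M at a 3-point deduction
# (encryption in place but not FIPS-validated). At 5 points (no encryption)
# it may not be deferred.
FIPS_EXCEPTION = "SC.L2-3.13.11"


@dataclass
class PoamDecision:
    score: int
    eligible: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_level2_poam(not_met: dict[str, int]) -> PoamDecision:
    """Decide whether the NOT MET requirements may go on a POA&M.

    not_met maps a requirement ID to the points the assessor deducted
    for it (1, 3 or 5). Returns every failing condition, not just the first,
    so the gap list can be prioritised in one pass.
    """
    score = TOTAL_REQUIREMENTS - sum(not_met.values())
    reasons: list[str] = []
    if score < MIN_SCORE:
        reasons.append(f"score {score}/{TOTAL_REQUIREMENTS} is below the minimum of {MIN_SCORE}")
    for req, points in sorted(not_met.items()):
        if req in NEVER_DEFERRABLE:
            reasons.append(f"{req} may never be placed on a POA&M")
        elif req == FIPS_EXCEPTION:
            if points not in (1, 3):
                reasons.append(f"{req} at {points} points (no encryption) may not be deferred")
        elif points > 1:
            reasons.append(f"{req} is a {points}-point requirement; only 1-point gaps may be deferred")
    return PoamDecision(score=score, eligible=not reasons, reasons=reasons)


def poam_deadline(conditional_status_date: date) -> date:
    """Last day to close every POA&M item before Conditional status expires."""
    return conditional_status_date + timedelta(days=POAM_WINDOW_DAYS)


# Constructed sample input: two 1-point gaps plus non-FIPS encryption.
# Verify each deduction against the published Scoring Methodology.
SAMPLE_NOT_MET = {"MP.L2-3.8.9": 1, "AU.L2-3.3.3": 1, "SC.L2-3.13.11": 3}
SAMPLE_CONDITIONAL_DATE = date(2025, 11, 10)

if __name__ == "__main__":
    decision = evaluate_level2_poam(SAMPLE_NOT_MET)
    print(f"score={decision.score} eligible={decision.eligible}")
    for reason in decision.reasons:
        print(" -", reason)
    print("POA&M must be closed by", poam_deadline(SAMPLE_CONDITIONAL_DATE))
```

Run it against your own gap list before engaging a C3PAO: a single 5-point gap such as incident handling makes the whole POA&M ineligible even when the score is well above 88, which is exactly the situation the paragraph above warns about.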

Keeping up with CMMC requirements can feel overwhelming, particularly when you’re focused on day-to-day operations. Trava Security simplifies the process for contractors who want a “CMMC for Dummies” approach. See how we can get your organization audit-ready.

What is an RPO?

RPO stands for Registered Practitioner Organization. An RPO offers cybersecurity consulting and advisory services to defense contractors to help them get ready for CMMC. The Cyber AB (the CMMC accreditation body) registers RPOs to provide these services.

The key thing to understand is that RPOs cannot perform a CMMC assessment or issue a certification. Their role is to help an organization get ready for the assessment, not to conduct it.

What Is a CMMC Registered Practitioner Organization?

Achieving CMMC compliance can be a difficult, lengthy process. That’s why Registered Practitioner Organizations (RPOs) exist. They guide companies through the certification journey by helping them find and fix security problem areas.

For example, you might run a small business with just a few employees. That would leave you little time to pursue advanced security designations like CMMC. An RPO can help you get there without disrupting your schedule.

If you’re interested in CMMC for small businesses, the next step is comparing options. You can research providers online and book consultation meetings to see which registered provider is the right fit for your goals and preferences.

What is the difference between an RPO and C3PAO?

An RPO and a C3PAO serve very distinct roles in the CMMC ecosystem.

  • RPO (Registered Practitioner Organization): Provides advisory and preparation services. They help a company conduct a gap analysis, develop a System Security Plan (SSP), and put in place the security practices needed for a CMMC assessment.
  • C3PAO (Certified Third-Party Assessment Organization): Performs the official, independent CMMC Level 2 certification assessment. A C3PAO is the only non-government entity that can verify that a company meets the Level 2 requirements and issue the certificate. (Level 3 assessments are conducted by the government’s DIBCAC.)

The separation of these roles is intentional to prevent conflicts of interest. An organization that helps a company improve its security posture (RPO) can’t be the same one that assesses its compliance (C3PAO).

What Are the Penalties for CMMC Non-Compliance?

Failing to meet CMMC requirements can jeopardize current and future business with the DoD. There are two types of penalties for CMMC non-compliance: contractual and legal.

Contractual Exclusion and Termination

Companies that fail to obtain or maintain the required CMMC certification could lose current and future DoD contracts. They would also become ineligible to bid on solicitations requiring a specific CMMC level.

The Role of the False Claims Act (FCA) in CMMC Enforcement

CMMC non-compliance involving fraud, such as falsely claiming certification, can have serious consequences. 

The Department of Justice (DOJ) enforces the False Claims Act (FCA) against contractors who misrepresent their cybersecurity or CMMC status, including in self-assessments and affirmations; its Civil Cyber-Fraud Initiative, announced in 2021, targets exactly this conduct. FCA liability includes treble damages plus a civil penalty for each false claim, so settlements routinely reach millions of dollars. Cases are often triggered by whistleblowers (qui tam relators), who may share in the recovery. Besides eating into your bottom line, these cases can severely damage your company’s reputation and future eligibility for federal contracts.

How can a Registered Practitioner Organization (RPO) help with CMMC?

While an RPO can’t issue CMMC certification, it can prepare your organization for certification by:

  • Identifying compliance gaps
  • Building a security plan
  • Guiding you through audit readiness

These CMMC compliance services can significantly increase your chances of passing the official CMMC assessment.

Why is an RPO needed for CMMC?

Defense contractors face significant challenges in navigating the complexities of CMMC compliance. While a do-it-yourself approach might seem appealing, partnering with an RPO offers distinct advantages in preparing for a CMMC assessment with a C3PAO.

Challenges of DIY CMMC

Undertaking CMMC preparation internally often leads to:

  • Lack of Expertise: CMMC requirements are extensive and nuanced. Internal teams may lack the specialized knowledge and experience to accurately interpret and implement all controls.
  • Resource Strain: The time and effort required for CMMC readiness can divert valuable internal resources from core business operations.
  • Risk of Non-Compliance: Misinterpretations or incomplete implementations can result in audit failures, leading to delays in contract awards and potential loss of business.
  • Limited Objectivity: An internal perspective may miss critical gaps or areas of non-compliance due to familiarity bias.

Benefits of an RPO Partnership

An RPO brings a wealth of expertise and a structured approach to CMMC preparation, ensuring a smoother audit process and higher likelihood of success. Key benefits include:

  • Specialized Expertise: RPOs employ cybersecurity professionals with deep knowledge of CMMC, enabling them to provide accurate guidance and implement the necessary controls.
  • Streamlined Processes: RPOs have established methodologies and tools to efficiently assess an organization’s current cybersecurity posture, identify gaps, and implement corrective actions.
  • Reduced Burden on Internal Teams: By outsourcing CMMC preparation, defense contractors can free up their internal teams to focus on their primary responsibilities.
  • Objective Assessment: An RPO provides an unbiased evaluation of an organization’s readiness, identifying weaknesses that might be overlooked internally.
  • Audit Confidence: With an RPO’s guidance, organizations can approach their CMMC audit with a C3PAO with greater confidence, knowing they have met the stringent requirements.
  • Cost-Effectiveness: While there’s an upfront investment, partnering with an RPO can prevent costly audit failures, delays, and potential loss of contracts in the long run.
  • Continuous Improvement: Many RPOs offer ongoing support, helping organizations maintain compliance and adapt to evolving CMMC requirements.

How to choose the right RPO?

Selecting the right RPO is crucial for successful CMMC preparation. Consider the following factors:

  • Registration: Ensure the RPO is currently registered with the Cyber AB; its listing should appear in the Cyber AB Marketplace, and the individuals doing the work should be Registered Practitioners.
  • Experience and Expertise: Look for RPOs with a proven track record in CMMC compliance and a deep understanding of the DIB’s unique cybersecurity challenges.
  • Methodology and Tools: Evaluate their approach to CMMC readiness, including their assessment processes, implementation strategies, and the tools they utilize.
  • Client Testimonials and References: Seek feedback from other companies who have worked with the RPO to gauge their effectiveness and client satisfaction.
  • Communication and Collaboration: Choose an RPO that prioritizes clear communication, transparency, and a collaborative working relationship.
  • Cost and Value: While cost is a factor, prioritize value over the lowest price. A reputable RPO can prevent costly compliance failures in the long run.

Why Choose Trava Security as Your RPO

Trava Security stands out as an ideal RPO partner for CMMC compliance due to several key differentiators:

  • Deep CMMC Expertise: Trava’s team comprises seasoned cybersecurity professionals with extensive knowledge of CMMC requirements and the intricacies of the DoD ecosystem.
  • Proven Methodology: Trava utilizes a structured and efficient methodology for CMMC readiness, from initial assessment to control implementation and audit preparation.
  • Proactive Approach: Trava goes beyond just meeting compliance checkboxes. They focus on building a sustainable cybersecurity posture that protects your organization long-term.
  • Dedicated Support: Trava provides personalized support and guidance throughout the entire CMMC journey, ensuring you’re always informed and confident in your compliance efforts.
  • Cost-Effective Solutions: Trava offers competitive pricing models that provide significant value, helping you achieve CMMC compliance without compromising your budget.
  • Focus on the DIB: Trava understands the specific needs and challenges of defense contractors, offering tailored solutions that address the unique requirements of the DIB.

Learn more about Trava’s CMMC Compliance service.

Upgrade Your Cybersecurity Posture With Trava Security

CMMC compliance and SaaS compliance are hot topics for a reason: data privacy matters, cyberattacks are more prevalent than ever, and security and compliance programs have become a baseline expectation. Fortunately, there are also more resources for small- and medium-sized businesses looking to build or manage cybersecurity programs and initiatives.

Trava Security offers compliance and cybersecurity services designed for growth companies, including compliance as a service, compliance readiness, penetration testing, cybersecurity due diligence, vulnerability assessments, and more. Whether you are looking to contract with the U.S. Department of Defense or simply want to upgrade your cybersecurity and compliance programs, we can help you achieve compliance and certification.

CMMC Compliance FAQ

Is CMMC required now?
Yes. From November 10, 2025, CMMC (Cybersecurity Maturity Model Certification) is a contractual requirement that the DoD can place in new solicitations and contracts involving FCI or CUI. It is being phased in, with full implementation from November 10, 2028.

Who needs CMMC certification?
Any contractor or subcontractor that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the DoD must hold the CMMC status its contract requires. The only exceptions are contracts exclusively for commercially available off-the-shelf (COTS) items and procurements at or below the micro-purchase threshold ($10,000).

What are the CMMC levels?
CMMC has three levels:

  • Level 1 (Foundational): 15 basic safeguarding requirements from FAR 52.204-21, annual self-assessment.
  • Level 2 (Advanced): 110 NIST SP 800-171 requirements; triennial self-assessment or C3PAO certification assessment, as the contract specifies, with annual affirmation.
  • Level 3 (Expert): Highest level; adds 24 NIST SP 800-172 requirements on top of Level 2 and is assessed by the government (DIBCAC).

What happens if my company is not CMMC compliant?
Without the required CMMC status recorded in SPRS, your company will be ineligible for award of new DoD contracts that include a CMMC requirement. Compliance is also required throughout the supply chain, so a prime cannot pass you FCI or CUI unless you hold the level the subcontract requires.

How can a Registered Practitioner Organization (RPO) help with CMMC?
An RPO can’t issue certification but can prepare your organization by identifying compliance gaps, building a System Security Plan, and guiding you through audit readiness, increasing your chances of passing the official CMMC assessment.

Is there a resource available for CMMC updates?

For more information on CMMC, including the Marketplace listing of RPOs and C3PAOs, visit the Cyber AB website at https://cyberab.org/.

Questions?

We can help! Talk to the Trava Team and see how we can assist you with your cybersecurity needs.