Description
All new DoD contracts will require CMMC certification at the appropriate level (1, 2, or 3). Level 1 covers basic Federal Contract Information (FCI) with 17 practices and self-assessment. Level 2 covers Controlled Unclassified Information (CUI) with all 110 NIST SP 800-171 practices and third-party C3PAO assessment. Level 3 covers Advanced Persistent Threats with government-led assessment.
Requirements
- Determine required CMMC level based on data handled
- Complete CMMC self-assessment or engage C3PAO
- Implement all required practices for target level
- Document System Security Plan and POA&M
- Achieve certification before contract bid deadlines
Applicable To
- DoD Contractors
- DoD Subcontractors
- Defense Industrial Base organizations handling FCI or CUI
Penalty Information
Non-certified contractors will be ineligible for DoD contract awards. Potential False Claims Act liability for misrepresenting certification status.