GovPath logoGovPath
← My JourneyChapter 4: Win Contracts
GovPath guides are informational only, not legal or procurement advice. Verify all requirements directly with the relevant agency.

CMMC: Cybersecurity Requirements for DoD Contractors

If you want to work on Department of Defense contracts, you may be required to meet CMMC, the Cybersecurity Maturity Model Certification.

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is a DoD framework that requires contractors handling sensitive government information to meet specific cybersecurity standards. Starting in 2025, contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) require contractors to demonstrate compliance before they can be awarded.

Who needs it?

Who this applies to

CMMC requirements apply to ALL companies in the DoD supply chain, including subcontractors. If you are pursuing DoD prime contracts or subcontracts, check the contract's solicitation for CMMC requirements before bidding.

The three levels

CMMC has three levels. Which one applies to you depends on how sensitive the information is that you handle on the contract.

Level 1: Foundational

Who: Any contractor handling Federal Contract Information (FCI)

  • What: 15 basic cybersecurity practices (e.g., use antivirus, control who has access to systems)
  • How: Annual self-assessment: no third-party required
  • Bottom line: Most small businesses can achieve this with standard IT practices

Level 2: Advanced

Who: Contractors handling Controlled Unclassified Information (CUI), the more sensitive category

  • What: 110 practices from NIST SP 800-171 (a detailed federal cybersecurity standard)
  • How: Third-party assessment by a C3PAO (certified assessor) every 3 years for critical contracts; self-assessment for non-critical
  • Bottom line: This is the main compliance hurdle for small IT, tech, and engineering DoD contractors

Level 3: Expert

Who: Highest-sensitivity DoD programs only

  • What: Government-led assessment
  • Bottom line: Rare. Out of scope for most small businesses.

Why it matters for small businesses

The opportunity

CMMC is creating a major opportunity. Many large prime contractors are actively looking for CMMC-compliant small business subcontractors. Getting certified ahead of your competitors means you can pursue subcontracts that others can't bid on yet.

Where to start

If you are pursuing DoD work:

  • Check the contract solicitation for CMMC requirements (search for “CMMC” or “CUI” in the document)
  • If Level 1 is required, start by reviewing the 15 basic practices at dodcio.defense.gov/CMMC
  • If Level 2 is required, begin a gap assessment against NIST SP 800-171 before investing further
GovPath Pro (coming soon) will include a plain-English CMMC Level 1 compliance checklist, a Level 2 gap assessment tool, and a step-by-step guide to finding a C3PAO assessor.