CMMC Compliance Overview

UPCOMING WEBINAR

Countdown to Compliance: Completing Your CMMC Level 1 Self-Assessment

November 19, 2025 @ 2 PM EST

Join NSTXL for an essential webinar on the latest membership requirements related to Cybersecurity Maturity Model Certification (CMMC). This webinar is a must-attend for members looking to confidently navigate the evolving compliance landscape.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a standard issued directly by the Department of War (DoW). It establishes mandatory cybersecurity requirements for all contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Depending on the sensitivity of the data you manage, your organization will need to certify at the appropriate level.

While NSTXL members are not required to have CMMC Level 1 certification until March 31, 2026, some upcoming NSTXL opportunities may require it sooner. If a solicitation requires at least CMMC Level 1, you will not be eligible to bid until your organization achieves that certification.

When to Be Certified

CMMC requirements will be added to DoW contracts in phases beginning with Level 1 on November 10th, 2025.

To remain eligible for future opportunities, NSTXL members should complete their Level 1 Self-Assessment by Tuesday, March 31st, 2026, and must be Level 2 Certified by November 10th, 2026. NSTXL will continue to provide certification resources as more information becomes available.

Membership policies are subject to change due to Government policy updates and requirements. For the latest information on CMMC compliance, visit dodcio.defense.gov/CMMC.

Certification Levels and Requirements

Certification requirements vary by level, but all come directly from the Department of War and will be phased into contracts over the next several years.

Level 1 Requirements (Foundational)

Requires organizations to implement 17 basic cyber hygiene practices derived from FAR 52.204-21. Certification can be achieved through a self-assessment submitted annually through the Supplier Performance Risk System (SPRS).

Level 2 Requirements (Advanced)

Aligned with the 110 security controls within NIST SP 800-171 Revision 2. Some contracts will allow for Level 2 self-assessments, but most will require an independent evaluation conducted by a Certified Third-Party Assessment Organization (C3PAO).

Level 3 Requirements (Expert)

Aligned with the 110 security controls in NIST SP 800-171 Revision 2, along with an additional 24 controls outlined in NIST SP 800-172. Requires a government-led assessment every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Members: How to Update Your CMMC Status

If you are the designated Point of Contact (POC) for your organization, you can update your company’s CMMC status by following these steps:
  1. Log in at nstxl.org
  2. From the left-hand menu, select “My Account”.
  3. Click “Company Info”.
  4. Select “Edit Info”.
  5. Locate the “Compliance Status” field and update your selection.
    • Note: You must upload your CMMC certification file (accepted formats: PDF, JPEG, or PNG).
  6. Click “Save” to confirm your changes.
Only the POC can make this update.
If you’re unsure who your company’s POC is, go to “Company Roster” and look for the person with the black check mark under “Is Primary Contact”.
For any questions or assistance, please contact membership@nstxl.org.

Regulatory Disclaimer

NSTXL membership policies are subject to change due to DoW policy updates and requirements. NSTXL will keep you up to date on new information regarding CMMC and our membership policy.

Frequently Asked Questions (FAQs)

These frequently asked questions come from the Department of War Chief Information Officer’s (DoW CIO) website.

The DoW will begin to incorporate CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 becomes effective. The first 12 months of implementation will primarily focus on self-assessments. For further information on the DoW’s phased implementation plan, please see 32 Code of Federal Regulations (CFR) 170.3(e).
Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of the CMMC compliance cost. However, the cost of achieving CMMC compliance (i.e., self-assessment or certification) depends on various factors, including, but not limited to, the CMMC level required, the complexity of the defense industrial base (DIB) company’s unclassified network, the existing cybersecurity posture of the organization, and market forces of supply and demand.
The DoW provides resources to help businesses that wish to enter the DIB reach cybersecurity compliance.

  • The DoW CIO DIB Cybersecurity Program has compiled a list of no-cost Cybersecurity-as-a-Service resources to reduce barriers to DIB community compliance and support contract cybersecurity efforts at dibnet.dod.mil under DoW DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.
  • The CMMC Accreditation Body, currently the Cyber AB, has a marketplace of certified CMMC assessors, professionals, and registered practitioner organizations that companies can engage now to prepare for CMMC implementation: https://cyberab.org/marketplace
  • The Defense Acquisition University offers free online CMMC and cybersecurity training: https://www.dau.edu/cybersecurity/training
  • The Defense Acquisition University also offers a drop-down for CMMC web events: https://www.dau.edu/cybersecurity/cyber-solutions (click the drop-down labeled “CMMC Resources from the DoW CIO”)
  • DoW’s Office of Small Business Programs has compiled a list of resources on their website that are aimed at helping small and medium-sized businesses understand security requirements and reach compliance: https://business.defense.gov/Resources/FAQs/
Once CMMC is implemented contractually, the DoW will specify the required CMMC level in the solicitation and the resulting contract.

Yes. Companies can implement Revision 3 but must use the DoW’s Organization-Defined Parameters (ODPs) defined in the April 2025 memorandum, “Department of War Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” (https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf). Because CMMC assessments will be conducted against Revision 2 until the class deviation memo (Q3 of this section) is withdrawn or otherwise superseded, DIB companies must ensure any identified gaps between Revision 2 and Revision 3 are addressed.

Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the DoW’s timeline for phased implementation of CMMC requirements in applicable procurements.
No, if a DIB company does not process, store, or transmit CUI, it does not need an independent assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.

The public will not have access to a listing of DIB companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the DoW officers leading procurement activities.

A company can view their own scores and status in the Supplier Performance Risk System (SPRS). Suppliers may print verification of their status from SPRS to share with their Primes. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements. The DoW expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoW contracts.