CMMC Compliance Overview

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a standard issued by the Department of War (DoW). It establishes mandatory cybersecurity requirements for contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

NSTXL requires all members to complete a CMMC Level 2 Self-Assessment by November 10, 2026, or members risk losing access to their membership.

When to Be Certified

The Department of War has designated November 10, 2026, as a critical milestone for achieving CMMC Level 2 certification.

In alignment with this directive, NSTXL requires all members to complete a CMMC Level 2 self-assessment by November 10, 2026. Members who do not submit proof by that deadline risk losing access to their membership or being ineligible to compete for proposals.

Additionally, program offices may impose more stringent requirements, including full C3PAO certification. While NSTXL’s baseline requirement is a Level 2 self-assessment, members are strongly encouraged to proactively pursue C3PAO certification to ensure continued eligibility for future opportunities.

We are committed to supporting our members through this transition. Partnerships with vendors who can assist with achieving compliance will be announced soon. If you have questions or need assistance, please contact us at membership@nstxl.org.

Certification Levels and Requirements

Certification requirements vary by level, but all come directly from the Department of War and will be phased into contracts over the next several years.

Level 1 Requirements (Foundational)

Requires organizations to implement 17 basic cyber hygiene practices derived from FAR 52.204-21. Certification can be achieved through a self-assessment submitted annually through the Supplier Performance Risk System (SPRS).

Level 2 Requirements (Advanced)

Aligned with the 110 security controls within NIST SP 800-171 Revision 2. Some contracts will allow for Level 2 self-assessments, but most will require an independent evaluation conducted by a Certified Third-Party Assessment Organization (C3PAO).

Level 3 Requirements (Expert)

Aligned with the 110 security controls in NIST SP 800-171 Revision 2, along with an additional 24 controls outlined in NIST SP 800-172. Requires a government-led assessment every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Members: How to Update Your CMMC Status

If you are the designated Point of Contact (POC) for your organization, you can update your company’s CMMC status by following these steps:
  1. Log in at nstxl.org
  2. From the left-hand menu, select “My Account“.
  3. Click “Company Info“.
  4. Select “Edit Info“.
  5. Locate the “Compliance Status” field and update your selection.
    • Note: You must upload your CMMC certification file (accepted formats: PDF, JPEG, or PNG).
  6. Click “Save” to confirm your changes.
Only the POC can make this update.
If you’re unsure who your company’s POC is, go to “Company Roster” and look for the person with the black check mark under “Is Primary Contact“.
For any questions or assistance, please contact membership@nstxl.org.

CMMC Compliance Requirements for NSTXL Membership

To be considered compliant for NSTXL membership, your SPRS UID must reflect a valid CMMC 2.0 assessment.
NSTXL recognizes the following UID prefixes as compliant:
If your SPRS UID begins with one of the above prefixes, your assessment aligns with CMMC 2.0 requirements.


UID Prefixes That Do NOT Count Toward CMMC Compliance

The following prefixes reflect legacy NIST SP 800-171 assessments under older DFARS clauses and do not satisfy NSTXL’s CMMC compliance requirement:
While SB/SM/SH assessments may still be valid for certain contracts operating under DFARS 252.204-7019/7020, they do not qualify as CMMC 2.0 certification for NSTXL membership purposes.

If your UID begins with SB, SM, or SH, you must complete the appropriate CMMC 2.0 assessment to remain compliant and maintain NSTXL membership.

Regulatory Disclaimer

NSTXL membership policies are subject to change due to DoW policy updates and requirements. NSTXL will keep you up to date on new information regarding CMMC and our membership policy.

Frequently Asked Questions (FAQs)

These frequently asked questions come from the Department of War Chief Information Officer’s (DoW CIO) website.
To see the full list of questions, click the button below.

The DoW began incorporating CMMC requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021 became effective. The first 12 months of implementation will primarily focus on self-assessments. For further information on the DoW’s phased implementation plan, please see 32 Code of Federal Regulations (CFR) 170.3(e).

Costs incurred to implement existing contract requirements for safeguarding information (e.g., DFARS 252.204-7012) are not considered part of the CMMC compliance cost. However, the cost of achieving CMMC compliance (i.e., self-assessment or certification) depends on various factors, including, but not limited to, the CMMC level required, the complexity of the defense industrial base (DIB) company’s unclassified network, the existing cybersecurity posture of the organization, and market forces of supply and demand.
The DoW provides resources to help businesses who wish to enter the DIB reach cybersecurity compliance.

  • The DoW CIO DIB Cybersecurity Program has compiled a list of no-cost Cybersecurityas-a-Service resources to reduce barriers to DIB community compliance and support contract cybersecurity efforts at dibnet.dod.mil under DoW DIB Cybersecurity-As-A Service (CSaaS) Services and Support.
  • The CMMC Accreditation Body, currently the Cyber AB, has a marketplace of certified CMMC assessors, professionals, and registered practitioner organizations that companies can engage now to prepare for CMMC implementation: https://cyberab.org/marketplace
  • The Defense Acquisition University offers free online CMMC and cybersecurity training: https://www.dau.edu/cybersecurity/training
  • The Defense Acquisition University also offers a drop-down for CMMC web events: https://www.dau.edu/cybersecurity/cyber-solutions (click the drop-down labeled “CMMC Resources from the DoW CIO”)
  • DoW’s Office of Small Business Programs has compiled a list of resources on their website that are aimed at helping small and medium-sized businesses understand security requirements and reach compliance: https://business.defense.gov/Resources/FAQs/
Once CMMC is implemented contractually, the DoW will specify the required CMMC level in the solicitation and the resulting contract.

Yes. Companies can implement Revision 3 but must use the DoW’s Organization-Defined Parameters (ODPs) defined in the April 2025 memorandum, “Department of War Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” found here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf Because CMMC Assessments will be conducted against Revision 2 until the class deviation memo (Q3 of this section) is withdrawn or otherwise superseded, DIB companies must ensure any identified gaps between Revision 2 and Revision 3 are addressed.

Level 1 self-assessments will be required on an annual basis, and CMMC Levels 2 and 3 will be required every 3 years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter. Please reference 32 CFR 170.3(e) for details on the DoW’s timeline for phased implementation of CMMC requirements in applicable procurements.
No, if a DIB company does not process, store, or transmit CUI, it does not need an independent assessment. If the company handles FCI only, a CMMC Level 1 self-assessment is required.

The public will not have access to a listing of DIB companies that have completed their CMMC self-assessments or received CMMC certificates. Such information is available to the DoW officers leading procurement activities.

A company can view their own scores and status in the Supplier Performance Risk System (SPRS). Suppliers may print verification of their status from SPRS to share with their Primes. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements. The DoW expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoW contracts.

To be considered CMMC compliant for NSTXL membership, your SPRS UID must begin with one of the following prefixes:

  • S1 – Level 1 Self-Assessment
  • S2 – Level 2 Self-Assessment
  • L2 – Level 2 C3PAO Assessment
  • L3 – Level 3 DIBCAC Assessment

If your SPRS UID begins with SB, SM, or SH, this reflects a legacy NIST SP 800-171 assessment conducted under older DFARS clauses and does not meet NSTXL’s CMMC 2.0 compliance requirement.

For more information: https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf

An SPRS UID beginning with SB, SM, or SH reflects a NIST SP 800-171 assessment entered under DFARS 252.204-7019/7020 requirements.

While these assessments may still be valid for certain contracts operating under older DFARS clauses, they do not satisfy the current CMMC 2.0 framework required for NSTXL membership compliance.

CMMC 2.0 introduced updated assessment structures and UID prefixes. To meet NSTXL’s requirement, your SPRS record must reflect a qualifying CMMC 2.0 UID (S1, S2, L2, or L3).

If your organization has already completed a NIST SP 800-171 assessment, you are likely well-positioned to complete the required CMMC 2.0 assessment.

For more information: https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf