What is CMMC and does it apply to me?
CMMC is DoD’s cybersecurity certification for contractors. The acquisition rule took effect November 10, 2025 and requirements phase into contracts through ~November 2028. Level 1 (15 basics, self-assessed) covers firms touching Federal Contract Information; Level 2 (NIST 800-171, usually third-party assessed) covers anyone handling Controlled Unclassified Information.
If you sell to DoD — or sub to someone who does — CMMC applies based on the data in your environment, not your size. Primes are flowing requirements down to subcontractors ahead of the official phase-in because their own awards depend on a compliant supply chain.
Start by classifying your data flows, shrink where sensitive data lives, run a NIST 800-171 self-assessment and post your SPRS score, then book a C3PAO early if Level 2 is your market.