Not long ago, we discussed the basics of the Cybersecurity Maturity Model Certification (CMMC) Program at DFARS subpart 204.75. Of course, with a system as large and new as the CMMC Program, there is more to it than what we reviewed there. In this second set of posts, we dive deeper into the requirements and procedures of the CMMC Program implemented by DoD back in September 2025, among other items. We will explore the general rules on which systems are covered by the CMMC Program, when a contractor must be in compliance with the CMMC Program, and which levels will apply to contracts.
Scope
While the CMMC Program has many requirements, it does not apply to every single asset, record, and system a contractor has. Applicability depends on the asset or system's involvement with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). For example, 32 C.F.R. § 170.19 notes that for Level 1, for the contractor (or Organization Seeking Assessment (OSA), as the regulation calls it), "OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1" and "only OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements." In other words, if a contractor's system never touches FCI, that system need not meet the requirements of CMMC Level 1. So long as the systems that actually interact with FCI meet the CMMC Level 1 requirements, the contractor should still meet CMMC Level 1.
As one might expect, Levels 2 and 3 are stricter. In addition to the assets that touch FCI, the contractor must consider the assets that process, store, or transfer CUI for the Level 2 and Level 3 assessments. In fact, even assets that don't otherwise process, store, or transfer CUI must be accounted for if they are nonetheless capable of doing so. Only assets that are incapable of processing, storing, or transferring CUI and that do not process, store, or transfer FCI are excluded from the assessment. Of course, if you are claiming an asset is incapable of holding or transferring CUI, you will need to actually explain why that is the case.
Time for Compliance
As we noted in our prior post, certain parts of DFARS were changed as well regarding acquisition policies. One key regulation is DFARS 204.7502. That regulation states that, if CMMC Program compliance is required, the contractor must have the required CMMC Program level status (or higher) both at the time of award and throughout the duration of the contract. This status must be reflected in the CMMC certificate held by the company, which is recorded in the Supplier Performance Risk System (SPRS); all levels are noted in SPRS. Not only this, but as DFARS 204.7503 states, a contractor cannot receive an extension or option on its contract if that contract requires a certain CMMC Program level and the contractor no longer meets the requirements of that level.
The CMMC in Procurements
Of course, the CMMC Program doesn't just have requirements for contractors. As we noted in our prior post, certain parts of DFARS were changed as well regarding when CMMC compliance will be required. Key here is DFARS 204.7504. Until November 9, 2028, this regulation leaves it entirely up to the procuring agency what CMMC level, if any, will be required of bidders. After that date, the required level will depend entirely on whether the contract involves FCI and/or CUI. This would mean that if the contract involves FCI only, one should expect only a Level 1 requirement. With CUI, it would seem that the contracting officer will determine whether Level 2 or Level 3 should apply, no doubt something that DoD could address with internal guidance. In either case, until November 2028, agencies will have basically total discretion on whether CMMC Program requirements apply to a given procurement. After that, they will be bound to use certain levels, but even then, there may be some discretion.
Summary
No doubt there will be further changes for the CMMC Program down the road. Cybersecurity is one of the fastest-developing fields today. As such, we would advise not becoming too wedded to the CMMC Program as it currently exists. Be ready for further tweaks and changes. That said, hopefully these posts have helped provide some clarity on one of the newest systems in federal contracting.