CMMC Phase‑In Explained: What Level Will My Contract Need?

Updated: Oct 10


Why this matters now

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program is now being phased into DoD solicitations and awards. For contractors and subcontractors, the practical question is simple: what CMMC level will my contract require, and when will that requirement block or allow me to bid? This article translates the DoD documentation into a clear, actionable plan you can use today.

Key official sources used: DoD CMMC Program resources and Assessment Guides, the DFARS assessment rules, and the Supplier Performance Risk System (SPRS).

Where CMMC stands (official rule & phased roll‑out)

The CMMC program rule (32 CFR part 170) defines the levels, the assessment types and a phased roll-out; the companion DFARS acquisition rule puts the requirement into solicitations and contracts through DFARS 252.204-7021. Both were published in the Federal Register, and the DoD's program pages make clear that requirements are introduced in phases rather than all at once, so that assessors can be trained and suppliers can prepare.

The roll-out has four phases, each starting roughly a year after the last. Phase 1 relies mainly on Level 1 and Level 2 self-assessments; Phase 2 adds Level 2 certification assessments by C3PAOs; Phase 3 adds Level 3 assessments by DCMA DIBCAC; Phase 4 is full implementation, with CMMC requirements in all applicable solicitations and awards. The DoD has also published Level-specific assessment guides (Level 1, Level 2 and Level 3) that define what assessors will look for.

Which Level means what (quick recap)

The CMMC model in DoD guidance has three levels:

- Level 1 (Foundational): basic safeguarding of Federal Contract Information (FCI), the 15 requirements of FAR 52.204-21. Assessed by annual self-assessment.
- Level 2 (Advanced): the baseline for Controlled Unclassified Information (CUI), requiring all 110 requirements of NIST SP 800-171 Rev 2. Assessed either by self-assessment or by a certification assessment from a C3PAO, depending on what the contract specifies.
- Level 3 (Expert): reserved for the highest-priority programs. Adds 24 selected requirements from NIST SP 800-172 on top of a current Level 2 certification and is assessed by the government (DCMA DIBCAC).

This mapping (FCI to Level 1, CUI to Level 2, critical national security programs to Level 3) is the practical starting point for deciding what your contract will need.


If you need a plan for Level 2, see our CMMC compliance management service.

How to tell what level your contract will require (step‑by‑step)

1. Read the solicitation clauses and attachments. Look for DFARS 252.204-7021 or other explicit CMMC language, or statements that a CMMC status or SPRS record is required at offer or award. If the PWS or SOW says the work involves CUI, assume Level 2 is in scope.

2. Check DFARS clauses and flow-downs. DFARS 252.204-7012 (safeguarding CUI and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD assessment requirements, with the score posted in SPRS) and 252.204-7021 (CMMC requirements) tell you what evidence is expected and where it is recorded.

3. Ask the contracting officer/prime. If the clause is ambiguous, ask the CO or prime what assessment type they will accept (self‑assessment vs C3PAO) and whether they will require an SPRS record or a CMMC certificate at bid time.

4. Assume that primes will flow requirements down. Prime contractors commonly flow higher CMMC expectations to subs, even if the direct award would be lower. If you support a system that touches CUI, plan for Level 2 readiness.

5. Validate through SPRS. If the solicitation requires a CMMC status, the contracting officer verifies it in SPRS. C3PAO and DIBCAC results are entered in CMMC eMASS and transmitted to SPRS; self-assessment results and annual affirmations are entered in SPRS directly. Keep your SPRS record current and your SSP and POA&M up to date, since any assessor will ask for them.

Self‑assessment vs C3PAO vs government‑led: what to expect

DoD guidance ties the assessment type to the level and to the sensitivity of the program:

- Level 1: annual self-assessment of the basic safeguarding requirements, with the result and an affirmation entered in SPRS.
- Level 2: self-assessment where the solicitation allows it, or a certification assessment by a C3PAO where the contract requires independently verified status. The Level 2 Assessment Guide details the scope, documentation and evidence expectations for both.
- Level 3: government-led assessment by DCMA DIBCAC, which requires a current Level 2 certification first.

Whichever type applies, the assessment scope (which systems, users and facilities process, store or transmit FCI or CUI) is fixed before the assessment starts, so settle the boundary before anything else.

DoD also allows a Conditional CMMC status under specific POA&M rules: if selected requirements are NOT MET at the time of a Level 2 or Level 3 assessment, a Conditional status may be granted, with a POA&M closeout assessment due within 180 days. Level 1 permits no POA&M at all. A Conditional status that is not closed out in time expires, and you no longer hold the level; the exact conditions are codified in 32 CFR 170.21 and explained in the assessment guides.

SPRS: the single place the DoD will look for your score

The Supplier Performance Risk System (SPRS) is the DoD's authoritative repository for NIST SP 800-171 assessment results and CMMC status. Contracting officers use it as a risk signal in acquisitions; a missing, stale or low score can affect award decisions. Under DFARS 252.204-7019 and 252.204-7020, contractors handling CUI post the summary-level score (110 at best, down to a minimum of -203), the assessment date, the scope (the systems or enclaves assessed) and the date by which a score of 110 is expected. The SSP and POA&M themselves are not uploaded to SPRS; you keep them and produce them to the assessor or the government on request.

POA&M rules and Conditional status — the 180‑day closeout

The DoD's CMMC rules and assessment guides allow limited use of a Plan of Action and Milestones (POA&M) for selected unmet requirements, but the rules are strict about timelines and scope. Where Conditional status is granted, a POA&M closeout assessment must be completed within 180 days of the Conditional status date (a regulatory deadline under 32 CFR part 170, not a statutory one), and it must show the open items as MET. A Conditional status that is not closed out within that window expires. Review 32 CFR 170.21 and the Level 2 Assessment Guide for the exact POA&M conditions, including the minimum score and the short list of requirements that can never be placed on a POA&M.
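The SPRS score described two sections up and the Conditional-status gate described here are both mechanical rules, so here is an added worked example (written for this article, not DoD or page code) that applies them to two constructed self-assessments. Scoring follows the NIST SP 800-171 DoD Assessment Methodology, which 32 CFR 170.24 mirrors: start at 110 and subtract 1, 3 or 5 points per unmet requirement, with the reduced 3-point deduction the methodology allows for partially implemented 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption). The POA&M gate follows 32 CFR 170.21(a)(2). Assumptions: the point table is only an excerpt (complete it from the methodology's Annex A before real use), the sample findings are invented, and any requirement not listed in a scenario is treated as met.

```python
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110  # NIST SP 800-171 Rev 2; a fully compliant assessment scores 110

# Partial excerpt of the point values in Annex A of the DoD Assessment
# Methodology (1, 3 or 5 points per requirement). Requirements missing from
# this table raise KeyError in deduction() instead of being silently scored;
# complete the table from the methodology before scoring a real system.
POINTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.10": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.10": 5, "3.8.4": 1, "3.10.3": 1, "3.10.4": 1,
    "3.10.5": 1, "3.11.2": 5, "3.13.8": 3, "3.13.11": 5, "3.14.1": 5,
}
# The methodology allows a reduced 3-point deduction for two requirements when
# they are partly implemented: 3.5.3 (MFA for remote and privileged access but
# not general users) and 3.13.11 (encryption in place but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
# 32 CFR 170.21(a)(2)(iii): these may never be on a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
SSP_REQUIREMENT = "3.12.4"  # not scored; without an SSP no assessment can be conducted


@dataclass(frozen=True)
class Finding:
    req: str      # requirement id, e.g. "3.5.3"
    status: str   # "met", "not_met" or "partial"


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one finding."""
    if f.req == SSP_REQUIREMENT:
        if f.status != "met":
            raise ValueError("3.12.4 (SSP) not met: the methodology says no assessment can be conducted")
        return 0
    if f.status == "met":
        return 0
    if f.status == "partial":
        if f.req not in PARTIAL_CREDIT:
            raise ValueError(f"{f.req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return 3
    if f.status == "not_met":
        return POINTS[f.req]
    raise ValueError(f"{f.req}: unknown status {f.status!r}")


def sprs_score(findings) -> int:
    """SPRS score: 110 minus the deductions. Requirements absent from `findings`
    are treated as MET (an assumption made for this example; list every
    requirement in a real assessment)."""
    seen = set()
    total = 0
    for f in findings:
        if f.req in seen:
            raise ValueError(f"duplicate finding for {f.req}")
        seen.add(f.req)
        total += deduction(f)
    return TOTAL_REQUIREMENTS - total


def conditional_level2_eligible(findings):
    """Apply the 32 CFR 170.21(a)(2) tests for a Conditional Level 2 status.
    Returns (eligible, reasons); an empty reasons list means the open items
    may go on a POA&M and be closed out within 180 days."""
    reasons = []
    score = sprs_score(findings)
    # (i) score / 110 must be >= 0.8, i.e. at least 88 (integer arithmetic, no rounding)
    if score * 5 < 4 * TOTAL_REQUIREMENTS:
        reasons.append(f"score {score} is below the 0.8 threshold ({4 * TOTAL_REQUIREMENTS // 5})")
    for f in findings:
        if f.status == "met":
            continue
        pts = deduction(f)
        if f.req in NEVER_ON_POAM:                                   # (iii)
            reasons.append(f"{f.req} may never be placed on a POA&M")
        elif pts > 1 and not (f.req == "3.13.11" and pts == 3):     # (ii)
            reasons.append(f"{f.req} is a {pts}-point requirement; only 1-point items "
                           f"(or 3.13.11 at 3) may be on a POA&M")
    return (not reasons), reasons


# Constructed sample assessments (not real data).
SCENARIO_A = [                       # three open items, all POA&M-eligible
    Finding("3.13.11", "partial"),   # encryption present, not FIPS-validated: -3
    Finding("3.1.10", "not_met"),    # session lock: -1
    Finding("3.8.4", "not_met"),     # media marking: -1
]
SCENARIO_B = [                       # high score, yet no Conditional status possible
    Finding("3.5.3", "partial"),     # MFA only for remote/privileged: -3
    Finding("3.11.2", "not_met"),    # vulnerability scanning: -5
    Finding("3.10.4", "not_met"),    # physical access logs: -1, but never POA&M-able
    Finding("3.1.5", "not_met"),     # least privilege: -3
]

if __name__ == "__main__":
    for name, findings in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        ok, why = conditional_level2_eligible(findings)
        print(f"scenario {name}: SPRS score {sprs_score(findings)}, Conditional eligible: {ok}")
        for r in why:
            print("   -", r)
```

Scenario B is the case practitioners get wrong: a score of 98 comfortably clears the 0.8 threshold, yet none of its four open items can sit on a POA&M, so the outcome is a plain not-met result rather than a Conditional status. Items like that have to be fixed before the assessment, not after.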

Immediate action checklist (what to do this week)

- Identify whether your contract or pipeline handles CUI or FCI (review PWS/SOW).

- If CUI is present: update or create your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

- Run a NIST SP 800‑171 self‑assessment (DoD methodology) and calculate your SPRS score; submit it to SPRS if required.

- If you can't meet all controls, produce realistic POA&M entries with dates and owners (closeout is enforced under CMMC rules).

- Talk to your prime or CO to confirm whether a C3PAO assessment will be required for your award.

- If a certification assessment is possible, start preparing artifacts (logs, evidence matrix, training records) per the Level 2 Assessment Guide.

Typical procurement lifecycle—where CMMC shows up

Solicitation → Proposal → Evaluation → Award → Performance. CMMC requirements can appear at the solicitation/offer stage (stated requirements), during evaluation (SPRS status checks), and as a contract clause (flow‑downs). Plan for readiness by the proposal stage: DoD increasingly expects evidence at bid time, not after award.

Frequently Asked Questions

Q: Can I bid without certification?

A: In early phases, you may bid with a self‑assessment SPRS entry for some Level 2 scopes, but many solicitations will require a current SPRS record or CMMC status. Confirm with the contracting officer.


Q: What if my SPRS score is low?

A: A low score is a competitive disadvantage; prioritize closing high‑risk POA&M items and be transparent with primes/COs about remediation timelines.


Q: How long does certification last?

A: CMMC statuses are recorded in SPRS (certification results arrive there via CMMC eMASS) and are time-bounded. A Level 1 self-assessment is valid for one year. Level 2 self-assessments, Level 2 certifications and Level 3 certifications are valid for three years, with an affirmation of continued compliance entered in SPRS every year. A Conditional status lasts at most 180 days, until the POA&M closeout. Check the assessment guides and 32 CFR part 170 for the exact terms.


Q: Who performs C3PAO assessments?

A: C3PAOs are third-party assessment organizations authorized through the CMMC Accreditation Body (the Cyber AB) to perform Level 2 certification assessments using certified CMMC assessors. DoD guidance and the assessment guides describe their scope and responsibilities.

Conclusion: Get SPRS‑ready before your next bid

CMMC is now an acquisition reality. For small and mid‑sized suppliers, the fastest path to competitiveness is to: (1) identify CUI exposure; (2) complete a NIST SP 800‑171 self‑assessment and submit to SPRS; (3) remediate high‑risk gaps via POA&Ms; and (4) be ready for a C3PAO assessment if the contract demands verified certification. The DoD assessment guides and SPRS rules are the authoritative references—use them for scope and evidence requirements.

Hire A Cyber Pro helps small teams prepare SSPs, run self-assessments, package SPRS submissions, and prepare for C3PAO assessments. Learn more: https://www.hireacyberpro.com/services-new

Quick decision flowchart

The flowchart image is not reproduced here; the same decision path in text, using the mapping above:

1. Does the contract involve neither FCI nor CUI (for example, a COTS-only buy)? Then no CMMC level applies.
2. Does it involve FCI only? Plan for Level 1 (annual self-assessment).
3. Does it involve CUI? Plan for Level 2. If the solicitation requires a certification assessment or a verified status, plan for a C3PAO assessment; otherwise a self-assessment.
4. Is it a high-priority program whose solicitation cites Level 3? Plan for a DIBCAC assessment, which presumes a current Level 2 certification.

When in doubt, confirm with the contracting officer or prime before you bid.