
Do I need CMMC certification?

If you hold or bid on DoD contracts, you almost certainly need CMMC at some level. Handle only FCI → Level 1, an annual self-assessment with no certificate. Handle CUI → Level 2, increasingly a third-party C3PAO certification from November 10, 2026. Here's how to tell which is you.

"Do I need CMMC?" is really three questions

1. Does CMMC apply to me at all?

CMMC attaches to DoD contracts and subcontracts. No DoD work means no CMMC obligation today — but the requirement arrives with the solicitation, and readiness takes months, so it is worth knowing before you bid.

2. Which level — 1 or 2?

FCI-only work is Level 1; any CUI puts you in Level 2. That decision turns on what information your contracts involve, and it is worth getting exactly right — the Level 1 vs Level 2 guide walks through it with a short quiz.

3. Self-assessment or third-party certification?

This is the part most people miss. Level 1 is always self-assessed. Level 2 has a self-assessment track for a subset of contracts — but from November 10, 2026, a C3PAO third-party certification becomes the default for contracts involving CUI, applied per-solicitation through full implementation in 2028.

Sources: 32 CFR 170.3(e) and 170.21; NIST SP 800-171 Rev 2; DFARS rule effective Nov 10, 2025. No delay announced as of June 2026.

Self-assessment ≠ certification

A self-assessed SPRS score is something you produce and post. A CMMC Level 2 certification is something a Certified Third-Party Assessment Organization (C3PAO) issues after assessing you. They are not the same milestone — and under Phase 2, contracts involving CUI will increasingly require the certification, not just the score. Conditional Level 2 status is possible with a score of at least 88 of 110 where every open gap is POA&M-eligible and closes within 180 days.

Four myths that get contractors caught

"I already posted an SPRS score, so I'm certified."

A self-assessed SPRS score is not a CMMC certification. Under Phase 2, contracts involving CUI will increasingly require a C3PAO third-party assessment as a condition of award. The score tells you where you stand; the certification is a separate, assessor-issued result.

"I'm just a subcontractor, so CMMC doesn't apply to me."

CMMC follows the information, not your tier. If a prime flows down DFARS 252.204-7012 and you handle covered defense information, the same level applies to you. Many subs need exactly the same Level 2 readiness as the prime.

"I'll deal with it once I win a contract that requires it."

C3PAO assessment waitlists already run months, and you cannot predict which solicitation will carry the requirement first under the per-solicitation rollout. Readiness that starts when a solicitation demands it usually arrives too late to bid.

"CMMC is just more paperwork — there's nothing to actually do."

Level 2 is all 110 NIST SP 800-171 requirements implemented and evidenced — MFA, encryption, logging, access control, an accurate SSP. Real technical and process work, not a form. The SSP (3.12.4) gates everything: without one, no assessment can even be completed.

Straight answers

Do I need CMMC certification if I hold DoD contracts?

Almost certainly you need CMMC at some level — the open questions are which level and whether you self-assess or need a third-party certification. If your DoD work involves only Federal Contract Information (FCI), you self-assess at Level 1 (17 safeguards, annual, no certificate issued). If it involves Controlled Unclassified Information (CUI), you are in Level 2 — all 110 NIST SP 800-171 requirements — and from November 10, 2026, a C3PAO certification becomes the default condition of award on a per-solicitation basis.

What is the difference between a self-assessment and a CMMC certification?

A self-assessment is you scoring your own systems against NIST SP 800-171 and posting the result to SPRS — no third party. A CMMC certification (Level 2) is a Certified Third-Party Assessment Organization (C3PAO) independently assessing you and issuing a result. Level 1 is always self-assessed; Level 2 has a self-assessment track for a subset of contracts, but C3PAO certification becomes the default for CUI contracts under Phase 2 (from November 10, 2026).

Does CMMC apply to subcontractors?

Yes, when the data does. If a prime flows down DFARS 252.204-7012 and your performance involves covered defense information, the corresponding CMMC requirement applies to you as well. Being a subcontractor does not exempt you — primes are obligated to ensure their subs meet the requirement.

Can I get a CMMC certification before I have a contract that requires it?

Yes — and given multi-month C3PAO waitlists and the unpredictable per-solicitation rollout, getting ready ahead of a requirement is the prudent move. You cannot reliably time it to a specific award. The conservative sequence is: measure your SPRS score now, close the must-fix gaps, then enter the assessor queue.

Is having a good SPRS score the same as being CMMC certified?

No. The SPRS score is a self-reported readiness number under the DoD Assessment Methodology; CMMC Level 2 certification is an independent C3PAO result. A strong score makes the assessment achievable — conditional Level 2 needs at least 88 of 110 with every open gap POA&M-eligible — but the score and the certification are different things.

This is compliance information, not legal advice. The solicitation and your actual data flows govern; for contract-interpretation questions, consult qualified counsel.

Whether you self-assess or get certified, it starts with your score

The free assessment computes your SPRS score with the exact DoD methodology and shows which gaps are POA&M-eligible and which you must fix before any assessor sees them.
