Is CMMC already in contracts?

CMMC is no longer theoretical—it’s appearing in real DoD solicitations today. If your company doesn’t already meet CMMC requirements, you will soon find yourself ineligible for contract awards.

The Cybersecurity Maturity Model Certification, or CMMC—which requires defense contractors to implement the 110 NIST 800-171 controls to protect CUI—is about to become codified in the Federal Register with the announcement of the effective date for 48 CFR. Once this happens, it enables the DoD to add CMMC requirements to any new solicitation or contract. While some primes have already made their CMMC posture clear, defense contractors are still asking: what will this requirement look like in actual contracts? Are there already contracts that mention or even require CMMC?

The answer is an emphatic yes. CMMC is no longer the subject of webinars and idle speculation. It is here. Major DoD solicitations contain strong language around C3PAO-verified CMMC assessments.

-Matt Travis, CEO, Cyber AB

List of Contracts With CMMC

Below is an up-to-date list of all DoD contracts, solicitations, and notices that already mention CMMC, sourced from sam.gov, the Official U.S. Government System for contracts.

  • 9/2/2025: UPDATE – Cybersecurity Maturity Model Certification (CMMC) 2.0 Implementation
    • Issued by: U.S. Army Corps of Engineers, Headquarters, Directorate of Contracting
    • Key Quotation: “New Solicitations and Contracts issued on or after [8/25/2025] will, to the maximum extent practicable, comply with Class Deviation 2005-O0006, requiring contracting officers not to use the contract clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement, in new solicitations and contracts.”
  • 8/17/2025: FY2025 – FY2026 Projections
    • Issued by: U.S. Army Corps Of Engineers, Engineer Division Pacific Ocean
    • Key Quotation: “CMMC requirements become mandatory 1 Oct 2025. USACE Japan District anticipates that all solicitations and contracts will require Basic (Level 1) certification or higher.”
  • 7/31/2025: INFOSEC ALERT – NOTICE TO THE DEFENSE INDUSTRIAL BASE
    • Issued by: U.S. Army Corps of Engineers, Headquarters, Directorate of Contracting
    • Key quotation: “Preliminary guidance indicates that October 1, 2025 will be the go LIVE date for the CMMC 2.0 Program; however the actual, official date is still pending. Once final, USACE solicitations will specify the level certification required for performance under the contract.”
  • 7/29/2025: SOURCES SOUGHT – GROUND BASED STRATEGIC DETERRENT (GBSD) SENTINEL OPERATIONS GROUP FACILITY (OGF), FEW AFB, WY
    • Issued by: U.S. Army Corps Of Engineers, Engineer Division Northwestern
    • Key quotation: “This project is anticipated to be subject to Cybersecurity Maturity Model Certification (CMMC), Level 2 pursuant to DFARS Clause 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. Firms will need to ensure they are properly certified. Failure to meet the CMMC, Level 2 will make an offer ineligible for award.”

Behind on CMMC? Here’s how to catch up

PreVeil’s CMMC solution is trusted by thousands of defense contractors to streamline compliance and cut costs by 77%. Our Compliance Accelerator provides pre-filled, assessment-ready documentation, reducing certification preparation time from 12-24 months to just 4-6 months, and our Compliance Team + Preferred Partner Network of consultants, MSPs, and Assessors is here to help every step of the way.