Is CMMC already in contracts?
CMMC is no longer theoretical—it’s appearing in real DoD solicitations today. If your company isn’t preparing, you may soon find yourself ineligible for contract awards.
The Cybersecurity Maturity Model Certification, or CMMC—which requires defense contracts to implement 110 controls dealing with the protection of CUI—is about to become codified in the federal register with the announcement of the effective date for 48 CFR. Once this happens, every new DoD solicitation and contract will include some level of CMMC requirement. While the timeline for CMMC has been debated for months since 32 CFR, the final legal steps are underway. Defense contracts are asking, what will this requirement look like in actual contracts? Are there already contracts that mention or even require CMMC?
The answer is an emphatic yes. CMMC is no longer the subject of webinars and idle speculation. It is here. Major DoD solicitations contain strong language around C3PAO-verified CMMC assessments.
If you haven’t started getting engaged in CMMC, now is the time to do so. It was probably the time in early 2024, but now the light is flashing red.
-Matt Travis, CEO, Cyber AB
List of Contracts Mentioning CMMC
Below is an up-to-date list of all DoD contracts, solicitations, and notices that already mention CMMC sourced from sam.gov, the Official U.S. Government System for contracts.
- 9/2/2025: UPDATE – Cybersecurity Maturity Model Certification (CMMC) 2.0 Implementation
- Issued by: U.S. Army Corps of Engineers, Headquarters, Directorate of Contracting
- Key Quotation: “New Solicitations and Contracts issued on or after [8/25/2025] will, to the maximum extent practicable, comply with Class Deviation 2005-O0006, requiring contracting officers not to use the contract clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement, in new solicitations and contracts.”
- 8/17/2025: FY2025 – FY2026 Projections
- Issued by: U.S. Army Corps Of Engineers, Engineer Division Pacific Ocean
- Key Quotation: “CMMC requirements become mandatory 1 Oct 2025. USACE Japan District anticipates that all solicitations and contracts will require Basic (Level 1) certification or higher.”
- 7/31/2025: INFOSEC ALERT – NOTICE TO THE DEFENSE INDUSTRIAL BASE
- Issued by: U.S. Army Corps of Engineers, Headquarters, Directorate of Contracting
- Key quotation: “Preliminary guidance indicates that October 1, 2025 will be the go LIVE date for the CMMC 2.0 Program; however the actual, official date is still pending. Once final, USACE solicitations will specify the level certification required for performance under the contract.”
- 7/29/2025: SOURCES SOUGHT – GROUND BASED STRATEGIC DETERRENT (GBSD) SENTINEL OPERATIONS GROUP FACILITY (OGF), FEW AFB, WY
- Issued by: U.S. Army Corps Of Engineers, Engineer Division Northwestern
- Key quotation: “This project is anticipated to be subject to Cybersecurity Maturity Model Certification (CMMC), Level 2 pursuant to DFARS Clause 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. Firms will need to ensure they are properly certified. Failure to meet the CMMC, Level 2 will make an offer ineligible for award.”
Don’t know how to get started?
The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and protect CUI from our country’s adversaries. By getting started on your organization’s compliance journey, you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.
