About half the small businesses who land on a CMMC page don't actually need CMMC at all. The other half need it more urgently than they realize. The four-question decision tree below is the same one a contracting officer would walk through if you called.
TL;DR — the decision tree at a glance
Q1: Do you have or seek a federal contract?
“Federal contract” means a direct contract from a federal agency or a subcontract under a federal prime. Commercial-only businesses, state/local contractors, and nonprofits without federal awards stop here.
Yes → Go to Q2.
No → CMMC does not apply. (You may still adopt parts of the framework for security maturity. There is no federal obligation.)
Q2: Is the contract a DoD contract?
CMMC is a Department of Defense program established under 32 CFR Part 170. It is enforced through DFARS, not through the broader FAR. Today, only DoD contracts (and their DoD subcontracts) require CMMC affirmation or certification.
| If your contract is... | CMMC required? | What does apply |
|---|---|---|
| DoD prime or DoD sub | Yes | Continue to Q3 to determine level |
| Civilian agency (GSA, HHS, DHS, etc.) | Not today | FAR 52.204-21 still obligates the 15 basic safeguards, just no CMMC affirmation |
| State / local government | No | State procurement law and any sector-specific rules (CJIS, HIPAA, state-specific) |
| Commercial customer | No | Whatever the customer's contract requires |
Yes (DoD) → Go to Q3.
No → No CMMC obligation today. Watch the FAR rule.
Q3: Does the contract handle CUI?
Look at your award (or the solicitation) for three things:
- Documents carrying the CUI banner marking: a header that reads “CUI” or “CONTROLLED”.
- The clause DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting).
- The clause DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements). When it is present, it states the CMMC level the contract requires, which settles Q3 and Q4 directly.
Read more in our guide to FCI vs CUI.
No CUI / no 7012 → You're at Level 1: the 15 basic safeguards from FAR 52.204-21, self-assessed annually, with the assessment result and affirmation posted in SPRS. Level 1 assumes you handle FCI, which almost any DoD contract involves; a contract solely for COTS items is excluded from CMMC.
CUI present or 7012 in the contract → Go to Q4.
Q4: Is it a high-priority program?
Most CUI-handling contractors land at Level 2: the 110 NIST SP 800-171 requirements, assessed either by self-assessment or by a C3PAO certification assessment, whichever the solicitation specifies. Most contracts involving CUI call for the C3PAO certification, which is valid for three years and backed by an annual affirmation in SPRS. A small number of programs are designated high-priority by the DoD and require Level 3: a Level 2 C3PAO certification plus a subset of the NIST SP 800-172 enhanced requirements, assessed by DCMA's DIBCAC.
The contracting officer or PM tells you if you're Level 3. You don't self-designate.
Standard CUI → Level 2.
High-priority designation → Level 3.
Edge cases people get wrong
1) “I'm only a sub — the prime handles compliance.”
Wrong. Required clauses flow down to subcontractors handling FCI or CUI. The prime is required to flow them down; the sub is required to comply. The prime cannot “cover” you. The level that flows down depends on what you actually handle: a sub that receives only FCI under a Level 2 prime needs Level 1, while a sub that receives CUI needs Level 2.
2) “It's a civilian agency, so no CMMC.”
Correct today — but FAR 52.204-21 still applies. You still owe the 15 basic safeguards. The difference is no annual SPRS affirmation requirement (yet).
3) “We just register in SAM, we don't have a contract yet.”
SAM registration alone does not trigger CMMC. The trigger is being awarded (or seeking award of) a contract with the relevant clauses. Some solicitations now require an affirmation at proposal time, so check each one.
4) “The data isn't classified, so it's not CUI.”
Classified is different from CUI. CUI is the layer below classified: sensitive but not classified. You can absolutely be a Level 2 contractor handling CUI without ever touching a classified document.
5) “We're an SBIR Phase I winner, do we need Level 2?”
Usually no — Phase I is typically Level 1. See our SBIR Phase I timeline guide for the full breakdown.
What to do this week
- Walk the four questions above against your current and pipeline contracts.
- Take the free CMMC check to confirm independently — 5 minutes, no signup.
- If Level 1 applies, take the SPRS readiness quiz for a checklist of the 15.
- Subscribe to the Monday Bid Digest for weekly Level 1-fit opportunities surfaced from SAM.gov.
FAQ
Do subcontractors need CMMC?
Yes, if the prime contract is a DoD contract with the relevant clauses and the subcontractor handles FCI or CUI. Required clauses flow down, at the level matching the information the sub receives.
Does CMMC apply to civilian agency contracts?
Not directly in 2026. CMMC is DoD-only. Civilian agencies currently use FAR 52.204-21 without the CMMC affirmation requirement.
Do state and local contracts require CMMC?
No. CMMC is federal. States have their own procurement and sector-specific rules.
Do I need CMMC if I only have commercial customers?
No. CMMC is triggered by federal DoD contracts and their flow-downs.
Do I need CMMC just to bid?
Often yes. Under the DFARS rule the required CMMC status must be current in SPRS at the time of award, and some solicitations require it at proposal submission. Read each solicitation.