DOES MY COMPANY NEED TO BE CMMC COMPLIANT?
The short answer is this...do you work as a Prime or Subprime contractor for the Department of Defense, chances are you do.
CMMC certification is required by organizations operating with DoD information. If the organization is operating with non-classified DoD information, it may only need a Level 3 clearance or below. If the organization is operating with high-value information, it will likely need a clearance of Level 4 or higher. However, classifications are set by the project.
Who does CMMC directly affect?
Any contractor or vendor doing business with the DoD is affected, and will eventually be required to obtain a CMMC certification. The definition of contractor or vendor includes all suppliers across every tier of the supply chain, small businesses, foreign suppliers and commercial item contractors.
The certification process is handled by the CMMC Accreditation Body (CMMC-AB), who coordinates directly with the DoD. Together, they have developed procedures to accredit independent CMMC Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate and certify CMMC levels.
Under the new guidance, all newly awarded contracts to any DIB vendor or subcontractor will have to demonstrate CMMC compliance. Essentially, this applies to any organization that handles CUI.
The only companies exempt from CMMC certification are those that solely produce Commercial-Off-The-Shelf (COTS) products.