CMMC Acquisition Rule Posted for Public Inspection
CMMC 2.0 Phase 1 implementation of self-assessments begins Nov 10th, 2025
View more information on Phased Implementation of CMMC Requirements at DLA.


Cybersecurity Resources for Suppliers

To enhance DLA's cybersecurity and better protect DoW information, the Cybersecurity Maturity Model Certification (CMMC) Program was created to empower Vendors to align with DoW cybersecurity requirements in order to work with the Government.

Small Business Cyber Readiness


The links on this page lead to resources outside of DLA's Office of Small Business Programs. The content is informational only and should not be interpreted as being definitive, all-inclusive or an endorsement, sanction, approval, or authorization by DLA.

Updated Last: 12/12/2025

Foundations to CMMC

The CMMC program builds upon existing cybersecurity requirements found in the Defense Federal Acquisition Regulation Supplement (DFARS). As a Supplier, you are responsible for protecting two key types of information on your systems: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC framework formalizes and verifies compliance with the following foundational DFARS clauses:

  • DFARS 252.204-7019 and DFARS 252.204-7012: Implement NIST SP 800-171. This is the core requirement. Suppliers must implement the 110 security controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to safeguard covered defense information.
  • DFARS 252.204-7020: Assess and Verify Compliance. This clause requires Suppliers to perform a self-assessment of NIST SP 800-171 implementation and report their score in the Supplier Performance Risk System (SPRS). In addition, you must be prepared to grant DoW assessors access for higher-level assessments and ensure your subcontractors have also posted their scores.
  • DFARS 252.204-7021 and 7025: Achieve CMMC Certification. This is the final step. This clause mandates that your organization achieve and maintain the CMMC level specified in a solicitation before it can be awarded. This moves beyond self-assessment to a required certification.

Learn more about the DoW CIO Cybersecurity Maturity Model Certification (CMMC) Program.

The Three CMMC Levels

The CMMC Program has three levels of assessment: self-assessments (Levels 1 and 2), CMMC Third Party Assessment Organization assessments (Level 2 C3PAO), and Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments (Level 3). Suppliers must be certified in sequential order (i.e., to be Level 3 certified, the Supplier must first be Level 1 certified).

CMMC Level 1

Basic Safeguarding of FCI

Level 1 is primarily designed to protect FCI which is basic information, not intended for public release, that the Government collects, develops, uses, or is provided when performing a contract.

CMMC Level 2

Broad Protection of CUI

Level 2 is designed to protect CUI, defined as information that the Government creates or possesses, or that an entity creates or possesses for the Government, and that requires safeguards.

Either a self-assessment or a C3PAO third-party assessment is required every three years, as specified in the solicitation:

  • The assessment type is decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems
  • An annual affirmation verifies compliance with the 110 security requirements in NIST SP 800-171 Revision 2

CMMC Level 3

Enhanced (Higher-Level) Protection of CUI

Level 3 is designed to protect CUI against advanced persistent threats when the information is highly sensitive and could harm national security if leaked.

  • Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172 

Steps to CMMC Levels

Review the following processes to achieve the CMMC certification level that is right for your business.

CMMC Level 1 Self Assessment Steps

Phase 1: Scoping & Preparation

Goal: Understand your specific obligations and identify all systems that handle FCI.

  1. Confirm Requirements: Review your contracts for the DFARS 252.204-7021 clause. This confirms you must protect FCI.
  2. Define Your Scope: Use the official CMMC Level 1 Scoping Guide (PDF) to determine which people, technologies, and facilities are part of your assessment.
  3. Know the Assessment: Use the official CMMC Level 1 Self-Assessment Guide (PDF) to understand what is required.
  4. Review Available Support: Explore no-cost Government resources that can help you prepare. This includes training from Project Spectrum and vulnerability assessments from the NSA Cybersecurity Collaboration Center (CCC). See the Cybersecurity Resources section for a more detailed list.

Phase 2: Implementation & Documentation

Goal: Put the required security controls in place and document your approach.

  1. Inventory Assets & Data: Create a complete inventory of all users, devices, and cloud services. Map the flow of FCI through your systems to understand where it is stored and processed. This will define your "assessment boundary", which typically includes:
    • Locating any FCI in contracts
    • Mapping data flows (network topology)
    • Defining network boundaries
    • Minimizing scope by excluding from the evaluation any systems that are not related to or impacted by FCI/CUI
    • Documenting network interconnections and how you are protecting boundaries
  2. Implement Security Controls: Put the 17 required security practices into action. See the 17 basic practices in the CMMC Level 1 Example Checklist (XLSX).
  3. Develop a System Security Plan (SSP): This is a key document that explains how your organization meets the 17 security requirements. It is mandatory for compliance, and it includes policies and procedures regarding:
    • People - Who has access and where?
    • Processes - What process does the Supplier use to track or maintain?
    • Technology - Does the Supplier use a specific database technology for data maintenance purposes?
  4. Gather Additional Evidence: Collect proof that your controls are working. This can include screenshots of security settings, system logs, or employee training certificates.

Phase 3: Assessment & Submission

Goal: Formally assess your compliance and report the score to SPRS.

  1. Conduct the Self-Assessment: Complete the self-assessment using the CMMC Level 1 Example Checklist and calculate your score out of 100%.
  2. Attest to Your Score: A senior official from your company must review the assessment and formally attest to its accuracy. This must be done annually.
  3. Report Your Score: Register in the Procurement Integrated Enterprise Environment (PIEE) system. Once registered, log in to the Supplier Performance Risk System (SPRS) to post your assessment score.

CMMC Level 2 Self Assessment Steps

Phase 1: Scoping & Preparation

Goal: Understand your specific obligations and identify all systems that handle FCI/CUI.

  1. Confirm Requirements: Review your contracts for the DFARS 252.204-7021 clause. This confirms you must protect FCI/CUI.
  2. Define Your Scope: Use the official CMMC Level 2 Scoping Guidance to determine which people, technologies, and facilities are part of your assessment.
  3. Know the Assessment: Use the official CMMC Level 2 Assessment Guide (PDF) to understand what is required.
  4. Review Available Support: Explore no-cost Government resources that can help you prepare. This includes training from Project Spectrum and vulnerability assessments from the NSA Cybersecurity Collaboration Center (CCC). See the Cybersecurity Resources section for a more detailed list.

Phase 2: Implementation & Documentation

Goal: Put the required security controls in place and document your approach.

  1. Inventory Assets & Data: Create a complete inventory of all users, devices, and cloud services. Map the flow of CUI through your systems to understand where it is stored and processed. This will define your "assessment boundary", which typically includes:
    • Locating any CUI in contracts
    • Mapping data flows (network topology)
    • Defining network boundaries
    • Minimizing scope by excluding from the evaluation any systems that are not related to or impacted by FCI/CUI
    • Documenting network interconnections and how you are protecting boundaries
  2. Implement Security Controls: Put the 110 required security practices/controls from NIST SP 800-171 into action; use the example database on DIBCAC and the NIST SP 800-171 Protecting CUI in Nonfederal Systems and Organizations Requirements Spreadsheet (XLSX).
  3. Develop a System Security Plan (SSP): This is a key document that explains how your organization meets the 110 NIST security requirements. It is mandatory for compliance, and it includes policies and procedures regarding:
    • People - Who has access and where?
    • Processes - What process does the Supplier use to track or maintain?
    • Technology - Does the Supplier use a specific database technology for data maintenance purposes?
  4. Gather Additional Evidence: Collect proof that your controls are working for the 110 requirements. This can include screenshots of security settings, system logs, or employee training certificates.

Phase 3: Assessment & Submission

Goal: Formally assess your compliance and report the score to SPRS.

  1. Conduct the Self-Assessment: Complete the self-assessment using the NIST SP 800-171 Protecting CUI in Nonfederal Systems and Organizations Requirements Spreadsheet (XLSX) and calculate your score out of 100%.
  2. Attest to Your Score: A senior official from your company must review the assessment and formally attest to its accuracy. This must be done annually.
  3. Report Your Score: Register in the Procurement Integrated Enterprise Environment (PIEE) system. Once registered, log in to the Supplier Performance Risk System (SPRS) to post your assessment score.

CMMC Level 2 C3PAO Assessment Steps

  1. Ensure Level 2 Self-Assessment compliance is submitted in SPRS.
  2. Shop for a C3PAO certification provider on the Cyber AB Marketplace.
  3. Select a C3PAO provider that suits your company.
  4. The cyber assessment will be conducted by the C3PAO, and the score will be uploaded to SPRS by the C3PAO.
  5. Conduct annual affirmation. Suppliers annually log into SPRS to self-certify they are still following the methodology that allowed them to pass the C3PAO Assessment.

CMMC Level 3 DIBCAC Compliance Steps

  1. Ensure Level 2 C3PAO compliance, as it is required prior to a Level 3 DIBCAC assessment.
  2. Review contracts for DFARS 252.204-7021 and check if CUI is processed, stored, or transmitted.
  3. Follow the above process aligned with NIST SP 800-172 and utilize the DoD CIO Assessment Guide (PDF).
  4. Request a DIBCAC assessment. When requesting a CMMC Level 3 (DIBCAC) assessment, submit an email to DCMA DIBCAC CMMC at dcma.lee.hq.mbx.dibcac-cmmc@mail.mil with the subject line 'CMMC level 3 (DIBCAC) Assessment Request' and attach the CMMC Status of Final Level 2 (C3PAO) Certificate issued by the C3PAO.
  5. Conduct annual affirmation. Suppliers annually log into SPRS to self-certify they are still following the methodology that allowed them to pass the DIBCAC Assessment.

Note: Undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Automated vs Manual Awards

For DLA automated orders, DLA will provide Suppliers with a window to achieve certification, allowing time to plan and prioritize compliance. For manual awards, DLA may integrate the CMMC Levels when the requiring activity requires CMMC and in alignment with the phased rollout (see 32 CFR part 170).

Phased Implementation of CMMC Level Requirements

Starting November 10, 2025, DLA will begin a phased implementation of CMMC requirements in accordance with DFARS 204.75.

How to Prepare: To help our industry partners prepare, DLA has identified which National Item Identification Numbers (NIINs) will require either:

  • Level 2: Requiring a self-assessment or a third-party (C3PAO) certification.
  • Level 3: In rare cases, requiring a Government-led (DIBCAC) certification.

What to Expect

Defense contractors who process, store, transmit, or handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must demonstrate compliance with CMMC requirements before contract award. These requirements will appear in DLA solicitations and contracts through Clauses, Procurement Notes, and Standard Text Objects (STOs). This does not apply to procurements of purely Commercial-Off-The-Shelf (COTS) items.

While most contracts will follow a three-year phased approach, please be aware that any DLA contract issued after November 10, 2025, may include CMMC requirements. See solicitations and contracts for additional information.

See below for an overview of phased implementation details.

Phase 1 - Initial Implementation
  • Begins at 48 CFR Rule Effective Date, 10 Nov 2025
  • Where applicable, solicitations will require a Level 1 Self-Assessment (Federal Contract Information (FCI)) or a Level 2 Self-Assessment (Controlled Unclassified Information (CUI))

Phase 2
  • Begins 12 months after Phase 1 start, 10 Nov 2026
  • Where applicable, solicitations will require Level 2 Certification (CUI) by a Certified Third Party Assessment Organization (C3PAO)

Phase 3
  • Begins 24 months after Phase 1 start, 10 Nov 2027
  • Where applicable, solicitations will require Level 3 Certification (CUI)

Phase 4 - Full Implementation
  • Begins 10 Nov 2028 and is the final stage
  • All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award
  • At full implementation (Nov 2028), DLA will primarily accept CMMC Final; CMMC Conditional status will be accepted only in limited case-by-case exceptions (DLAD 4.7503)
    • Final - Fully certified
    • Conditional - Valid for 180 days; requires manual review, tracking, extra justification, and approval

Supply Class to CMMC Level Expectation Breakout

The table below shows the CMMC levels, with their expected predominance, associated with each DLA Supply Class.

DLA anticipates that 25% of its total procurements will require CMMC.

Columns: DLA Supply Class Number; DLA Supply Class Description; Expected CMMC Levels with Percentages in Supply Class

Class I: Subsistence, including food and food-related supplies, including condiments, utensils, paper products, and bottled water
  • Level 2 Self (95%)
  • Level 2 C3PAO (5%)

Class II: Clothing, individual equipment, tentage, organizational tool kits, and hand tools
  • Level 2 Self (70%)
  • Level 2 C3PAO (30%)

Class III: Petroleum fuels, lubricants, hydraulic and insulating oils, preservatives, liquid and compressed gases, bulk chemical products, coolants, de-icing and antifreeze compounds, together with components and additives of such products, and coal
  • Level 1 (95%)
  • Level 2 Self / C3PAO (4%)
  • Level 3 (1%)

Class IV: Construction materials including installed equipment and all fortification or barrier materials
  • Level 2 Self (72%)
  • Level 2 C3PAO (28%)

Class VIII: Medical materiel, including medical-peculiar repair parts
  • Level 2 Self (98%)
  • Level 2 C3PAO (2%)

Class IX: Repair parts and components including kits, assemblies and subassemblies, and reparable and consumable items required for maintenance support of all equipment, excluding medical-peculiar repair parts
  • Level 2 Self (77%)
  • Level 2 C3PAO (23%)

Service Contracts: Includes service contracts from DCSO, Disposition, and Distribution for basic supplies or services (non-technical), services, and logistics IT/system integration
  • Level 1 (1%)
  • Level 2 Self (12%)
  • Level 2 C3PAO (73%)
  • Level 3 (10%)

Important: Table depicts general applications of levels. Solicitations are the official source for each requirement.

Columns: Resource/Training; Primary Core Services / Offerings; Access/Cost

Project Spectrum
  Offerings:
  • Education and self-assessment guidance for Levels 1 and 2
  • Access to Cyber Advisor Support to get practical guidance on next steps or low-cost fixes
  • Provides ready-to-use templates for policies, incident response, and cyber compliance checklists
  Access/Cost:
  • Free platform
  • Suppliers must register to begin courses

NIST Publications
  Offerings:
  • Define the baseline security controls Suppliers must implement to win/keep DoW/DLA contracts
  • Provide the foundation/framework for DoW cybersecurity regulations, including the formation and implementation of CMMC
  • Show exactly how assessors/auditors will test cyber controls/infrastructure and what evidence will be collected
  Access/Cost:
  • Free publications

DoW Cyber Crime Center (DC3)
  Offerings:
  • Access to cyber forensic analysis (tech reports) of networks, devices, and media
  • Operational assistance for active cyber incidents, including triage with next steps
  • Leverage DC3 tools or guidance to analyze potential malware and system logs
  Access/Cost:
  • Most services are free
  • Fees may apply for specialized training or work
  • Access via DoW Sponsor, Prime Contractor, or the CCC intake process

NSA Cybersecurity Collaboration Center (CCC)
  Offerings:
  • Assistance identifying gaps and vulnerabilities in tech infrastructure
  • Eligible DoW Contractors can get free assessments and scans to identify cyber weak spots
  • Access to a cyber mitigation playbook to help small teams respond quickly and efficiently to attacks
  Access/Cost:
  • Free platform
  • Access via DoW Sponsor, official referral, or Prime Contractor

Cybersecurity Trainings

When it comes to strengthening cybersecurity and acquisition knowledge, several training options are available to support businesses and individuals working with Government contracts.

Project Spectrum

Designed to help Vendors understand CMMC, Project Spectrum is an initiative supported by the DoW OSBP that is free for Suppliers. Project Spectrum provides information, training, and risk assessments to help Vendors improve cyber readiness and comply with DoW requirements. Register with this learning platform to begin preparing for the CMMC.

View Project Spectrum's YouTube channel to learn more about Project Spectrum through several video resources.

Project Spectrum provides Cyber Readiness Training videos that cover all CMMC Level 1 and CMMC Level 2 controls to prepare Vendors for their self-assessments.

Begin CMMC Level 1 Online Course 

DLA SPRS Cyber Trainings

When a Vendor is ready to upload their CMMC score, they will need to visit the SPRS website and follow the steps to upload their scores. See the following SPRS trainings for further guidance:

APEX Accelerators

The APEX Accelerators program, formerly known as the Procurement Technical Assistance Program (PTAP), under management of the Department of Defense (DoD) Office of Small Business Programs (OSBP), plays a critical role in the Department's efforts to identify and help a wide range of businesses enter and participate in the defense supply chain. The program provides the education and training to ensure that all businesses become capable of participating in Federal, state, and local Government contracts.

Get Started by Finding Your APEX Location 

Defense Acquisition University

Defense Acquisition University (DAU) hosts the DAU Cyber Solutions program, which has weekly small business cybersecurity acquisition webinars on topics such as CMMC, Cyber Incident Reporting, and Cybersecurity for Contracts.

The DAU Cyber Solutions - Basic Cyber Hygiene: A walk-through of FAR 52.204-21 and CMMC Level 1 webinar is a particularly valuable resource.

Department of the Air Force Chief Information Security Officer’s Blue Cyber Education Series

The Department of the Air Force (DAF) Chief Information Security Officer's (CISO) Blue Cyber Education Series for Small Businesses provides cybersecurity information and support that is free and open to the public.


Cybersecurity Resources

The below resources are available for Vendors to stay informed and compliant with the DoD's security requirements.

National Security Agency (NSA) Cybersecurity Collaboration Center

NSA Cybersecurity Collaboration Center provides no-cost cybersecurity solutions for qualifying Defense Industrial Base (DIB) companies including:

  • Protective Domain Name System (DNS)
  • Attack Surface Management (ASM)
  • Continuous Autonomous Penetration Testing (CAPT)
  • Access to NSA non-public DIB-specific threat intelligence

DoD Chief Information Officer (CIO)

DoD Chief Information Officer (CIO) provides informational guides and supplemental documentation designed to support companies in defining the scope of a CMMC assessment and in preparing for, or conducting, a CMMC assessment.

NIST Issues Cybersecurity Primer for Protecting CUI

The National Institute of Standards and Technology (NIST) recently released SP 1318: Small Business Primer for Protecting Controlled Unclassified Information (CUI), a new resource that explains how small businesses can meet the requirements of NIST SP 800-171, the Federal standard for safeguarding sensitive but unclassified data.

DoD's Small Business Programs Cybersecurity webpage

DoD's Small Business Programs Cybersecurity webpage is designed to assist small businesses in enhancing their cybersecurity measures. Vendors can find a variety of resources to help businesses secure their systems and data to comply with Federal requirements.

DoD's Controlled Unclassified Information (CUI) Program

DoD's Controlled Unclassified Information (CUI) Program is the central resource for DoD CUI policy, training materials, the CUI registry, and related news.

Other Security Resources

Other Cyber Security Resources can be found on the Information Operations Contractor Cyber Security Resources page.