CMMC Acquisition Rule Posted for Public Inspection
CMMC 2.0 Phase 1 implementation of self-assessments begins Nov 10th, 2025
View more information on Phased Implementation of CMMC Requirements at DLA.
Redirecting...

Small Business Cyber Readiness with tech icons

Cybersecurity Resources for Vendors

Vendors can find the cybersecurity requirements, program information, and helpful resources they need to ensure compliance when working with DLA and the DoD.

The links on this page lead to resources outside of DLA's Office of Small Business Programs. The content is informational only and should not be interpreted as being definitive, all-inclusive or an endorsement, sanction, approval, or authorization by DLA.

Navigate

Cybersecurity infographic

Why is Cybersecurity Important at DLA?

Strengthening cybersecurity measures is crucial for handling and protecting information as cyber-threats continue to grow. To enhance DLA's cybersecurity and better protect DoD information, the Cybersecurity Maturity Model Certification (CMMC) Program  was created to empower Vendors to align with DoD cybersecurity requirements in order to work with the Government.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC Program is structured to align with the DoD’s current information security requirements for the Defense Industrial Base (DIB). It's purpose is to ensure the safeguarding of sensitive unclassified information shared by the DoD with contractors and subcontractors. By implementing this program, the DoD ensures that Vendors are adhering to cybersecurity standards when using nonfederal systems handling Federal Contract Information (FCI)   and Controlled Unclassified Information (CUI)  .

Currently Suppliers are expected to comply with the following if they are storing, transmitting, and processing CUI:

DFARS 252.204-7012  requires Suppliers to implement 110 cybersecurity requirements, specified in the NIST Special Publication (SP) 800-171 , Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, for most Defense contracts.

Suppliers are also required to develop a System Security Plan (SSP) detailing the policies and procedures they have in place to comply with NIST SP 800-171.

DFARS 252.204–7019  requires Suppliers to conduct a NIST SP 800–171A, Rev. 3  self-assessment.

A Supplier can take a self-assessment with NIST SP 800-171A, Rev. 3 

However, there is an exception for Commercial Off the Shelf (COTS) items that the Government categorizes as COTS.

Self-assessment scores must be reported in the Supplier Performance Risk System (SPRS). In order to upload into SPRS, a Supplier must first register in the Procurement Integrated Enterprise Environment (PIEE) .

Self-assessments must be submitted by the time of award and must not be more than 3 years old.

DFARS 252.204–7020  notifies contractors that DoD reserves the right to conduct a higher-level assessment and that contractors must give assessors full access to their facilities, systems, and personnel.

It requires contractors to confirm their subcontractors have assessment scores posted in SPRS.

DFARS 252.204-7021 will require Suppliers and their subcontractors (if applicable) to have a certain CMMC level before being awarded a contract.

newest cmmc 2.0 Implementation

Phased Implementation of CMMC Requirements at DLA

DLA will implement Cybersecurity Maturity Model Certification (CMMC) 2.0 pursuant to DFARS 204.75  using a phased approach beginning on the effective date of November 10, 2025. As part of this rollout, DLA may gradually introduce requirements, in the form of DLA Procurement Notes and Standard Text Objects (STOs), aligned with the appropriate CMMC levels.

To support early visibility for industry partners, DLA has identified which NIINs will correspond to Level 2 (self-assessment or C3PAO certification) and, in rare cases, Level 3 (DIBCAC certification). While final DLA procurement policy is still in development, more guidance will be provided near the DFARS effective date.

To increase the cybersecurity posture of the Defense Industrial Base and better protect sensitive unclassified information, all defense contractors and subcontractors must demonstrate compliance with applicable security requirements—through self-assessment or independent assessmentprior to contract award, excluding Commercial-Off-The-Shelf procurements.

CMMC requirements may appear in any contract after November 10, 2025, if included by the requiring activity. However, for most DLA contracts, DLA will follow the phased approach outlined below:

Collapse All Expand All
Expand List item 5959Collapse List item 5959  Phase 1 - Initial Implementation
  • Begins at 48 CFR Rule Effective Date, 10 Nov 2025
  • Where applicable, solicitations will require Level 1 (Federal Contract Information (FCI)) or 2 Self-Assessment (Controlled Unclassified Information (CUI))
Expand List item 5960Collapse List item 5960  Phase 2
  • Begins 12 months after Phase 1 start, 10 Nov 2026
  • Where applicable, solicitations will require Level 2 Certification (CUI) Certified Third Party Assessment Organization (C3PAO)
Expand List item 5961Collapse List item 5961  Phase 3
  • Begins 24 months after Phase 1 start, 10 Nov 2027
  • Where applicable solicitations will require Level 3 Certification (CUI)
Expand List item 5962Collapse List item 5962  Phase 4 - Full Implementation
  • Begins 36 months after Phase 1 start
  • Solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award
  • At full implementation (Nov 2028), DLA will accept CMMC Final, and CMMC Conditional will be accepted only in limited case-by-case exceptions (DLAD 4.7503)
    • Fully certified
    • Valid for 180 days, requires manual review, tracking, extra justification, and approval

For DLA automated orders, DLA will provide suppliers with a window to achieve certification, allowing time to plan and prioritize compliance. For manual awards, DLA may integrate the CMMC Levels when the requiring activity requires CMMC, and in alignment with the phased rollout (see 32 CFR part 170 ).

DLA has conducted NIIN-level mappings and developed policy tools to help communicate expected CMMC levels. These resources will be shared through official channels and industry engagement forums once finalized.

In the meantime, we encourage suppliers to continue self-assessments IAW DFARS 252.204-7012  based on the sensitivity of the data, the nature of the work performed, and the suppliers desired CMMC level.

For questions, please refer to the DLA Cyber Resources webpage and DIBBS announcements.

The video provides an overview of the Department’s plans for implementation of the DoD CIO Cybersecurity Maturity Model Certification (CMMC) Program.

Learn more about the DoD CIO Cybersecurity Maturity Model Certification (CMMC) Program .

Back to Top

Overview of Assessments

The CMMC Program has three levels of assessments comprised of self, CMMC Third Party Assessment Organization (C3PAO), and the Defense Industrial Base Cyber Assessment Center (DIBCAC) assessments.  Each assessment incorporates security requirements from existing requirements and publications. Once the CMMC Program is implemented, a DoD solicitation will specify the minimum CMMC Status required to be eligible for award. Below is an overview of the assessment requirements found on the Chief Information Officer- About CMMC   webpage.

Level 1: Basic Safeguarding of FCI

Requirements:

  • Annual self-assessment and annual affirmation ; of compliance with the 15 security requirements in FAR clause 52.204-21 
    • Annual affirmation requires all CMMC-certified contractors (any level) to affirm their compliance annually and upload the results to SPRS. Contracting officers will use SPRS to verify an offeror or contractor’s CMMC level.

Level 2: Broad Protection of CUI

Requirements:

  • Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation
    • Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems
    • Annual affirmation, verify compliance with the 110 security requirements in NIST SP 800-171 Revision 2 

See also the CMMC Level 2 Self-Assessment Quick Entry Guide from SPRS .

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements:

  • Achieve CMMC Status of Level 2
  • Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172 

Project Spectrum

Project Spectrum infographic

Designed to help Vendors understand CMMC, Project Spectrum  is an initiative supported by the DoD OSBP that is free for Suppliers. Project Spectrum provides information, training, and risk assessments to help Vendors improve cyber readiness and comply with DoD requirements. Register with this learning platform to begin preparing for the CMMC. 

Project Spectrum provides Cyber Readiness Training videos that cover all CMMC Level 1 and CMMC Level 2 controls to prepare Vendors for their self assessments. Begin the CMMC Level 1 online course by selecting the button below.

Begin CMMC Level 1 Online Course 

 

 View Project Spectrum's YouTube channel  to learn more about Project Spectrum through several video resources.

 CMMC Level 1 and 2 self-assessments can be found in the Supplier Performance Risk System (SPRS)  . 

When a Vendor is ready to begin the Level 1 self-assessment, they will need to visit the SPRS website  and access the reference material to start the self-assessment.

Begin Level 1 Assessment 

Overview of CMMC Policy: Title 32 and Title 48

The Department of Defense (DoD) has implemented Cybersecurity Maturity Model Certification (CMMC) requirements through two distinct regulatory frameworks: Title 32, CMMC Program, and Title 48, Assessing Contractor Implementation of Cybersecurity Requirements, of the Code of Federal Regulations.

Collapse All Expand All
Expand List item 6242Collapse List item 6242  Title 32

Title 32  governs the programmatic aspects of CMMC implementation, establishes the CMMC Program structure, including assessment procedures, scoring methodology, and certification pathways.

Title 32:

  • Defines CMMC levels and assessment criteria
  • Establishes the role of CMMC Third-Party Assessor Organizations (C3PAOs)
  • Applies to all DoD contractors who process, store, or transmit CUI
  • Sets the baseline for cybersecurity readiness across the supply chain
Expand List item 6243Collapse List item 6243  Title 48

Title 48 integrates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). This rule governs how CMMC is enforced through contracts, specifying when and how certification must be demonstrated during the acquisition process. Title 48 ensures that cybersecurity compliance is a condition of contract award, and it provides the legal framework for incorporating CMMC clauses into solicitations and agreements.

Title 48:

  • Mandates CMMC certification as a prerequisite for contract eligibility
  • Details how contracting officers evaluate and verify compliance
  • Aligns cybersecurity with procurement and acquisition strategy
  • Supports enforcement through DFARS clauses and contract terms

Back to Top

Cybersecurity Resources

The below resources are available for Vendors to stay informed and compliant with the DoD's security requirements.

NIST Issues Cybersecurity Primer for Protecting CUI

The National Institute of Standards and Technology (NIST) recently released SP 1318: Small Business Primer for Protecting Controlled Unclassified Information (CUI)  a new resource that explains in plain language how small businesses can meet the requirements of NIST SP800-171, the federal standard for safeguarding sensitive but unclassified data.

The Small Business Primer breaks down what leadership, IT staff, and employees need to know, offering FAQs, examples, and step-by-step starting points that make compliance more achievable.

​​DoD's Small Business Programs Cybersecurity webpageCybersecurity awareness month

​​DoD's Small Business Programs Cybersecurity   webpage  is designed to assist small businesses in enhancing their cybersecurity measures.  Vendors can find a variety of resources to help businesses secure their systems and data to comply with federal requirements.  For questions and concerns, contact DoD OSBP by phone at  571-372-6191.

DoD Procurement Toolbox

​DoD Procurement Toolbox   is a comprehensive collection of tools, training materials, and services designed to assist organizations in managing, enabling, and sharing procurement information across the DoD.

DoD's Controlled Unclassified Information (CUI) Program  

DoD's Controlled Unclassified Information (CUI) Program  is the central resource for the DoD's CUI Program providing policy, training, desktop aids, CUI registry, and latest news information.  

DoD Chief Information Officer (CIO)

DoD Chief Information Officer (CIO)  provides informational guides and supplemental documentation designed to support companies in defining the scope of a CMMC assessment and in preparing for, or conducting, a CMMC assessment.

DoD Cyber Crime Center (DC3)

DoD Cyber Crime Center (DC3)  provides cyber threat information and free cybersecurity services that cover a wide range of cyber threats and support DIB companies on their CMMC journey. 

National Security Agency (NSA) Cybersecurity Collaboration Center

NSA Cybersecurity Collaboration Center  provides no-cost cybersecurity solutions for qualifying Defense Industrial Base (DIB) companies such as Protective Domain Name System (DNS), attack surface management, and access to NSA non-public DIB-specific threat intelligence.  

Other Security Resources

Other Cyber Security Resources can be found on the Information Operations Contractor Cyber Security Resources page.

Cybersecurity Trainings

When it comes to strengthening cybersecurity and acquisition knowledge, several training options are available to support businesses and individuals working with Government contracts.

APEX Accelerators

The APEX Accelerators program  , formerly known as Procurement Technical Assistance Program (PTAP), under management of the Department of Defense (DoD) Office of Small Business Programs (OSBP), plays a critical role in the Department’s efforts to identify and helps a wide range of businesses enter and participate in the defense supply-chain. The program provides the education and training to ensure that all businesses become capable of participating in federal, state, and local government contracts.

Get Started by Finding Your APEX Location 

Defense Acquisition University

Defense Acquisition University (DAU) hosts the DAU Cyber Solutions program  which has weekly small business cybersecurity acquisition webinars on topics such as CMMC, Cyber Incident Reporting, and Cybersecurity for Contracts. 

One training in particular that stands out is DAU Cyber Solutions - Basic Cyber Hygiene: A walk-through of the FAR 52-204.21 and CMMC Level 1 .

Department of the Air Force Chief Information Security Officer’s Blue Cyber Education Series

Department of the Air Force (DAF) Chief Information Security Officer’s (CISO) Blue Cyber Education Series  for Small Businesses provides free and open to the public cybersecurity information and support.

Back to Top

Terms Glossary

Term Used Meaning/Definition
C3PAO CMMC Third Party Assessment Organization
CISO Chief Information Security Officer
CMMC Cybersecurity Maturity Model Certification
CUI Controlled Unclassified Information
DAF Department of the Air Force
DAU Defense Acquisition University
DC3 DoD Cyber Crime Center
DFARS Defense Federal Acquisition Regulation Supplement
DIB Defense Industrial Base
DIBCAC Defense Industrial Base Cyber Assessment Center
DNS Domain Name System
DoD Department of Defense
FCI Federal Contract Information
NSA National Security Agency
OSBP Office of Small Business Programs
SPRS Supplier Performance Risk System