On January 15, 2025, the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) issued a memorandum titled Cybersecurity Maturity Model Certification (CMMC) Implementation Policy. This memo outlines the process and criteria that Department of Defense (DoD) program offices must follow when determining the cybersecurity assessment requirements for solicitations and contracts. For defense contractors, this memo is essential. It clarifies how decisions will be made about the level of CMMC assessment required—self-assessment, certification assessment, or affirmation—and what documentation will support those decisions.
DoD contractors must begin by identifying what type of information will be processed, stored, or transmitted on their information systems. The two data classifications that drive CMMC assessment requirements are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The presence of either has significant implications for the organization’s cybersecurity policies and practices, and the presence of CUI, together with the contract’s own requirements, determines the scope and depth of the required assessment. Contractors unsure whether the data they handle qualifies as CUI should consult the NARA CUI Registry, which groups CUI into discrete categories ranging from Controlled Technical Information and Export Controlled data to Legal and Privacy categories.
For solicitations and awards that require the safeguarding of CUI, a certification assessment conducted by a CMMC Third Party Assessment Organization (C3PAO) will be required to demonstrate adherence to NIST SP 800-171 standards. This applies to environments requiring certification as “CMMC Level 2.”
Where only FCI is present and CUI is not involved, contractors may be required to conduct a self-assessment under “CMMC Level 1,” certifying compliance with the basic safeguarding requirements of FAR 52.204-21.
The memo anchors its guidance in DoD Instruction (DoDI) 8582.01, which outlines responsibilities for assessing contractor cybersecurity across the acquisition lifecycle. This instruction serves as a foundational compliance framework and is referenced as the primary guide for establishing cybersecurity requirements in solicitations.
The heart of the memo is found in its Attachment 1: CMMC Implementation Decision Flow for DoD Program Managers and Requiring Activities. This attachment introduces a structured decision tree and procedural guidance that contracting officials must follow when deciding which type of assessment a contractor must undergo. It is not simply a flowchart; it embodies the policy’s operational backbone. The attachment requires that assessment-level determinations be traceable, justified, and based on the specific type of data handled in the course of the contract’s execution. For example, if a contract entails the generation or handling of CUI categories such as “Export Controlled” or “Defense,” a full certification assessment is warranted.
Understanding Assessment Types and When a C3PAO Assessment Is Not Required
To assist DoD contractors in determining which CMMC assessment pathway is appropriate, the table below outlines each CMMC assessment type, the associated data classifications, relevant NARA CUI categories, the regulatory basis, and the required assessment method.
CMMC Assessment Requirements by Data Classification
A critical nuance within the memo pertains to the role and permanence of the CMMC Level 2 self-assessment requirement. The document emphasizes that, effective September 29, 2020, DFARS Subpart 204.73 mandates the inclusion of DFARS clause 252.204-7019 in nearly all solicitations, excluding only those involving commercial off-the-shelf (COTS) products. This clause requires offerors to maintain a current NIST SP 800-171 DoD Assessment on record prior to contract award, provided they are subject to DFARS clause 252.204-7012.
Given this longstanding requirement for a Basic self-assessment and the structured process for submitting Plans of Action and Milestones (POA&Ms) through the Supplier Performance Risk System (SPRS), the memo makes clear that “there are no circumstances likely to warrant approval of requests to waive CMMC Level 2 self-assessment requirements.”¹ This solidifies the self-assessment as a permanent and non-waivable component of CMMC Level 2 compliance in scenarios where CUI is present but does not require third-party certification. For DoD contractors, this reinforces that even absent a need for C3PAO engagement, formal attestation of cybersecurity posture is still required—and cannot be bypassed.
Contractors should be proactive. This memo is not a distant roadmap—it is a near-term directive. Once the CMMC final rule becomes effective with the publication of the 48 CFR rule (expected in mid-2025), these requirements will begin appearing in solicitations. Contractors should immediately assess their environments, classify the information they handle, and determine whether they are prepared for self-assessment, certification, or affirmation. Those found unprepared when solicitations are released may face delays, potential disqualification, or rushed compliance efforts that incur significant cost and risk.
Ultimately, contractors need to map their systems and data flows internally to determine whether and where CUI is present. Use the NARA registry to classify data elements, validate your cybersecurity practices against NIST SP 800-171 for Level 2 or FAR 52.204-21 for Level 1, and begin the documentation effort that supports your selected assessment track. Those required to pursue a certification assessment should begin coordinating with a C3PAO without delay.
References:
1. DoD Memo – CMMC Implementation Policy (2025-01-15): https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf
2. NARA Controlled Unclassified Information (CUI) Category List: https://www.archives.gov/cui/registry/category-list
3. DoD Instruction (DoDI) 8582.01: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/858201p.pdf
4. Federal Acquisition Regulation (FAR) 52.204-21: https://www.acquisition.gov/far/part-52#FAR_52_204_21
5. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: https://www.acquisition.gov/dfars/252.204-7012
6. NIST SP 800-171 Revision 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
7. Federal Register – CMMC Final Rule, Published 10/15/2024: https://www.federalregister.gov/documents/2024/10/15/2024-22579/cybersecurity-maturity-model-certification-cmmc-program