Upcoming CMMC Requirements
Background
As a follow-up to "Cybersecurity Maturity Model Certification: Rulemaking Progress and Readiness for CMMC": beginning November 10, 2025, DOD contracts (except those for COTS items) are anticipated to begin requiring some level of CMMC compliance, depending on the type of sensitive data being handled.
CMMC assessment requirements will be implemented using a four-phase plan over three years.
| Phase | Effective Date | Assessment Method |
| --- | --- | --- |
| Phase 1 | 10 Nov 2025 | Self-assessment (Level 1 or Level 2) |
| Phase 2 | 10 Nov 2026 | Third-party Level 2 assessment by a C3PAO |
| Phase 3 | 10 Nov 2027 | Third-party Level 3 assessment by DIBCAC |
| Phase 4 | 10 Nov 2028 | Full program implementation |
However, in some procurements, the DOD may implement CMMC requirements in advance of the planned phase.
Regulatory Requirement
32 CFR § 170.23 requires CMMC compliance from all subcontractors at any tier that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for a DOD contract. Subcontractors will be required to evidence compliance with the required CMMC level based on the data they handle.
At full program implementation:
- If a subcontractor handles only FCI, a CMMC Level 1 (Self-Assessment) or higher is required;
- If a subcontractor handles CUI, a CMMC Level 2 (Self-Assessment) or higher is required;
- If a subcontractor handles CUI and the associated prime contract has a requirement for CMMC Level 2 (C3PAO), then the CMMC Level 2 (C3PAO) is the minimum requirement for the subcontractor;
- If a subcontractor handles CUI and the associated prime contract has a requirement for CMMC Level 3 (DIBCAC), then the CMMC Level 2 (C3PAO) is again the minimum requirement for the subcontractor. CMMC Level 3 (DIBCAC) will be required of subcontractors only as specified by the DOD prime contracting officer.
More information on the CMMC Level determination can be found here.
Immediate Actions to Complete
Here is what you can do now to be ready to meet the Government’s CMMC requirements and avoid any procurement disruptions:
- CMMC Level 1 (Federal Contract Information) AND all DOD subcontractors who are not exempt as COTS only
  - Document your Level 1 Self-Assessment in DOD's SPRS system.
- CMMC Level 2 (CUI)
  - In addition to your existing NIST Assessment score in SPRS, you need to update your SPRS profile to include a CMMC Level 2 Self-Assessment.
  - Pursue your CMMC Level 2 C3PAO assessment since some GFY 2026 contracts may include a C3PAO requirement for CUI.
Lockheed Martin will require all suppliers to satisfy in-system documentation requirements reflecting the applicable CMMC Statuses that support Lockheed Martin subcontract work. Additional details on these requirements will be addressed in future communications.
Your proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with Lockheed Martin. Please allocate the necessary resources promptly to ensure your company is prepared.
For questions, please reach out using the link below.
