CMMC Requirements

On September 10, 2025, the Department of Defense (DOD) published a final rule implementing the Cybersecurity Maturity Model Certification program (CMMC) for DOD contractors and subcontractors.

Effective November 10, 2025, the CMMC Final Rule requires DOD to include CMMC requirements in contracts that involve the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).


What Is CMMC?

CMMC is a unified assessment model created by DOD in response to the growing threat of cyberattacks and data theft targeting defense contractors. CMMC is designed to ensure that DOD contractors and subcontractors adequately safeguard two categories of sensitive government information: CUI and FCI.

While DOD contractors have already been subject to information security requirements in DFARS and FAR clauses, CMMC builds on these existing requirements by requiring all DOD contractors and subcontractors who handle CUI or FCI during contract performance to certify compliance with security controls through mandatory self-assessments, third-party assessments, and affirmations of compliance.

The type of data (i.e., CUI or FCI) and the sensitivity of the contract being performed dictate the type of assessment and the security controls that apply.

The CMMC framework is broken out into three levels:

  • CMMC Level 1 applies to contractors and subcontractors that store, process, or transmit FCI. CMMC Level 1 includes 17 of the NIST SP 800-171 security requirements, which are listed in the FAR 52.204-21 Basic Safeguarding clause, sections (b)(1)(i) through (b)(1)(xv). Level 1 requires a contractor’s self-assessment, conducted annually.
  • CMMC Level 2 applies to contractors and subcontractors that store, process, or transmit CUI. CMMC Level 2 consists of 110 requirements that correspond with the requirements found in NIST SP 800-171A. Level 2 requires either a self-assessment (conducted annually) or an external assessment conducted by a certified third-party assessor (conducted every three years).
  • CMMC Level 3 applies to a select group of contractors that store, process, or transmit high-value CUI, as determined by DOD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications require a DOD-conducted assessment every three years. The Level 3 phase-in takes place in November 2027.

CU Boulder’s Support for Principal Investigators with CMMC Requirements

CU Boulder is committed to supporting federally funded research by maintaining CMMC-aligned mechanisms and procedures for PIs to meet compliance requirements and support project success. CU Boulder is prepared to accept CMMC Level 1 and CMMC Level 2 Self-Assessment on or soon after November 10, 2025.

Proposal Stage

  • OCG Proposal Analysts and PIs will review DOD solicitations and Requests for Proposals (RFPs) to identify the required CMMC level (Level 1 or 2) that will apply to the award.
  • PIs will meet with to discuss the system and process requirements needed to comply with the required CMMC level and to estimate the costs associated with implementing CMMC compliance.
  • Information technology costs associated with CMMC are an allowable cost and should be budgeted at the proposal stage.

Award Review & Negotiation Stage

  • OCG Contract Officers will review the award for CMMC requirements and consult with the PI on next steps to ensure compliance.
  • For projects that require CMMC Level 1, PIs must meet with at the time of award to discuss system and process requirements for the project.
  • For projects that require CMMC Level 2, PIs are required to use The Preserve to receive, transmit, store, and create controlled unclassified information (CUI).
  • CU Boulder’s and Research Computing will offer consultation and technical support for complying with the CMMC requirements identified in a DOD contract.

Post-Award Contract Amendments

  • DOD may amend current contracts to include CMMC requirements.
  • If OCG receives an amendment to a contract that requires CMMC compliance, OCG will notify PIs with next steps.

CU Boulder Resources

CMMC Federal Resources
