Start here.
Look at your contracts first. CMMC is contract-borne. What a specific contract requires is written into a clause, not implied by a vendor’s marketing page or a rumor from another shop. This page starts with the signals that tell you whether CMMC reaches you at all, then routes you through the rest of the desk based on the question you’re actually asking.
01Does this apply to you
CMMC reaches you through a contract, not through a general sense that you should probably be doing something about cybersecurity. The table below lists the signals that actually show up in DoD contracting — a clause, a marking, a category of work — and what each one may indicate. “May indicate” is deliberate: these are signals worth verifying, not a verdict this page can hand you.
| Signal | Where you see it | What it may indicate |
|---|---|---|
| DFARS 252.204-7012 | Contract clause | Covered defense information is part of the work, with a safeguarding and 72-hour incident-reporting duty attached. |
| DFARS 252.204-7019 | Solicitation provision · legacy | A current NIST SP 800-171 DoD Assessment score is expected in SPRS. (Removed from new solicitations, February 2026.) |
| DFARS 252.204-7020 | Contract clause | DoD access to assessment information, plus flow-down mechanics if you have subcontractors of your own. |
| DFARS 252.204-7021 | Contract clause | A specific CMMC Status is a condition of this contract. |
| DFARS 252.204-7025 | Solicitation provision | The solicitation names the CMMC level required — and without a current status and affirmation in SPRS at that level, the offer is ineligible for award. |
| FCI only | The work you handle | A possible Level 1 path. |
| CUI handling | Markings, prime direction, or your contract itself | A possible Level 2 or Level 3 path. |
| COTS only | What you sell | A possible exemption path. |
Clause numbers moved in 2026: a new solicitation may show FAR 52.240-93 instead of 52.204-21 and 252.240-7997 instead of 252.204-7020, and drop 7019 entirely — interim class deviations, same substance. The contract clauses has the map.
For what each clause and term means in full, see the Glossary and Source Library; for how FCI and CUI are actually defined, see The Data.
02The four routes
Four readers use this desk, and each is really asking a different question. Pick the one closest to yours, start where it says, and read in the order given — the pages overlap across routes, but the order that makes sense doesn’t.
“What am I signing, and what’s my exposure?”
Start with: The Levels — the level table shows what tier of exposure a given contract actually puts on you, and its affirmations section explains exactly what you sign every year and why it carries weight.
Then read:
- The System — who checks your work, and when any of this reaches a contract that hasn’t been re-competed yet.
- The Assessment — what actually happens once an assessment is underway.
- FAQ
“What do I actually have to implement?”
Start with: The Data — implementation starts with knowing what you’re protecting and where it actually lives across your systems, not with a list of controls.
Then read:
- Scope & Boundary — what’s actually inside the assessment before you start implementing anything against it.
- Domains — the 14 security-requirement families, one page each.
- Evidence, SSP & POA&M
“What’s my role versus my client’s?”
Start with: Scope & Boundary — section 04 sets out exactly how an ESP’s services and responsibilities enter a client’s assessment scope, and what they don’t take off your client’s plate.
Then read:
- The System — the machinery your client is being checked against, so you know what your tooling actually feeds into.
- Evidence, SSP & POA&M — the kind of proof a responsibility matrix needs to hold up.
- FAQ
“What can I require of subs, and when?”
Start with: The System — the cast list and rule stack show who checks what, and the phases section sets the calendar for when a status requirement can actually reach a subcontract.
Then read:
- The Levels — what a given level actually requires of a sub, so a flow-down request is specific instead of a blanket ask.
- The System again, for the phases section (04) — now that the levels make sense, the phase calendar shows when each requirement can land on a specific subcontract.
- FAQ
Prefer a summary shaped like your job title instead of a reading route? By role compresses the desk for executives, technical leads, and compliance owners — and The implementation path lays the whole sequence out in order, with a checklist.
03Meet the shop
A few pages on this desk lean on the same worked example, so an abstraction has somewhere concrete to land. You’ll see it again as “At the shop” callouts.
Blanchard Tool & Machining is a fictional composite for illustration; any resemblance to an actual company is coincidental. Blanchard is a 45-person precision-parts subcontractor, tier-2 to two primes. Its IT function is two people, backed by a regional MSP. What Blanchard handles that matters here is technical drawings — CUI, marked that way by the primes that hand the drawings down. Wherever this desk needs a concrete case instead of an abstraction, Blanchard is it.
04Independence note
This desk is independent educational material. It is not affiliated with, endorsed by, or representing the U.S. Department of Defense, the Cyber AB, or any C3PAO. CMMC is a DoD program — act on the primary sources cited throughout this desk, and on your own advisors, not on this desk alone.