Chief Information Officer U.S. Department of War
Phased Implementation of CMMC Requirements Has Begun!
CMMC Phase 1 Implementation (Nov 10, 2025 – Nov 9, 2026) to focus primarily on CMMC Level 1 and Level 2 self-assessments
**Reminder to submit AFFIRMATIONS with your CMMC assessments in SPRS**
About CMMC
Cybersecurity is a top priority for the Department of War (DoW or Department). The defense industrial base (DIB) faces increasingly frequent and complex cyber-attacks. To strengthen DIB cybersecurity and better protect DoW information, the Department developed the Cybersecurity Maturity Model Certification (CMMC) Program. CMMC assesses defense contractor compliance with existing information safeguarding requirements for federal contract information (FCI) and controlled unclassified information (CUI).
Overview of the CMMC Program
The CMMC Program aligns with the Department’s existing information safeguarding requirements for the DIB. The program provides the DoW with increased assurance that prospective contractors and subcontractors have implemented contractually required cybersecurity standards for nonfederal information systems that will process, store, or transmit FCI or CUI during contract performance.
Key features of the CMMC Program:
- Tiered Model: CMMC assesses compliance with cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. The program also outlines protection requirements for information flowed down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify DIB implementation of foundational cybersecurity standards.
- Implementation through Contracts: DoW contractors and subcontractors entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award.