WiseExecution ← wiseexecution.us

Field Primer · Defense Eligibility

The CMMC gate: what DoD work requires before you can bid

Most early-stage teams chasing their first defense dollar don't learn about this until it disqualifies them. Since November 10, 2025, a cybersecurity certification called CMMC is a condition of award on Department of Defense work — and the entry tier is triggered the moment your company so much as handles Federal Contract Information. No certification, no eligibility; in practice, no information exchange.

(The department is being rebranded the "Department of War," but it remains DoD in the DFARS and the federal registry — same agency, same rules.)

What CMMC actually is

The Cybersecurity Maturity Model Certification is how DoD verifies that a contractor protects government information. It enters your world through DFARS clause 252.204-7021, written into the solicitation, and it steps up in three levels according to how sensitive the data you touch is. One thing to be clear on: CMMC governs unclassified information only — Federal Contract Information and Controlled Unclassified Information. Classified work runs on a separate clearance regime entirely.

The three levels

LEVEL 1 · Foundational · Federal Contract Information (FCI)
  • The floor. Triggered by any contract that generates FCI — which is essentially all of them. Without it, your company can't exchange information with a defense customer or be eligible for award.
  • 15 basic safeguarding practices (FAR 52.204-21): access control, user identification, media handling, physical and basic system protection.
  • And it all has to be written, complete, and compliant — a documentation stack, not a checkbox. The artifacts you must have on file:
    • System Security Plan (SSP)
    • General Security Policy
    • Access Control Policy
    • Configuration Management Policy
    • Media Protection Policy
    • Physical & Environmental Security Policy
    • Incident Response Plan (IRP)
    • Plan of Action & Milestones (POA&M)
  • Self-assessed and affirmed. You score against the practices, post to SPRS, and a senior official signs — no third party at Level 1. But a false affirmation is False Claims Act exposure, and the documentation has to hold up the moment you're audited or challenged. At Levels 2 and 3, an assessor — a C3PAO, or the government's DIBCAC at Level 3 — reviews this exact stack before award.
  • And the shredder is the cheap part. Destroying FCI takes a compliant cross-cut shredder — the line item people notice, and the smallest one. Meeting the 15 practices means a secured environment to stand up and maintain: servers, locked-down workstations for authorized users, access controls and monitoring — plus the outside help most small teams need to keep it defensible. Five figures a year, every year. Teams routinely underestimate Level 1 until they are inside it.

Cost: five figures a year — a secured environment to stand up and maintain, not a checkbox

LEVEL 2 · Advanced · Controlled Unclassified Information (CUI)
  • The moment you exchange technical data with a service branch, you are almost certainly in CUI — and that is Level 2, a materially bigger lift.
  • All 110 controls of NIST SP 800-171 (Rev. 2). Self-assessment today; from November 10, 2026, a third-party C3PAO assessment every three years, plus annual affirmations.
  • Carries an enclave, tooling, documentation, and an outside assessment — an ongoing program, not a one-time filing.

Cost: ~$75,000/yr and up — frequently into six figures

LEVEL 3 · Expert · The most sensitive CUI (APT protection)
  • Reserved for the most sensitive programs — roughly 1% of contractors — and built to withstand advanced persistent threats.
  • The 110 NIST 800-171 controls plus 24 enhanced controls from NIST SP 800-172 (134 total), assessed by the government's DIBCAC, not a third party.

Cost: high six figures and up — DoD estimates $500K to several million over three years

This is not a deadline-week form

CMMC readiness is a 90-day-minimum effort even at Level 1 — standing up the safeguards, the System Security Plan, and the SPRS attestation — and Level 2 commonly runs 12 to 18 months. Enforcement Phase 1 began November 10, 2025; mandatory third-party Level 2 certification arrives November 10, 2026. If a defense opportunity is on your horizon, the compliance clock starts now — not at solicitation.

The bottom line

This is the part founders miss: your company won't get the privilege of information exchange without Level 1, and it won't survive a real technology engagement with a service branch without a credible path to Level 2. It isn't a paperwork footnote — it's an eligibility gate with a budget and a calendar attached.

That's exactly the terrain a commercialization plan has to map before you commit to a defense topic. At WiseExecution, eligibility and the compliance runway are part of the go / no-go from day one — so the prerequisite shows up in your plan at the start, not as a disqualification at the finish line.

Weighing a DoD opportunity? Let's map the eligibility runway before the window opens →

Informational primer — not legal or compliance advice. CMMC status is established through self-assessment, an authorized C3PAO, or DIBCAC, depending on level. Requirements and dates reflect the DFARS final rule as of mid-2026; always confirm the specific level and conditions in the live solicitation.