Breaking into the United States Department of War (U.S. DoW) market is not only about winning contracts; it is also about meeting the cybersecurity standards that protect sensitive government information. Under the Cybersecurity Maturity Model Certification (CMMC), a company bidding on a new U.S. DoW contract that involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must demonstrate that the systems handling that information meet one of the three CMMC levels, and must flow the same requirement down to any subcontractor that handles that information.
For Canadian firms, understanding these requirements is critical: compliance is not optional, and failure to meet the level specified in a solicitation blocks access to the award. This page gives practical, step-by-step guidance to determine your required CMMC level, close compliance gaps, and position your business as a trusted partner in the world's largest defence market.
What is CMMC?
CMMC is a U.S. DoW program designed to verify that contractors and their supply chain partners have adequate cybersecurity measures in place to protect FCI and CUI.
A recent amendment to the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements) requires CMMC clauses in Department of War solicitations and contracts that involve FCI or CUI, phased in over three years. This means you must have the required CMMC status in place to be considered for an award.
What Level of CMMC Do You Need?
To determine whether you will need CMMC and at what level, here is a simple guide based on the kind of information you will be handling for U.S. DoW contracts. Note that the required level is not something you choose: the solicitation states the CMMC level and assessment type required, and the examples below only indicate which level you should expect to see.
Only basic contract details (pricing, schedules, delivery info)
- This is Federal Contract Information (FCI) → Level 1
- Requires 15 basic practices for safeguarding FCI
Sensitive technical data (drawings, engineering specs, export-controlled info)
- This is Controlled Unclassified Information (CUI) → Level 2
- Requires 110 practices aligned with NIST SP 800-171
CUI associated with the highest-priority defence work (critical programs, advanced weapons systems, national security impact)
- Requires Level 3
- Requires all 110 Level 2 practices plus 24 additional practices selected from NIST SP 800-172, assessed by the U.S. DoW rather than a third party
Implementation of CMMC Level 1 and 2 now active
The first phase of CMMC implementation runs from November 10, 2025, through November 9, 2026. During this phase, solicitations require Level 1 self-assessments and Level 2 self-assessments, so that the industrial base begins aligning its cybersecurity practices with CMMC requirements. Later phases add Level 2 certification assessments by a third party and Level 3 assessments.
Getting started with CMMC 2.0
The best official U.S. government resource for companies preparing for CMMC Level 1, 2, or 3 is the U.S. Department of War Chief Information Officer (U.S. DoW CIO) CMMC Resources & Documentation page. It hosts the CMMC Model Overview, the assessment guides and scoping guides for each level, and the rule text you need to start and complete the process.
| Step | Activity |
|---|---|
| Get the standard and guidance documents | Start by obtaining the relevant CMMC framework documents (the CMMC Model Overview and the assessment guide and scoping guide for your level). These define the practices you will be assessed against and how the assessment boundary is drawn. |
| Determine your required level and scope | Identify the CMMC level and assessment type stated in the solicitation and the kinds of information (FCI, CUI) you will handle. Then scope the assessment: identify every system that stores, processes, or transmits that information, including cloud services and managed service providers. A tightly defined scope limits the controls you must implement and the evidence you must produce. |
| Conduct a gap assessment / self-assessment | For all Levels: Compare your current cybersecurity practices against the control requirements outlined in the standard. Identify gaps in policies, procedures, technology, and staff training that need remediation. |
| Implement required security controls and remediation | For all Levels: Address deficiencies identified during the gap assessment by upgrading technology, improving processes, strengthening policies, and training staff. For Level 2 and 3, document the result in a System Security Plan (SSP) and track open items in a Plan of Action and Milestones (POA&M). This step is critical for meeting compliance requirements before formal assessment. |
| Hire a certified assessor / certified body | For Level 2 certification (where the solicitation requires a third-party assessment rather than a self-assessment) and for Level 3: engage an accredited Certified Third-Party Assessment Organization (C3PAO). Level 1 and Level 2 self-assessments do not require an assessor. |
| Undertake the formal assessment / audit | For Level 2 certification and Level 3: The assessor evaluates your systems, processes, and documentation against the standard. You may be required to provide evidence, test results, and other supporting documentation. For Level 3: Once a Level 2 certification is in place, a further assessment of the additional practices is conducted by the U.S. DoW Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). |
| Certification / attestation | Upon passing the assessment, your organization holds the relevant CMMC status. Assessment results are entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) and Supplier Performance Risk System (SPRS). A status is valid for three years from the official CMMC Status Date. If you pass with open POA&M items, the status is conditional and those items must be closed, and verified, within 180 days. |
| Maintain and monitor compliance | CMMC compliance is continuous, not one-time. A senior official must affirm continued compliance annually in SPRS, and organizations should perform internal audits and update security controls to address emerging risks. Failure to maintain compliance can result in the lapse of certification, requiring reassessment. |