If your business touches a DoD contract — directly or as a subcontractor — CMMC certification may already be required. Here's how to know for sure.
Every week we talk to Denver business owners who have heard the acronym "CMMC" floating around in their industry but aren't sure whether it applies to them. Some assume it's only for large defense prime contractors. Others think it only matters if they work directly with the military. Most are surprised to learn that CMMC reaches much further down the supply chain than they expected — and that the deadlines are already here.
This post answers the most common question we get: "Does my Denver business actually need CMMC certification?" We'll walk through who it applies to, what level you likely need, and what's at stake if you ignore it.
CMMC stands for Cybersecurity Maturity Model Certification. It's a framework created by the U.S. Department of Defense to ensure that every company in its supply chain — not just the big primes — is adequately protecting sensitive government information.
The DoD has been handing out contracts for years while trusting contractors to self-report their cybersecurity compliance. That approach didn't work. Data breaches in the defense supply chain exposed sensitive military information, in some cases traced back to small subcontractors with weak security. CMMC is the DoD's answer: third-party verification that you're actually doing what you said you were doing.
The short version: If your business handles information created or owned by the federal government — specifically Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) — CMMC applies to you.
CMMC applies to the entire Defense Industrial Base (DIB) — any company, at any tier, that does business with the Department of Defense. This includes:
The "flows down" part is what catches most small Denver businesses off guard. You might be three tiers removed from the actual DoD contract and still be required to achieve CMMC certification if any controlled government information passes through your systems.
Common Denver business types that frequently need CMMC include:
If you're unsure whether CUI flows to your business, the safest approach is to review your contracts for language about CUI handling requirements or check with your prime contractor. We can also help you evaluate this during a free assessment.
CMMC has three levels, and the level you need depends on the type of information your business handles and what your specific contracts require.
| Level | Who It's For | Requirements | Assessment Type |
|---|---|---|---|
| Level 1 | Companies handling Federal Contract Information (FCI) but not CUI | 17 basic cybersecurity practices | Annual self-assessment |
| Level 2 | Companies handling Controlled Unclassified Information (CUI) | 110 practices aligned with NIST SP 800-171 | Third-party assessment (C3PAO) for most contracts |
| Level 3 | Companies on the most sensitive DoD programs | 110+ practices from NIST SP 800-172 | Government-led assessment |
The vast majority of Denver defense contractors need CMMC Level 2. If you handle any technical drawings, specifications, engineering data, or other sensitive project information related to a DoD contract, that information is almost certainly CUI — which means Level 2.
Controlled Unclassified Information is government-created or government-owned information that requires safeguarding, but isn't classified. It's broader than most people expect. CUI includes:
If your team receives technical documents, contract details, or any project-specific data from a DoD prime contractor, there's a strong chance you're already handling CUI — and already obligated to protect it under NIST 800-171, whether you know it or not.
Already required, not coming soon: DFARS clause 252.204-7012 has required NIST 800-171 compliance for DoD contractors since 2017. CMMC adds third-party verification on top of that existing requirement. If you're handling CUI and haven't implemented NIST 800-171 controls, you're already out of compliance with existing contract terms.
This is the question that gets people's attention. The consequences of ignoring CMMC are significant:
Starting in 2025, DoD contracts are increasingly requiring CMMC certification as a condition of award. If a solicitation requires CMMC Level 2 and you can't demonstrate certification, your bid won't be considered — regardless of price, past performance, or relationships. This will only become more common as the rollout continues through 2028.
As existing contracts are renewed or modified, CMMC requirements are being added. A contract that didn't require CMMC when you won it may require it at the next option period. Failing to meet that requirement could mean losing work you've held for years.
Since 2017, DoD contractors have been required to self-attest to their NIST 800-171 compliance in government systems. If you've been certifying compliance you haven't actually achieved, you could face False Claims Act liability — which includes treble damages and civil penalties. The DoD is actively pursuing cases under this statute.
Most DoD contracts include cybersecurity requirements as contract terms. A breach — including a data breach caused by inadequate security — can result in contract termination, financial penalties, and reputational damage in the defense contracting community.
This is where most businesses are surprised. CMMC Level 2 certification is not something you can achieve in a few weeks. For a typical Denver small business starting from scratch, the realistic timeline is 3–9 months — and that assumes you move quickly.
Here's why it takes time:
If you're bidding on a contract that requires CMMC in the next six months, you need to start now. If you're not actively bidding on DoD work today but plan to in the future, starting early gives you a competitive advantage — you'll be certified when competitors are still scrambling.
For CMMC Level 2, you need to implement all 110 security practices defined in NIST SP 800-171 across 14 domains. These aren't abstract policy requirements — they're concrete technical and organizational controls including:
Most small businesses in Denver have implemented some of these — but very few have implemented all 110, and fewer still have the documentation required to prove it to an assessor.
Workplace IT has worked with Denver defense contractors on NIST 800-171 compliance and is actively helping clients navigate the CMMC certification process. Our approach:
We're based in downtown Denver and work with clients on-site when needed — not just remotely. If you're serious about pursuing DoD contracts, we'd like to talk.
We'll evaluate your current environment and give you a clear picture of what it takes to get certified — no obligation, no jargon.
Get a Free Assessment