Breaking Down the Latest DoD CIO Memorandum on CMMC Requirements
Christopher Souza | CEO
The DoD CIO office has released a new memorandum that provides much-needed clarity on the assessment versus attestation requirements for Organizations Seeking Assessment (OSAs) and Contracting Officers. This memo explicitly defines when each level of CMMC will be required and, by extension, what type of assessment will be necessary.
For organizations handling Controlled Unclassified Information (CUI) classified within any defense-specific category, CMMC Level 2 Certification (C3PAO assessment) will be required to secure a contract. As such, the following categories of CUI necessitate a third-party certification:
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Privileged Safety Information
- Unclassified Controlled Nuclear Information – Defense
Clarification on CMMC Level 2 Requirements
The memo outlines distinct requirements for CMMC Level 2 assessments based on the type of CUI involved:
✅ CMMC Level 2 (Self-Assessment): This is the minimum requirement for CUI outside of the National Archive’s CUI Registry Defense Organizational Index Grouping. In other words, if your organization handles any CUI, this official self-assessment and attestation of 100% compliance will be the minimum requirement for securing contracts.
✅ CMMC Level 2 (Certification): This is the minimum requirement when a contract requires a contractor (or subcontractors) to process, store, or transmit CUI categorized under the National Archive’s CUI Registry Defense Organizational Index Grouping (which includes the five categories listed above). In other words, if your organization handles Defense Marked CUI, then a 3rd party official assessment (C3PAO) and certification of 100% compliance will be the minimum requirement for securing contracts.
What Does This Mean for DoD Contractors?
If your organization handles CUI that falls within these specific categories, you must undergo a C3PAO-conducted CMMC Level 2 Certification assessment before being awarded a contract. This ensures compliance with the latest DoD requirements and mitigates the risk of security vulnerabilities within the defense industrial base. This memo implements 32 CFR 170 for the DoD acquisition workforce and has been signed by the Undersecretaries for Research and Engineering, Acquisition and Sustainment, and the Acting DoD CIO.
Key Takeaways
- CMMC Level 2 (Self-Assessment) is only sufficient for non-defense organizational CUI.
- CMMC Level 2 (Certification) is mandatory for contracts involving CUI under the DoD’s Defense Organizational Index Grouping.
- Organizations seeking DoD contracts should assess their compliance requirements now to avoid future delays.
With this new memorandum in place, it’s crucial for contractors and subcontractors to stay ahead of compliance requirements. If you need guidance on preparing for a CMMC Level 2 Certification assessment, TSI is here to help. Contact us today to ensure your organization is CMMC-ready and positioned for success in the evolving defense landscape.
About Technical Support International
TSI is a 35-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they’re adhering to these expansive compliance requirements.