Updated as of 12/12/2025

What is CMMC?

Cybersecurity Maturity Model Certification program (CMMC) is the Department of Defense’s standardized framework designed to ensure that all defense contractors implement and maintain appropriate cybersecurity protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC establishes tiered security levels, each with specific technical, procedural, and policy requirements that companies must meet and affirm in order to handle DoD-related data and remain eligible for contract awards. Refer to USTC Advisory #26-0025 for additional information. 

Terms:

  • CUI: Controlled Unclassified Information: information that is not classified but that the U.S. Government requires to be safeguarded or controlled because unauthorized access could impact national security, mission operations, or individual privacy.
  • PII: Personally Identifiable Information: any information that can be used to identify, locate, or contact a specific individual, either on its own or when combined with other data.
  • SPRS: Supplier Performance Risk System: Department of Defense’s official database used to collect, store, and evaluate performance, security, and risk information about defense contractors.

What Is Happening?

  • DP3 shipments routinely involve PII of military members (names, addresses, SSNs, orders, etc.).
    That PII is classified as CUI.
  • The DoD is now requiring that all companies who TOUCH that data meet modern cybersecurity standards under the CMMC program. This requirement is NOT localized to USTRANSCOM/Industry etc. Any entity working with the DoD must comply.
  • If we do not comply → we (TSPs) will NOT be awarded DP3 shipments. This compliance includes making sure our underlying service providers are also compliant.

Why?

This standardized cybersecurity framework is designed to reduce vulnerabilities across the defense supply chain and prevent cyberattacks, data breaches, and adversarial exploitation. By enforcing minimum security controls and verified compliance, the DoD strengthens national security and ensures mission-critical information is protected at every level of contractor involvement.

What Is Required?

There will be two phases of CMMC cybersecurity requirements:

Phase 1 – CMMC Level 1 (by March 15, 2026):

  • Complete a CMMC Level 1 self-assessment (17 controls/practices)
  • Upload a “CMMC Level 1 Affirmation” on the SPRS website (Supplier Performance Risk System)
  • This applies to every system companies use to store, process, or transmit:
    • Customer info
    • Shipment documents
    • Any FCI/CUI used to run DP3 work

If not completed → TSPs cannot receive shipments with pickup dates on or after May 15, 2026.

Phase 2 – CMMC Level 2 (by March 15, 2027)

This is a much higher bar (110 controls/practices). TSPs & partners must:

  • Complete a CMMC Level 2 assessment
  • Upload an affirmation in SPRS
  • Applies to ALL systems handling DP3-related CUI

This will be required for any shipment picking up on or after May 15, 2027.

National will be taking a targeted approach to communicate to our agent family and subcontractors to ensure they meet the required CMMC level and submit their own SPRS affirmations. Once your Level 1 compliance as been submitted, you are “self-attesting” that you are in compliance, and you automatically become approved. Your submission certifies you, so any agent/subcontractor that submits the form will need to send proof of the submission to our Agent & Business Services department - agencyservices@nationalforwarding.com. 

Resources

If you haven’t begun reviewing and working towards the requirements of Level 1 certification, you might already be behind. It is imperative that you work with your IT to begin preparing for the Level 1 certification requirement in order to receive shipments from us. While NFC cannot walk you through the process of CMMC certification, there are several resources recommended by IAM, listed below. Please contact IAM at the email address provided if you need further guidance on the application process. As more information becomes available, we will post it here, so continue to check back.

  • DoD’s Chief Information Officer has an extensive website on CMMC information and resources https://dodcio.defense.gov/CMMC/Resources-Documentation/ 
  • The International Association of Movers (IAM) https://iamovers.org/ has formed a CMMC working group to inform membership about the CMMC compliance process. You’ll hear more about the working group’s efforts in the near future and they will be creating a webpage as well. If you have questions, you can email: cmmc@iamovers.org.
  • IAM has recommended Washington Apex Accelerator, who has a CMMC training course that can also help.  You can learn more about their training, and register for the sessions at this website: CMMC Level 1 (Department of Defense Cybersecurity) Readiness Workshop Series. The cost is $200 per person. It includes one live virtual kick off meeting (9 January); access to on demand presentations, learning resources, and ready-made self-assessment tools to streamline your assessment process; three (3) live 1-hour Q&A sessions (virtual); you’ll also get access for the month to a Level I assessment tracking tool.  

Government Assistance Resources - Cyber Security