Updated as of 03/10/2026
What is CMMC?
Cybersecurity Maturity Model Certification program (CMMC) is the Department of Defense’s standardized framework designed to ensure that all defense contractors implement and maintain appropriate cybersecurity protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC establishes tiered security levels, each with specific technical, procedural, and policy requirements that companies must meet and affirm in order to handle DoD-related data and remain eligible for contract awards. Refer to USTC Advisory #26-0025C for additional information.
Terms:
- CUI: Controlled Unclassified Information: information that is not classified but that the U.S. Government requires to be safeguarded or controlled because unauthorized access could impact national security, mission operations, or individual privacy.
- PII: Personally Identifiable Information: any information that can be used to identify, locate, or contact a specific individual, either on its own or when combined with other data.
- SPRS: Supplier Performance Risk System: Department of Defense’s official database used to collect, store, and evaluate performance, security, and risk information about defense contractors.
What Is Happening?
- DP3 shipments routinely involve PII of military members (names, addresses, SSNs, orders, etc.).
That PII is classified as CUI.
- The DoD is now requiring that all companies who TOUCH that data meet modern cybersecurity standards under the CMMC program. This requirement is NOT localized to USTRANSCOM/Industry etc. Any entity working with the DoD must comply.
- If we do not comply → we (TSPs) will NOT be awarded DP3 shipments. This compliance includes making sure our underlying service providers are also compliant.
Why?
This standardized cybersecurity framework is designed to reduce vulnerabilities across the defense supply chain and prevent cyberattacks, data breaches, and adversarial exploitation. By enforcing minimum security controls and verified compliance, the DoD strengthens national security and ensures mission-critical information is protected at every level of contractor involvement.
Underlying Service Providers for NFC: What You Need to Do
If you would like to learn more about CMMC Level 1, helpful information is available on the International Association of Movers (IAM) website:
https://iamovers.org/iam-cmmc-resource-center/.
Under the DP3 Program, the Transportation Service Provider (TSP) is responsible for ensuring that any companies they hire (such as agents, haulers, or other service providers) also follow CMMC Level 1 cybersecurity requirements. As a general rule:
- If you bill the government directly and they pay your company directly, you must complete the official CMMC Level 1 self-certification through the government system by March 15.
- If you are working as a subcontractor or underlying service provider and are paid by a TSP or management company, you should check with each company you work with to see what they require. Some may use their own portal, while others may ask you to complete a simple compliance form.
NFC Compliance
NFC understands that the full government registration process can be complicated. The official process may require steps such as obtaining a CAGE Code, registering in SAM.gov, and creating accounts in PIEE, which can be time-consuming.
Because of this, NFC is creating a simplified portal where our network partners can complete the required CMMC Level 1 self-certification without going through those government registration steps.
All companies in our network will need to complete this certification by May 15, 2026, to service NFC shipments. We will send a notification when the portal is ready.
If your company has already completed the formal government self-certification, you may email agencyservices@nationalforwarding.com with a screenshot of your certification, and we will mark you as compliant in our system. Please make sure to advise which locations the certification applies to!