Is CMMC compliance mandatory?

The short answer is yes — eventually.

The interim rule for CMMC became effective on November 30, 2020. The interim rule will also require a Congressional Review.

The DoD (Department of Defense) is rolling out CMMC (Cybersecurity Maturity Model Certification) compliance via contract requirements in a phased program. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

Contracts with language requiring CMMC compliance will scale up from a minority of contracts in 2021 to all DoD contracts in fiscal year 2026, when every DoD contract is slated to have CMMC compliance as a requirement. (CMMC requirements for primary contractors will ‘roll down’ to participating subcontractors.)

So, in effect, the goal is to ultimately have every contractor in the DIB (Defense Industrial Base) following CMMC security requirements by 2026.