GSA Contractors and CMMC: Why Civilian Agencies Are Paying Attention

CMMC is a DoD program. The regulatory framework, the certification requirements, and the enforcement mechanism all sit in DoD-land. GSA Schedule contractors, civilian agency contractors, and organizations that work primarily outside the DoD typically view CMMC as someone else's compliance problem.

That framing is increasingly inaccurate for two reasons. First, many contractors hold both DoD and non-DoD work simultaneously. Second, the civilian agency cybersecurity landscape is shifting in a direction that makes CMMC-aligned practices increasingly expected even outside of formal CMMC requirements.

This article explains the current state of CMMC for civilian-primary contractors, what is changing, and why organizations with mixed contract portfolios should think about CMMC more broadly than just their DoD line items.

Frequently Asked Questions

Do GSA Schedule contractors need CMMC certification if they only work with civilian agencies?

Not necessarily for civilian-only work, but GSA Schedules are frequently used by DoD agencies for task orders that involve CUI. If a DoD task order on your GSA Schedule includes DFARS 252.204-7012 or DFARS 252.204-7021, CMMC requirements apply to that work. Additionally, Executive Order 14028 is driving civilian agencies toward similar cybersecurity standards, making a CMMC-aligned security posture increasingly relevant across all federal contracting.

How do DoD task orders on GSA Schedules trigger CMMC requirements?

When a DoD agency places a task order on a GSA Schedule contract and includes DFARS 252.204-7021 (the CMMC clause), the contractor must meet the specified CMMC level for that task order. The CMMC requirement flows through the task order, not the underlying GSA Schedule contract. This means a contractor can hold a GSA Schedule without CMMC, but cannot accept DoD task orders requiring it.

What is the relationship between FedRAMP authorization and CMMC Level 2?

FedRAMP Moderate authorization and CMMC Level 2 share substantial overlap in security controls, as both derive from the NIST 800-53 control catalog. However, they are not equivalent. FedRAMP focuses on cloud service providers, while CMMC applies to the contractor's entire in-scope environment. A FedRAMP-authorized cloud environment can support CMMC compliance, but the contractor must still address controls outside the cloud boundary.

The Current State: CMMC Is DoD-Specific

CMMC requirements, as currently codified in 32 CFR Part 170 and DFARS 252.204-7021, apply exclusively to DoD contracts. A contractor holding only GSA Schedule contracts with civilian agencies has no current CMMC certification requirement.

This is not a gap in the program. It is by design. The DoD has jurisdiction over its own contracting regulations, and civilian agencies operate under different contracting frameworks (FAR rather than DFARS). Extending CMMC to civilian agencies would require either separate rulemaking by each agency, a governmentwide policy through OMB, or specific legislative action.

So a purely civilian contractor has no current CMMC obligation. That is the accurate statement.

Why "Purely Civilian" Is Increasingly Rare

The issue for most mid-sized federal contractors is that "purely civilian" describes few of them. The federal contractor market has extensive overlap across DoD and civilian agency work, and that overlap is growing:

DoD task orders on civilian vehicles: GSA Schedule, SEWP, and other civilian contract vehicles are widely used by DoD components for commercial technology acquisitions. A contractor that holds a GSA Schedule and wins a task order from a DoD customer is now performing DoD work. If that task order involves CUI, CMMC requirements apply to the task order even though the underlying contract vehicle is GSA.

Cross-agency program data: Intelligence community and national security programs involve data that flows across agency boundaries. Contractors working on multi-agency national security programs may encounter CUI requirements even when their primary contracting agency is a civilian department.

M&A and teaming: A company that has never held DoD work may acquire or merge with one that does. Teaming with a DoD prime on a federal proposal creates DoD subcontract exposure. CMMC requirements follow the data, and the data increasingly does not respect agency boundaries.

The Executive Order and Civilian Agency Cyber Posture

Executive Order 14028 (May 2021, "Improving the Nation's Cybersecurity") directed civilian federal agencies to adopt security practices aligned with Zero Trust principles, NIST SP 800-207, and elevated identity and access management standards. While EO 14028 does not require CMMC, the security posture it drives civilian agencies toward is substantially aligned with CMMC Level 2 practices.

The practical effect: civilian agency contracting officers, program managers, and IT security teams are increasingly familiar with NIST SP 800-171 and CMMC-aligned practices. Agency RFPs in the post-EO 14028 environment increasingly include cybersecurity questionnaires, vendor security assessments, and contractual cybersecurity requirements that mirror CMMC language.

A contractor with a documented CMMC Level 2 program has a stronger response to these civilian agency requirements than a contractor who has never engaged with the NIST 800-171 framework.

What GSA Is Watching

The General Services Administration has been closely monitoring CMMC implementation for several reasons:

GSA IT contracts touch sensitive data. Many GSA-managed contracts involve IT infrastructure, cloud services, and systems that process sensitive government data. The IT category under GSA Schedules includes products and services that directly touch CUI handling for the agencies using them.

GSA Supply Chain Risk Management (SCRM): GSA has its own supply chain risk management program and has been active in vendor cybersecurity assessment for high-risk IT categories. The CMMC ecosystem provides a model for verified vendor cybersecurity assessment that GSA is watching as a potential template.

FIPS and FedRAMP alignment: GSA administers the FedRAMP program for cloud service authorization. FedRAMP Moderate baseline requirements substantially overlap with CMMC Level 2 requirements. Organizations holding FedRAMP Moderate authorizations or working toward them will find that work directly applicable to CMMC Level 2 readiness.

The Civilian CUI Problem

Federal agencies beyond DoD generate, handle, and share CUI. The National Archives' CUI Program covers all executive branch agencies. A contractor working with CUI for a civilian agency — handling personally identifiable information, acquisition-sensitive data, tax information, or law enforcement sensitive information — has the same obligation to protect that CUI as a DoD contractor, under the same CUI Framework.

What civilian agencies do not currently have is a verified certification program for contractor CUI protection comparable to CMMC. The FAR Council has had a proposed rule in development to address CUI security requirements for all federal contractors, not just DoD. That proposed rule has moved slowly, but the direction of travel is toward broader federal adoption of verified cybersecurity practices for contractors handling government data.

Organizations that build CMMC-aligned programs now are not just meeting a DoD requirement. They are building the infrastructure for a federal cybersecurity posture that will increasingly be expected across the entire federal market.

What Contractors With Mixed Portfolios Should Do

For contractors holding both DoD and civilian agency contracts, the strategic question is: should CMMC compliance be scoped to DoD work only, or treated as an enterprise-wide program?

The argument for enterprise-wide adoption:

Scoped environments are harder to maintain. If CUI is handled in a DoD-specific environment and a separate commercial environment for civilian work, you are managing two security programs. If the same systems serve both, CUI from both flows through the same environment regardless of agency source.

Civilian agency expectations are rising. Contractors who can demonstrate CMMC Level 2 compliance have a differentiated security posture that civilian agency contracting officers increasingly value. In competitive proposals, a documented CMMC certification is a stronger cybersecurity representation than a self-reported NIST framework alignment statement.

One program is less expensive than two. The overhead of maintaining a CMMC-compliant environment for DoD work plus a separate security program for civilian work exceeds the overhead of a single enterprise CMMC program. For contractors where DoD work is significant, extending the CMMC program across the full enterprise eliminates the complexity of managing boundary distinctions.

The argument for DoD-scoped compliance:

Civilian work may not involve CUI. If the civilian agency work genuinely does not involve CUI or sensitive government data, the security requirements for that work are lower. Applying full Level 2 requirements to commercial or low-sensitivity civilian work is over-engineering.

Budget constraints are real. For small contractors, the cost of a full-enterprise CMMC program versus a scoped program is meaningful. If the civilian work is a small fraction of revenue, scoping compliance to DoD work and maintaining basic security hygiene for civilian work may be the practical choice.

The resolution is usually: scope CMMC formally to DoD work where required, but extend the practices informally to the enterprise as a security and market positioning investment. The actual incremental cost of extending good security practices from a scoped environment to the full enterprise is often less than building and maintaining separate programs.

GSA Schedule Performance and CMMC

A specific scenario worth addressing: a GSA Schedule contractor wins a task order from a DoD component. The task order involves CUI. Does CMMC apply?

The answer is yes, if the task order includes DFARS 252.204-7021 or if the contracting officer incorporates CMMC requirements via a contract modification. The underlying vehicle (GSA Schedule) does not override the task order terms. CMMC requirements follow the data and the contract clauses, not the contract vehicle.

GSA Schedule holders who perform DoD task orders should:
- Review each DoD task order for CMMC clause inclusions
- Verify their SPRS submission covers the systems used for DoD task order performance
- Ensure their CMMC Assessment Boundary includes the systems used for DoD task order performance, not just a subset maintained specifically for DoD

The FedRAMP Connection

For contractors pursuing or holding FedRAMP Moderate authorizations, there is substantial overlap between FedRAMP and CMMC Level 2:

  • Both trace back to the NIST SP 800-53 control catalog and the NIST SP 800-171 control families
  • FedRAMP Moderate includes most of the control domains covered by CMMC Level 2
  • FedRAMP authorization evidence (System Security Plan, control implementation summaries, penetration test results) maps substantially to CMMC evidence requirements

A contractor with a FedRAMP Moderate Authorization to Operate (ATO) is not automatically CMMC Level 2 certified, but the compliance investment is substantially applicable. Organizations building FedRAMP programs should document the CMMC mapping explicitly to maximize the return on their compliance investment.

Key Takeaways

  • CMMC is currently DoD-specific; purely civilian contractors have no current CMMC certification requirement
  • Many contractors are not purely civilian: DoD task orders on civilian vehicles trigger CMMC when CUI is involved
  • EO 14028 is driving civilian agency cybersecurity expectations toward CMMC-aligned practices
  • The FAR Council has a proposed rule in development for broader federal contractor CUI security requirements
  • CMMC-aligned programs position contractors favorably in civilian agency competitions where security posture is evaluated
  • FedRAMP Moderate authorization investment maps substantially to CMMC Level 2 — document the overlap

Federal contractor with a mixed DoD and civilian portfolio? NR Labs helps organizations right-size their CMMC programs to address DoD requirements while building a security posture that strengthens their competitive position across the federal market. Contact us to discuss your specific situation.