If you’re a contractor or subcontractor in the defense industrial base (DIB), you’ve likely heard about the Cybersecurity Maturity Model Certification (CMMC). But one of the most common questions we hear is: “Am I actually in scope for Level 2 compliance?”
After years of anticipation, the Cybersecurity Maturity Model Certification (CMMC) Final Rule is expected to clear regulatory review and be published in the Federal Register as early as next week. Once published, it can take effect anywhere from 1 to 60 days later (Fall 2025!).
This rule updates 48 CFR and DFARS 252.204-7021, formally embedding CMMC into the federal acquisition process. From the effective date, all new DoD solicitations will require a level of CMMC compliance, which means Level 2 certification, not just self-assessment.
What Does “In Scope” Mean?
Being “in scope” means your organization will be required to comply with CMMC Level 2 in order to continue doing business with the Department of Defense (DoD). This applies to both prime contractors and subcontractors who handle Controlled Unclassified Information (CUI).
CUI is sensitive information that isn’t classified but still requires safeguarding. Examples include:
- Technical drawings
- Engineering data
- Test results
- Product specifications
- Contract performance details
If your company stores, processes, or transmits CUI as part of a DoD contract, you are in scope for Level 2.
Who Needs to Comply with Level 2?
You are likely in scope for CMMC Level 2 if:
- You are a DoD contractor or subcontractor
- You handle CUI in any form (digital or physical)
- Your contracts include DFARS 252.204-7012 or will include CMMC clauses once 48 CFR is finalized
- You are part of the supply chain for aerospace, defense, or military systems
Even if you don’t currently handle CUI, you may still be in scope if your future contracts require it. Many companies are choosing to prepare now to remain competitive in upcoming bids.
What Happens If You’re Not Compliant?
Once the final rule is published, Level 2 compliance will be a prerequisite for contract eligibility. If you’re not certified:
- You may be disqualified from bidding on new contracts
- You could lose existing contracts that are modified to include CMMC clauses
- You risk reputational damage and lost revenue
The DoD has made it clear: compliance is not optional. It’s a matter of national security.
How to Determine If You’re in Scope
Here are a few steps to help you assess your status:
- Review Your Contracts: Look for DFARS clauses or references to CUI.
- Talk to Your Prime: If you’re a subcontractor, ask your prime contractor if CUI is involved.
- Conduct a CUI Inventory: Identify where CUI exists in your systems, who accesses it, and how it’s protected.
- Consult a CMMC Expert: A qualified MSP like ISM can help you evaluate your exposure and readiness.
How ISM Helps You Navigate Scope and Compliance
At ISM, we specialize in helping aerospace and defense contractors understand their CMMC obligations and build a roadmap to compliance. Our services include:
- CUI scoping assessments
- Gap analysis against NIST SP 800-171
- Remediation planning and implementation
- Documentation and evidence preparation
- Ongoing compliance support
We don’t just help you check boxes—we help you build a secure, resilient infrastructure that meets DoD expectations and supports your business goals.
Schedule Your Complimentary CMMC Readiness Meeting
ISM is offering a free one-hour consultation to help you determine if you’re in scope and what steps to take next. Whether you’re just starting or already on the path to compliance, we’re here to help.