Key Takeaways
- CMMC 2.0 is now a contractual condition for any organisation handling US Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and applies to UK exporters and subcontractors.
- Phase 2 mandatory third-party certification begins 10 November 2026.
- ISO 27001, Cyber Essentials, Cyber Security Model (Version 4) and the Defence Cybersecurity Certificate (DCC) carry no reciprocity with CMMC 2.0.
- UK contractors who supply to the US Department of Defence (DoD) will be required to meet CMMC 2.0 standards.
- Prime contractors supplying to the US DoD are now being formally assessed against the CMMC 2.0 standard and will likely flow down CMMC 2.0 requirements throughout their respective supply chains.
If your organisation supplies components, software, services, or specialist expertise into the US defence market, the rules for doing so have changed. The US Department of Defence (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer an aspiration. Phase 1 went live in November 2025, and Phase 2, mandatory third-party certification, arrives in November 2026. This post explains what CMMC is, which level applies to most UK contractors, what the certification process involves, and what you need to be doing now.
What Is CMMC and Why Has the US DoD Introduced It?
For years, defence contractors supplying the US market were required to self-certify that their information security processes met the required standard to protect US DoD assets. However, some organisations were found to be lacking, and self-attestation was not working. Suppliers were ‘ticking the boxes’, but their arrangements did not hold up to scrutiny. Sensitive defence data, classified as Controlled Unclassified Information (CUI), was being inadequately protected right across the supply chain.
CMMC 2.0 is the DoD’s response to that failure. Rather than trusting contractors to assess themselves, it introduces a structured certification framework that independently verifies whether an organisation’s information security actually meets the required standard. It has three levels from basic safeguarding at Level 1, through to advanced protections for the most sensitive programmes at Level 3. For the majority of defence contractors, Level 2 is where the focus sits.
Does CMMC 2.0 Apply to UK Organisations?
This is the question UK contractors are starting to ask and the answer is YES, without exception. CMMC applies to any organisation that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a US defence contract or subcontract, regardless of where that organisation is based. Being headquartered in the UK, Europe, or anywhere outside the US provides no exemption.
There is also a flow-down requirement that every supplier in a US defence programme needs to understand. Prime contractors are required to determine the appropriate CMMC 2.0 level for their subcontractors based on the type of data those subcontractors will handle. If you supply into a US programme through a prime, and that work involves CUI, the prime is obliged to pass the CMMC requirement down to you. Many UK organisations will receive that request before they have even begun to prepare.
One more point that cannot be overstated is that there is no reciprocity with other certifications. Although CMMC 2.0 is based upon the NIST 800 series, ISO 27001, Cyber Essentials, the Defence Cybersecurity Certificate (DCC) and the Cyber Security Model (Version 4) do not satisfy CMMC requirements. UK organisations already navigating MOD frameworks such as DEFSTAN 05-138 will find that CMMC sits alongside those obligations, not in place of them.
Understanding the Three Levels — and Where Most UK Contractors Will Land
Level 1 covers the basic safeguarding of Federal Contract Information. It requires 15 foundational security practices and can be met through annual self-assessment. This applies mainly to commodity suppliers who handle FCI but not CUI.
Level 2 is where most UK contractors in the US defence supply chain will sit. It requires full compliance with all 110 security controls from NIST SP 800-171, the US standard for protecting Controlled Unclassified Information. From November 2026, Level 2 compliance may require independent assessment by an accredited Certified Third-Party Assessor Organisation (C3PAO), or self-assessment, depending on whether the contract contains critical or non-critical CUI.
Level 3 applies to a small number of programmes involving the most sensitive or advanced technology. It goes beyond NIST SP 800-171 into enhanced controls under NIST SP 800-172 and requires a government-led assessment. Most UK organisations will not need to be here, but those working on breakthrough defence technology programmes may.
If you are supplying technical data, engineering services, integrated systems, or specialist consultancy into a US programme, assume Level 2 applies until you have confirmed otherwise with your contracting authority.
What the Certification Process Involves
For Level 2, the certification journey has several clear stages. It starts with a gap assessment, mapping your current information security controls against the 110 requirements in NIST SP 800-171. Results are entered into the Supplier Performance Risk System (SPRS) where evidence of how controls are met is recorded. Where shortcomings are identified, you may be able to develop a Plan of Action & Mitigation (POA&M) to manage how you meet these shortfalls. The POA&M will need to be assessed by a Certified Third-Party Assessor Organisation (C3PAO).
The formal assessment itself is conducted by a C3PAO, a Certified Third-Party Assessor Organisation, authorised by ISACA, the sole accreditation body for the CMMC ecosystem. The assessor evaluates each of the 110 controls as MET, NOT MET, or NOT APPLICABLE. Once you pass, the result is submitted to the DoD’s Supplier Performance Risk System (SPRS), making your certification visible to prime contractors.
One of the practical concerns that UK organisations need to consider is a significant global shortage of qualified C3PAO assessors. Pera Prometheus has connections with an ISACA-approved, US-based C3PAO that can assist you in this process. As the November 2026 Phase 2 deadline approaches, demand for assessment slots is expected to spike. Organisations that leave preparation until mid-2026 may find themselves unable to secure an assessor in time. The common pitfalls in defence information security readiness are underestimating timelines and treating compliance as a last-minute exercise.
Which Revision of CMMC applies?
NIST SP 800-171 Rev. 3 is the current published standard, but CMMC 2.0 assessments are still based on Rev. 2. The US DoD has stated that Rev. 3 will be incorporated into CMMC after a transition period, likely beginning late 2025 into 2026. Until the rulemaking update is complete, Rev. 2 remains the assessment baseline.
What this means is:
- Today: CMMC = Rev. 2 (110 controls)
- Future (expected 2025–2026): CMMC = Rev. 3 (expanded, reorganised controls)
- Practical advice: Prepare for Rev. 2 now, but design your controls to meet Rev. 3, because the uplift is mostly about clarity, structure, and alignment with 800-53.
What UK Organisations Need to Do Now
The most important step is also the most straightforward. Establish whether your current or anticipated contracts involve FCI or CUI. If you are unsure, speak to your prime contractor now; do not wait for them to come to you. Once you know what data you handle, your required CMMC 2.0 level becomes clear.
From there, the practical priorities should be to conduct a gap assessment against NIST SP 800-171, build or update your System Security Plan, address any gaps in your controls, and identify a Cyber AB-authorised C3PAO to book your assessment. The earlier you start this process, the more control you have over the timeline and cost.
CMMC is also a good moment to revisit the foundations of your information security programme. Organisations that have embedded the Cyber Security Model (Version 4) or have achieved a DCC Level (https://pera-prometheus.com/the-secure-by-design-process/) will find the gap assessment process significantly more straightforward than those approaching it reactively.
Role for Pera Prometheus
UK organisations already managing MOD compliance, DEFSTAN requirements, and Cyber Essentials may now have a US certification framework to layer on top of these, and the clock is running. At Pera Prometheus, we work with defence contractors and supply chain organisations at exactly this stage, helping them understand their obligations, conducting gap assessments, closing identified shortcomings and achieving certification with minimal disruption to operations.
If your organisation has dealings with the US DoD, get in touch to understand where you sit in this process.
Frequently Asked Questions
Q: Does CMMC apply if we only supply as a subcontractor to a US prime?
A: Yes. CMMC requirements flow down from prime contractors to subcontractors based on the type of data handled. If your work involves FCI or CUI, you are in scope regardless of your position in the supply chain.
Q: Will our ISO 27001 or Cyber Essentials certification count towards CMMC?
A: No, not directly. There is no automatic equivalence between CMMC and any other certification framework, like ISO 27001 or Cyber Essentials. However, the controls you have in place for these standards may serve to meet CMMC 2.0 control requirements.
Q: What is a C3PAO and how do we find one?
A: A C3PAO (Certified Third-Party Assessor Organisation) is an independent assessor authorised by ISACA to conduct formal CMMC Level 2 assessments.
Q: How long does a CMMC Level 2 assessment typically take?
A: The assessment itself usually takes several days on-site (and is dependent upon the size and scale of the business being audited). The full process, i.e. the gap assessment, remediation, SPRS preparation, and external audit, typically runs three to six months for an average-sized business. Starting early gives you room to address gaps without pressure.
Q: What happens if we miss the November 2026 Phase 2 deadline?
A: Without the required CMMC certification, your organisation will not meet the conditions for contract award on applicable DoD solicitations. That means being excluded from bidding on or renewing US defence contracts until certification is achieved.
Stay Safe, Stay Secure.