The CMMC compliance requirements under FAR 52.204-21 and DFARS 252.204-7012 apply to Defense Contractors with US federal contracts or subcontracts valued at $50 million or more as well as Commercial Item Acquisitions over $500,000. However, it is important for those businesses that do not have federal contracts to be aware that in many cases, they are still being given opportunities to provide products or services that require the CMMC compliance. Many prime contractors have decided to establish their own policies requiring all subcontractors to be CMMC compliant.
For example, when your company is approached by a potential customer requesting certain hardware/software solutions, ask yourself if this customer has any federal contracts or subcontracts that would trigger the CMMC compliance requirements. If so, your company must be CMMC compliant.
For businesses without any federal contracts or subcontracts, ask yourself if this customer has established its own policy requiring all vendors to be CMMC compliant. Again, if so, your company must be CMMC compliant. If your company is required to be CMMC compliant under the customer’s policy, that is all that is necessary; it doesn’t matter if you meet that requirement for US federal government contracts.
Another important consideration relates to Commercial Item Acquisitions over $500,000. Note that this number will increase each year—it is $500,000 for Fiscal Year 2018. Again, ask yourself if this customer has any federal contracts or subcontracts that would trigger the CMMC compliance requirements. If so, your company must be CMMC compliant.
For businesses without any federal contracts or subcontracts, ask yourself if this customer has established its own policy requiring all vendors to be CMMC compliant. Again, if so, your company must be CMMC compliant. If your company is required to be CMMC compliant under the customer’s policy, that is all that is necessary; it doesn’t matter if you meet that requirement for US federal government contracts.
To summarize, the business owner should ask themselves the following two questions to determine if they are required to be CMMC compliant:
1. Does this customer have any US federal contracts or subcontracts?
2. Does this customer have a policy requiring all of its vendors to be CMMC compliant?
If the answer is yes, your company needs to be CMMC compliant. If the answer is no, you do not need to be CMMC compliant.