Don’t lose out on DoD work: New Level 1 CMMC cybersecurity rules now in contracts

Don’t lose out on DoD work: New Level 1 CMMC cybersecurity rules now in contracts Main Photo

30 Mar 2026


News

Late last year, the Department of Defense (DoD) implemented new cybersecurity requirements that directly impact contractors across the Defense Industrial Base (DIB). Known as CMMC Level 1, these rules are now being integrated into DoD contracts, and the message is clear: If your company does not meet Level 1 standards, it will not be eligible to work on contracts that require them.

Who is affected now and in the future?

CMMC Level 1 applies to 60%-70% of all DoD contractors, including prime contractors, subcontractors, and suppliers who handle Federal Contract Information (FCI). While some exemptions exist, such as companies selling Commercial-off-the-shelf (COTS) items without modification or contracts valued under $15,000, the majority of DIB organizations will need to comply. Looking ahead, adherence to these standards is expected to become increasingly critical as the DoD expands cybersecurity requirements across higher levels of CMMC, affecting more contracts and more suppliers.

Advanced CMMC Levels 2 and 3 will be phased in over 2026 and 2027 and require additional safeguards for companies that handle Controlled Unclassified Information (CUI). CUI is sensitive information that the U.S. federal government wants protected but that is not classified as Confidential, Secret or Top Secret. In other words, it’s important information that could cause problems if it fell into the wrong hands, but it doesn’t rise to the level of classified procurements.

Common examples of CUI are technical information or drawings for defense equipment or systems, contract information that includes sensitive business, or pricing data and export-controlled information.

Understanding CMMC Level 1 requirements

CMMC Level 1 is designed to ensure basic cyber hygiene for protecting sensitive information. It consists of 17 fundamental security practices, including the use of unique user IDs, strong passwords, limiting system access, maintaining basic device configurations, and ensuring proper media handling. These practices expand into 59 specific controls that a company must address.

While Level 1 is the least burdensome CMMC tier, achieving compliance still requires careful planning and documentation. For organizations with existing security measures, the process can take as little as 30 to 90 days. Small to medium-sized firms may require four to eight weeks for assessment and SPRS entry, while companies that need significant new controls or cloud-based solutions should anticipate three to six months or longer to fully close gaps and document evidence.

More on CMCC at Regional Defense Manufacturing and Innovation Summit

Get updates on contracting policy developments such as cybersecurity (CMMC) and defense procurement tools (e.g., DIBBS) at the April 28 Regional Defense Manufacturing and Innovation Summit. Details & no-cost registration here. 

 

Act now, stay competitive

CMMC Level 1 is no longer a future concern: It is here, and the DoD is enforcing it through new contract requirements. Contractors who fail to meet these cybersecurity standards risk losing access to valuable work. By understanding the requirements, documenting processes and leveraging available resources, businesses can secure compliance and maintain eligibility for contracts within the DIB. Acting now ensures you stay competitive in a landscape where cybersecurity is becoming a baseline expectation rather than an optional practice.

About Washington APEX Accelerator

Washington APEX Accelerator (APEX) advises businesses on how to win government contracts and subcontracts. The one-on-one no cost technical assistance includes advising, bid reviews, marketing assistance, contract performance, and small business certifications. APEX also hosts procurement training classes and seminars and helps businesses register with the correct databases to compete for government contracts.

Skagit County businesses are served by two APEX Advisors, Cara Buckingham and Mark Johnson, who also partner with EDASC to bring programming to the area. They are based at Economic Alliance Snohomish County and serve a five-county region. Register here to become a client.

 

 

 

 

More Topics

Economist Rissmiller says ‘seeds of inflation’ still present Photo

Economist Rissmiller says ‘seeds of inflation’ still present

Mar 17 2026
Economist Don Rissmiller, a founding partner of Strategas and featured speaker at EDASC’s Economic Forecast Night, cautioned inflation may be in the U.S. economy’s future – just not yet. “I characterize the inflation picture as the ‘seeds of inflation’ still in the economy, but 2026 is probably a little premature to...Continue Reading
Skagit County Offers No-Cost Data Hub Tools to Enhance Market Research Photo

Skagit County Offers No-Cost Data Hub Tools to Enhance Market Research

Mar 3 2026
Skagit County is one of the Pacific Northwest’s best kept secrets for business, investment and economic development.No other location is as centrally and strategically connected with the Seattle and Vancouver metropolitan regions, which are North America’s leading gateways to the Asia-Pacific region.  Home to innovative, solution-oriented industry leaders, and a...Continue Reading
Getting to know the SWIFT Center Photo

Getting to know the SWIFT Center

Mar 2 2026
Many people know of Northern State Hospital, the former mental hospital in Sedro-Woolley that operated from 1912 to 1973. The landscape of the campus and the architecture of the buildings are rich with as much history as beauty. Today, the campus is brimming with activity of a different kind, and...Continue Reading