CMMC – How do I know if it is required?

Researchers working in a lab with Controlled Unclassified Information image

CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and (2) your DOD contract includes any of the following Defense Federal Acquisition Regulations (DFARS) clauses:

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements
DFARS 252.204-7020, NIST SP 800-171 DOD Assessment Requirements’
DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements (through 9/30/2025)

Your Join Research Office for Contracts (JROC) team can assist in identifying whether these clauses are required and if the research contains FCI or CUI information.

If you plan to respond to a federal government RFP or RFI and anticipate that CUI may be involved then you must have adequate cybersecurity measures in place to accept said contract. Please contact the Joint Research Office for Contracts (JROC) to determine if the RFP/RFI will be subject to security requirements.

Back to CMMC at WUSTL and Security of Controlled Unclassified Information (CUI) in Sponsored Research