Xometry is proud to be CMMC Level 2 certified, demonstrating our firm commitment to meeting the rigorous security standards expected by our aerospace and defense customers. We understand that protecting Controlled Unclassified Information (CUI) is critical to the defense industrial base (DIB). Our certification, which was validated by a Certified Third-Party Assessor Organization (C3PAO) with a perfect SPRS score of 110, affirms our adherence to the demanding cybersecurity requirements set forth by the Department of Defense and firmly establishes our role as a trusted manufacturing partner.
In this article, we will provide an overview of CMMC and offer information on the different tiers and timelines associated with the certification, enabling you to make more informed decisions about applying its requirements to your orders. We will also cover how to use the Xometry Instant Quoting Engine® to flow down CMMC requirements for your orders correctly.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive cybersecurity framework established by the United States Department of Defense (DoD). Its primary purpose is to protect the defense industrial base (DIB) from increasingly frequent and complex cyberattacks. The CMMC framework is designed to safeguard sensitive information, specifically Controlled Unclassified Information (CUI) and export-controlled data (like ITAR), that is shared between the DoD and its contractors and subcontractors.
The CMMC model comprises three distinct levels. These levels are cumulative, meaning each subsequent level includes all the security requirements of the previous one (for instance, Level 1 is a subset of Level 2). To achieve compliance, organizations must meet the specific cybersecurity requirements for their target level, and for Levels 2 and 3, they must undergo rigorous external assessments to verify that all necessary controls are fully implemented.
The graphic below summarizes the different levels and the requirements associated with them:

CMMC Timeline
CMMC Level 1 will apply to all new DoD contract solicitations on or after 11/10/25. Both Level 1 and Level 2 may be applied to existing contracts by agreement with the contractor.
CMMC Level 2 will generally apply to all new DoD contract solicitations involving CUI on or after 11/10/26. Contracting officers have discretion to apply this level to new contracts before that date, or to defer the requirement to an option period rather than at the time of award. After 11/10/27, contracting officers no longer have discretion to defer the requirement, and it becomes mandatory for option periods on any contract awarded after 11/10/25.
The table below outlines these timelines in greater detail:
| Phase | Timing | Description |
|---|---|---|
| Phase 1 | Begins November 10, 2025 | |
| Phase 2 | Begins November 10, 2026 | |
| Phase 3 | Begins November 10, 2027 | |
| Phase 4 | Begins November 10, 2028 | |
Source: https://www.arnoldporter.com/en/perspectives/advisories/2025/09/cmmc-final-rule-key-takeaways-for-defense-contractors
When to Apply CMMC Level 1
CMMC Level 1 applies to any contractor that processes, stores, or transmits Federal Contract Information (FCI). FCI is defined as:
"Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
CMMC Level 1 contractors are required to comply with the 15 "basic safeguarding" cybersecurity controls set forth in FAR 52.204-21. This compliance is verified through an annual self-assessment, which the contractor must affirm via the Supplier Performance Risk System (SPRS). Contractors must meet all 15 controls to be considered compliant; there are no exceptions or allowances for a Plan of Action and Milestones (POA&M) at this level.
If your order contains FCI, at a minimum, CMMC Level 1 should be applied. This will generally include any orders originating from DoD contracts signed after 11/10/2025.
When to Apply CMMC Level 2
CMMC Level 2 applies to any contractor that processes, stores, or transmits Controlled Unclassified Information (CUI). The official definition of CUI is:
“Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
In other words, it’s sensitive information that the government requires to be protected and not released to the public. This typically includes orders that are subject to ITAR (International Traffic in Arms Regulations) and/or EAR (Export Administration Regulations) and part of DoD contracts signed after 11/10/2026.
CMMC Level 2 contractors are required to undergo a third-party audit against the 110 security controls set forth in NIST SP 800-171 Rev 2, and be issued a certificate. Contractors with some minor noncompliances may be granted conditional certification and will have 180 days to remediate the open issues. Contractors should also affirm their compliance via SPRS. You can view our certificates, including our CMMC Level 2 certification, on our legal page.
Applying CMMC Requirements in the Xometry Instant Quoting Engine®
Xometry simplifies the process of applying or flowing down CMMC and other certification/supplier requirements. Start by uploading your 3D CAD and technical drawings to the Xometry Instant Quoting Engine®. Once your parts are finished processing and your quote has been built, you can add certification requirements in one of two ways:
- By clicking the “Add Certifications” button, located to the upper right of the quote summary page.
- By clicking the “Edit Configuration” button on a line item and scrolling down to the “Certifications and Supplier Qualifications” section.

From the list of options, you’ll find the checkbox for “Cybersecurity Maturity Model Certification (CMMC)”. Once checked, CMMC Level 1 will be selected by default. Click the radio button for CMMC Level 2 if your order requires it.

Note: It is essential to remember that, although the CMMC program has a phased, multi-year rollout, Contracting Officers (COs) have the discretion to require CMMC Level 2 on new contracts even before the dates specified in the official rollout schedule.
This makes it critical to review your contractual obligations carefully. When in doubt about what is required for your order, your contract is the definitive source of truth. Always review the solicitation and contract language for any specific CMMC "flow-down" requirements to ensure you select the correct compliance level for your Xometry order.