Can You Bid Without CMMC Certification?

In practical terms, no. While a company may technically submit a proposal, a contractor that does not hold the required CMMC certification at the time of award is not eligible to receive the contract. Prime contractors are increasingly enforcing this condition before bids are even accepted, screening out suppliers that cannot demonstrate certification or a verified assessment timeline. For defense subcontractors, these CMMC requirements are not advisory. They are a condition of contract eligibility enforced through DFARS clauses and prime contractor supply chain controls.

Where CMMC Requirements Appear in DoD Contracts

CMMC requirements enter a solicitation through two primary instruments. DFARS 252.204-7021 is the contract clause that establishes the certification obligation. DFARS 252.204-7025 is the companion solicitation provision that notifies offerors of the specific CMMC level required for the effort. Additional flow-down language typically appears in Section H (Special Contract Requirements).

Contract Clause: DFARS 252.204-7021
Establishes the CMMC certification requirement. Requires the contractor to maintain current CMMC status for the duration of the contract, submit annual affirmations through eMASS, and hold current status before exercising any option period or extension.

Solicitation Provision: DFARS 252.204-7025
Notifies offerors of the specific CMMC level required for the effort. For contracts involving CUI, the specified level is typically CMMC Level 2: all 110 NIST SP 800-171 controls verified by C3PAO assessment.

Flow-Down: Section H Special Requirements
The contracting officer flows CMMC requirements to all subcontractors processing, storing, or transmitting FCI or CUI. The subcontractor cannot negotiate this away. The Government determines CUI presence based on data flows.

Compliance Record: CMMC Status in SPRS
Certification status and annual affirmation are recorded in the Supplier Performance Risk System. This is the primary compliance indicator that primes and the Government reference for eligibility determinations.

Why Prime Contractors Are Screening Suppliers Before Bidding

Before releasing a formal solicitation, many prime contractors now issue a preliminary screening to their supply chain: Supplier Enablement Inquiries, Supply Chain Readiness Assessments, or Cybersecurity Compliance Verification Requests. The function is the same. The prime is identifying which suppliers can demonstrate CMMC readiness and which cannot, then building its team sheet accordingly. This practice has accelerated since 2025, with primes enforcing requirements well ahead of the DoD phased rollout through November 2028.

"All tiered suppliers" extends the requirement beyond the direct subcontractor relationship. Any subtier supplier accessing CUI faces the same obligation.

"Documented evidence" means artifacts: a current SSP, a POA&M if applicable, and a confirmed C3PAO engagement letter with a scheduled assessment date.

"Current CMMC status in SPRS" reflects the shift from the legacy self-assessment score to the contractor's certification status and annual affirmation as the primary data point.

"Immediate disqualification" is a binary outcome, not a negotiation opening.

The CMMC Compliance Questionnaire: 10 Questions to Expect

Prime contractors increasingly issue structured compliance questionnaires to evaluate subcontractor eligibility. The following table presents the data points primes are requesting. These are not hypothetical.

| # | Question | What This Reveals |
|---|----------|-------------------|
| 1 | Does your organization currently hold a CMMC Level 2 certification (conditional or final)? | Immediate eligibility determination. A "no" triggers follow-up on timeline and readiness artifacts. |
| 2 | What is your current CMMC status as reflected in SPRS? | Validates that the certification record is posted. Primes cross-reference SPRS directly. |
| 3 | When was your most recent annual CMMC affirmation submitted, and who is the designated affirming official? | A lapsed or missing affirmation can disqualify a contractor from option year exercises. |
| 4 | Does your organization maintain a current SSP that defines your CUI environment boundary? | The SSP is the most referenced artifact in a C3PAO assessment. Outdated or nonexistent signals fundamental unreadiness. |
| 5 | Have you engaged a C3PAO? If yes, what is your scheduled assessment date? | Determines whether the certification timeline is realistic relative to the award date. |
| 6 | Do you have open POA&M items? Projected remediation completion date? | Evaluates whether remaining gaps are manageable within the 180-day conditional window or structural. |
| 7 | Describe your process for identifying, marking, storing, and transmitting CUI. | Tests whether the compliance program is operationalized or theoretical. |
| 8 | Documented cyber incident response plan? Incidents reported to DIBCNET in the past 24 months? | Assesses both preparedness and disclosure history under DFARS 252.204-7012. |
| 9 | Do you use external service providers (MSPs, MSSPs, cloud) to process, store, or transmit CUI? Are they CMMC-certified? | External providers within the CUI boundary are in scope. An uncertified provider is a compliance gap. |
| 10 | Have you verified the CMMC status of your own subtier suppliers who will access CUI? | DFARS 252.204-7021 requires flow-down to all tiers. Tests whether the subcontractor has conducted its own supply chain due diligence. |

Each response communicates more than a data point. A company that provides its certification status, affirmation date, C3PAO engagement, and projected timeline is communicating operational maturity. Vague timelines or qualifications such as "we are working on it" signal risk. Questionnaire responses should be treated with the same precision as a financial disclosure, because they become part of the contractual record.

The SPRS Delta: When the Reported Score Does Not Match Reality

Pause and Engage Counsel

If there is any difference between the compliance posture reported in SPRS and the actual implemented state of the organization's security controls, that difference will surface during the C3PAO assessment. The assessor evaluates each of the 110 NIST SP 800-171 requirements against documented evidence and operational practice. A score that reflects controls not actually implemented is a documented misrepresentation to the United States Government and creates the precise condition the Department of Justice targets through the False Claims Act.

If an organization has reason to believe its reported SPRS score or CMMC status does not accurately reflect its current security posture, the appropriate response is to pause forward compliance assertions and engage legal counsel before taking any further steps. Under counsel's direction, a qualified third-party practitioner should conduct an independent scope discovery to establish the actual state of the environment, identify which controls are and are not implemented, and determine the true delta. This is not a remediation exercise. It is a factual determination that must be completed before the organization can make informed decisions about how to proceed, what to disclose, and how to correct the record.

Proceeding to a C3PAO assessment with a known delta between reported and actual compliance posture compounds the exposure rather than resolving it.

Business Impact: Revenue, Disqualification, and Legal Exposure

The practical window between a prime contractor's Supplier Enablement Inquiry and the contract award date is typically 120 to 180 days. Organizations beginning their compliance journey at the point they receive the inquiry face a readiness gap that requires capital allocation, personnel time, and organizational change management to close. If the inquiry arrives in April and the award decision is in October, the preparation needed to have been underway well before the inquiry was issued.

The contractor's CMMC status and affirmation record in SPRS is a formal representation to the United States Government. The Department of Justice has pursued contractors who misrepresent their cybersecurity posture through its Civil Cyber-Fraud Initiative, which provides for treble damages and per-claim penalties.

Work a company has performed for years under existing contracts may not be available for recompete if certification is not in place by the new solicitation date. In practical terms, this is not simply contract loss. It is competitive displacement, where certified competitors replace incumbents who cannot meet the eligibility threshold.
