All members of the Defense Industrial Base (DIB) that process Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) for the Department of Defense (DoD) must comply with the CMMC. The DIB consists of the prime contractors, along with the suppliers and vendors to those prime contractors and the DoD itself. By the way, CMMC isn't necessarily something an organization "complies" with; it is better stated that the CMMC will result in a certification issued to organizations whose cybersecurity program passes an assessment.

There is one exception: organizations that supply Commercial Off The Shelf (COTS) items to the DoD do not need a CMMC certification. For confirmation of this, see the FAQs on CMMC here: https://www.acq.osd.mil/cmmc/faq.html. All of the other 350,000+ members of the DIB will need a certification. DIB members that only process FCI will require a CMMC Level 1 certification; this includes simple service providers such as lawn maintenance and janitorial services at DoD facilities. Organizations that process CUI will be required to carry a CMMC Level 2-5 certificate, depending on the risk level associated with the particular information.

Prime contractors are expected to flow CMMC certification requirements ALL the way down their supply chain. This supply chain encompasses a vast number of organizations; the DoD estimates 350,000+.