
The Myth of CMMC Waivers: 7 Misconceptions that Are Putting Your Contracts and Information at Risk

December 23, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Dylan Miller

Partner Manager, Audit and Technology

In a recent supplier update, Northrop Grumman effectively squashed the last hope of subcontractors playing the "wait-and-see" game with CMMC, even after enforcement officially began in November:

“Neither contracting officers nor prime contractors may waive or deviate from the CMMC cybersecurity control and assessment requirements. Contracting officers may not award contracts to noncompliant contractors and prime contractors may not award purchase orders to noncompliant subcontractors. We encourage you to proactively prepare to comply with this future contractual requirement.”

CMMC waivers have been a significant point of confusion across the Defense Industrial Base (DIB). Some organizations still view them as a viable alternative to CMMC certification or a potential lifeline that primes could throw their way. In reality, waivers are rare exceptions reserved for mission-critical emergencies.

If you’re delaying certification in hopes of a waiver, you are putting your contract eligibility and sensitive defense data at risk. We’ll explain why below.


What are CMMC waivers?

CMMC waivers are rare, time-bound exceptions where DoD may waive the application/inclusion of certain CMMC requirements (including assessment requirements) for a specific procurement or class of procurements. 

These waivers do not exempt contractors from otherwise-applicable cybersecurity obligations, including DFARS-based assessment and reporting requirements that may still apply (e.g., maintaining required self-assessment posture and SPRS-related obligations where applicable).

Only Service or Component Acquisition Executives can approve these waivers, and only in very limited circumstances where mission-critical operations would be disrupted without them.

What’s the purpose of CMMC waivers?

Waivers were introduced in the 32 CFR rule alongside self-assessments and Plans of Actions and Milestones (POA&Ms) to increase the flexibility of the CMMC 2.0 program—now known simply as CMMC. The Department of Defense (DoD) intended these options to minimize the economic impact of the program (on small businesses in particular) and mitigate implementation issues that might disrupt the defense supply chain’s operations or mission. 

In short, CMMC waivers can allow the DoD to proceed with an award without requiring the otherwise-applicable CMMC assessment requirement (or by invoking a lesser CMMC assessment level)—but only to avoid disrupting a mission-critical operation.

However, waivers are not a get-out-of-CMMC-free card. As 32 CFR 170.5(d) makes clear, contractual CMMC requirements will not be waived often:

“In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.”

This section prompted multiple questions and comments during public feedback periods in the 32 CFR rulemaking process. Some wondered if the DoD would use waivers to reduce the risk of assessment failures or to manage the transition from NIST 800-171 Revision 2 to Revision 3, among other purposes and use cases.

To clarify the waiver process, the DoD promptly released a key memorandum in January 2025. 

When can CMMC waivers be used?

The DoD’s January 2025 memorandum, “Implementing the CMMC Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements,” clarifies that waivers are only possible for Level 2 and Level 3 Third-Party Assessments when:

  • Market research indicates the requirement would impede competition or delay mission-critical capabilities.
  • The DoD is seeking competition from non-traditional DoD sources.

Even then, the waiver must be:

  1. Coordinated through the component CIO.
  2. Requested by program managers and approved by an SAE or CAE.
  3. Accompanied by a formal mitigation plan.
  4. Time-bound (no open-ended exceptions).
  5. Reported quarterly to the Under Secretary of Defense and the DoD CIO.

Image source: DoD's Implementing the Cybersecurity Maturity Model Certification (CMMC) Program memo

When can’t CMMC waivers be used?

According to the January 2025 DoD memorandum, waivers are considered highly unlikely or inappropriate for:

  • Level 1 contracts
  • Level 2 (Self) contracts
  • Level 2 contracts requiring performance by a cleared defense contractor
  • Level 3 contracts or work statements requiring access to both unclassified and classified DoD information

In short, the DoD expects most DIB organizations handling FCI or CUI to be certified. Period.


Why are CMMC waivers so rare?

The DoD memo explicitly states: “SAEs and CAEs must carefully weigh the risk of potential loss of CUI associated with mission critical capabilities before granting a waiver.”

This hits on exactly why CMMC waivers are so limited: The move to CMMC represents a strategic departure from the "trust-but-verify" model of self-attestation under DFARS 7012 and other existing regulations that lacked a rigorous assessment component. If the DoD granted waivers frequently, the entire purpose of the program—to ensure a consistent and verifiable baseline of cybersecurity across the defense supply chain—would be undermined. 

For the DoD, a waiver isn't a “favor" to a contractor; it is a calculated acceptance of national security risk.


Addressing 7 misconceptions about CMMC waivers

To understand why "waiver chasing" is a failing strategy, we have to debunk the myths currently circulating in the DIB. The table below summarizes how the major primes are already enforcing CMMC in their supply chains; each of the misconceptions that follow is then checked against the authoritative source text of the 32 CFR rule and the January 2025 DoD Memorandum.

| Prime contractor | Supplier notice | Date issued | Minimum CMMC requirement | Verification process |
| --- | --- | --- | --- | --- |
| Raytheon (RTX) | Supplier questionnaire asked for current and intended CMMC status | Feb 2025 | Active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation | Annual Supplier Registration form: Suppliers must immediately update this registration form with current CMMC status. |
| Lockheed Martin | Supplier update that team was reaching out to suppliers with self-assessments showing unimplemented CMMC controls | June 2025 | Level 2 (Self) for now, but Level 2 (C3PAO) anticipated | Exostar Module: Submit Cybersecurity Compliance and Risk Assessment (CCRA) with current NIST assessment and level of CMMC readiness in Exostar. |
| Boeing | Supplier update that team was assessing supplier cybersecurity practices for CMMC gaps and encouraging proactive preparation for Level 2 (C3PAO) | Sept 2025 | CMMC Level (1-3) certification identified in the customer/Boeing solicitation, but Level 2 (C3PAO) encouraged | Gap Assessment: Boeing is assessing practices now; certification (Level 1-3) will be a condition of award. |
| Elbit Systems | Supplier update mandating Level 1 (Self) to continue doing business with Elbit | Nov 2025 | Level 1 (Self) for now, but Level 2 (C3PAO) encouraged for suppliers handling CUI | SPRS & Exostar: Level 1 self-assessment and affirmation must be conducted in SPRS and documented in Exostar. |
| Northrop Grumman | Supplier update urging preparation for CMMC since primes cannot waive or deviate from CMMC flowdown requirements | Dec 2025 | CMMC cybersecurity control and assessment requirements in solicitations and contracts | Verification process not specified in supplier update or website, but the update explicitly states that purchase orders will not be awarded to noncompliant subcontractors. |


1. False: Primes can waive CMMC requirements for their subcontractors.

Reality: As the Northrop Grumman letter confirms, prime contractors have zero authority to waive CMMC. If a contract contains a CMMC flowdown requirement, the prime is legally obligated to ensure its subcontractors meet that level. A prime cannot "vouch" for you to bypass the rule.

2. False: CMMC waivers are for companies, not contracts.

Reality: Waivers are tied to specific contracts, not companies. So if the DoD decides it’s genuinely necessary to waive the inclusion of CMMC requirements in one contract because there aren’t enough certified companies who could fulfill the work otherwise, that does not mean you are exempt from CMMC requirements in your other contracts. 

3. False: CMMC waivers are a permanent “pass” on CMMC requirements.

Reality: Waivers don’t give your business a permanent pass from needing CMMC. If you do get a waiver, it’s short-lived and tied to conditions in the specific contract, including a deadline for CMMC certification at the required level. In other words: a waiver isn’t a blank check to keep working for the DoD indefinitely without CMMC certification.

4. False: CMMC waivers eliminate underlying security obligations.

Reality: Even if the CMMC level and assessment requirement is waived at the time of award, your obligation to protect data is not. If you’re handling FCI or CUI, you still must comply with applicable cybersecurity requirements (e.g., FAR 52.204-21 for FCI; DFARS 252.204-7012 and NIST SP 800-171 for CUI; and where applicable pursuant to DoD policy, NIST SP 800-172), plus any other contract-specific security requirements. 

5. False: CMMC waivers eliminate CMMC requirements entirely.

Reality: Just as a waiver doesn’t exempt you from existing applicable cybersecurity and information security requirements like DFARS 7012, it may not exempt you from CMMC requirements entirely either. A contracting officer may waive the inclusion of a Level 2 (C3PAO) requirement but still require Level 2 (Self), for example. 

6. False: You can request a waiver during the RFP process.

Reality: Waivers must be predetermined at the acquisition level in advance of the solicitation. So if you see a CMMC requirement in an RFP/RFQ, the window for a waiver has already closed. You cannot bid and then ask for a waiver as a condition of winning the award.

7. False: Large, legacy Primes will just lobby for waivers and get them.

Reality: Some commenters raised concerns during rulemaking that waivers could be unevenly applied. In practice, DoD policy makes clear that waivers are intended to be rare, time-bound exceptions with strict approval, mitigation, and reporting requirements.

Because every waiver must be reported to the Office of the DoD CIO and include a justification of why market research failed to find a certified competitor, "lobbying" for waivers is a high-risk, low-reward strategy for primes and the acquisition executives authorized to approve them. 


Bottom line for most DIB organizations: You won’t get a CMMC waiver

CMMC waivers are a narrow, temporary exception that applies only at the contract level when certified bidders are scarce. They don’t remove core security requirements and they won’t replace CMMC certification as the new contractual cybersecurity standard. If your goal is to win defense work and scale, you must pursue CMMC certification, not waiver chasing.

Mariano Ospina, a CMMC Solutions Advisor at Secureframe, stresses that DIB organizations can’t build a business plan around CMMC waivers: “Waivers are not a strategy. They are rare, inconsistent, and outside your control. You might get short term relief on one contract, but certification does not go away. The DoD expects contractors to be certified, period. If you want repeatable access to federal work, CMMC readiness is the cost of entry.”


How Secureframe can help you keep your contracts and national security information safe

Just as the DoD “took aggressive steps” to revise the initial version of the CMMC program to reduce the burden on defense contractors and still meet the objectives of the rule, Secureframe is committed to developing and continuously improving its end-to-end CMMC solution to help the DIB prepare for and complete CMMC assessments at speed and scale.

Secureframe automates the hardest parts of CMMC so you can:

  • Cut readiness timelines by 60%: Move from a 12-18 month manual process to a 4-6 month automated sprint to Level 2 compliance by automating infrastructure provisioning, scoping, control implementation, documentation, continuous monitoring, and more.
  • Deploy a CUI enclave in as little as ~30 minutes: Instead of spending the average 8-10 weeks building a secure environment for your CUI, even with the help of a consultant, auto-provision a pre-configured, CMMC-compliant enclave in half an hour. 
  • Automate documentation: Instantly generate machine-readable SSPs and POA&Ms based on the control, policy, and vendor data from your Secureframe instance.
  • Automate GRC workflows: Manage the same GRC tasks and workflows for CMMC that any other framework requires, from automated evidence collection to asset inventory, employee training, risk management, vendor due diligence, documentation updates, and continuous monitoring.
  • Real-time SPRS tracking: Track your SPRS score in real time to monitor your level of CMMC readiness ahead of award deadlines and throughout contract periods.
  • Trusted C3PAO Network: Connect with C3PAOs who use the Secureframe platform to complete your Level 2 assessment faster and at a lower cost.

Don’t wait for a waiver that isn't coming. Talk to an expert to see how Secureframe can help you secure your spot in the future of the DIB.


Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Dylan Miller

Partner Manager, Audit and Technology

Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.