Cybersecurity Maturity Model Certification (CMMC) 2.0 Requirements

IS4S is notifying all suppliers that due to Defense Federal Acquisition Regulation Supplement (DFARS) changes effective 10 November 2025, all suppliers must meet CMMC 2.0 Level certification as dictated by the Department of War (DoW) for contracts that incorporate the new flow-down clause DFARS 252.204-7021. Failure to meet CMMC 2.0 requirements will result in your inability to bid on or be awarded DoW subcontracts that have a CMMC 2.0 requirement. Any supplier that has access to Federal Contract Information (FCI) will be required to meet CMMC Level 1 at a minimum. Suppliers who process, store or transmit Controlled Unclassified Information (CUI) will be required as a condition for award to be certified at the same level as IS4S which is CMMC Level 2.

As new solicitations and contracts (both new and on-going) incorporate this clause, it’s important that you maintain or get compliant so that you can continue to be a part of the IS4S subcontractor team. Compliance at the CMMC Level 2 C3PAO takes time due to availability of a C3PAO to do your assessment, so please don’t wait.

To maintain IS4S compliance and the integrity of our supply chain, IS4S is requiring all suppliers to send a copy of their CMMC Level 2 C3PAO certificate for verification. With customers starting to incorporate this requirement into solicitations and contracts, we are requesting that you become certified as soon as possible to avoid any potential disruption or exclusion from being a supplier with IS4S on DoW contracts. Please send your certification to Johnathon Bailey at cybersecurity.team@is4s.com.

IS4S appreciates your prompt attention to this requirement, and we are looking forward to continuing our successful relationship with you.

Stacey A. Darhower

Vice President, Contracts