The Cybersecurity Maturity Model Certification (CMMC) is a contractual requirement for organisations doing business with the US Department of Defense (DoD) as of 10 November 2025.
This marks the beginning of Phase 1 of the CMMC rollout, and from this date forward, any organisation — regardless of its headquarters location — must demonstrate CMMC compliance to be eligible for new US DoD contracts.
Why this matters for UK and European companies
Organisations that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of their work with the DoD or its prime contractors are required to be CMMC certified by a certified third-party assessor organisation (C3PAO).
According to The Cyber AB, the official accreditation body for CMMC, there is no reciprocity with other cybersecurity standards — including ISO 27001, NIS2 Directive, or GDPR. All contractors, whether US-based or international, must follow the same certification process, with no exceptions.
What you should do now
Start early! The average preparation time for a CMMC Level 2 assessment is 9 to 12 months. With limited C3PAO availability and rising demand, early engagement helps you avoid delays and stay ahead of competitors. Here are some steps to get started:
STEP 1. Identify your CMMC level:
Level 1 [Foundational]: Applicable to defence or aerospace contractors bidding on DoD contracts handling FCI. All contractors in Level 1 must implement 17 basic cybersecurity practices to safeguard FCI. If the FAR 52.204-21 requirement is in your current contracts, you are most likely in the CMMC Level 1 category.
Level 2 [Advanced]: Applicable to defence or aerospace contractors bidding on DoD contracts handling:
- CUI
- CTI
- ITAR or export-controlled data that is CUI

All contractors in Level 2 must implement 110 security controls from NIST 800-171. If the DFARS 252.204-7012 requirement is in your current contracts, you are most likely in the Level 2 category.
Level 3 [Expert]: Applicable to defence or aerospace contractors bidding on DoD contracts handling Critical CUI. Level 3 security requirements are expected to contain a subset of NIST SP 800-172. If the DFARS 252.204-7012 requirement is in your current contracts and you have had a DIBCAC assessment, you are most likely in the Level 3 category.
STEP 2. Identify in-scope assets such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
STEP 3. Identify gaps by performing a gap assessment.
STEP 4. Develop an implementation plan based on findings from your gap assessment and address vulnerabilities to meet the control objective requirements.
STEP 5. Engage a C3PAO: Because CMMC is a rigorous cybersecurity framework, it’s critical to engage with a C3PAO that has extensive US federal expertise with frameworks such as FedRAMP. There are a limited number of C3PAOs authorised to conduct CMMC assessments, and not all are created equal. We recommend seeking out a C3PAO that has deep experience in US federal compliance, delivers high-quality final reports, and streamlines the process. To learn more about choosing the right C3PAO, download our CMMC Checklist.
How A-LIGN can help
A-LIGN is the only leading American C3PAO with offices in Europe. For companies headquartered in the UK and Europe, this means having access to deep US federal expertise with the convenience of local support in your own time zone.
We’ve completed over 1,000 US federal assessments, including:
- CMMC: Certified C3PAO with extensive readiness experience.
- NIST 800-171: The foundation of CMMC Level 2.
- FedRAMP: Top 3PAO with 100% authorisation success rate. A-LIGN’s A-SCEND is one of a few audit management platforms to be FedRAMP 20x authorised.
- GovRAMP: The only registered assessor currently on the market.
A-LIGN offers fast onboarding, with CMMC kick-off in just 6–8 weeks—twice as fast as the industry average—and streamlined support, with tailored guidance for international companies and a local presence in Europe.
Ready to start your CMMC journey? Book a meeting with A-LIGN today and get expert support on your timeline, in your region.