Understanding CMMC
in the DP3 Program

Next Major Deadline
March 15, 2026

Days
Hours
Minutes
Seconds

EST/UTC-5
Nov 2025 DoD Rule Effective
Today
Mar 2026 Level 1 Deadline
Mar 2027 Level 2 Deadline

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is DoD’s standardized framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data when it resides in federal contractor and subcontractor systems. In DP3, the information handled by TSPs and their subcontractors includes such data.

Why It Applies To You

If your company receives, stores, processes, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during the management or delivery of DP3 household goods shipments, you must comply with CMMC Level 1 by March 15, 2026, and CMMC Level 2 by March 15, 2027.
This applies to all TSPs, domestic and international agents, storage facilities, OA/DA and hauling agents, crating companies, IT vendors, subcontracted labor and service providers, freight forwarders, claims service providers, and any entity having access to FCI and CUI data in support of DP3. If you touch DP3 shipment information, you are part of the cybersecurity chain of custody.
FCI - Federal Contract Information (FCI) means information, not intended for public release, that is provided by or generated for the Government under the ToS to develop or deliver a service to the Government. It does not include information provided by the U.S. Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments.
CUI - Controlled Unclassified Information (CUI) means information the U.S. Government creates or possesses, or information an entity creates or possesses for or on behalf of the U.S. Government, that a law, regulation, or U.S. Government wide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4(h)).
 Update 1/30/26:  The Permanent Change of Station Joint Task Force (PCS JTF) provided an update to Advisory #26-0025 via Advisory #26-0025B.

Of note, the main change is the addition of paragraph 2.d., which includes an update on providing the CMMC Unique Identifier (UID) to the appropriate TRANSCOM Quals organization email address NLT 15 March. The advisory states:

 "All TSPs are required to provide the CMMC UID used for CMMC affirmation in SPRS to the DPMO at transcom.scott.tcj9.mbx.pp-quals@mail.mil NLT 15 Mar 2026. These UIDs are crucial for the purpose of validating the completions of CMMC assessments by TSPs in SPRS. CMMC UIDs are assigned by SPRS."

Helpful Resources

Curated guides, templates and official DoD documentation.
Link

Advisory #26-0025B.

A new advisory update has been issued, including an added section with updated instructions for submitting the CMMC unique identifier.
Access Resource
Link

Preparing for Certification

DoD system for managing NIST SP 800-171 assessment data for CMMC compliance.
Access Resource
PDF

CMMC Scoping Guide Level 1

Official guide that explains what’s in scope for CMMC Level 1 assessments.
Access Resource
PDF

CMMC Scoping Guide Level 2

Official guide that explains what’s in scope for CMMC Level 2 assessments.
Access Resource
PDF

CMMC Assessment Guide level 1

Official DoD guide for conducting your annual Level 1 self-assessment.
Access Resource
PDF

CMMC Assessment Guide level 2

Official DoD guide for conducting your annual Level 2 self-assessment.
Access Resource
PDF

What You Need to Do for CMMC

If you need help getting started with CMMC Level I Compliance, here is a high-level step-by-step guide to help you begin.
Access Resource
Email

TCJ6 Cyber Analysis & Engagement Branch

An opportunity for industry to engage directly with Transcom's Cyber Branch on CMMC questions.
Send Email
Link

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)

DoD program that shares cybersecurity information and collaboration resources for defense industry partners.
Access Resource
Link

NSA Central Security Service/ DIB Cybersecurity Services

NSA program offering cybersecurity services and collaboration support to defense industry contractors.
Access Resource
Link

Cybersecurity & Infrastructure Security Services

Federal resource offering no-cost cybersecurity services and tools to help organizations improve their cyber defenses.
Access Resource
PDF

Defense Criminal Investigation Services Cyber Field Office

Overview of the DoD’s DCIS Cyber Field Office and its role investigating cyber crimes affecting the defense industrial base.
Access Resource
Link

Cybersecurity Maturity Model Certification

Official program and resource hub for understanding CMMC requirements and compliance for defense contractors.
Access Resource
PDF

The Supplier Performance Risk System

Official DoD guide explaining the SPRS system and how it’s used to record and evaluate contractor cybersecurity assessments.
Access Resource
Link

SPRS - Online Traning

Online training portal for learning how to use the SPRS system for cybersecurity assessment reporting and compliance.
Access Resource
Link

Project Spectrum | Cybersecurity Readiness & Compliance

A free resource for small to medium businesses (SMBs) looking to become CMMC Compliant, supported by the DoD Office of Small Business Programs.  
Access Resource

Welcome to the IAM CMMC Resource Center

The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) requirements are a central part of doing business within the Defense Personal Property Program (DP3). Understanding and preparing for these requirements is essential, not only for compliance, but for maintaining partnership eligibility within the DP3 program.
The International Association of Movers (IAM) created this resource center to provide plain-language explanations, verified links to official DoD and PCS JTF resources, and general guidance related to CMMC requirements, all designed to meet the needs of a diverse, multi-tiered transportation network.

Accuracy and Limitation of Liability

This resource page is intended solely to provide general guidance and reference materials related to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements as they pertain to the household goods moving industry.
Informational Use Only: All materials, links, summaries, and guidance provided on this page are for informational purposes only. They do not constitute legal advice, regulatory interpretation, compliance certification, or an official position of IAM. Users should consult qualified professionals for specific legal, technical, or compliance-related advice.
No Warranty of Accuracy: IAM makes no representations or warranties regarding the accuracy, completeness, timeliness, or reliability of any information or third-party materials referenced on this page. CMMC requirements, interpretations, and implementation guidance may evolve, and content on this page may not reflect the most current updates.
Limitation of Liability: To the fullest extent permitted by law, IAM shall not be liable for any direct, indirect, incidental, consequential, special, or punitive damages arising from the use of, reliance on, or inability to use any information or resources provided on this page. Users access and apply this information at their own risk.
This acknowledgement is required to access the IAM CMMC Resource Center.