Understanding CMMC in the DP3 Program

Next Major Deadline
March 15, 2026 (EST/UTC-5)

Nov 2025: DoD Rule Effective
Mar 2026: Level 1 Deadline
Mar 2027: Level 2 Deadline

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is DoD’s standardized framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data when it resides in federal contractor and subcontractor systems. In DP3, the information handled by TSPs and their subcontractors includes such data.

Why It Applies To You

If your company receives, stores, processes, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during the management or delivery of DP3 household goods shipments, you must comply with CMMC Level 1 by March 15, 2026, and CMMC Level 2 by March 15, 2027.
This applies to all TSPs, domestic and international agents, storage facilities, OA/DA and hauling agents, crating companies, IT vendors, subcontracted labor and service providers, freight forwarders, claims service providers, and any entity having access to FCI and CUI data in support of DP3. If you touch DP3 shipment information, you are part of the cybersecurity chain of custody.
FCI - Federal Contract Information (FCI) means information, not intended for public release, that is provided by or generated for the Government under the ToS to develop or deliver a service to the Government. It does not include information provided by the U.S. Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments.
CUI - Controlled Unclassified Information (CUI) means information the U.S. Government creates or possesses, or information an entity creates or possesses for or on behalf of the U.S. Government, that a law, regulation, or U.S. Government wide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4(h)).

Helpful Resources

Curated guides, templates and official DoD documentation.

Preparing for Certification

DoD system for managing NIST SP 800-171 assessment data for CMMC compliance.

CMMC Scoping Guide Level 1

Official guide that explains what’s in scope for CMMC Level 1 assessments.

CMMC Scoping Guide Level 2

Official guide that explains what’s in scope for CMMC Level 2 assessments.

CMMC Assessment Guide Level 1

Official DoD guide for conducting your annual Level 1 self-assessment.

CMMC Assessment Guide Level 2

Official DoD guide for conducting your annual Level 2 self-assessment.

TCJ6 Cyber Analysis & Engagement Branch

An opportunity for industry to engage directly with Transcom's Cyber Branch on CMMC questions.

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)

DoD program that shares cybersecurity information and collaboration resources for defense industry partners.

NSA Central Security Service / DIB Cybersecurity Services

NSA program offering cybersecurity services and collaboration support to defense industry contractors.

Cybersecurity & Infrastructure Security Services

Federal resource offering no-cost cybersecurity services and tools to help organizations improve their cyber defenses.

Defense Criminal Investigation Services Cyber Field Office

Overview of the DoD’s DCIS Cyber Field Office and its role investigating cyber crimes affecting the defense industrial base.

Cybersecurity Maturity Model Certification

Official program and resource hub for understanding CMMC requirements and compliance for defense contractors.

The Supplier Performance Risk System

Official DoD guide explaining the SPRS system and how it’s used to record and evaluate contractor cybersecurity assessments.

SPRS - Online Training

Online training portal for learning how to use the SPRS system for cybersecurity assessment reporting and compliance.

Welcome to the IAM CMMC Resource Center

The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) requirements are a central part of doing business within the Defense Personal Property Program (DP3). Understanding and preparing for these requirements is essential, not only for compliance, but for maintaining partnership eligibility within the DP3 program.
The International Association of Movers (IAM) created this resource center to provide plain-language explanations, verified links to official DoD and PCS JTF resources, and general guidance related to CMMC requirements, all designed to meet the needs of a diverse, multi-tiered transportation network.

Accuracy and Limitation of Liability

This resource page is intended solely to provide general guidance and reference materials related to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements as they pertain to the household goods moving industry.
Informational Use Only: All materials, links, summaries, and guidance provided on this page are for informational purposes only. They do not constitute legal advice, regulatory interpretation, compliance certification, or an official position of IAM. Users should consult qualified professionals for specific legal, technical, or compliance-related advice.
No Warranty of Accuracy: IAM makes no representations or warranties regarding the accuracy, completeness, timeliness, or reliability of any information or third-party materials referenced on this page. CMMC requirements, interpretations, and implementation guidance may evolve, and content on this page may not reflect the most current updates.
Limitation of Liability: To the fullest extent permitted by law, IAM shall not be liable for any direct, indirect, incidental, consequential, special, or punitive damages arising from the use of, reliance on, or inability to use any information or resources provided on this page. Users access and apply this information at their own risk.
This acknowledgement is required to access the IAM CMMC Resource Center.