CMMC Compliance: What Repair Firms Need to Know
by ROBERT WRIGHT, Claims Director – Suddath Government Services
Starting May 15, 2026, all repair firms performing work for Department of War (DoW) Transportation Service Providers (TSPs) must comply with Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements.
By May 15, 2027, these firms will need to meet CMMC Level 2 assessment requirements for any systems that process or store Federal Contract Information (FCI)[1] or Personally Identifiable Information (PII) categorized as Controlled Unclassified Information (CUI). Failure to comply will result in ineligibility for DoW-related contracts and could trigger penalties under DFARS and the False Claims Act. [2026 Tende...25) Final | PDF], [dodcio.defense.gov], [thecgp.org]
Why This Matters
The DoW is enforcing CMMC to protect sensitive data across its supply chain. Furniture repair firms often handle FCI and CUI through work orders, invoices, and customer records. These data points—such as service details, addresses, and PII—must be safeguarded under federal cybersecurity standards. [dodcio.defense.gov]
Phase 1: CMMC Level 1 by May 15, 2026
Scope: Systems that process or store Federal Contract Information (FCI).
Requirements:
1. Implement 15 basic safeguarding practices from FAR 52.204-21 (e.g., unique user IDs, secure passwords, physical access controls).
2. Complete an annual self-assessment and upload results to the Supplier Performance Risk System (SPRS).
3. Submit an executive affirmation of compliance in SPRS. [thecgp.org], [squaredcompass.com]
Action Steps for Repair Firms:
1. Identify FCI systems (billing software, scheduling tools, email).
2. Document policies for access control, media sanitization, and incident response.
3. Train staff on basic cyber hygiene (passwords, phishing awareness).
4. Perform the self-assessment and post the score in SPRS before the deadline. [compliance...vanced.com], [squaredcompass.com]
Phase 2: CMMC Level 2 by May 15, 2027
Scope: Systems handling Controlled Unclassified Information (CUI), including PII.
Requirements:
1. Implement 110 security controls from NIST SP 800-171 (e.g., encryption, multi-factor authentication, audit logging).
2. Undergo a third-party assessment (C3PAO) for most contracts involving CUI.
3. Maintain continuous compliance and update SPRS annually. [thecgp.org], [govconwire.com]
Action Steps for Repair Firms:
1. Map CUI data flows (claims documents, repair estimates, customer PII).
2. Develop a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) for gaps.
3. Segment networks or use a secure enclave for CUI systems.
4. Schedule a C3PAO audit well before the 2027 deadline. [compliance...vanced.com], [summit7.us]
SPRS Compliance
All assessments and affirmations must be posted in SPRS. Without a current SPRS record, firms cannot receive DoW work orders. False reporting can lead to suspension or debarment. [sprs.csd.disa.mil], [secureframe.com]
Practical Tips for Furniture Repair Firms
Start Now: Waiting until 2026 or 2027 will create bottlenecks and risk losing contracts.
Leverage Managed Service Providers (MSPs): They can help implement NIST controls and prepare for audits. [sync-resource.com]
Budget for Compliance: Costs include policy development, secure IT tools, and third-party assessments.
Train Employees: Human error is the top cause of breaches—make cybersecurity part of daily operations.
Bottom Line
Compliance with CMMC is not optional. It’s a contractual requirement that ensures data security and continued eligibility for DoW TSP work. Firms that act early will avoid last-minute disruptions and position themselves as trusted partners in the defense supply chain.
· [1] Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
· Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.