Are telecom providers in CMMC scope?

If you transmit or store a DoD customer's CUI, or provide security-protection capabilities for it, the relevant services are in scope as an External Service Provider.

What level do we need?

Handling CUI points to Level 2 as the minimum; the self-assessment versus C3PAO question depends on the CUI category.

How do we limit scope?

Segregate the services and systems that carry CUI and document the boundary; assets with no CUI and proper separation can be Out-of-Scope.

industry

SPRS Score Calculator for Telecommunications & Network Providers

Score CMMC / NIST SP 800-171 readiness for SPRS — for telecom and network providers in the defense supply chain.

Start free assessment How scoring works →

Telecommunications and network providers that transmit or store a DoD customer's CUI — or provide security-protection capabilities for it — are pulled into assessment scope as External Service Providers. Segregating the services that carry CUI is the key to a manageable scope.

What you need to know

Your SPRS score starts at a baseline of 110 and subtracts a weighted value (5, 3, or 1) for each unimplemented requirement — it can go negative (as low as −203).
A score of 110 is a Final self-assessment; 88–109 is Conditional with a POA&M; below 88 you can't affirm a Conditional or Final status.
A Conditional Level 2 self-assessment is valid 180 days to close your POA&M; a Final self-assessment is valid 3 years with annual affirmations.

Read the full walkthrough

Clauses that likely apply to you

DFARS 252.204-7012

DFARS 252.204-7019

DFARS 252.204-7021

DFARS 252.204-7020

See what each clause requires

Know your score before you submit

Run a full 110-requirement self-assessment free — no account required to see your score.

Start free assessment

Free tools

Control Mapper800-171 ↔ CMMC cross-walk for all 110 requirementsOpen →DFARS ReferenceKey DFARS/FAR clauses, obligations, and effective datesOpen →Incident Timer72-hour DFARS cyber-incident reporting countdownOpen →

Frequently asked questions

Are telecom providers in CMMC scope?: If you transmit or store a DoD customer's CUI, or provide security-protection capabilities for it, the relevant services are in scope as an External Service Provider.
What level do we need?: Handling CUI points to Level 2 as the minimum; the self-assessment versus C3PAO question depends on the CUI category.
How do we limit scope?: Segregate the services and systems that carry CUI and document the boundary; assets with no CUI and proper separation can be Out-of-Scope.

Related guides

Go deeper on scoring, levels, and POA&Ms.

How to Calculate Your SPRS Score (NIST SP 800-171)A step-by-step guide to the SPRS score: the DoD Assessment Methodology, how the 1/3/5 point weights work, why your score can go negative, and how MFA and FIPS partial credit are scored.Read guide CMMC Level 1 vs Level 2: Which Do You Need?FCI vs CUI, FAR 52.204-21 vs NIST SP 800-171, and the NARA Registry / DoD OIG test that decides whether Level 2 needs a self-assessment or a C3PAO certification.Read guide What Is a POA&M? (And Which Gaps Are Eligible)A Plan of Action and Milestones lets you reach a Conditional Level 2 status with a few open gaps — but not every gap qualifies. Here are the 32 CFR 170.21 eligibility rules and the 180-day clock.Read guide How to Prepare for a CMMC / SPRS Self-AssessmentA practical, in-order walkthrough: define your scope, confirm your SSP, assess at the objective level, build your POA&M, affirm, and enter your summary in SPRS.Read guide