What are CMMC Waivers? (And Why They're So Rare)
CMMC waivers are extremely rare. Here's why they aren't a substitute for CMMC compliance.

CMMC (Cybersecurity Maturity Model Certification) waivers have become a point of confusion for many organizations in the Defense Industrial Base (DIB). The reality is they’re very rare and any organization being granted a waiver is the exception, not the rule.
I can see the appeal of a waiver getting your organization out of working through the full CMMC process. But viewing a waiver as Plan B to CMMC certification is like planning to win the lottery to pay off your mortgage — technically possible, but not a real strategy.
In this guide, we’ll clear up what CMMC waivers are, in which cases they may be applicable, and why you shouldn’t be thinking about using them to skip CMMC requirements.
What are CMMC Waivers?
A CMMC waiver is a temporary, time-bound authorization that allows a specific contract to proceed despite the contractor not meeting the required CMMC certification level.
It is critical to understand who the waiver is actually for. A waiver applies to a contract, not a contractor. So you could technically be awarded a contract with a waiver attached to it but it’s not a blanket waiver saying your organization is eligible to work on any DoD contracts without the relevant CMMC certification.
Waivers were introduced in the 32 CFR rule and it’s specified in 32 CFR 170.5(d) that they will be used extremely sparingly and can only be applied in very limited circumstances where it’s believed that mission-critical work would be delayed without them in place:
“In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.”
The waiver process was also clarified by the DoW in January 2025.
The Purpose of Waivers
Waivers exist solely to protect national security interests. The DoW recognizes that in rare scenarios pausing a contract could have negative repercussions. Waivers provide a pressure valve for these mission-critical emergencies.
What Waivers Do
A CMMC waiver means that a contract can be awarded to a contractor if there are no contractors with the relevant CMMC certification able to fulfil that work. A waiver allows a chosen contractor to work on a select contract for a period of time bound to that project. It’s a last resort when the awarding agency has no other viable options.
What Waivers Don’t Do
As we mentioned earlier, waivers apply to the contract, not the contractor. So a waiver only applies to the contract it was written for, not your organization, meaning you can’t transfer it to another project. Waivers also don’t remove the obligation to become CMMC compliant in order to continue working on DoW contracts in the future.
A waiver also doesn’t absolve you of liability if a breach occurs, and you will still likely be contractually obligated to follow the required cybersecurity standards like NIST SP 800-171 under DFARS 7012.
Why are CMMC Waivers So Rare?
The DoW memo says that: “SAEs and CAEs must carefully weigh the risk of potential loss of CUI (Controlled Unclassified Information) associated with mission critical capabilities before granting a waiver.”
SAEs (Senior Acquisition Executive) and CAEs (Component Acquisition Executive) are extremely high-level military acquisition leadership roles. They manage multi-billion-dollar programs and ultimately control what forces are equipped with.
CMMC was implemented to put an end to self-attestation for organizations handling CUI (CMMC Level 1, and in some rare cases Level 2, can still be achieved through self-attestation). If waivers were handed out easily, it would undermine the exact reasons the program was put into place.
The January 2025 memo also shares the situations in which a waiver can’t be granted:
- Contracts requiring CMMC Level 1 and handling FCI (Federal Contract Information)
- Contracts eligible for CMMC Level 2 self-attestation
- Level 2 contracts handling classified work
- Level 3 contracts if the work involves both unclassified and classified DoD information.
Prime contractors also have no authority to apply CMMC waivers to subcontractors due to flow-down requirements.
Overall, the chance of a contract being eligible for waivers is very limited. If you work on or have ambitions to work on contracts that involve CUI, the DoW expects your organization to have the relevant CMMC certification.
Final Thoughts: You Likely Won’t Get a Waiver
Waivers exist as a last resort to ensure paperwork doesn’t delay a mission-critical issue; they aren’t there to give organizations a free pass on CMMC compliance.
The chances of your organization being handed a CMMC-level government contract with a waiver applied are very, very slim. If you want to work with the DoW, either as a prime contractor or subcontractor, the only way forward is through CMMC.
If you’re a current defense contractor working towards CMMC or a contractor eyeing up expansion into the defense market, Workstreet can help support your journey. As the only AI-powered CMMC Registered Provider Organization (RPO), we can help you automate your CMMC Level 2 compliance, protect CUI, and win contracts.

