CMMC is required of any individual in the DOD supply chain, including contractors who interact exclusively with the Department of Defense and any and all subcontractors.
According to the DOD, the CMMC requirements will affect over 300,000 organizations. Fortunately, most businesses will require only a Level 1 to Level 3 certification. The CMMC Accreditation Body (CMMC-AB) establishes a process to qualify private third-party assessment organizations (C3PAO) and assessors to determine CMMC levels.
The precise level of certification a business needs to be granted a federal contract will be defined in the RFP.