ICF Achieves Cybersecurity Maturity Model Certification (CMMC) Level 2

Rhea-AI Summary

ICF (NASDAQ:ICFI) announced it achieved Cybersecurity Maturity Model Certification (CMMC) Level 2 on Feb 5, 2026, validating controls to protect controlled unclassified information across its operations. The certification followed an assessment by a Certified Third Party Assessor Organization (C3PAO) and may reduce delays obtaining Authorizations to Operate.

This milestone supports ICF's ability to serve U.S. defense and civilian agencies with strengthened cybersecurity practices and faster program onboarding.

Positive

• Achieved CMMC Level 2, validating controls for controlled unclassified information
• Certified by a C3PAO, demonstrating third-party verification of cybersecurity practices
• May reduce ATO delays, enabling faster federal program launches and lower implementation risk

Negative

• None.

Key Figures

Q3 2025 Revenue: $465.4 million Prior-year Revenue: $517.0 million Net Income: $23.8 million +5 more

8 metrics

Q3 2025 Revenue $465.4 million Q3 2025 vs $517.0 million a year ago

Prior-year Revenue $517.0 million Q3 2024 revenue comparator

Net Income $23.8 million Q3 2025 net income

Diluted EPS $1.28 Q3 2025 diluted EPS

Long-term Debt $449.4 million Q3 2025 balance sheet

Unused Revolver Capacity $501.6 million On $600.0 million revolver in Q3 2025

Unfulfilled Performance Obligations $0.9 billion Q3 2025 vs $1.3 billion at prior year-end

Backlog Reduction $418.2 million Backlog change during nine months ended Sep 30, 2025

Market Reality Check

Price: $87.07 Vol: Volume 95,779 vs 20-day a...

normal vol

$87.07 Last Close

Volume Volume 95,779 vs 20-day average 133,257 indicates activity below recent norms ahead of this news. normal

Technical Price $90.82 is above the 200-day MA of $88.37 and about 22.99% below the 52-week high.

Peers on Argus

Peers show mixed moves: CRAI up 1.6%, FCN up 2.11%, while DGNX, HURN, and SBC ar...

Peers show mixed moves: CRAI up 1.6%, FCN up 2.11%, while DGNX, HURN, and SBC are down. With ICFI up 1.26% and no sector-wide momentum flags, this action appears stock-specific.

Historical Context

5 past events · Latest: Jan 22 (Positive)

Pattern 5 events

Date	Event	Sentiment	Move	Catalyst
Jan 22	Government contract win	Positive	+1.2%	Won $64M Pennsylvania data modernization recompete with long-term contract structure.
Jan 13	European contracts	Positive	+1.9%	Secured nearly $300M ceiling in new EU communication campaign contracts.
Dec 15	State contract vehicle	Positive	+1.1%	Named prime on Maryland’s $300M, nine-year digital experience IDIQ contract.
Dec 08	Workplace recognition	Positive	+0.8%	Recognized as a Best Company to Work For and innovative company in 2025.
Dec 03	Investor conference	Neutral	+1.9%	Participation in Sidoti virtual investor conference with executive fireside chat.

Pattern Detected

Recent contract and recognition news has consistently preceded modest positive 24-hour price reactions.

Recent Company History

Over the last few months, ICF reported multiple positive developments, including a $64M Pennsylvania data modernization contract (Jan 22, 2026), nearly $300M in new European contracts (Jan 13, 2026), and participation in a $300M Maryland digital experience vehicle (Dec 15, 2025). Employer recognition and investor conference participation also drew mild gains. Each of these news items saw a positive 24-hour reaction, suggesting the market has rewarded execution- and reputation-focused updates similar in tone to today’s certification announcement.

Market Pulse Summary

This announcement underscores ICF’s focus on cybersecurity capabilities, with CMMC Level 2 certifica...

Analysis

This announcement underscores ICF’s focus on cybersecurity capabilities, with CMMC Level 2 certification supporting work on controlled unclassified information for U.S. defense and civilian agencies. Recent history shows steady positive stock responses to contract wins and reputation-enhancing news. Filings also point to mixed fundamentals, including Q3 2025 revenue of $465.4M, long-term debt of $449.4M, and reduced unfulfilled obligations of $0.9B, which remain important context for evaluating future developments.

Key Terms

cybersecurity maturity model certification (cmmc) level 2, controlled unclassified information, authorizations to operate (ato), certified third party assessor organization (c3pao)

4 terms

cybersecurity maturity model certification (cmmc) level 2 technical

"announced that it has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2."

A Cybersecurity Maturity Model Certification (CMMC) Level 2 is a government-backed standard that verifies an organization has implemented intermediate cybersecurity practices to protect controlled unclassified information, especially in defense-related supply chains. It matters to investors because achieving Level 2 reduces the risk of losing contracts, regulatory penalties, or reputational damage from data breaches, much like upgrading from basic locks to a monitored alarm system lowers the chance and cost of a break-in.

controlled unclassified information technical

"practices that safeguard controlled unclassified information across its operations."

Controlled unclassified information (CUI) is government or contract-related material that is not a classified secret but still requires restricted handling, storage, and sharing. Think of it as a sensitive file in a locked cabinet: it isn’t top secret, but mishandling can lead to legal, contractual, or reputational harm. For investors, CUI matters because failures to protect it can trigger fines, lost contracts, and increased compliance risk that may affect a company’s value.

authorizations to operate (ato) regulatory

"help federal clients mitigate potential delays in obtaining Authorizations to Operate (ATO)"

An authorization to operate (ATO) is an official regulatory or agency approval that allows a product, service, or system to be used in a regulated environment. Think of it like a building permit or driver's license: it signals that the offering meets required safety, security and compliance standards, and losing or lacking an ATO can block or delay revenue, increase legal risk, and affect a company’s valuation and investor confidence.

certified third party assessor organization (c3pao) regulatory

"following the completion of an in-depth review by a Certified Third Party Assessor Organization (C3PAO)"

A Certified Third Party Assessor Organization (C3PAO) is an independent, accredited firm that inspects and verifies a provider’s security and compliance controls for regulated cloud services, similar to a licensed building inspector checking a structure for safety. Investors care because a C3PAO’s stamp reduces uncertainty about data security and regulatory risk, which can affect a company’s costs, legal exposure, and reputation.

AI-generated analysis. Not financial advice.

Certification Shows Commitment to Safeguarding Sensitive National Security Data

RESTON, Va., Feb. 5, 2026 /PRNewswire/ -- ICF (NASDAQ:ICFI), a leading global solutions and technology provider, today announced that it has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2. This certification confirms ICF's ability to meet stringent federal cybersecurity standards when supporting U.S. defense and civilian agency programs.

CMMC Level 2 certification reflects the adoption of cybersecurity practices that safeguard controlled unclassified information across its operations. Having received it, ICF can help federal clients mitigate potential delays in obtaining Authorizations to Operate (ATO), enabling faster program launches and reducing implementation risks.

ICF secured the certification following the completion of an in-depth review by a Certified Third Party Assessor Organization (C3PAO), having met required CMMC Level 2 controls and fulfilling all assessment objectives.

"Securing CMMC Level 2 certification is a significant milestone for ICF and reflects our dedication to maintaining the highest standards of cybersecurity in our operations to meet defense contract requirements," said Kyle Tuberson, ICF chief technology officer. "As cyber threats continue to evolve, we remain focused on providing advanced, highly effective data modernization solutions designed to safeguard federal systems in an increasingly complex digital environment."

As a trusted partner to government and a leader in technology solutions, ICF brings together deep domain expertise with leading-edge technologies and advanced analytics to help government and industry anticipate, withstand and recover from cyber and infrastructure risks. From strategy to execution, ICF supports public sector clients in reducing time-to-value, accelerating mission outcomes and transforming service delivery to help them achieve measurable results.

About ICF
ICF is a leading global solutions and technology provider with approximately 9,000 employees. At ICF, business analysts and policy specialists work together with digital strategists, data scientists and creatives. We combine unmatched industry expertise with cutting-edge engagement capabilities to help organizations solve their most complex challenges. Since 1969, public and private sector clients have worked with ICF to navigate change and shape the future. Learn more at icf.com. 

Caution Concerning Forward-looking Statements
Statements that are not historical facts and involve known and unknown risks and uncertainties are "forward-looking statements" as defined in the Private Securities Litigation Reform Act of 1995. Such statements may concern our current expectations about our future results, plans, operations and prospects and involve certain risks, including those related to the government contracting industry generally; our particular business, including our dependence on contracts with U.S. federal government agencies; our ability to acquire and successfully integrate businesses; and various risks and uncertainties related to health epidemics, pandemics, and similar outbreaks. These and other factors that could cause our actual results to differ from those indicated in forward-looking statements that are included in the "Risk Factors" section of our securities filings with the Securities and Exchange Commission. The forward-looking statements included herein are only made as of the date hereof, and we specifically disclaim any obligation to update these statements in the future.

Contact: Lauren Dyke, lauren.dyke@ICF.com, +1.571.373.5577

View original content to download multimedia:https://www.prnewswire.com/news-releases/icf-achieves-cybersecurity-maturity-model-certification-cmmc-level-2-302680371.html

SOURCE ICF

FAQ

What does ICF's CMMC Level 2 certification mean for federal contracts (ICFI)?

ICF's CMMC Level 2 certification confirms compliance with required cybersecurity controls for controlled unclassified information. According to the company, this should help reduce potential delays in obtaining Authorizations to Operate and speed federal program launches by meeting defense and civilian agency security expectations.

Who assessed ICF to grant the CMMC Level 2 certification (ICFI)?

A Certified Third Party Assessor Organization (C3PAO) completed the assessment and verified controls. According to the company, the C3PAO review confirmed ICF met all CMMC Level 2 assessment objectives and required security controls across its operations.

How will ICF's cybersecurity certification affect its ability to win defense work (ICFI)?

The certification strengthens ICF's qualification to support defense and civilian agency programs that handle controlled unclassified information. According to the company, achieving CMMC Level 2 reduces implementation risk and can enable faster onboarding for programs requiring rigorous cybersecurity standards.

Does ICF's CMMC Level 2 certification change its service offerings for government clients (ICFI)?

The certification reinforces ICF's existing cybersecurity and data modernization services for government clients. According to the company, it bolsters the firm's ability to protect federal systems and deliver mission outcomes with improved time-to-value and reduced security-related delays.

When was ICF's CMMC Level 2 certification announced and which stock symbol is affected (ICFI)?

ICF announced the certification on February 5, 2026, under the stock symbol ICFI. According to the company, the milestone reflects its commitment to cybersecurity and readiness to support defense and civilian agencies handling controlled unclassified information.