What is CMMC?
The Cybersecurity Maturity Model Certification is the DoD's framework for verifying that defense contractors can protect sensitive government information. Here's everything you need to know.
CMMC at a Glance
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard established by the U.S. Department of Defense (DoD) to protect the Defense Industrial Base (DIB) from increasingly sophisticated cyber threats.
Before CMMC, defense contractors were expected to self-attest their compliance with NIST SP 800-171 security requirements. However, audits revealed that many organizations overstated their compliance posture, leaving critical defense information vulnerable. CMMC addresses this gap by requiring independent, third-party verification of cybersecurity controls.
🔑 Key Takeaway
CMMC doesn't introduce entirely new security requirements — it primarily adds a verification mechanism to the existing NIST SP 800-171 framework that defense contractors were already expected to follow under DFARS 252.204-7012.
The Three CMMC Levels
CMMC 2.0 streamlined the original five-level model into three levels, each designed for different types of information sensitivity:
| Level | Name | Controls | Assessment | Protects |
|---|---|---|---|---|
| Level 1 | Foundational | 15 practices | Annual self-assessment | FCI |
| Level 2 | Advanced | 110 practices (NIST 800-171) | Self or C3PAO (triennial) | CUI |
| Level 3 | Expert | 110+ practices (+ NIST 800-172) | Government-led (DIBCAC) | Critical CUI |
Most defense contractors handling technical data will need Level 2 certification.
Who Needs CMMC Certification?
CMMC applies to all organizations in the Defense Industrial Base (DIB) supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI):
Prime Contractors
Large defense primes like Lockheed Martin, Raytheon, and Northrop Grumman — and their direct contract operations.
Subcontractors
Any subcontractor at any tier that processes, stores, or transmits FCI/CUI as part of a DoD contract.
Small Manufacturers
Small and mid-size manufacturers supplying parts, components, or services to defense programs.
IT & MSP Providers
Managed service providers and IT companies that support DIB organizations' infrastructure and data.
CMMC Implementation Timeline
CMMC is being rolled out in phases through the DFARS rulemaking process:
Phase 1 — 2025
Level 1 and Level 2 self-assessments begin appearing in new DoD contract solicitations. Organizations must submit scores to SPRS.
Phase 2 — 2026
Level 2 C3PAO assessments become required for contracts involving critical CUI programs. Third-party certification becomes mandatory.
Phase 3 — 2027
Level 3 government-led assessments (DIBCAC) begin for the most sensitive defense programs.
Phase 4 — 2028
Full CMMC implementation across all applicable DoD contracts. CMMC certification becomes a standard contract requirement.
How to Prepare for CMMC
Whether you're just learning about CMMC or ready to start your certification journey, here are the key steps:
- Determine your required level — Review your DoD contracts to identify whether you handle FCI (Level 1) or CUI (Level 2/3)
- Conduct a gap assessment — Compare your current cybersecurity posture against NIST SP 800-171 requirements
- Define your CUI boundary — Identify where CUI flows in your organization and consider creating a CUI enclave
- Remediate gaps — Implement missing controls, update policies, and deploy required security technologies
- Create your SSP and POA&M — Document your System Security Plan (SSP) and record any remaining items needing remediation in a Plan of Action and Milestones (POA&M)
- Schedule your assessment — Engage a C3PAO or complete your self-assessment
🤖 Get Instant CMMC Answers
ChatCMMC is trained on official DoD CIO, NIST, and Cyber AB documentation. Ask any question about CMMC compliance and get accurate, sourced answers instantly.