
Understanding the Cybersecurity Maturity Model Certification (CMMC)

Jim Carlson (Co-Founder & CEO)

Key Takeaways

  • The CMMC Program is DoD’s approach to enforce cybersecurity across the Defense Industrial Base (DIB).

  • Under the finalized rule, CMMC has three levels of maturity (Levels 1, 2, 3), each with distinct assessment and compliance obligations.

  • The CMMC Program rule (32 CFR Part 170) becomes effective December 16, 2024. (federalregister.gov)

  • A complementary DFARS (48 CFR) rule will embed contractual enforcement; that rule is expected to become effective in late 2025. (whitecase.com)

  • The CMMC model has been simplified: transitional levels and proprietary tiers have been removed, and the structure now aligns with NIST SP 800-171 and SP 800-172. (defense.gov)


Introduction

Cyber threats targeting the Defense Industrial Base (DIB) have grown in frequency and sophistication. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program formalizes cybersecurity assurance expectations for contractors and subcontractors handling sensitive unclassified data. Entities must meet a specific CMMC level to be eligible for DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).


Overview of the CMMC Program

CMMC does not impose brand-new cybersecurity controls; rather, it formalizes how compliance is evaluated and enforced. The rule integrates with existing DoD cybersecurity obligations (such as DFARS clauses and NIST SP 800-171), but introduces external verification, continuous compliance affirmations, and enforcement mechanisms. For deeper insight into regulatory changes impacting contractors, see CMMC changes from previous regulations, including the shift from self-attestation to verification and the alignment with DFARS and NIST SP 800-171.


Key Features of CMMC

  • Tiered Structure: Three levels, each corresponding to a higher maturity and risk sensitivity.

  • Assessment & Verification: Self-assessment, third-party assessment (C3PAO), or government assessment (DIBCAC), depending on level. (defense.gov)

  • Contractual Requirement: Once the DFARS clause rule is final, meeting a required CMMC level will be mandatory for contract award.

  • Governance & Oversight: DoD CIO, the CMMC Accreditation Body, DCSA/DIBCAC, and program offices share oversight.

  • Conditional Certification & POA&Ms: For Levels 2 and 3, limited conditional status (up to 180 days) is allowed while remediating deficiencies via approved POA&Ms.


Protected Information

Types of Information Covered

  • Federal Contract Information (FCI): Information provided by or generated for the Government under a contract that is not intended for public release, consistent with FAR 52.204-21.

  • Controlled Unclassified Information (CUI): Information requiring safeguarding per law, regulation, or government policy under Executive Order 13556 and 32 CFR Part 2002.

Exemptions & Scope Notes

The rule exempts contracts that consist exclusively of commercially available off-the-shelf (COTS) items. Some work, such as fundamental research, may be excluded if it does not involve FCI or CUI.


CMMC Assessment Levels

Level 1: Basic Safeguarding

  • Focus: Protecting FCI on unclassified systems.

  • Requirements: 17 security practices from FAR 52.204-21 (b)(1)(i)–(xv).

  • Assessment: Self-assessment attested annually by a senior official and posted to SPRS.

  • POA&Ms: Not allowed; all practices must be fully implemented.

Level 2: Advanced / General Protection

  • Focus: Protecting CUI.

  • Requirements: 110 controls from NIST SP 800-171 Rev. 2.

  • Assessment: Self-assessment or C3PAO third-party review as directed by DoD.

  • Conditional Status: Limited POA&M use allowed; certain controls cannot use POA&Ms.

  • Frequency: Every three years.

Level 3: Enhanced Protection

  • Focus: Defending against advanced persistent threats.

  • Requirements: All Level 1 and 2 controls plus 24 controls from NIST SP 800-172.

  • Assessment: Government-led assessment by DIBCAC.

  • Conditional Status: Up to 180 days to remediate approved POA&Ms.

  • Frequency: Every three years.

For detailed requirements by maturity level and assessment processes, refer to CMMC Certification Levels & Requirements.


Implementation Phases & Timeline

  • Phase 1: Begins when the DFARS clause rule takes effect; DoD may require Level 1 or 2 self-assessments for new awards or options.

  • Phase 2: One year after Phase 1; C3PAO assessments expand for Level 2.

  • Phase 3: Two years after Phase 1; Level 3 DIBCAC assessments begin.

  • Phase 4: Three years after Phase 1; all DoD solicitations and contracts include CMMC requirements.


CMMC Compliance & Certification Ecosystem

  • CMMC Accreditation Body (CyberAB): Accredits C3PAOs and trains assessors.

  • C3PAOs: Conduct Level 2 assessments and submit results to SPRS.

  • DIBCAC: Conducts Level 3 assessments and audits C3PAOs.

  • Affirming Official: Senior company official who attests to continued compliance annually.

  • CMMC Flowdown: Subcontractors handling FCI or CUI must meet the required CMMC level.

  • SPRS & UIDs: Assessment results are stored in SPRS using unique system identifiers.


Waivers, Exemptions & Conditional Status

  • Waivers: Only DoD program managers may request waivers; contractors cannot self-exempt.

  • Conditional Certification: Levels 2 and 3 may receive conditional status for up to 180 days under approved POA&Ms.

  • COTS Exemption: Contracts for COTS items are excluded from CMMC requirements.


Conclusion

CMMC is a major advancement in how DoD enforces cybersecurity within its supply chain. Contractors and subcontractors handling FCI or CUI must align with the required CMMC level, pass assessments or attestations, and maintain continuous compliance. Early preparation and engagement with accredited assessors are key to securing DoD business. To support your compliance efforts, consider signing up for the CMMC Dashboard free trial – a streamlined platform to manage assessments, POA&Ms, and continuous compliance efficiently.



Frequently Asked Questions

What is the difference between the CMMC Program rule (32 CFR) and the DFARS (48 CFR) rule?

The 32 CFR rule establishes the program framework and assessment requirements. The DFARS rule implements those requirements in contracts and makes them enforceable.

When does CMMC become effective?

The CMMC Program rule takes effect December 16, 2024. The DFARS clause rule is expected later in 2025.

Can contractors request an exemption?

No. Only DoD program officials may grant limited waivers under justified circumstances.

What is conditional certification?

Conditional status allows Levels 2 and 3 organizations up to 180 days to close approved POA&Ms after assessment.

Does CMMC add new controls beyond NIST SP 800-171 and SP 800-172?

No. CMMC formalizes assessment and verification of existing NIST controls rather than introducing new ones.