
Understanding the Cybersecurity Maturity Model Certification (CMMC)


Jim Carlson

2025-03-10 · 11 min read


Key Takeaways

  • The CMMC Program is the Department of Defense’s (DoD) initiative to enhance cybersecurity across the Defense Industrial Base (DIB).
  • CMMC consists of three levels of cybersecurity maturity, requiring varying degrees of assessment and compliance.
  • The final implementation will roll out in phases over three years, affecting contractors and subcontractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
  • The new CMMC certification program took effect on December 16, 2024 and applies to all DoD contracts involving FCI/CUI on unclassified systems, with a limited exemption for contracts involving commercially available off-the-shelf items.
  • The CMMC model has been restructured, eliminating transitional levels and unique security requirements to streamline compliance.

Introduction

Cyber threats against the Defense Industrial Base (DIB) are increasingly frequent and complex, making robust cybersecurity practices a necessity. The Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense (DoD) to assess and ensure compliance with cybersecurity standards. This certification ensures that sensitive defense information is adequately protected throughout the supply chain. Contractors and subcontractors who handle CUI or FCI must achieve a specific CMMC level to be eligible for DoD contracts.

Overview of the CMMC Program

CMMC aligns with the DoD’s existing cybersecurity requirements, introducing a tiered model that mandates increasing levels of security controls based on the type of information being handled. The model provides assurance that contractors are meeting security standards through self-assessments, third-party audits, and government-led evaluations.

Curious about what’s new? Learn more about the key changes, including the shift from self‑attestation to verification, the introduction of new certification levels, and the relationship to DFARS and NIST SP 800‑171.

Key Features of CMMC

  • Tiered Model: Companies must implement security measures at progressively advanced levels based on data sensitivity.
  • Assessment Requirement: Contractors must undergo self-assessments or third-party audits depending on their required CMMC level.
  • Contractual Compliance: Achieving the appropriate CMMC level is a prerequisite for winning DoD contracts.
  • Implementation Authority: CMMC is implemented through the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7210.
  • Oversight and Accreditation: The DoD CIO Office and the Defense Counterintelligence and Security Agency (DCSA) oversee the program. The CMMC Accreditation Body (AB) manages day-to-day operations and accredits Third-Party Assessment Organizations (C3PAOs). The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts Level 3 assessments and oversees C3PAO accreditation.

Protected Information

CMMC focuses on safeguarding two types of information:

  • Federal Contract Information (FCI): Government-provided or contractor-generated data that is not publicly available.
  • Controlled Unclassified Information (CUI): Information requiring safeguarding per government regulations, as outlined in Executive Order 13556 and 32 CFR 2002.


CMMC Assessment Levels

Level 1: Basic Safeguarding of FCI

  • Requirements: Self-assessment against 15 security practices from FAR clause 52.204-21.
  • Assessment: Conducted annually by the Organization Seeking Assessment (OSA).
  • Focus: Protecting Federal Contract Information (FCI).
  • POA&Ms: Not allowed; all security requirements must be met at the time of assessment.

Level 2: Broad Protection of CUI

  • Requirements: 110 security controls from NIST SP 800-171 Rev. 2.
  • Assessment: Either self-assessed or conducted by a Certified Third-Party Assessor Organization (C3PAO) every three years.
  • Focus: Protecting Controlled Unclassified Information (CUI).
  • Scoring: The maximum score is 110 points, with deductions for non-compliance.
  • POA&Ms: Allowed for select requirements, but high-risk security gaps must be resolved within 180 days.

Level 3: Advanced Protection Against Cyber Threats

  • Requirements: 110+ controls from NIST SP 800-171 Rev. 2, plus 24 additional requirements from NIST SP 800-172.
  • Assessment: Triennial government-led assessments conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  • Focus: Enhanced protection against Advanced Persistent Threats (APTs).
  • Scoring: Maximum 24 points, with deductions for unfulfilled requirements.
  • POA&Ms: Allowed for select requirements, as identified in 32 CFR 170.21.

For a deeper dive into the certification process, read our detailed post on CMMC Certification Levels & Requirements to understand the differences between self‑assessments, third‑party assessments (C3PAOs), and government assessments (DIBCAC), along with what contractors need to know.

CMMC Implementation Timeline

  • Phase 1: Early adopters begin Level 1 and Level 2 self-assessments.
  • Phase 2: C3PAO assessments expand to more Level 2 contractors.
  • Phase 3: Level 3 assessments commence under DIBCAC.
  • Phase 4: Full program implementation, making CMMC a mandatory contract requirement.

CMMC Compliance & Certification Ecosystem

  • CMMC Assessor and Instructor Certification Organization (KO): Trains and certifies assessors.
  • C3PAOs: Conduct Level 2 assessments and issue certificates.
  • CMMC Enterprise Mission Assurance Support Service (eMASS): Stores assessment results and transmits scores to Supplier Performance Risk System (SPRS).
  • Senior Official Affirmations: Annual confirmation required for maintaining compliance.
  • CMMC Flowdown Requirements: CMMC obligations extend to all subcontractors handling FCI or CUI.

To find out how these changes will affect your business operations, read more on the impact of CMMC on defense contracts and the supply chain, including details on flow-down requirements to subcontractors.

Waivers and Exemptions

  • Waivers: Only government program managers can request waivers for CMMC requirements. Contractors cannot request exemptions.
  • Timing of CMMC Requirements: Initially required for contract option periods, becoming a prerequisite for new contracts over time.

Conclusion

The CMMC Program is a critical step toward strengthening cybersecurity across the Defense Industrial Base. Contractors must ensure they meet the necessary CMMC requirements to secure and protect sensitive government data. By achieving compliance, organizations can continue doing business with the DoD, safeguard national security interests, and enhance their cybersecurity resilience.
