CMMC is a framework created by the U.S. Department of Defense (DoD) that requires defense contractors to demonstrate that they protect federal contract information (FCI) and Controlled Unclassified Information (CUI) on their systems.
Once fully implemented, certain DoD contractors that handle these types of sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
That means if your organization works in the Defense Industrial Base (DIB), it's essential you understand what CMMC is, which level applies to you, and by when you need to complete an assessment.

What does CMMC stand for?
CMMC stands for Cybersecurity Maturity Model Certification. Each word is important:
- Cybersecurity emphasizes that the primary goal of CMMC is to enhance DIB cybersecurity to meet evolving threats, not to force contractors to meet a compliance checkbox.
- Maturity model reflects the program's tiered approach: cybersecurity requirements scale with the type and sensitivity of the data you handle, from basic cyber hygiene for companies handling only FCI up to stringent controls for those working with the most sensitive CUI.
- Certification refers to the program's other primary goal: accountability. CMMC's assessment requirements, together with its implementation through contracts, ensure that the DoD and prime contractors verify that the required cybersecurity standards have been implemented before awarding a contract.
The program is managed by the DoD and administered through the Cyber Accreditation Body (CyberAB), which accredits the C3PAOs that conduct third-party assessments.
Why was CMMC created?
CMMC was not created to introduce new cybersecurity requirements to defense contractors. It was created to add a verification component to previous standards and self-attestation regimes, including FAR Clause 52.204-21, NIST 800-171, and DFARS 252.204-7012, to actually reduce the risk to the DoD, the DIB, and the defense information flowing through the supply chain.
Let's take a closer look at the three primary reasons CMMC was created:
1. To meet an increasingly sophisticated national security and threat landscape
The DIB, the network of organizations that supply products, services, and technology to the military, has been a prime target as cyberattacks have risen.
Adversaries seek to exploit vulnerabilities to steal sensitive information and intellectual property. Compromised data can have severe implications, including undermining military operations and technological advantages.
2. To standardize inconsistent cybersecurity practices
Prior to CMMC, information security practices across the DIB varied widely. Many contractors did not have adequate measures in place to protect sensitive information, leading to breaches and compromised data.
By enforcing cybersecurity requirements consistently and uniformly across the entire defense sector, from large prime contractors to small subcontractors, CMMC ensures that all entities within this supply chain meet a baseline level of security. This reduces overall risk across the DoD and ultimately for national security.
CMMC requirements also align with broader regulatory efforts to enhance cybersecurity, including other federal initiatives and policies designed to protect critical infrastructure and sensitive information such as:
- NIST standards,
- the Federal Acquisition Regulation (FAR),
- the Defense Federal Acquisition Regulation Supplement (DFARS),
- various Executive Orders, and
- national cybersecurity initiatives.
3. To increase oversight and accountability of the DIB
Unlike prior self-attestation regimes, CMMC 2.0 introduces third-party assessment and certification requirements for most companies handling CUI.
But CMMC also increases oversight in the self-attestation process by requiring a high-level company officer to sign off and affirm compliance when uploading Level 1 and Level 2 self-assessments. Executive affirmations of compliance are also required annually for Level 2 and 3 contractors with triennial third-party assessment requirements to ensure ongoing compliance throughout the contract period.
Additionally, CMMC is a pre-award requirement, meaning that verification of current CMMC assessment results and scores is required as a condition of contract award. This pre-award verification ensures higher accountability than previous regulations, under which verification happened after award (if at all) under the False Claims Act.
What's the history of CMMC?
CMMC wasn’t built overnight. It’s the result of years of policy evolution to reduce risk across the DIB and protect critical government data from falling into the wrong hands.
Below are some key dates in the history of CMMC 2.0's development:
- 2016: DFARS 7012 introduced a requirement for contractors handling CUI to self-attest to NIST 800-171 implementation by December 31, 2017.
- 2020: The DoD launched CMMC 1.0 with five levels of maturity and mandatory third-party audits for all.
- 2021: In response to industry feedback, DoD made revisions and released CMMC 2.0.
- 2024: The final rule for CMMC 2.0 was published in October and became effective in December.

In 2016, the DoD released DFARS 7012, which required contractors to implement NIST SP 800-171 security controls for protecting CUI. But because it relied on self-attestation, many companies either misunderstood or fell short of fully implementing the framework.
In fact, in 2020, the DoD performed a review of the DIB that uncovered widespread noncompliance with NIST 800-171, including many contractors with Plans of Action and Milestones that wouldn’t have brought them into full compliance until 2099.
In 2021, the DoD introduced the first version of the Cybersecurity Maturity Model Certification, CMMC 1.0. It had five certification levels and mandatory third-party assessments. But the framework proved too rigid and overly complex, and industry pushback led to its revision.
That brings us to CMMC 2.0, announced in late 2021. It simplified the model, reducing five levels to three and offering more flexibility for meeting security and assessment requirements. In December 2024, the final rule was published, making CMMC 2.0 official policy.
However, contract enforcement of CMMC requirements flows through another rule, 48 CFR Part 204 (DFARS).
If you're in the DIB, your next question is not whether CMMC applies to you. It's at which level and when.
What's the CMMC 2.0 Model? An overview of the major changes from CMMC 1.0
Announced in November 2021, CMMC 2.0 (now known simply as CMMC) introduced significant changes from the previous version, CMMC 1.0.
These changes were designed to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses. The goal was to make CMMC more practical and accessible while maintaining robust cybersecurity practices to protect sensitive information.

Let's walk through the major framework updates:
1. Reduced number of levels
CMMC 2.0 reduced the number of certification levels from five to three. These levels represent progressively more demanding requirements, depending on the type of information the organization handles:
- Level 1: Foundational ensures that companies implement basic cybersecurity practices from FAR Clause 52.204-21 to protect FCI.
- Level 2: Advanced aligns with NIST SP 800-171 Rev 2 and is designed for organizations handling CUI.
- Level 3: Expert incorporates additional NIST SP 800-172 controls to protect against Advanced Persistent Threats (APTs). APTs are highly sophisticated and targeted cyberattacks designed to infiltrate a network, remain undetected for extended periods, and systematically extract valuable data.
2. Closer alignment with National Institute of Standards and Technology (NIST) Standards
CMMC 2.0 removed some unique CMMC requirements that were not aligned with existing standards. These were known as the Delta 20 under CMMC 1.0. The streamlined levels and requirements of CMMC 2.0 also focus more precisely on protecting CUI, which is a primary concern for the DoD.
The practices required for Level 2 and Level 3 compliance now align closely with the existing NIST SP 800-171 Revision 2 and NIST SP 800-172 standards, making it easier for organizations already following these frameworks to comply with the CMMC.
3. Self-assessments for certain levels and contract types
Organizations can now perform annual self-assessments for Level 1 compliance instead of requiring third-party assessments.
Level 2 assessments are now split into two categories. Critical contracts still require third-party assessments by a certified third-party assessment organization (C3PAO) every three years. For certain non-critical contracts, Level 2 compliance can be achieved through annual self-assessments rather than third-party assessments, with an affirmation by a senior company official.
Level 3 requires an assessment conducted by the DoD. Organizations seeking Level 3 certification should have first received a Level 2 final certification assessment.
By allowing self-assessments for Level 1 and certain Level 2 contracts, CMMC 2.0 aims to reduce the compliance burden and associated costs, particularly for small and medium-sized businesses.
However, organizations performing self-assessments must have a senior company official affirm the assessment results, which provides stronger accountability.
4. Increased flexibility
CMMC 2.0 also increases the flexibility of implementing requirements. Most notably, under certain limited circumstances, it allows companies to make 180-day Plans of Action & Milestones (POA&Ms) to achieve conditional certification.
It also allows the government to waive inclusion of CMMC requirements, but CMMC waivers are rare and often misunderstood.
A waiver exempts entire contract programs, not individual businesses, meaning that:
- Program management offices can waive requirements for low-risk programs, such as a contract for non-sensitive manufactured goods with no CUI involvement.
- Individual contractors cannot self-apply for waivers.
What are the CMMC requirements?
CMMC requirements split into two categories: security requirements (the controls you implement) and assessment requirements (how those controls are evaluated and scored to prove you implemented them).

Security requirements
CMMC requirements are cumulative. Each higher level includes all the practices from the level below.
- Level 1 consists of 15 foundational practices drawn from FAR 52.204-21, covering basic cyber hygiene across six of the 14 CMMC domains.
- Level 2 adds 95 practices on top of the 15, for a total of 110 requirements that align fully with NIST SP 800-171 Rev 2 across all 14 domains.
- Level 3 adds 24 practices from NIST SP 800-172 on top of the 110 for a total of 134, providing enhanced protection for CUI that's part of the DoD's most critical programs.
The table below shows how Level 1, Level 2, and Level 3 practices stack across all 14 domains:
| Domain | Level 1 practices | Level 2 additional practices | Level 3 additional practices |
|---|---|---|---|
| Access Control | 4 | 18 | 2 |
| Audit & Accountability | — | 9 | — |
| Awareness & Training | — | 3 | 2 |
| Configuration Management | — | 9 | 3 |
| Identification & Authentication | 2 | 9 | 2 |
| Incident Response | — | 3 | 2 |
| Maintenance | — | 6 | — |
| Media Protection | 1 | 8 | — |
| Personnel Security | — | 2 | 1 |
| Physical Protection | 4 | 2 | — |
| Risk Assessment | — | 3 | 7 |
| Security Assessment | — | 4 | 1 |
| System & Communications Protection | 2 | 14 | 1 |
| System & Information Integrity | 2 | 5 | 3 |
| Total | 15 | 95 (110 cumulative) | 24 (134 cumulative) |
Assessment requirements
How your compliance gets verified depends on your CMMC level. The three levels require different types of assessments, described below.
Regardless of level, a named senior company official must submit an annual affirmation into the Supplier Performance Risk System (SPRS).
Level 1: Annual self-assessment
Companies handling only FCI conduct and document their own assessment against the 15 Level 1 practices each year and post results to SPRS. No third party is involved.
Level 2: Self-assessment or third-party C3PAO assessment
Most contractors in the DIB fall here. For Level 2, which assessment type applies depends on the contract and the CUI category involved.
- Self-assessment: Some Level 2 contracts allow contractors to self-assess against all 110 NIST SP 800-171 practices and post results to SPRS annually.
- Third-party assessment: Contracts involving higher-sensitivity CUI categories (including controlled technical information) require a formal assessment by an accredited C3PAO. The C3PAO team evaluates conformity against NIST SP 800-171A, the companion assessment procedures document to NIST SP 800-171, which defines 320 discrete assessment objectives across the 110 controls. Failing any single objective marks the entire control as not met.
At the end of a third-party assessment, there are two possible outcomes: a Final Certificate (all controls met) or a Conditional Certificate (at least 88 of 110 controls met, with no prohibited controls unmet), which gives you 180 days to close the remaining POA&M items before upgrading to Final status. Certificates are valid for three years.
Level 3: Government-led DIBCAC assessment
Level 3 requires holding a Final Level 2 C3PAO status first (meaning a perfect SPRS score of 110 and all POA&M items closed) before requesting a government-led assessment from the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The DIBCAC assessment covers all 24 NIST SP 800-172 practices plus spot-checks of the 110 Level 2 controls.
Is CMMC required?
CMMC is required for any organization in the defense supply chain that handles FCI or CUI. This includes prime contractors and subcontractors alike.
The data you handle determines your level, and with it your security and assessment requirements:
| CMMC level | Data type handled | Security requirements | Assessment trigger criteria | Assessment type | Assessment frequency | Applicable to % of DIB |
|---|---|---|---|---|---|---|
| Level 1 | FCI | 15 basic safeguarding practices required by FAR 52.204-21 | Handle FCI only | Self-assessment | Annual | ~63% |
| Level 2 (Self) | CUI | 110 requirements specified in NIST 800-171 Rev 2 and required by DFARS 7012 | Handle CUI in non-Defense categories of NARA CUI registry | Self-assessment | Every 3 years | ~2% |
| Level 2 (C3PAO) | CUI | 110 requirements specified in NIST 800-171 Rev 2 and required by DFARS 7012 | Handle CUI in Defense categories of NARA CUI registry (e.g., Controlled Technical Information) | C3PAO assessment | Every 3 years | ~35% |
| Level 3 | CUI | 134 requirements (110 from NIST 800-171 Rev 2 and 24 enhanced requirements from NIST 800-172) | Handle CUI associated with "High Priority" programs subject to APTs | DIBCAC assessment | Every 3 years | ~1% |
When is CMMC required?
CMMC is currently required. However, level and assessment requirements are being phased in under an implementation plan that concludes on November 10, 2028.
To understand the timeline and phased rollout of CMMC 2.0, you have to understand the CMMC rulemaking process.
There are two rules behind CMMC:
- 32 CFR Part 170, which took effect December 16, 2024, established the CMMC program across the DoD.
- 48 CFR Part 204 (DFARS), which went into effect November 10, 2025, triggering the actual enforcement of CMMC in contracts by the DoD. Enforcement is happening in four phases, described below.
| Phase | Start date | What changes |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 self-assessment and Level 2 self-assessment required as a condition of contract award for all applicable solicitations and contracts. DoD may also include Level 2 C3PAO assessment at its discretion in place of Level 2 self-assessment. |
| Phase 2 | November 10, 2026 | Level 2 C3PAO assessment may be required as a condition of contract award for applicable contracts. DoD may delay the requirement to an option period rather than initial contract award. Level 3 may be required at DoD's discretion for applicable contracts. |
| Phase 3 | November 10, 2027 | Level 2 C3PAO assessment required as a condition of contract award for all applicable solicitations and contracts. Level 3 continues to be phased in at DoD's discretion. |
| Phase 4 | November 10, 2028 | Full CMMC implementation across all applicable contracts, including Level 3 for contracts involving critical DoD programs subject to advanced persistent threats. |
Critical note: The government phased rollout described above applies only to prime contractors that work directly with the DoD. If you are a subcontractor, your CMMC deadline is set by your prime. And many primes have already begun enforcing these requirements across their own supply chains and favoring subcontractors who are proactively prepared.
Boeing, Elbit Systems of America, and L3Harris have already issued supplier notices requiring their suppliers to achieve CMMC Level 2 (C3PAO) certification or show proof of readiness ahead of Phase 2. L3Harris Missile Systems even set a supplier deadline of July 30, 2025.
In other words, the DoD's phased implementation of CMMC began on November 10, 2025, and while it is so far primarily limited to self-assessments, third-party assessment requirements for Level 2 are already appearing in solicitations and contracts.
So even if these requirements aren't in your organization’s DoD contract by a certain date, it's important to start your CMMC readiness work now to remain competitive within the DoD marketplace.
What is CMMC certification?
CMMC certification technically refers to the result of a Level 2 certification assessment conducted by a C3PAO or a Level 3 certification assessment conducted by the DIBCAC.
The term is often used loosely to mean that an organization has met the cybersecurity standards of whatever CMMC level the DoD requires for handling FCI and CUI. However, the CMMC Program Rule distinguishes between a CMMC self-assessment and CMMC certification.
For example, here's the DoD's response to one comment received during the rulemaking process:
"The Department remains committed to implementing the CMMC program to require compliance assessment against applicable security requirements in all DoD contracts involving FCI or CUI. Some such contracts will require only a CMMC self-assessment, while others will require a certification assessment."
Below we briefly explain the benefits of completing a CMMC certification assessment over a self-assessment if you handle CUI.
Benefits of CMMC certification
- Demonstrated cybersecurity posture: CMMC certification provides third-party verification that an organization has a robust cybersecurity framework in place and follows best practices to protect sensitive information.
- Contract eligibility: Certification is a requirement for organizations wishing to bid on and participate in DoD contracts involving most types of CUI. Without CMMC certification, companies cannot compete for contracts that involve this sensitive information.
- Competitive advantage: Achieving CMMC certification can provide a competitive edge in the market, as it demonstrates a commitment to cybersecurity and compliance, which can be attractive to other potential clients and partners.
- Risk management: The certification process helps organizations identify and mitigate cybersecurity risks, leading to improved overall security and reduced likelihood of data breaches.
- Regulatory compliance: CMMC certification ensures compliance with DoD requirements, which can also help in meeting complementary regulatory and security standards such as NIST CSF, FedRAMP, SOC 2, and NIST SP 800-53.
Understanding the CMMC Assessment Process (CAP)
A CMMC Level 2 third-party assessment is conducted by an accredited C3PAO and follows four phases defined by the CyberAB's CMMC Assessment Process (CAP) document. Below is a brief overview.
Note that these subheadings do not use the official naming convention used in the CAP for each phase.
Phase 1: Pre-assessment
This phase consists of many steps, including but not limited to:
- The C3PAO reviews your System Security Plan (SSP), policies, procedures, and supporting artifacts.
- The assessment team confirms your scope. They don't define it for you. This includes checking that external cloud service providers are FedRAMP Moderate Authorized (listed on the FedRAMP Marketplace) or meet FedRAMP Moderate equivalency standards.
- At the end of this phase, the team makes a go / no-go decision on whether you're ready for the next phase of the assessment.
- Either way, they are required to upload your pre-assessment form into the CMMC version of eMASS, which immediately makes your organization visible to the DoD.
Roughly 25–30% of assessments encounter false starts at Phase 1, according to Fernando Machado, Managing Principal and CISO at the C3PAO Cybersec Investments, who spoke at the Secureframe National Cybersecurity Summit 2026. The most common causes:
- Organizations haven't heard of 800-171A
- Their managed service provider can't produce a shared responsibility matrix
- They're processing CUI in a non-compliant cloud, like Microsoft 365 Commercial
Phase 2: The Actual Assessment
Assessors evaluate conformity with NIST SP 800-171 / 800-171A across a structured schedule, typically spanning several days to cover all 14 control families. At the end of each day, the lead assessor holds a daily checkpoint presenting the controls currently flagged as:
- MET
- NOT MET
- NOT APPLICABLE
- pending additional evidence
If a control is marked "not met" during the assessment, you have up to 10 business days after assessment completion to provide additional evidence, provided it doesn't affect already-met controls and arrives before the assessment findings report is submitted.
Phase 3: Reporting
The lead assessor delivers an out-brief with final MET / NOT MET / NOT APPLICABLE determinations. The CCA acting as the quality assurance individual reviews and uploads everything to the CMMC version of eMASS. SPRS pulls from eMASS daily, so results typically appear in SPRS the following morning.
Phase 4: Certification
This phase brings the CMMC Level 2 certification assessment to its formal conclusion. There are three possible outcomes:
- No Certificate (Failed): The score fell below 88/110, or a control that cannot be placed on a POA&M was not met.
- CMMC Level 2 Final Certificate: All 110 controls and all 320 assessment objectives were met.
- CMMC Level 2 Conditional Certificate: Score ≥ 88/110, no control with a point value greater than 1 is unmet, and none of the specific 1-point controls that are excluded from POA&Ms is unmet. You then have 180 days to close the remaining POA&M items and upgrade to a Final Certificate.
Certificates are valid for three years. A named senior company official must formally affirm compliance by providing their name, title, and contact information and attesting that CMMC compliance will be maintained for the full three-year lifecycle. This is the person the DoD holds accountable if compliance lapses.
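As an added example (not tooling from the DoD, the CyberAB or any C3PAO), the Python below rolls the per-objective results from Phase 2 up to control determinations using the "any failed objective fails the whole control" rule from the Level 2 assessment section, then derives the Phase 4 outcome from the three criteria just listed. Control ids, point values, the POA&M-eligibility flag and all results are constructed placeholders, and any control not in the list is assumed to be met.

```python
"""Roll up NIST SP 800-171A objective results into control determinations
and derive the CMMC Level 2 certificate outcome described in this article.

Added example, not tooling from the DoD, the CyberAB or any C3PAO. Control
ids, point values, POA&M eligibility and the results below are CONSTRUCTED
sample data, not values from the real assessment methodology.
"""
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "NOT APPLICABLE"
    PENDING = "PENDING"  # evidence still outstanding (10-business-day window)


@dataclass
class Control:
    control_id: str
    points: int                    # point value; >1 means it can never be on a POA&M
    objectives: dict[str, Status]  # 800-171A objective id -> assessor result
    poam_allowed: bool = True      # False for 1-point controls excluded from POA&Ms

    def status(self) -> Status:
        """Any single NOT MET objective fails the whole control; a control whose
        objectives are all NOT APPLICABLE is itself NOT APPLICABLE."""
        results = set(self.objectives.values())
        if not results or Status.PENDING in results and Status.NOT_MET not in results:
            return Status.PENDING      # nothing assessed yet, or evidence outstanding
        if Status.NOT_MET in results:
            return Status.NOT_MET
        if results == {Status.NA}:
            return Status.NA
        return Status.MET


TOTAL_CONTROLS = 110   # NIST SP 800-171 Rev 2 requirements at Level 2
CONDITIONAL_MIN = 88   # minimum met-control count for a Conditional Certificate


def outcome(controls: list[Control]) -> str:
    """Return FINAL, CONDITIONAL, FAILED or INCOMPLETE for an assessed control set.

    Assumption for the sample: `controls` stands in for all 110; any control
    not listed is treated as MET, so score = 110 minus the number NOT MET.
    """
    statuses = {c.control_id: c.status() for c in controls}
    if Status.PENDING in statuses.values():
        return "INCOMPLETE"        # wait for the evidence window to close
    unmet = [c for c in controls if statuses[c.control_id] is Status.NOT_MET]
    if not unmet:
        return "FINAL"             # every control (hence every objective) met
    score = TOTAL_CONTROLS - len(unmet)
    if score < CONDITIONAL_MIN:
        return "FAILED"            # below 88/110
    if any(c.points > 1 for c in unmet):
        return "FAILED"            # a control worth more than 1 point is unmet
    if any(not c.poam_allowed for c in unmet):
        return "FAILED"            # a POA&M-ineligible 1-point control is unmet
    return "CONDITIONAL"           # 180 days to close the POA&M items


def poam_items(controls: list[Control]) -> list[str]:
    """Controls that would sit on the 180-day POA&M under a Conditional Certificate."""
    return [c.control_id for c in controls if c.status() is Status.NOT_MET]


def sample_assessment() -> list[Control]:
    """Constructed results: ids and weights are placeholders, not real controls."""
    return [
        Control("C01", 5, {"a": Status.MET, "b": Status.MET}),
        Control("C02", 1, {"a": Status.MET, "b": Status.NOT_MET}),  # one failed objective
        Control("C03", 1, {"a": Status.NA, "b": Status.NA}),        # wholly N/A
        Control("C04", 3, {"a": Status.MET, "b": Status.MET}),
    ]


if __name__ == "__main__":
    ctl = sample_assessment()
    print({c.control_id: c.status().value for c in ctl})
    print(outcome(ctl), poam_items(ctl))
```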
CMMC checklist: How to get CMMC certification
This is a starting-point checklist to assess Level 2 readiness for a CMMC certification assessment. Find the complete control-by-control version of any CMMC level compliance checklist here.
Before you engage a C3PAO:
- Identify all locations where CUI enters, is stored, processed, or transmitted
- Evaluate whether an enterprise or enclave approach would best meet your needs
- Define your CMMC assessment scope and document it in your SSP
- Create other required policies and procedures like a Configuration Management and Incident Response Plan
- Conduct a CMMC gap analysis to understand how your current cybersecurity implementation compares to NIST 800-171 Rev 2
- Confirm all cloud service providers processing CUI are FedRAMP Moderate authorized or equivalent
- Stop using Microsoft 365 Commercial or any other non-compliant cloud offering for CUI, and migrate to GCC High or Google Workspace
- Implement FIPS 140-2 validated cryptography for CUI in transit
- Apply MFA to all endpoints, cloud services, firewalls, and servers that process or provide security protection for CUI
- Produce a shared responsibility matrix if you use a CSP or ESP, like a managed service provider (MSP)
- Use automation when possible to reduce the manual work, cost, and time-to-compliance and simplify continuous compliance
- Conduct a self-assessment using NIST SP 800-171A (not just 800-171)
- Identify and document any POA&Ms with remediation timelines
- Designate the senior official who will affirm compliance
This post was originally published in September 2024 and has been updated on June 25, 2026 for accuracy and comprehensiveness.
FAQs
What does CMMC mean?
CMMC stands for Cybersecurity Maturity Model Certification. It is the DoD's mandatory cybersecurity framework for defense contractors and subcontractors that handle unclassified but sensitive defense information known as FCI or CUI.
Why was CMMC created?
The DoD works with approximately 200,000-300,000 contractors, subcontractors, and service providers, which are collectively referred to as the Defense Industrial Base (DIB). For years, these companies handled sensitive information daily, but many didn’t have consistent security practices. While the DoD released cybersecurity requirements under DFARS 7012, it didn’t have an external assessment or certification requirement to verify that companies were actually protecting sensitive data. This left the DoD exposed to cybersecurity risks and gaps, which adversaries could exploit to siphon off sensitive military data. So the DoD began to move from voluntary compliance under DFARS 7012 to a framework that requires proof of cybersecurity compliance through assessments, certifications, and scores as a condition of contract award. That framework is CMMC.
What is the purpose of CMMC?
The purpose of the Cybersecurity Maturity Model Certification (CMMC) is to enhance the cybersecurity posture of companies working with the U.S. Department of Defense by ensuring they implement standardized cybersecurity practices to protect sensitive information.
Who is required to have CMMC?
All contractors and subcontractors that work with the DoD and handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) are required to have a current CMMC status.
What are the 3 levels of CMMC?
The 3 levels of CMMC 2.0 are:
- Level 1: Foundational - Basic cyber hygiene practices.
- Level 2: Advanced - Intermediate cyber hygiene practices, aligned with NIST SP 800-171.
- Level 3: Expert - Advanced cybersecurity practices, aligned with a subset of NIST SP 800-172.
What is the control overlap between CMMC 2.0/NIST 800-171 and NIST 800-53?
All of the controls in CMMC/NIST 800-171 are derived from NIST 800-53, but not vice-versa. CMMC Level 2 makes up around half of the NIST 800-53 controls, mostly from the Moderate baseline. The other half of NIST 800-53 controls were eliminated during the tailoring process for 800-171 because they are:
- uniquely the responsibility of the federal government
- not directly related to the confidentiality of CUI
- expected to be routinely satisfied by nonfederal organizations
How often are CMMC 2.0 assessments required?
CMMC assessments are required every three years for Levels 2 and 3. Level 1 requires annual self-assessments.
What are the differences between CMMC 2.0 levels?
Level 1 (Foundational) is focused on protecting FCI. Level 2 (Advanced) and Level 3 (Expert) pertain to safeguarding CUI.