CMMC 2.0
Cybersecurity Maturity Model Certification — Defense Industrial Base Cybersecurity Standard
Standard Introduction
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense program that verifies the cybersecurity practices of defense contractors and subcontractors. The final rule, effective December 2024, establishes three maturity levels to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base.
CMMC 2.0 aligns closely with NIST SP 800-171 requirements and introduces mandatory third-party assessments for contractors handling sensitive CUI. With phased enforcement beginning in November 2025, an estimated 220,000+ defense contractors must achieve the appropriate certification level to remain eligible for DoD contracts.
Three Maturity Levels
Streamlined from five to three levels: Level 1 (Foundational, 17 practices), Level 2 (Advanced, 110 practices aligned with NIST SP 800-171), and Level 3 (Expert, NIST SP 800-172 controls).
Third-Party Assessment
Level 2 requires assessment by Certified Third-Party Assessment Organizations (C3PAOs), while Level 1 allows annual self-assessment. Level 3 requires government-led assessment.
CUI Protection
Specifically designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base supply chain.
list_alt CMMC Domains
- Access Control — limit system access to authorized users
- Identification & Authentication — verify user identities
- Media Protection — protect CUI on digital and physical media
- Physical Protection — limit physical access to systems
- System & Communications Protection — monitor and protect communications
- System & Information Integrity — identify and manage flaws
- Incident Response — establish operational incident handling
- Risk Assessment — identify and evaluate risk to CUI
Who Needs to Comply?
All contractors and subcontractors in the U.S. Defense Industrial Base (DIB) who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts.
Key Requirements
Self-Assessment (Level 1)
Complete an annual self-assessment against 17 basic safeguarding requirements from FAR 52.204-21. Affirm compliance through the Supplier Performance Risk System (SPRS).
NIST SP 800-171 Compliance (Level 2)
Implement all 110 security requirements from NIST SP 800-171 Rev 2. Submit to assessment by a C3PAO and achieve a passing score. Maintain a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
Plans of Action & Milestones
Document any unmet requirements with specific remediation plans, responsible parties, and target completion dates. POA&Ms must be resolved within 180 days of assessment.
Continuous Compliance Affirmation
Senior officials must annually affirm their organization's continued compliance status in SPRS. Certification is valid for three years with annual affirmation required.
Implementation Roadmap
Prepare scope, data types & level
Identify contracts, clauses, systems, suppliers, and enclaves that handle FCI or CUI. Determine the required CMMC level, define the assessment boundary, assign a senior accountable official, and establish where SPRS scoring and affirmations will be managed.
Gap analysis against required practices
Assess Level 1 practices for FCI or the 110 NIST SP 800-171 requirements for Level 2 CUI environments. Build or refresh the System Security Plan, calculate the SPRS score, identify unmet requirements, and determine which gaps are eligible for POA&M treatment.
Implement safeguards & prepare assessment
Remediate priority gaps in access control, MFA, logging, vulnerability management, media protection, incident response, and configuration management. Collect objective evidence, train control owners, close POA&M items where required, and schedule the self-assessment or C3PAO assessment.
Audit, affirm & maintain eligibility
Submit assessment results and required affirmations in SPRS, maintain evidence between assessment cycles, and monitor suppliers that receive CUI. Reassess after major architecture, contract, or boundary changes and keep POA&M remediation on schedule.
Compliance Checklist
checklist Scope & assessment readiness
checklist Controls & evidence
checklist Reporting & maintenance
CMMC Levels at a glance
The level depends on the type and sensitivity of DoD information handled by the contractor.
| Aspect | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Information type | FCI | CUI | High-priority CUI |
| Control basis | FAR 52.204-21 basic safeguarding | NIST SP 800-171 requirements | Selected NIST SP 800-172 enhanced requirements |
| Assessment model | Annual self-assessment | Self-assessment or C3PAO certification, depending on contract | Government-led assessment |
| Typical evidence | Policies, screenshots, and practice evidence | SSP, objective evidence, SPRS score, assessment results | Level 2 certification plus enhanced protection evidence |
Common Misconceptions
CMMC is only an IT department project.
CMMC affects contracts, legal representations, supplier flow-down, engineering, facilities, HR, and executive affirmations, not just technical controls.
A POA&M can cover any missing requirement.
Only eligible items can be placed on a POA&M, and required high-value safeguards must be implemented before certification or conditional status.
Subcontractors are automatically covered by a prime contractor's certification.
Subcontractors that receive FCI or CUI must meet the applicable requirements for their own environment and contract flow-down.
Penalties & Enforcement
Contractors that fail to meet required CMMC levels are ineligible for DoD contract awards. False compliance claims expose contractors to liability under the False Claims Act, with penalties of up to three times the government's damages plus per-claim penalties.
Frequently Asked Questions
Who must comply with CMMC?
expand_more
CMMC applies to Defense Industrial Base contractors and subcontractors that handle Federal Contract Information or Controlled Unclassified Information under DoD contracts. The required level depends on the sensitivity of information and the contract requirements.
What are the three CMMC levels?
expand_more
Level 1 covers basic safeguarding for FCI. Level 2 aligns to the 110 NIST SP 800-171 requirements for CUI and may require either self-assessment or C3PAO certification depending on the contract. Level 3 adds enhanced protections for higher-risk CUI programs and involves government assessment.
What is the difference between FCI and CUI?
expand_more
Federal Contract Information is non-public information provided by or generated for the government under a contract. Controlled Unclassified Information is information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CUI generally triggers the more demanding Level 2 requirements.
What is an SSP?
expand_more
A System Security Plan describes the system boundary, environment, responsible roles, and how each required security requirement is implemented. For CMMC Level 2, a clear and current SSP is essential evidence for both self-assessments and C3PAO assessments.
Can POA&Ms be used for CMMC?
expand_more
Limited POA&M use is allowed for certain unmet requirements under defined conditions, but some high-value requirements must be fully met before a conditional status can be granted. POA&M items must be remediated within the allowed period, commonly 180 days.
How long is a CMMC certification valid?
expand_more
CMMC certifications are generally valid for three years, but organizations must submit annual affirmations and maintain compliance continuously. Material changes to systems, boundaries, or contracts may require reassessment or updated evidence.
How does CMMC relate to NIST SP 800-171?
expand_more
CMMC Level 2 is built around the 110 security requirements in NIST SP 800-171. CMMC adds assessment, scoring, affirmation, and contractual enforcement mechanisms so DoD can verify that contractors protect CUI.
What happens if a contractor falsely claims compliance?
expand_more
False or unsupported cybersecurity representations can create contract risk and potential False Claims Act exposure. Organizations should keep evidence, assessments, SPRS entries, and executive affirmations aligned with the actual control environment.
Official Documentation
CMMC 2.0 Documentation
PDF • defense.gov • Program Documentation
CMMC Program Portal
External Link • dodcio.defense.gov • Official Program Information
NIST SP 800-171 Rev 3
PDF • nist.gov • CUI Protection Requirements