verified_user
Standardful
Homechevron_rightStandardschevron_rightCMMC 2.0
ActiveInternational Standardupdate Standard Updated: Dec 2024fact_check Fact checked: Jun 28, 2026

CMMC 2.0

Cybersecurity Maturity Model Certification — Defense Industrial Base Cybersecurity Standard

apartmentPublishing Organization:U.S. Department of Defense (DoD)

Standard Introduction

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense program that verifies the cybersecurity practices of defense contractors and subcontractors. The final rule, effective December 2024, establishes three maturity levels to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base.

CMMC 2.0 aligns closely with NIST SP 800-171 requirements and introduces mandatory third-party assessments for contractors handling sensitive CUI. With phased enforcement beginning in November 2025, an estimated 220,000+ defense contractors must achieve the appropriate certification level to remain eligible for DoD contracts.

military_tech

Three Maturity Levels

Streamlined from five to three levels: Level 1 (Foundational, 17 practices), Level 2 (Advanced, 110 practices aligned with NIST SP 800-171), and Level 3 (Expert, NIST SP 800-172 controls).

assignment_ind

Third-Party Assessment

Level 2 requires assessment by Certified Third-Party Assessment Organizations (C3PAOs), while Level 1 allows annual self-assessment. Level 3 requires government-led assessment.

shield

CUI Protection

Specifically designed to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base supply chain.

list_alt CMMC Domains

  • Access Control — limit system access to authorized users
  • Identification & Authentication — verify user identities
  • Media Protection — protect CUI on digital and physical media
  • Physical Protection — limit physical access to systems
  • System & Communications Protection — monitor and protect communications
  • System & Information Integrity — identify and manage flaws
  • Incident Response — establish operational incident handling
  • Risk Assessment — identify and evaluate risk to CUI

Who Needs to Comply?

groups

All contractors and subcontractors in the U.S. Defense Industrial Base (DIB) who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of DoD contracts.

Key Requirements

1

Self-Assessment (Level 1)

Complete an annual self-assessment against 17 basic safeguarding requirements from FAR 52.204-21. Affirm compliance through the Supplier Performance Risk System (SPRS).

2

NIST SP 800-171 Compliance (Level 2)

Implement all 110 security requirements from NIST SP 800-171 Rev 2. Submit to assessment by a C3PAO and achieve a passing score. Maintain a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

3

Plans of Action & Milestones

Document any unmet requirements with specific remediation plans, responsible parties, and target completion dates. POA&Ms must be resolved within 180 days of assessment.

4

Continuous Compliance Affirmation

Senior officials must annually affirm their organization's continued compliance status in SPRS. Certification is valid for three years with annual affirmation required.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Prepare scope, data types & level

Identify contracts, clauses, systems, suppliers, and enclaves that handle FCI or CUI. Determine the required CMMC level, define the assessment boundary, assign a senior accountable official, and establish where SPRS scoring and affirmations will be managed.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis against required practices

Assess Level 1 practices for FCI or the 110 NIST SP 800-171 requirements for Level 2 CUI environments. Build or refresh the System Security Plan, calculate the SPRS score, identify unmet requirements, and determine which gaps are eligible for POA&M treatment.

3
Phase 3schedule Duration: 8-20 weeks

Implement safeguards & prepare assessment

Remediate priority gaps in access control, MFA, logging, vulnerability management, media protection, incident response, and configuration management. Collect objective evidence, train control owners, close POA&M items where required, and schedule the self-assessment or C3PAO assessment.

4
Phase 4schedule Duration: Ongoing

Audit, affirm & maintain eligibility

Submit assessment results and required affirmations in SPRS, maintain evidence between assessment cycles, and monitor suppliers that receive CUI. Reassess after major architecture, contract, or boundary changes and keep POA&M remediation on schedule.

Compliance Checklist

0 / 12

checklist Scope & assessment readiness

checklist Controls & evidence

checklist Reporting & maintenance

CMMC Levels at a glance

The level depends on the type and sensitivity of DoD information handled by the contractor.

AspectLevel 1Level 2Level 3
Information typeFCICUIHigh-priority CUI
Control basisFAR 52.204-21 basic safeguardingNIST SP 800-171 requirementsSelected NIST SP 800-172 enhanced requirements
Assessment modelAnnual self-assessmentSelf-assessment or C3PAO certification, depending on contractGovernment-led assessment
Typical evidencePolicies, screenshots, and practice evidenceSSP, objective evidence, SPRS score, assessment resultsLevel 2 certification plus enhanced protection evidence

Common Misconceptions

cancel
Myth

CMMC is only an IT department project.

check_circle
Reality

CMMC affects contracts, legal representations, supplier flow-down, engineering, facilities, HR, and executive affirmations, not just technical controls.

cancel
Myth

A POA&M can cover any missing requirement.

check_circle
Reality

Only eligible items can be placed on a POA&M, and required high-value safeguards must be implemented before certification or conditional status.

cancel
Myth

Subcontractors are automatically covered by a prime contractor's certification.

check_circle
Reality

Subcontractors that receive FCI or CUI must meet the applicable requirements for their own environment and contract flow-down.

Penalties & Enforcement

warning

Contractors that fail to meet required CMMC levels are ineligible for DoD contract awards. False compliance claims expose contractors to liability under the False Claims Act, with penalties of up to three times the government's damages plus per-claim penalties.

Frequently Asked Questions

Who must comply with CMMC?

expand_more

CMMC applies to Defense Industrial Base contractors and subcontractors that handle Federal Contract Information or Controlled Unclassified Information under DoD contracts. The required level depends on the sensitivity of information and the contract requirements.

What are the three CMMC levels?

expand_more

Level 1 covers basic safeguarding for FCI. Level 2 aligns to the 110 NIST SP 800-171 requirements for CUI and may require either self-assessment or C3PAO certification depending on the contract. Level 3 adds enhanced protections for higher-risk CUI programs and involves government assessment.

What is the difference between FCI and CUI?

expand_more

Federal Contract Information is non-public information provided by or generated for the government under a contract. Controlled Unclassified Information is information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CUI generally triggers the more demanding Level 2 requirements.

What is an SSP?

expand_more

A System Security Plan describes the system boundary, environment, responsible roles, and how each required security requirement is implemented. For CMMC Level 2, a clear and current SSP is essential evidence for both self-assessments and C3PAO assessments.

Can POA&Ms be used for CMMC?

expand_more

Limited POA&M use is allowed for certain unmet requirements under defined conditions, but some high-value requirements must be fully met before a conditional status can be granted. POA&M items must be remediated within the allowed period, commonly 180 days.

How long is a CMMC certification valid?

expand_more

CMMC certifications are generally valid for three years, but organizations must submit annual affirmations and maintain compliance continuously. Material changes to systems, boundaries, or contracts may require reassessment or updated evidence.

How does CMMC relate to NIST SP 800-171?

expand_more

CMMC Level 2 is built around the 110 security requirements in NIST SP 800-171. CMMC adds assessment, scoring, affirmation, and contractual enforcement mechanisms so DoD can verify that contractors protect CUI.

What happens if a contractor falsely claims compliance?

expand_more

False or unsupported cybersecurity representations can create contract risk and potential False Claims Act exposure. Organizations should keep evidence, assessments, SPRS entries, and executive affirmations aligned with the actual control environment.

Official Documentation

View All

Implementation Timeline

new_releases
Jan 2020
CMMC 1.0 released with 5 maturity levels
update
Nov 2021
CMMC 2.0 announced, simplified to 3 levels
drafts
Dec 2023
Proposed rule published for public comment
gavel
Oct 2024
Final program rule published in Federal Register
check_circle
Dec 2024
CMMC 2.0 program rule goes into effect
event
Nov 2025
DFARS acquisition rule effective, phased rollout begins

Related Categories