What Is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is the DoD’s framework for verifying that defense contractors protect Controlled Unclassified Information (CUI). It replaces the previous self-attestation model with verified assessments.

Level 1 — Foundational. 15 basic safeguarding requirements from FAR 52.204-21. Self-assessment only. Covers Federal Contract Information (FCI).

Level 2 — Advanced. 110 security requirements from NIST SP 800-171 Rev 2. Can be self-assessed or assessed by a C3PAO (third-party assessment organization). Covers CUI. This is what this reference covers.

Level 3 — Expert. 110 requirements from Level 2 plus additional requirements from NIST SP 800-172. Assessed by DIBCAC (government assessors). Covers the most sensitive CUI.

CMMC applies to any organization in the Defense Industrial Base (DIB) that handles CUI under DoD contracts. This includes prime contractors, subcontractors, and any company in the supply chain that processes, stores, or transmits CUI.

The required CMMC level will be specified in the contract solicitation (Section L) and evaluation criteria (Section M).

Before CMMC, contractors self-attested to NIST 800-171 compliance. Many claimed compliance without actually meeting the requirements. CMMC adds verification — either through self-assessment with senior official affirmation (Level 2 self) or through independent third-party assessment (Level 2 certification).