Complete Guide · Based on NIST 800-171 Rev 2

CMMC 2.0 for DIB Contractors

Everything you need to understand the certification process — from what CUI is to what happens on assessment day. No consultant, no jargon.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that requires defense contractors to implement and, in many cases, have independently verified cybersecurity practices before they can be awarded or continue performing on federal contracts that involve sensitive defense information.

CMMC 2.0 — the current version — was codified by the CMMC Final Rule (32 CFR Part 170), published in the Federal Register on October 15, 2024 and effective December 16, 2024. The companion DFARS Final Rule (DFARS Case 2019-D041, updating 252.204-7021) was published September 10, 2025, with phased applicability to solicitations beginning November 10, 2025. Together they consolidate cybersecurity requirements previously scattered across multiple clauses (DFARS 252.204-7012, DFARS 252.204-7020) into a single, tiered certification framework.

Bottom line: If your organization handles federal contract information or controlled unclassified information for the DoD, CMMC will eventually apply to your contracts. The sooner you understand what's required, the more time you have to close gaps.

Who Needs Certification?

CMMC applies to any organization in the Defense Industrial Base (DIB) — the network of companies that supply goods and services to the DoD. This includes:

  • Prime contractors and direct DoD suppliers
  • Subcontractors at any tier who receive or handle CUI or FCI
  • Manufacturers, software developers, logistics firms, and professional service providers
  • Cloud service providers that store or process CUI on behalf of a contractor

CMMC requirements flow down the supply chain. If a prime contractor handles CUI, they are required to ensure their subcontractors do too — and contractually obligate them accordingly. Being a subcontractor does not exempt you. See the dedicated guide on DFARS 252.204-7012(m) flow-down obligations for the operational details on both sides of that relationship.

Check your contracts: Look for DFARS clauses 252.204-7012, 252.204-7019, and 252.204-7021 in your existing contracts. Their presence signals what level of compliance is already expected of you today.

Understanding CUI

Controlled Unclassified Information (CUI) is government-created or government-owned information that requires safeguarding but is not classified. It's the trigger for CMMC's most demanding requirements. The authoritative list of CUI categories is maintained by the National Archives in the NARA CUI Registry.

CUI categories relevant to DIB contractors include:

  • Technical Data — engineering drawings, specifications, manufacturing processes
  • Export Controlled — information subject to ITAR or EAR
  • Procurement and Acquisition — source selection information, contract data
  • Military Operations — operational planning data, force protection information

Federal Contract Information (FCI) is a broader, less sensitive category — it's information provided by or generated for the government under a contract that is not intended for public release. FCI triggers Level 1 requirements; CUI triggers Level 2.

Practical step: Before you can assess your compliance posture, you need to know where your CUI lives — which systems store it, which applications process it, who can access it, and how it leaves your environment. This boundary-definition exercise is the foundation of your System Security Plan. Most small contractors compress scope by routing CUI into a dedicated CUI enclave rather than hardening every system in the organization.

The Three CMMC Levels

CMMC 2.0 has three certification levels, each building on the previous:

Level   | Name         | Requirements                                                 | Assessment                                                                                     | Applies to
Level 1 | Foundational | 17 CMMC L1 practices (15 from FAR 52.204-21 + 2 additional) | Annual self-attestation by a senior company official                                           | Contractors handling FCI only
Level 2 | Advanced     | 110 practices (NIST SP 800-171 Rev 2)                        | Triennial third-party (C3PAO) assessment, or annual self-attestation for non-critical programs | Contractors handling CUI — the majority of DIB
Level 3 | Expert       | 110+ practices (NIST SP 800-172 enhancements)                | Government-led assessment by DCSA                                                              | Contractors on the most critical DoD programs

The vast majority of DIB contractors will target Level 2. If you handle CUI — which includes most meaningful defense subcontracts — Level 2 is your target. For a more detailed walkthrough of how to read your contracts and determine which level applies to your work, see the Choosing Your CMMC Level guide.

NIST SP 800-171 Requirements

Level 2 is built entirely on NIST Special Publication 800-171 Revision 2, which contains 110 security requirements organized into 14 control families:

Family                          | Abbrev. | Requirements | Focus
Access Control                  | AC      | 22           | Who can access what, and under what conditions
Awareness & Training            | AT      | 3            | Security training requirements for all personnel
Audit & Accountability          | AU      | 9            | Logging, log review, and accountability for actions
Configuration Management        | CM      | 9            | Secure baselines, change control, software inventory
Identification & Authentication | IA      | 11           | Unique IDs, passwords, MFA
Incident Response               | IR      | 3            | Detecting, reporting, and recovering from incidents
Maintenance                     | MA      | 6            | Secure maintenance practices
Media Protection                | MP      | 9            | Protecting and sanitizing media containing CUI
Personnel Security              | PS      | 2            | Screening, termination, and transfer procedures
Physical Protection             | PE      | 6            | Physical access controls to CUI systems
Risk Assessment                 | RA      | 3            | Identifying and managing risk to CUI
Security Assessment             | CA      | 4            | SSP, POA&M, and control monitoring
System & Comms. Protection      | SC      | 16           | Network segmentation, encryption, boundary controls
System & Info. Integrity        | SI      | 7            | Patching, malware protection, security monitoring

Each requirement has associated assessment objectives — specific, testable conditions that an assessor verifies. The companion publication NIST SP 800-171A Rev 2 defines 320 assessment objectives across the 110 requirements, together with the assessment procedures assessors use to test them (NIST SP 800-171A Rev 3 increased this to 422 objectives, but Rev 3 is not yet adopted by CMMC).

SPRS Scoring

The Supplier Performance Risk System (SPRS) is the DoD database where contractors self-report their NIST 800-171 implementation score. Contracting officers check this score during source selection. Scoring weights are defined in the DoD Assessment Methodology v1.2.1.

The scoring methodology works as follows:

  • You start with a baseline of 110 points
  • Each unimplemented requirement subtracts a weighted point value (1, 3, or 5 points)
  • The minimum possible score is −203 per the DoD Assessment Methodology v1.2.1; the maximum is +110
  • A perfect score means all 110 requirements are fully implemented

High-value requirements: Requirements in Access Control (AC), Identification & Authentication (IA), and System & Communications Protection (SC) carry higher point weights. Closing gaps in these families improves your SPRS score most efficiently.

Your SPRS score must be submitted by a senior company official and is legally attested. Submitting a materially inaccurate score exposes your organization to False Claims Act liability. Don't guess — assess properly.
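To make the scoring rule above concrete (and the "prioritize gaps by SPRS impact" advice in the Getting Started steps), here is an added Python calculator that is not part of this guide or of SPRS itself: given a weight table and an implementation status per requirement, it returns the score and the open gaps in POA&M priority order, and, going slightly beyond the page, applies the methodology's partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The weight subset and the status map are constructed samples; the real weights for all 110 requirements come from Annex A of the DoD Assessment Methodology v1.2.1.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

BASELINE = 110    # every contractor starts at 110 points
MIN_SCORE = -203  # floor stated in the DoD Assessment Methodology v1.2.1

# CONSTRUCTED subset of the weight table (requirement id -> 1, 3 or 5 points).
# Check every value against Annex A of the methodology; a real score needs all 110.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.3.1": 5, "3.3.2": 3,
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5, "3.13.1": 5, "3.13.11": 5,
    "3.14.1": 5, "3.14.2": 5,
}
# The methodology grants partial credit for exactly two requirements: 3.5.3 (MFA) and
# 3.13.11 (FIPS crypto) lose 3 points instead of 5 when partial. All others are all-or-nothing.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
Gap = namedtuple("Gap", "requirement deduction status")

def sprs_score(weights: Dict[str, int], status: Dict[str, str]) -> Tuple[int, List[Gap]]:
    """Return (score, open gaps ordered by SPRS impact, i.e. POA&M priority).
    status maps requirement id -> "implemented" | "partial" | "not_implemented"; an id
    absent from status scores as not implemented (no credit for an unassessed control)."""
    gaps: List[Gap] = []
    for req, weight in weights.items():
        st = status.get(req, "not_implemented")
        if st == "implemented":
            continue
        if st == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req}: no partial credit exists; score it as not implemented")
            gaps.append(Gap(req, PARTIAL_DEDUCTION[req], st))
        elif st == "not_implemented":
            gaps.append(Gap(req, weight, st))
        else:
            raise ValueError(f"{req}: unknown status {st!r}")
    score = BASELINE - sum(g.deduction for g in gaps)
    if not MIN_SCORE <= score <= BASELINE:
        raise ValueError("score out of range: the weight table is wrong")
    # Biggest deduction first; ties in numeric requirement order (3.1.3 before 3.1.20).
    gaps.sort(key=lambda g: (-g.deduction, tuple(int(p) for p in g.requirement.split("."))))
    return score, gaps

# Constructed posture: no central logging, flaw remediation missing, MFA and FIPS
# crypto only partial, and 3.14.2 never assessed (so it scores as a 5-point gap).
SAMPLE_STATUS = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
    "3.1.20": "implemented", "3.3.1": "not_implemented", "3.3.2": "implemented",
    "3.5.1": "implemented", "3.5.2": "implemented", "3.5.3": "partial",
    "3.13.1": "implemented", "3.13.11": "partial", "3.14.1": "not_implemented",
}
```

Calling `sprs_score(SAMPLE_WEIGHTS, SAMPLE_STATUS)` on this constructed posture gives 88, with the three 5-point gaps listed first; note that the unassessed 3.14.2 costs as much as a known failure, which is why the guide tells you to assess every requirement rather than guess.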

Your SSP and POA&M

Two documents are central to CMMC compliance:

System Security Plan (SSP)

The SSP is the governing document for your CMMC program. It describes:

  • The authorization boundary — which systems are in scope
  • CUI data flows — how CUI enters, moves through, and exits your environment
  • How your organization implements each of the 110 requirements
  • Roles and responsibilities for security
  • Interconnections to external systems

The SSP must be specific to your environment. Generic, boilerplate SSPs are a leading cause of C3PAO assessment failures — assessors verify that what you've written matches what they observe.

Plan of Action and Milestones (POA&M)

The POA&M documents all requirements you have not yet fully implemented. For each open item it must include:

  • The specific requirement and why it is not yet met
  • The compensating controls currently in place
  • The responsible owner and target completion date
  • Milestones tracking progress toward remediation

A POA&M is not a weakness — it demonstrates that you know what's missing and have a credible plan to fix it. Assessors expect to see one; what they don't want to see is surprises.

The C3PAO Assessment

For Level 2 contracts requiring a third-party assessment, you'll work with a Certified Third-Party Assessment Organization (C3PAO) — an accredited firm authorized by the Cyber AB to conduct CMMC assessments. Authorized C3PAOs can be found in the Cyber AB Marketplace. For practical guidance on selecting one, see Choosing a C3PAO; for what actually happens during the assessment itself, see the Assessment Day Playbook.

The typical assessment process:

  1. Pre-assessment — You submit your SSP and supporting documentation. The C3PAO reviews it and schedules an on-site or remote assessment.
  2. Assessment — Assessors conduct interviews with system owners and users, observe technical controls in action, and review evidence. This typically takes 3–5 days for a mid-size organization.
  3. Findings & adjudication — The C3PAO produces findings. You can contest factual errors. Remaining deficiencies become POA&M items.
  4. Certification decision — The Cyber AB reviews the assessment package and issues a CMMC certificate if criteria are met. Certificates are valid for 3 years.

Conditional certification: You may receive a conditional CMMC Level 2 certificate if you have a limited number of open POA&M items with credible remediation plans. Not all deficiencies prevent certification — but high-weighted requirements generally must be addressed first.

Common Gap Areas

Based on assessment data across DIB organizations, these control families have the highest rate of deficiency findings:

  • Audit & Accountability (AU) — Many organizations lack centralized log management or haven't configured logging on all CUI systems.
  • Identification & Authentication (IA) — MFA is required for privileged and remote access; many organizations have partial or no MFA implementation.
  • Configuration Management (CM) — Secure baseline configurations are often undocumented; unauthorized software is common.
  • Risk Assessment (RA) — Vulnerability scanning is either absent or not performed at the required frequency.
  • System & Communications Protection (SC) — Network segmentation between CUI and general-use systems is frequently incomplete.
  • Incident Response (IR) — IR plans exist but haven't been tested; reporting procedures for CUI incidents aren't documented.

Primary Sources

The authoritative documents underlying every CMMC Level 2 requirement:

Getting Started

The path to CMMC Level 2 follows a predictable sequence. Here's where to begin:

  1. Define your CUI boundary. Identify every system that creates, processes, stores, or transmits CUI. This scoping decision drives everything else.
  2. Conduct a gap assessment. Evaluate your current practices against all 110 NIST 800-171 requirements. Calculate your current SPRS score honestly.
  3. Build your POA&M. Prioritize gaps by SPRS impact and effort. Assign owners and realistic timelines.
  4. Draft your SSP. Document how you implement each requirement, even partially-met ones. Be accurate — don't describe what you aspire to, describe what you actually do.
  5. Remediate systematically. Work through your POA&M, closing gaps in priority order and gathering evidence as you go.
  6. Prepare for assessment. When your POA&M is largely closed, conduct an internal pre-assessment walkthrough before engaging a C3PAO.

Use our resources. Browse the full resource library for control family guides, SSP templates, and more — all free.