What Are the CMMC Requirements for DoD Contractors?

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense framework that requires contractors and subcontractors to meet specific cybersecurity standards before they can win or keep DoD contracts. The program has three levels, each tied to the sensitivity of the data you handle, ranging from 17 basic security practices at Level 1 to more than 130 combined requirements at Level 3.

What CMMC Is and Who Needs It

CMMC applies to any company in the defense industrial base that processes, stores, or transmits federal information as part of a DoD contract. That includes prime contractors, subcontractors, and suppliers at every tier of the supply chain. If your contract involves government data that isn’t publicly available, CMMC applies to you.

The program exists because the DoD found that many contractors were self-reporting compliance with cybersecurity standards but weren’t actually meeting them. CMMC adds verification to the process, requiring either formal self-assessments or independent third-party audits depending on the level. The specific CMMC level your company needs will be spelled out in the solicitation for each contract.

Two Data Types That Determine Your Level

Your required CMMC level depends on which type of information flows through your systems:

  • Federal Contract Information (FCI) is any information provided by or generated for the government under a contract that isn’t intended for public release. Think of it as routine contract data: delivery schedules, performance reports, or project specifications that aren’t classified but also aren’t public. FCI triggers Level 1.
  • Controlled Unclassified Information (CUI) is a step up. It includes unclassified data that laws or government-wide policies require you to protect because of its potential impact on national security; examples include technical drawings for a weapons system or test data from defense research. CUI triggers Level 2 or Level 3.

If your contract only involves FCI, you’ll need Level 1. If it involves CUI, expect Level 2 at minimum. Contracts involving CUI that is exposed to advanced persistent threats (sophisticated, state-sponsored attackers) will require Level 3.

Level 1: Basic Safeguarding of FCI

Level 1 covers foundational cybersecurity hygiene. It includes 15 security requirements drawn from FAR clause 52.204-21, the federal regulation that has governed basic safeguarding of contractor information systems for years. These are practices most businesses with reasonable IT management already follow: limiting system access to authorized users, authenticating user identities, sanitizing media before disposal, and monitoring who accesses your systems.

The assessment process at Level 1 is straightforward. You perform an annual self-assessment and submit an annual affirmation confirming you meet all 15 requirements. No outside auditor is involved. You enter your results into the Supplier Performance Risk System (SPRS), a DoD database that tracks contractor compliance scores.

Level 2: Broad Protection of CUI

Level 2 is where the requirements expand significantly. It aligns with NIST SP 800-171 Revision 2, a publication from the National Institute of Standards and Technology that lays out 110 security requirements across 14 control families. Those families cover areas like access control, incident response, risk assessment, system and communications protection, and audit and accountability.

In practical terms, Level 2 means your company needs capabilities like multi-factor authentication, encrypted communications, regular vulnerability scanning, documented incident response plans, and audit logs that track who did what on your systems. You also need a System Security Plan (SSP) that documents how your environment meets each of the 110 requirements, along with a Plan of Action and Milestones (POA&M) for any gaps you’re working to close.

The assessment method at Level 2 depends on what the contract solicitation specifies. Some contracts allow a self-assessment every three years with an annual affirmation. Others require an independent assessment conducted by an authorized CMMC Third-Party Assessment Organization, known as a C3PAO. These are companies accredited by the Cyber AB (the CMMC accreditation body) to perform official certification assessments. Only authorized C3PAOs can conduct assessments that result in CMMC certification. Contracts involving more sensitive CUI will typically require the C3PAO route.

Level 3: Protection Against Advanced Threats

Level 3 builds on top of Level 2 and adds 24 requirements drawn from NIST SP 800-172, a companion standard focused on enhanced security measures to defend against advanced persistent threats. Before you can pursue Level 3, you must first achieve a final Level 2 certification.

The assessment process is more rigorous. Every three years, your company undergoes an evaluation conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government-run assessment body rather than a private third party. You also provide an annual affirmation verifying ongoing compliance with all 24 additional requirements. Level 3 applies to a relatively small number of contractors handling the most sensitive unclassified defense information.

The 14 Control Families at Level 2

Since most contractors handling CUI will need Level 2, it helps to understand what the 110 requirements actually cover. NIST SP 800-171 organizes them into 14 families:

  • Access Control: Limiting who can access systems and data, and under what conditions.
  • Awareness and Training: Ensuring employees understand cybersecurity risks and their responsibilities.
  • Audit and Accountability: Logging system activity and being able to trace actions to individual users.
  • Configuration Management: Maintaining secure baseline configurations for hardware and software.
  • Identification and Authentication: Verifying the identity of users and devices before granting access.
  • Incident Response: Detecting, reporting, and responding to cybersecurity incidents.
  • Maintenance: Performing system maintenance securely.
  • Media Protection: Controlling and securing digital and physical media containing CUI.
  • Personnel Security: Screening individuals before granting access to CUI systems.
  • Physical Protection: Restricting physical access to systems and equipment.
  • Risk Assessment: Identifying and evaluating cybersecurity risks to your operations.
  • Security Assessment: Periodically reviewing and testing your security controls.
  • System and Communications Protection: Protecting data in transit and at system boundaries.
  • System and Information Integrity: Identifying and correcting system flaws and monitoring for threats.

Each family contains anywhere from two to more than 20 individual requirements. Access Control is the largest family, while some, such as Personnel Security, have just a handful of controls.

How Assessments Work

For Level 1, the process is entirely internal. You review your own practices against the 15 requirements, document your compliance, and submit your score and affirmation annually.

For Level 2 with a C3PAO assessment, expect a more involved process. The assessor will review your System Security Plan, interview key personnel, examine technical evidence (configuration screenshots, policy documents, log samples), and test whether your controls actually work as described. The assessment results in a score and a certification status. If you have gaps documented in a POA&M, you may receive conditional certification with a deadline to close those gaps.

For Level 3, the DIBCAC assessment follows a similar pattern but is conducted by government assessors with deeper scrutiny of the enhanced controls from NIST SP 800-172.

What Compliance Typically Costs

Costs vary widely depending on the size of your organization, the complexity of your IT environment, and how far you are from meeting the requirements today. Small contractors pursuing Level 1 may need little more than documentation time if their basic security practices are already in place. Level 2 is where costs climb. Companies often need to invest in new security tools (endpoint detection, SIEM platforms for log management, encrypted email), hire or contract cybersecurity staff, and pay for the C3PAO assessment itself. Assessment fees from C3PAOs vary by scope but typically run into the tens of thousands of dollars for a mid-sized organization.

Many small and mid-sized contractors use managed service providers or managed security service providers to fill capability gaps rather than building everything in-house. Some also limit the scope (and cost) of their compliance effort by isolating CUI into a defined enclave, a separate network segment with tighter controls, so the full 110-requirement standard only applies to that smaller environment rather than the entire company network.

Phased Rollout Into Contracts

The DoD is rolling CMMC requirements into contracts through updated DFARS (Defense Federal Acquisition Regulation Supplement) clauses. The rollout is phased, meaning not every contract will require CMMC certification on day one. The requirement will appear in individual solicitations, so you’ll know your obligation before you bid. Over time, CMMC clauses will become standard in contracts involving FCI or CUI, making certification a prerequisite for competing in the defense market.

If you’re a subcontractor, pay close attention: prime contractors are required to flow CMMC requirements down to their subcontractors based on the type of information those subcontractors handle. Even if you’re several tiers removed from the DoD, you may still need certification if CUI or FCI passes through your systems.

Steps to Prepare

Start by identifying what type of data you handle. If you’re not sure whether your contract involves FCI, CUI, or both, your contracting officer or prime contractor can clarify. Once you know your required level, perform a gap assessment against the relevant standard. For Level 2, that means walking through all 110 NIST SP 800-171 requirements and documenting where you comply, where you fall short, and what it will take to close each gap.

Build your System Security Plan and POA&M early. These documents are central to every CMMC assessment, and creating them forces you to map your actual security posture against the requirements in detail. Budget for both the technical remediation (new tools, configurations, training) and the assessment itself. For Level 2 C3PAO assessments, plan several months of lead time, as scheduling availability with accredited assessors can be limited.
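As an added illustration of the gap-assessment and POA&M step described above (not part of the original article or of any DoD tool), a small Python tracker that maps each requirement to its NIST SP 800-171 family, reports per-family coverage, and emits one POA&M row per open gap. Requirement identifiers and family names are the real NIST SP 800-171 ones; the statuses, owners and milestone dates in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

FAMILIES = {  # identifier prefix -> family; NIST SP 800-171 numbers its 14 families 3.1 to 3.14
    "3.1": "Access Control", "3.2": "Awareness and Training", "3.3": "Audit and Accountability",
    "3.4": "Configuration Management", "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection", "3.9": "Personnel Security", "3.10": "Physical Protection",
    "3.11": "Risk Assessment", "3.12": "Security Assessment", "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}
VALID_STATUS = {"met", "not_met", "not_applicable"}

@dataclass
class Requirement:
    rid: str             # NIST SP 800-171 identifier such as "3.5.3"
    summary: str         # one-line paraphrase of the requirement
    status: str          # "met", "not_met" or "not_applicable"
    owner: str = ""      # who closes the gap (POA&M column)
    milestone: str = ""  # target date for closing it (POA&M column)
    def family(self) -> str:
        return FAMILIES[self.rid.rsplit(".", 1)[0]]  # KeyError for an id outside the 14 families

def validate(reqs):  # only known statuses; every gap needs the owner and milestone a POA&M row carries
    for r in reqs:
        if r.status not in VALID_STATUS or (r.status == "not_met" and not (r.owner and r.milestone)):
            raise ValueError(f"{r.rid}: bad status, or a gap without POA&M owner and milestone")

def coverage_by_family(reqs):  # {family: (met, applicable)}; not-applicable items leave the denominator
    met, applicable = defaultdict(int), defaultdict(int)
    for r in (r for r in reqs if r.status != "not_applicable"):
        applicable[r.family()] += 1
        met[r.family()] += 1 if r.status == "met" else 0
    return {f: (met[f], applicable[f]) for f in applicable}

def build_poam(reqs):
    # One POA&M row per unmet requirement, ordered numerically (so 3.1.22 sorts after 3.1.3).
    gaps = sorted((r for r in reqs if r.status == "not_met"),
                  key=lambda r: [int(p) for p in r.rid.split(".")])
    return [{"id": r.rid, "family": r.family(), "gap": r.summary,
             "owner": r.owner, "milestone": r.milestone} for r in gaps]

# Constructed sample: five of the 110 requirements; statuses, owners and dates are invented.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", "met"),
    Requirement("3.1.22", "Control CUI posted on publicly accessible systems", "not_applicable"),
    Requirement("3.5.3", "Use MFA for privileged and network access", "not_met", "IT lead", "2025-09-30"),
    Requirement("3.6.1", "Establish an incident-handling capability", "not_met", "CISO", "2025-08-15"),
    Requirement("3.13.8", "Encrypt CUI in transit", "met"),
]
```

A real walkthrough feeds all 110 requirements through the same functions; an empty POA&M is the state you want before scheduling the C3PAO assessment.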