What is CMMC?

The CMMC Program is designed to enforce protection of sensitive unclassified information shared by the DoD with its contractors and subcontractors. It builds on existing security requirements (e.g. DFARS 252.204-7012) by introducing a verification component (C3PAO) to ensure contractors actually implement the required cybersecurity practices.

Historical/Legal Context

2002 Federal Information Security Management Act (FISMA)
This law required federal agencies to develop cost-effective security programs based on risk impact levels. It created a risk-based policy for protecting information in the Federal supply chain and led to the NIST Risk Management Framework. FISMA's modernization amendments in 2014 continued to emphasize the need for secure IT systems.

Executive Order 13556 (November 2010)
This order defined the program for Controlled Unclassified Information (CUI) and directed that such information be protected and consistently marked. CUI policies are implemented through 32 CFR Part 2002, which stipulates requirements, governance and management of CUI and designates the National Archives and Records Administration (NARA) as the CUI Executive Agent.

NIST Special Publication 800-171 (2015)
This publication set the baseline security requirements for protecting CUI in non-federal systems and organizations. DFARS clause 252.204-7012 requires contractors to implement the NIST SP 800-171 controls.

Development of CMMC (2019-2021)
The DoD announced the CMMC program in 2019 to address persistent cyber theft from the defense industrial base. CMMC 1.0 (February 2020) introduced a five-level model; it was implemented as an interim rule requiring contractors to upload a Supplier Performance Risk System (SPRS) score based on NIST SP 800-171 compliance. CMMC 2.0 was announced in November 2021 and streamlined the framework to three maturity levels: foundational, advanced and expert. It removed transitional levels and aligned Level 2 practices directly with NIST SP 800-171.

Formal Rulemaking
In December 2023 the DoD began formal rulemaking. A program rule in 32 CFR Part 170 was finalized on 15 October 2024 (effective 16 December 2024) and defines the CMMC program requirements. A complementary acquisition rule in 48 CFR (DFARS) was issued on 10 September 2025 (effective 10 November 2025) and inserts CMMC requirements into DoD contracts. Together these rules establish CMMC as a regulatory program and trigger the phased rollout.

CMMC Levels, Certification Requirements and Self‑Attestation

Level 1 – Foundational
Designed for contracts where systems will process, store or transmit Federal Contract Information (FCI) only. It comprises 15 basic safeguarding requirements from FAR 52.204-21 and focuses on basic cyber hygiene (e.g., limiting system access, controlling visitor activity, patching vulnerabilities).

Assessment Types: Contractors perform an annual self-assessment and post the score in the Supplier Performance Risk System (SPRS). Under the final acquisition rule, Level 1 self-assessments will be required as a condition of award beginning 10 November 2025.

Level 2 – Advanced
Applies when systems handle CUI. Level 2 includes the 110 security requirements from NIST SP 800-171, which translate to 320 assessment objectives, covering access control, incident response, configuration management and many other domains.

Assessment Types: Most Level 2 contracts will require a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). A small subset of lower-risk Level 2 contracts may allow self-assessment, but contractors still must report scores in SPRS. The final DFARS rule clarifies that DoD will specify in the solicitation whether Level 2 (Self) or Level 2 (C3PAO) applies; this will appear under DFARS 252.204-7025.

Frequency & Conditional Status: Third-party assessments remain valid for three years. If an organization has outstanding POA&M items after the initial assessment, it receives a conditional Level 2 status. All unmet requirements must be remedied within 180 days, and the organization must pass a POA&M close-out assessment to achieve a final Level 2. Contractors must also submit annual affirmations of continuous compliance.

Level 3 – Expert
Reserved for the DoD's most critical programs and technologies. Level 3 includes the 110 requirements of NIST SP 800-171 plus 24 additional controls from NIST SP 800-172.

Assessment Types: Contractors seeking Level 3 certification must first achieve a Level 2 (C3PAO) certification and then undergo a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Like Level 2, Level 3 certifications may start as conditional; any unmet requirements must be closed out within 180 days.

Practical Guidance for Organizations Seeking Certification

Determine the Data You Handle
Start by identifying what types of information your organization receives, creates, or stores under DoD contracts. Ask whether it includes Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both.

FCI is information not intended for public release that’s provided by or generated for the government under a contract.
Examples include: contract statements of work, project schedules, pricing details, supplier contact lists, or non-public design specifications.

CUI is more sensitive: information the government requires to be protected according to specific laws, regulations, or policies.
Examples include: technical drawings with export-controlled details (ITAR/EAR), system schematics tied to defense programs, maintenance manuals for controlled equipment, or data marked as CUI.

If you're a subcontractor, confirm the type of information you'll handle with your prime contractor. If you're a prime, verify the determination with your contracting officer. Once the final acquisition rule goes into effect on 10 November 2025, these responsibilities and references will be reflected in DFARS 252.204-7025.

Map and Scope Your Systems
Document the systems, assets, processes, vendors and data flows that handle FCI or CUI. Accurate scoping is essential for both self-assessments and third-party assessments.

Implement Required Controls
For Level 1, implement the 15 basic safeguarding requirements from FAR 52.204-21. For Level 2, implement all 110 controls and 320 assessment objectives from NIST SP 800-171. Level 3 organizations must additionally implement the relevant NIST SP 800-172 controls.

Develop Documentation
Prepare a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that describe control implementation, gaps and remediation plans. DFARS 252.204-7012 requires contractors to maintain these documents.

Perform Self-Assessment and Submit Scores
Conduct the required self-assessment and post the score in SPRS. Ensure an "affirming official" signs the annual affirmation of compliance as required by the program.

Prepare for Third-Party or Government Assessments
If your contract is Level 2 (C3PAO) or Level 3, engage with an authorized C3PAO well in advance. Plan for on-site interviews, evidence collection and remediation of nonconformities. The Lead Assessor will coordinate the assessment phases: planning, on-site assessment and reporting.

Monitor the Rulemaking Timeline
Because DoD may include CMMC requirements on contracts awarded prior to the 48 CFR rule becoming effective, organizations should stay current with DoD announcements and prepare for earlier adoption. Subcontractors should also be prepared, since prime contractors may require their compliance.