David Koran & Associates
Essex Junction, VT | Montebello, NY | 802-335-2662 | dkoran@davidkoran.com
CMMC Overview

What Is CMMC?
A Practitioner Overview of CMMC 2.0 Requirements

The Cybersecurity Maturity Model Certification is a Department of Defense program that makes cybersecurity compliance a verifiable condition of doing business with the federal government. Here is what it requires and why it matters.

CMMC in Plain Language

CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's mechanism for ensuring that defense contractors protect sensitive information. Before CMMC, contractors were required to implement cybersecurity controls under DFARS 252.204-7012, but compliance was self-reported and unverified. The result was widespread noncompliance across the Defense Industrial Base, with contractors self-reporting scores that did not reflect their actual security posture.

CMMC changes this by requiring independent verification. Contractors must demonstrate that their cybersecurity controls are actually implemented, not just documented, and that demonstration is validated by certified third-party assessors. The program makes cybersecurity compliance an enforceable condition of contract award rather than an honor-system obligation.

The Three Levels

CMMC 2.0 establishes three certification levels, each corresponding to the sensitivity of the information a contractor handles.

Level 1 covers Federal Contract Information (FCI) and requires 15 basic safeguarding practices drawn from FAR 52.204-21. Verification is through annual self-attestation. Most organizations that do any business with the federal government will need at least Level 1.

Level 2 covers Controlled Unclassified Information (CUI) and requires all 110 security requirements from NIST SP 800-171 Rev 2. Verification is through a triennial third-party assessment conducted by a C3PAO (CMMC Third-Party Assessment Organization). This is the level that applies to the majority of defense contractors who handle technical data, engineering drawings, or other CUI. For a detailed comparison, see CMMC Level 1 vs Level 2.

Level 3 covers the most sensitive CUI programs and adds requirements from NIST SP 800-172. Assessment is conducted by the government (DIBCAC). Level 3 applies to a smaller subset of contractors working on the most critical defense programs.

CMMC 2.0 Requirements: What Changed

The "2.0" designation refers to the streamlined version of CMMC that replaced the original five-level model. CMMC 2.0 consolidated the framework to three levels, aligned Level 2 directly with NIST SP 800-171, eliminated CMMC-unique practices that existed in version 1.0, and introduced a phased enforcement timeline. The underlying security requirements for Level 2 are not new. They are the same 110 requirements from NIST SP 800-171 that have been contractually required since 2017 under DFARS 252.204-7012. What CMMC 2.0 adds is the verification and enforcement mechanism.

The Enforcement Timeline

CMMC enforcement is already underway. Phase 1 took effect in November 2025, requiring self-attestation for Level 1 and the posting of SPRS scores for Level 2. Phase 2 begins November 10, 2026, when C3PAO third-party assessments become a condition of contract award for contracts that include the CMMC Level 2 clause. By November 10, 2027, the requirement extends across all applicable DoD contracts.

The practical implication is that contractors who have not achieved CMMC certification by the time their contracts require it will be ineligible to bid on or receive those awards. There is no waiver, no extension, and no exemption based on company size or contract value.

What CMMC Means for Defense Contractors

For most defense contractors, CMMC means three things. First, the cybersecurity requirements that have been in their contracts since 2017 are now being enforced. Second, compliance is no longer self-reported but independently verified. Third, the cost and effort of achieving compliance are real and must be planned for, particularly for small and mid-sized manufacturers that have not previously invested in formal cybersecurity programs.

The contractors who will navigate this transition successfully are those who begin early, scope their CUI environment carefully, and build a compliance program based on operational reality rather than paper documentation. For executives making strategic decisions about CMMC, The CMMC Decision provides the framework for evaluating the program's impact on contract strategy, resource allocation, and organizational readiness.

CMMC vs NIST 800-171

This is one of the most frequently misunderstood aspects of the program. NIST SP 800-171 is the set of 110 security requirements. CMMC is the verification framework built around those requirements. Before CMMC, contractors were required to implement 800-171 but there was no independent check. CMMC adds the assessment process, the certification credential, and the enforcement consequence. The requirements themselves are the same. What has changed is that someone now verifies whether you actually did the work.

Frequently Asked Questions

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense program that requires defense contractors to meet verified cybersecurity standards as a condition of receiving DoD contracts. The program establishes three certification levels based on the sensitivity of the information a contractor handles, with independent third-party assessments required at the higher levels.

What are the CMMC 2.0 requirements?

CMMC 2.0 establishes three levels. Level 1 requires 15 basic safeguarding practices for Federal Contract Information, verified by annual self-attestation. Level 2 requires all 110 security requirements from NIST SP 800-171 Rev 2 for Controlled Unclassified Information, verified by a third-party C3PAO assessment. Level 3 adds additional requirements from NIST SP 800-172 for the most sensitive programs, assessed by the government.

Who needs CMMC certification?

Every organization in the Defense Industrial Base that handles Federal Contract Information or Controlled Unclassified Information under a DoD contract will need CMMC certification at the appropriate level. This includes prime contractors, subcontractors at all tiers, and any supplier that receives, stores, or processes FCI or CUI as part of defense contract work.

When does CMMC go into effect?

CMMC enforcement is already underway. Phase 1 took effect in November 2025, requiring self-attestation for Level 1 and select Level 2 contracts. Phase 2 begins November 10, 2026, when C3PAO assessments become a condition of contract award. By November 10, 2027, the requirement extends to all applicable DoD contracts.

How long does it take to get CMMC certified?

For Level 2, the typical preparation timeline is 12 to 18 months from the start of a readiness engagement to assessment readiness. This includes gap analysis, remediation, System Security Plan development, and evidence preparation. The C3PAO assessment itself adds additional time. Level 1 self-attestation can typically be completed in weeks to a few months.

What is the difference between CMMC and NIST 800-171?

NIST SP 800-171 is the set of 110 security requirements that CMMC Level 2 is built upon. CMMC adds the verification and enforcement mechanism. Before CMMC, compliance with 800-171 was self-reported. CMMC requires that compliance be validated through a third-party assessment, making the requirements enforceable rather than aspirational.
