The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now a contractual requirement for organizations in the US defense industrial base. Here’s what you need to know to maintain your eligibility for DoD contracts.

What Is CMMC?

CMMC is the Department of Defense’s framework for verifying that contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It establishes cybersecurity requirements as a contract prerequisite — not just a best practice. Organizations that cannot demonstrate compliance risk losing existing contracts and eligibility for new ones.

The Three Levels

Level 1 (Foundational): 17 practices covering basic cybersecurity hygiene. Applies to contractors who handle FCI but not CUI. Self-assessment is permitted.

Level 2 (Advanced): 110 practices aligned with NIST SP 800-171. Applies to contractors who handle CUI; most contractors fall here. A third-party assessment by a C3PAO is required for critical programs; self-assessment is permitted for non-critical programs.

Level 3 (Expert): 110+ practices, adding requirements from NIST SP 800-172. Applies to contractors on the most sensitive DoD programs. A government-led assessment is required.

The Assessment and Certification Process

Organizations seeking Level 2 certification through a third-party assessment must engage a CMMC Third-Party Assessment Organization (C3PAO). The assessment evaluates your implementation of all 110 NIST SP 800-171 practices and produces a certification score. Conditional certification is possible if you have a plan of action and milestones (POA&M) for the open items. Certification is valid for three years.

Start With a Gap Assessment

Most organizations pursuing CMMC already have some of the required controls in place and gaps in others. A structured gap assessment against NIST SP 800-171 tells you exactly where you stand and what remediation is required before a formal assessment.

Work With Us

Contact Dimension Stone Security →