Glossary · Frameworks & standards
What is CMMC?
Also known as: Cybersecurity Maturity Model Certification, CMMC 2.0
CMMC (Cybersecurity Maturity Model Certification) is a US Department of Defense program that verifies defense contractors and subcontractors have adequate cybersecurity to protect sensitive government information. CMMC 2.0 defines three levels and is built largely on NIST SP 800-171, protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Key takeaways
- Applies to companies in the US Defense Industrial Base (DIB) handling FCI or CUI.
- CMMC 2.0 streamlines the model into three levels.
- Built primarily on NIST SP 800-171 (and NIST SP 800-172 at the highest level).
- Verifies protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Will be required in applicable DoD contracts, making it a gate to defense work.
Who must comply with CMMC?
CMMC applies to organizations in the Defense Industrial Base — prime contractors and subcontractors that handle Federal Contract Information or Controlled Unclassified Information as part of DoD work. The required level depends on the sensitivity of the information involved in a given contract.
Federal Contract Information is information provided by or generated for the government under a contract that is not intended for public release. Controlled Unclassified Information is more sensitive government information that requires safeguarding under specific rules. Handling CUI generally triggers a higher CMMC level than FCI alone.
What are the three CMMC 2.0 levels?
CMMC 2.0 consolidated the original five-level model into three:
- Level 1 (Foundational) — basic safeguarding of FCI, aligned to the 15 requirements in FAR 52.204-21, verified by annual self-assessment.
- Level 2 (Advanced) — protection of CUI based on the 110 controls of NIST SP 800-171, verified by self-assessment or by a third-party (C3PAO) assessment depending on the data.
- Level 3 (Expert) — for the highest-priority programs, adding controls from NIST SP 800-172 and assessed by the government.
The level invoked in a contract determines both the controls required and how compliance is verified, from self-attestation up to government-led assessment.
How does CMMC relate to NIST SP 800-171 and FedRAMP?
CMMC does not invent a new control set; Level 2 maps directly to NIST SP 800-171, which many defense contractors were already contractually required to follow under DFARS. CMMC adds a verification and certification layer on top so the DoD can confirm — not just trust — that controls are in place.
CMMC differs from FedRAMP, which authorizes cloud services for general federal use; CMMC certifies the contractor's own environment handling defense information. A contractor using a cloud service may rely on FedRAMP-authorized infrastructure while still needing its own CMMC certification.
A common pitfall is treating CMMC as a paperwork exercise; the underlying SP 800-171 controls require real technical implementation, including access control, audit logging, and incident response.
Frequently asked questions
- What is the difference between FCI and CUI?
- FCI is non-public information created or provided under a federal contract, while CUI is more sensitive government information requiring specific safeguarding. CUI handling generally requires a higher CMMC level.
- Do all defense contractors need third-party certification?
- No. Level 1 and some Level 2 cases allow self-assessment, while higher-risk Level 2 and Level 3 require independent or government assessment depending on the contract.
- What is a C3PAO?
- A Certified Third-Party Assessment Organization authorized to conduct CMMC Level 2 certification assessments of defense contractors.
- How is CMMC 2.0 different from the original model?
- CMMC 2.0 reduced the five levels to three, removed CMMC-unique practices in favor of established NIST standards, and reintroduced self-assessment for lower-risk levels.