RiskWatch
Compliance guide · ~12 min read · Updated June 2026

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a US Department of Defense program that verifies defense contractors protect sensitive government information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 has three levels, builds on NIST SP 800-171, and ties cybersecurity to the ability to win DoD contracts.

Owner: US DoD
Version: CMMC 2.0
Levels: 3
Protects: FCI · CUI

01 · Definition

What is CMMC?

CMMC is the Cybersecurity Maturity Model Certification, a US Department of Defense program that verifies the companies in its supply chain protect sensitive government information. It exists to confirm that defense contractors and subcontractors, collectively the Defense Industrial Base, actually meet the cybersecurity standards their contracts require, rather than simply claiming to.

The current program, CMMC 2.0, has three levels of increasing rigor and is built on existing NIST standards, principally NIST SP 800-171 for protecting Controlled Unclassified Information. The CMMC Program rule took effect in December 2024, and the requirement is being phased into DoD contracts. Once it appears in a contract, meeting the specified CMMC level becomes a condition of award.

"The CMMC program enforces protection of sensitive unclassified information shared by the Department with its contractors and subcontractors."

US DoD Chief Information Officer
02 · Origin

Why CMMC exists

For years, defense contractors were required by the DFARS clause 252.204-7012 to implement NIST SP 800-171 and to self-attest to their compliance. The problem was verification: self-attestation meant the DoD had little assurance that the controls were actually in place, and adversaries were successfully targeting the supply chain to steal sensitive defense information.

CMMC was created to close that gap by adding assessment and, for sensitive contracts, independent certification. The original 2020 model had five levels; the streamlined CMMC 2.0, announced in 2021, reduced that to three and re-anchored the program on NIST standards to reduce duplication. The result ties a measurable, verified cybersecurity posture directly to eligibility for DoD work.

03 · The data

FCI and CUI: the data CMMC protects

CMMC exists to protect two categories of government information. The data you handle determines the level you need.

Federal Contract Information (FCI)

Information provided by or generated for the government under a contract that is not intended for public release. Lower sensitivity. Protecting FCI maps to CMMC Level 1.

Controlled Unclassified Information (CUI)

More sensitive government information that requires safeguarding under law, regulation, or policy, such as controlled technical data. Protecting CUI maps to CMMC Levels 2 and 3.

04 · The model

The three CMMC levels

CMMC 2.0 defines three levels of increasing rigor. The level a contract requires depends on the sensitivity of the information involved.

Level 1

Foundational

Basic safeguarding of FCI, aligned to the 15 requirements of FAR 52.204-21. Assessed by the contractor itself each year, with a senior official affirming compliance.

Protects: Federal Contract Information (FCI)
Practices: 17 practices
Assessment: Annual self-assessment + affirmation

Level 2

Advanced

Protection of CUI, aligned to the 110 security requirements of NIST SP 800-171. Most CUI contracts require a third-party (C3PAO) assessment every three years; some lower-criticality contracts allow self-assessment.

Protects: Controlled Unclassified Information (CUI)
Practices: 110 practices (NIST SP 800-171)
Assessment: Self or C3PAO assessment every 3 years

Level 3

Expert

The highest level, for the most sensitive programs. Adds enhanced requirements from NIST SP 800-172 on top of 800-171, and is assessed by the government (DIBCAC) rather than a third party.

Protects: CUI against advanced persistent threats
Practices: 110 + a subset of NIST SP 800-172
Assessment: Government-led assessment

05 · Assessment

How CMMC certification works

How you demonstrate compliance depends on your level. Level 1 and some Level 2 contracts allow an annual self-assessment, with a senior company official affirming the results in the government's system.

Most Level 2 contracts that involve CUI require a third-party assessment by a C3PAO (a CMMC Third-Party Assessment Organization) every three years. Level 3 is assessed by the government itself. Across all levels, contractors must maintain a System Security Plan, and a Plan of Action and Milestones (POA&M) is permitted only for a limited set of requirements, with firm closeout timelines.

The requirement reaches subcontractors too. A prime contractor must flow the appropriate CMMC level down its supply chain, so the obligation applies to many small and mid-size suppliers, not just large primes.

06 · Comparison

CMMC vs NIST 800-171

These two are constantly confused. The simplest way to hold them apart: NIST SP 800-171 is the standard (the 110 requirements for protecting CUI), and CMMC is the program that verifies you meet it.

Contractors handling CUI have been required to implement 800-171 under DFARS for years and to self-score it. CMMC Level 2 takes those same 110 requirements and adds assessment and, for most CUI contracts, independent third-party certification. So implementing 800-171 well is the bulk of the work; CMMC is the proof. For the full breakdown of the standard, see our guide to NIST 800-171.

07 · Preparation

How to prepare for CMMC

Six steps that take a contractor from uncertain to assessment-ready. Scoping the CUI environment tightly (step 2) is the biggest lever on cost and timeline.

  1. Determine your level

     Identify whether your contracts involve FCI (Level 1) or CUI (Level 2, occasionally Level 3). Your contract language and the data you handle drive the answer.

  2. Scope your environment

     Define the assets that store, process, or transmit FCI or CUI, and separate them where possible. A tight scope is the single biggest lever on cost and effort.

  3. Run a NIST 800-171 self-assessment

     For Level 2, assess against all 110 requirements, calculate your SPRS score using the DoD Assessment Methodology, and identify the gaps.

  4. Remediate and build a POA&M

     Close gaps, and for the limited items where a Plan of Action and Milestones is permitted, document them with owners and dates. A System Security Plan (SSP) is mandatory.

  5. Gather objective evidence

     Assessors want artifacts, not assertions: policies, configurations, logs, and records that show each practice is implemented and operating.

  6. Self-attest or engage a C3PAO

     Submit your self-assessment and affirmation, or schedule a certified third-party assessment (C3PAO) for the contracts that require one, then maintain the posture between cycles.
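Steps 3 and 4 above turn on one number, the SPRS score, and on which open items may sit in a POA&M. The following is an added worked example, not code from RiskWatch or from the DoD, that implements the scoring rules of the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unmet requirement's 1, 3 or 5 points, partial credit of 3 points off instead of 5 for 3.5.3 and 3.13.11) and then sorts the gaps into a remediation order. The weight table is a constructed sample of ten requirement IDs and must be replaced with the full Annex A table before use; the POA&M eligibility rule (score of at least 88, no open item worth more than 1 point except 3.13.11 at 3, and a short list of 1-point items that can never be deferred) is my reading of 32 CFR 170.21 and should be confirmed against the rule text. All function and constant names are my own.

```python
"""SPRS score, gap report and POA&M eligibility for a NIST SP 800-171
self-assessment, following the DoD Assessment Methodology scoring rules.
Example code, not part of the RiskWatch guide or any DoD tooling."""
from __future__ import annotations

MAX_SCORE = 110      # every requirement implemented
MIN_SCORE = -203     # nothing implemented: 110 minus the 313 points in the full table
POAM_MIN_SCORE = 88  # 80% of 110; assumption: threshold from 32 CFR 170.21

# Constructed sample of per-requirement weights (1, 3 or 5 points each).
# Replace with the complete table from Annex A of the Methodology: any
# requirement missing from this dict is simply not scored.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# The two requirements the Methodology lets you score as partially met,
# and the reduced deduction that applies: MFA for remote and privileged
# users only (3.5.3), encryption in use but not FIPS-validated (3.13.11).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Assumption (my reading of 32 CFR 170.21): these 1-point items may never
# be deferred to a POA&M even though their weight is 1.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def deductions(weights: dict[str, int], status: dict[str, str]) -> dict[str, int]:
    """Return {requirement: points deducted} for every unmet requirement.

    A requirement present in `weights` but absent from `status` counts as
    not implemented, so an empty status dict yields the worst score.
    """
    out: dict[str, int] = {}
    for req, state in status.items():
        if req not in weights:
            raise KeyError(f"unknown requirement {req}")
        if state not in VALID_STATUS:
            raise ValueError(f"{req}: bad status {state!r}")
        if state == "implemented":
            continue
        if state == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit is not permitted")
            out[req] = PARTIAL_CREDIT[req]
        else:
            out[req] = weights[req]
    for req, weight in weights.items():
        if req not in status:
            out[req] = weight
    return out


def sprs_score(weights: dict[str, int], status: dict[str, str]) -> int:
    """110 minus all deductions, floored at the Methodology's minimum."""
    return max(MAX_SCORE - sum(deductions(weights, status).values()), MIN_SCORE)


def gap_report(weights: dict[str, int], status: dict[str, str]) -> list[tuple[str, int]]:
    """Unmet requirements, biggest deduction first: a remediation order."""
    return sorted(deductions(weights, status).items(), key=lambda kv: (-kv[1], kv[0]))


def poam_eligible(weights: dict[str, int], status: dict[str, str]) -> bool:
    """Could the remaining open items be carried in a POA&M? (assumption: 32 CFR 170.21)"""
    if sprs_score(weights, status) < POAM_MIN_SCORE:
        return False
    for req, pts in deductions(weights, status).items():
        if req in NEVER_POAM:
            return False
        if pts > 1 and not (req == "3.13.11" and pts <= 3):
            return False
    return True


# Constructed sample assessment result for the ten requirements above.
SAMPLE_STATUS = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
    "3.1.20": "implemented", "3.1.22": "not_implemented", "3.3.1": "not_implemented",
    "3.5.3": "partial", "3.13.11": "partial", "3.14.1": "implemented", "3.14.2": "implemented",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_WEIGHTS, SAMPLE_STATUS))
    for req, pts in gap_report(SAMPLE_WEIGHTS, SAMPLE_STATUS):
        print(f"  {req:<8} -{pts}")
    print("POA&M eligible:", poam_eligible(SAMPLE_WEIGHTS, SAMPLE_STATUS))
```

With the sample status the score is 97, the report puts the 5-point audit-logging gap (3.3.1) first, and POA&M eligibility is refused because a 5-point item and a non-deferrable 1-point item are still open; closing 3.3.1, 3.5.3 and 3.1.22 raises the score to 106 with only a 1-point item and the permitted 3.13.11 partial left, which the check accepts.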

Get to an assessment faster
Run CMMC and 800-171 as one scored assessment.

RiskWatch ships pre-built CMMC and NIST 800-171 assessments on a shared control library, calculates your posture, tracks remediation and POA&M items to closure, and keeps the System Security Plan and evidence an assessor expects.

08 · Frequently asked

CMMC, answered

The questions defense contractors ask most as the requirement rolls out.

What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is a US Department of Defense program that verifies defense contractors and subcontractors have adequate cybersecurity to protect sensitive government information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It applies across the Defense Industrial Base (DIB) and ties a company's ability to win and keep DoD contracts to meeting a defined cybersecurity standard.
What is CMMC 2.0?
CMMC 2.0 is the streamlined version of the program announced in late 2021, which reduced the original five maturity levels to three and aligned them with existing NIST standards. The CMMC Program rule (32 CFR) took effect in December 2024, and the requirement is rolling out into DoD contracts in phases. CMMC 2.0 relies on NIST SP 800-171 for Level 2 and adds NIST SP 800-172 requirements at Level 3.
What are the three levels of CMMC?
Level 1 (Foundational) covers basic protection of FCI with 17 practices and an annual self-assessment. Level 2 (Advanced) covers CUI with the 110 requirements of NIST SP 800-171, assessed by a third party (C3PAO) every three years for most contracts. Level 3 (Expert) covers the most sensitive CUI, adding a subset of NIST SP 800-172 requirements on top of 800-171, and is assessed by the government.
What is the difference between FCI and CUI?
Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release, but is not especially sensitive. Controlled Unclassified Information (CUI) is more sensitive government information that requires safeguarding under law, regulation, or government-wide policy, such as technical data or controlled technical information. FCI maps to CMMC Level 1; CUI maps to Levels 2 and 3.
Who needs CMMC certification?
Any company in the DoD supply chain that handles FCI or CUI, including prime contractors and their subcontractors, will need to meet the CMMC level specified in their contracts. This reaches well beyond traditional defense primes to manufacturers, IT providers, and service firms anywhere in the supply chain. The required level and assessment type are stated in the contract.
What is a C3PAO?
A C3PAO is a CMMC Third-Party Assessment Organization, an entity authorized to conduct CMMC Level 2 certification assessments. For contracts that require third-party certification (rather than self-assessment), a contractor engages an authorized C3PAO to evaluate its implementation of the NIST SP 800-171 requirements and issue a certification. The ecosystem is overseen by the Cyber AB and the DoD.
What is the difference between CMMC and NIST 800-171?
NIST SP 800-171 is the underlying set of 110 security requirements for protecting CUI in non-federal systems. CMMC is the DoD's certification program that verifies a contractor actually meets those requirements. In short, 800-171 is the standard and CMMC Level 2 is the assessment and certification of that standard. Many contractors were already required to implement 800-171 under DFARS; CMMC adds the verification and, for many, third-party assessment.
How long does CMMC certification take?
It depends on your starting posture and scope. Organisations that already implement NIST SP 800-171 well may need only a few months to gather evidence and schedule an assessment; those starting from a low SPRS score often need 9 to 18 months to remediate, document a System Security Plan, and prepare. Scoping the CUI environment tightly is the most effective way to shorten and de-risk the timeline.
From the rule to a certifiable posture

Get CMMC-ready with one scored assessment.

Pre-built CMMC and NIST 800-171 assessments, SPRS scoring, POA&M and SSP support, and a timestamped evidence trail your C3PAO expects. 30-day free trial, no credit card.

No credit card required · 30-day free trial · Cancel anytime
