DoD requirement
Cybersecurity Maturity Model Certification
DoD requirement

Cybersecurity Maturity Model Certification

All frameworks

What it is

A U.S. Department of Defense certification program (CMMC 2.0) that verifies defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement required NIST SP 800-171 controls.

Who uses it

Companies in the Defense Industrial Base — primes and subs handling FCI or CUI.

Why it matters

Required to bid on most DoD contracts. Level 2 requires a third-party assessment for prioritized acquisitions.

Structure

Level 1 (Foundational)

17 basic safeguarding requirements for FCI — annual self-assessment.

Level 2 (Advanced)

110 NIST SP 800-171 controls for CUI — self-assessment or C3PAO third-party assessment depending on contract.

Level 3 (Expert)

All Level 2 plus a subset of NIST SP 800-172 — government-led assessment for the most sensitive programs.

Terminology

FCI
Federal Contract Information — info not for public release, generated for or provided under a federal contract.
CUI
Controlled Unclassified Information — requires safeguarding per law/regulation/government-wide policy.
C3PAO
Certified Third-Party Assessor Organization — authorized to perform Level 2 certification assessments.
SPRS score
Self-assessment score (-203 to 110) submitted to the Supplier Performance Risk System.

Beginner explanation

CMMC is the DoD's way of making sure its suppliers actually do the security they claim to do. It rides on NIST SP 800-171.

Practical examples

  • A 50-person manufacturer of aerospace parts pursues Level 2 self-assessment to keep bidding on Air Force contracts.

Advanced notes

CMMC 2.0 rule (32 CFR Part 170) became effective December 16, 2024; phased contract inclusion began in 2025.