Cybersecurity Maturity Model Certification
What it is
A U.S. Department of Defense certification program (CMMC 2.0) that verifies defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement required NIST SP 800-171 controls.
Who uses it
Companies in the Defense Industrial Base — primes and subs handling FCI or CUI.
Why it matters
Required to bid on most DoD contracts. Level 2 requires a third-party assessment for prioritized acquisitions.
Structure
17 basic safeguarding requirements for FCI — annual self-assessment.
110 NIST SP 800-171 controls for CUI — self-assessment or C3PAO third-party assessment depending on contract.
All Level 2 plus a subset of NIST SP 800-172 — government-led assessment for the most sensitive programs.
Terminology
Beginner explanation
CMMC is the DoD's way of making sure its suppliers actually do the security they claim to do. It rides on NIST SP 800-171.
Practical examples
- A 50-person manufacturer of aerospace parts pursues Level 2 self-assessment to keep bidding on Air Force contracts.
Advanced notes
CMMC 2.0 rule (32 CFR Part 170) became effective December 16, 2024; phased contract inclusion began in 2025.