CMMC Compliance Reference for US Defense Contractors
The Cybersecurity Maturity Model Certification (CMMC) program establishes mandatory cybersecurity requirements for organizations seeking or holding contracts within the US Department of Defense (DoD) industrial base. This reference covers the program's structure, compliance levels, assessment mechanics, regulatory basis, and the classification boundaries that determine which contractors bear which obligations. It serves defense industry professionals, compliance officers, legal counsel, and researchers navigating the DoD contracting landscape.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
CMMC is a DoD-administered framework that conditions contract eligibility on verified cybersecurity posture. The program is codified at 32 CFR Part 170, published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The final rule implementing CMMC 2.0 was published in the Federal Register on October 15, 2024, with a phased rollout that introduces CMMC requirements into Defense Federal Acquisition Regulation Supplement (DFARS) clauses beginning in 2025.
CMMC applies to the Defense Industrial Base (DIB), which the DoD estimates at approximately 300,000 companies (DoD CMMC Program Overview). The framework covers contractors who handle two categories of sensitive federal information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is defined under 48 CFR § 52.204-21 as information provided by or generated for the government under contract, not intended for public release. CUI is governed by the National Archives and Records Administration (NARA) CUI Registry (archives.gov/cui) and encompasses a broad set of unclassified but sensitive categories including export-controlled technical data, privacy-protected information, and law enforcement-sensitive material.
The framework is not self-contained: CMMC references and maps to NIST SP 800-171 Rev 2 (protecting CUI in non-federal systems) and, at the highest level, to NIST SP 800-172 (enhanced requirements for critical programs).
Core mechanics or structure
CMMC 2.0 organizes the compliance landscape into three levels, each corresponding to a distinct set of practices and assessment types.
Level 1 — Foundational: Covers 17 practices drawn directly from 48 CFR § 52.204-21. Applies to contractors handling FCI only. Assessment is conducted through annual self-assessment with results affirmed by a senior company official.
Level 2 — Advanced: Covers 110 practices aligned precisely to the 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 control families. Most Level 2 contractors are required to undergo a triennial third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the CMMC Accreditation Body (The Cyber AB). A subset of Level 2 contractors — those on non-prioritized acquisition programs — may use annual self-assessment with senior official affirmation.
Level 3 — Expert: Covers a superset of Level 2 requirements plus an additional set of practices drawn from NIST SP 800-172. Assessment is conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Level 3 is reserved for contractors operating on DoD's highest-priority programs involving the most sensitive CUI.
Assessment results feed into the Supplier Performance Risk System (SPRS), where contractors submit their System Security Plan (SSP) scores. SPRS scores, calculated per the NIST SP 800-171 DoD Assessment Methodology, range from -203 (all practices failing) to 110 (full compliance).
Causal relationships or drivers
CMMC's originating driver is a documented pattern of cyber intrusions against DIB contractors that compromised sensitive defense technical data. DoD attributed a significant share of these incidents to adversary exploitation of weak cybersecurity practices at subcontractor levels, where prior self-attestation under DFARS clause 252.204-7012 provided no independent verification mechanism.
The DFARS 252.204-7012 clause, effective 2017, required contractors to implement NIST SP 800-171 and report cyber incidents to the DoD Cyber Crime Center (DC3) — but compliance was unverified. The DoD Inspector General and the Government Accountability Office (GAO) issued reports documenting widespread non-compliance: a 2019 DoD OIG report (DODIG-2019-105) found that DoD had not ensured contractor compliance with cybersecurity requirements in a sample of DFARS contracts.
CMMC's third-party assessment mandate at Level 2 is a direct structural response to that verification gap. The requirement for C3PAO accreditation through The Cyber AB introduces an independent credentialing layer absent from prior frameworks. Simultaneously, the False Claims Act (31 U.S.C. §§ 3729–3733) applies to CMMC self-assessments — contractors who knowingly misrepresent their cybersecurity posture in SPRS or in contract representations face civil liability, including treble damages and civil penalties between $13,946 and $27,894 per false claim (DOJ FCA Civil Penalties Adjustment, 2023).
Classification boundaries
The primary classification boundary within CMMC is the FCI/CUI distinction, which determines applicable level.
FCI-only environments trigger Level 1 obligations. These typically include contractors providing commercial off-the-shelf (COTS) products or straightforward support services where no technical design, specification, or sensitive program data changes hands.
CUI environments trigger Level 2 at minimum. CUI category designation is the responsibility of the contracting agency, not the contractor. Contractors must review contract documentation — including DD Form 254 (Contract Security Classification Specification) and Statement of Work language — to identify CUI obligations. Not all CUI is equal: CMMC distinguishes between standard CUI (Level 2) and CUI associated with critical programs or advanced capabilities (Level 3).
Subcontractor flow-down is a critical boundary: prime contractors are required under DFARS to flow CMMC requirements down to subcontractors who handle FCI or CUI. A subcontractor handling only non-sensitive portions of a prime contract may not be in scope. The scope boundary analysis must be documented in the contractor's SSP.
Assessment scope is a separate but related boundary. The CMMC assessment scope includes all assets that process, store, or transmit CUI — as well as assets that provide security functions (such as multi-factor authentication systems) for those environments. The Cyber AB publishes a CMMC Scoping Guide that defines five asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets.
Tradeoffs and tensions
The verification mandate introduced at Level 2 resolves the attestation credibility problem but introduces significant cost pressures on small and mid-sized DIB contractors. C3PAO assessment fees are not capped by regulation. DoD's own regulatory impact analysis published in the 2023 proposed rule estimated average assessment costs of approximately $105,000 for a medium-sized organization (88 FR 89058, December 26, 2023), though actual costs vary substantially by organizational complexity and existing security posture.
Plan of Action and Milestones (POA&M) flexibility represents another tension point. CMMC 2.0 permits conditional certification with limited POA&Ms for Level 2, allowing contractors with minor deficiencies to receive a conditional certification while remediating gaps within 180 days. Critics argue this creates a pathway for persistent non-compliance; proponents argue it reflects operational realism for DIB companies with limited security staff. The final rule at 32 CFR Part 170 restricts which practices may appear on a POA&M — practices in specific high-priority control families (including access control and incident response) are not eligible for POA&M deferral.
A third tension involves assessment reciprocity. Contractors who have completed a DIBCAC High assessment under DFARS 252.204-7020 may be eligible for CMMC Level 2 credit, but the equivalency determination is not automatic and depends on assessment documentation quality and recency.
Common misconceptions
Misconception: ISO 27001 certification satisfies CMMC Level 2.
ISO/IEC 27001 and NIST SP 800-171 are structurally distinct frameworks. ISO 27001 requires organizations to define and apply controls within a management system context; NIST SP 800-171 specifies 110 discrete security requirements. There is no recognized equivalency pathway. A contractor certified to ISO 27001 must still achieve all 110 NIST SP 800-171 requirements to meet Level 2. The CMMC Model documentation does not reference ISO 27001 as an accepted alternative.
Misconception: Cloud service providers are out of scope if FedRAMP authorized.
FedRAMP authorization addresses the cloud platform's own security posture, not the contractor's use of that platform. A DIB contractor using a FedRAMP-authorized cloud environment must still configure and manage their own systems, access controls, and data handling practices in accordance with NIST SP 800-171. The platform's authorization does not transfer to the tenant's CMMC assessment.
Misconception: CMMC certification belongs to a company.
Under CMMC 2.0, certification applies to a specific assessed environment — the scope defined in the contractor's SSP. A company operating multiple business units or enclaves may need separate assessments for each in-scope environment. The Cyber AB's scoping guidance explicitly addresses multi-enclave scenarios.
Misconception: A passing SPRS score of 110 is required before bidding.
The threshold for contract award varies by acquisition program and contracting officer. CMMC Level 1 requires a passing self-assessment with senior official affirmation. Level 2 contracts that mandate third-party assessment require a conditional or final certification. An SPRS score below 110 does not automatically disqualify a contractor if a POA&M is in place and the contract's CMMC requirements permit conditional status.
Checklist or steps (non-advisory)
The following sequence reflects the structural phases of CMMC compliance preparation as described in DoD program documentation and The Cyber AB's published guidance:
- Identify contract data scope — Review the contract, DD Form 254, and performance work statement to classify data as FCI, CUI, or neither.
- Determine applicable CMMC level — Map data classification and program designation to Level 1, 2, or 3 per 32 CFR Part 170.
- Define assessment boundary — Categorize all assets per the five-category Cyber AB scoping model (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets).
- Conduct gap assessment against NIST SP 800-171 — Identify deficiencies across all 14 control families using the DoD Assessment Methodology scoring model.
- Document System Security Plan (SSP) — Produce an SSP describing the environment, control implementation status, and responsible parties.
- Develop Plan of Action and Milestones (POA&M) — For any non-compliant practices eligible for POA&M, document remediation timelines and responsible owners.
- Submit SPRS score — Enter the self-assessment score into the Supplier Performance Risk System at sprs.pmrt.navy.mil.
- Engage C3PAO (Level 2 third-party required) — Select an accredited C3PAO from The Cyber AB marketplace and schedule an assessment.
- Undergo formal assessment — C3PAO conducts documentation review, interviews, and technical testing against all 110 NIST SP 800-171 requirements.
- Receive certification outcome — Final certification, conditional certification (with POA&M), or non-compliance finding submitted to DoD through The Cyber AB.
- Maintain and renew — Level 2 certifications require triennial third-party reassessment; annual self-affirmation continues between assessments.
Reference table or matrix
| CMMC Level | Data Type in Scope | Practice Count | Underlying Standard | Assessment Type | Assessment Body | Frequency |
|---|---|---|---|---|---|---|
| Level 1 — Foundational | FCI only | 17 | 48 CFR § 52.204-21 | Self-assessment + senior affirmation | Contractor | Annual |
| Level 2 — Advanced (prioritized) | CUI | 110 | NIST SP 800-171 Rev 2 | Third-party assessment | C3PAO (Cyber AB accredited) | Triennial |
| Level 2 — Advanced (non-prioritized) | CUI | 110 | NIST SP 800-171 Rev 2 | Self-assessment + senior affirmation | Contractor | Annual |
| Level 3 — Expert | CUI (critical programs) | 110 + (subset of 800-172) | NIST SP 800-171 + SP 800-172 | Government-led assessment | DIBCAC | Triennial |

| Control Family (NIST SP 800-171) | Requirement Count | POA&M Eligible at Level 2 |
|---|---|---|
| Access Control (AC) | 22 | Restricted |
| Awareness and Training (AT) | 3 | Yes |
| Audit and Accountability (AU) | 9 | Yes |
| Configuration Management (CM) | 9 | Yes |
| Identification and Authentication (IA) | 11 | Restricted |
| Incident Response (IR) | 3 | Restricted |
| Maintenance (MA) | 6 | Yes |
| Media Protection (MP) | 9 | Yes |
| Personnel Security (PS) | 2 | Yes |
| Physical Protection (PE) | 6 | Yes |
| Risk Assessment (RA) | 5 | Yes |
| Security Assessment (CA) | 4 | Yes |
| System and Communications Protection (SC) | 16 | Restricted |
| System and Information Integrity (SI) | 7 | Yes |
*Practice counts per [NIST SP 800-171 Rev 2](https://csrc.nist.gov/publications/