Cybersecurity Maturity Model Certification (CMMC) Program
Also known as: CMMC 2.0, cybersecurity maturity model certification
What you do here: Achieve the CMMC level the contract requires — self-assessment or a third-party (C3PAO) certification
At a Glance
- Who it applies to
- DoD contractors and subcontractors — the required level is set by the sensitivity of the FCI/CUI they handle
- What it obligates
- Achieve and maintain the contract's CMMC level; Level 2 generally requires a C3PAO third-party assessment
- Governing authority
- 32 CFR Part 170 (the program rule) and DFARS 252.204-7021 (the contract clause / acquisition rule)
- The three levels
- L1: 15 FCI controls (self); L2: NIST SP 800-171 (usually C3PAO); L3: NIST SP 800-172 subset (government-led)
- The stakes
- As it phases in, the required CMMC level becomes a condition of award — no certification, no contract
What It Is
The Cybersecurity Maturity Model Certification (CMMC) program is DoD's framework for verifying — not just trusting — that contractors have implemented the cybersecurity their contracts require. It responds to the weakness of pure self-attestation: under DFARS 7012/7019 a contractor scored itself, and DoD found that self-reported scores often overstated reality. CMMC (in its streamlined '2.0' form, finalized in the 32 CFR Part 170 program rule) sets three levels tied to the sensitivity of the information a contractor handles. Level 1 covers contractors that handle only Federal Contract Information (FCI); it requires the 15 basic safeguarding controls from FAR 52.204-21 and is met by an annual self-assessment and affirmation. Level 2 covers contractors that handle Controlled Unclassified Information (CUI); it requires the full NIST SP 800-171 control set and, for most contracts, a triennial assessment by an accredited third party — a Certified Third-Party Assessment Organization (C3PAO) — with senior-official affirmations (a small subset of Level 2 contracts may allow self-assessment). Level 3 covers the most sensitive programs; it adds a subset of enhanced requirements from NIST SP 800-172 and is assessed by the government (DCMA's DIBCAC). The program is implemented in contracts through the DFARS 252.204-7021 clause and is being phased in over several years, so the CMMC level and assessment type will appear as a requirement in solicitations on a rolling schedule. In plain terms: CMMC takes the existing FCI and CUI safeguarding obligations and turns them into a verified certification you must hold — at the level the contract demands — to be eligible for award.
When It Applies
- On DoD solicitations as CMMC phases in — the required level and assessment type are stated in the solicitation.
- At Level 1 for contractors handling only FCI — an annual self-assessment and affirmation.
- At Level 2 for contractors handling CUI — generally a triennial C3PAO third-party assessment.
- At Level 3 for the most sensitive programs — a government-led (DIBCAC) assessment adding NIST SP 800-172 requirements.
Key Features
| Feature | What It Means |
|---|---|
| Three levels by data sensitivity | Level 1 (FCI, 15 controls), Level 2 (CUI, NIST SP 800-171), Level 3 (most sensitive, adds NIST SP 800-172) — the contract sets the required level. |
| Verified, not just self-attested | Level 2 generally requires a Certified Third-Party Assessment Organization (C3PAO); Level 3 is assessed by the government (DIBCAC). |
| Built on existing requirements | It doesn't invent new controls — it verifies FAR 52.204-21 (L1) and NIST SP 800-171 (L2), so 7012/7019 work carries over. |
| Senior-official affirmation | A senior company official must affirm continued compliance in SPRS — creating personal accountability and False Claims Act exposure. |
| Phased rollout | Implemented via DFARS 252.204-7021 on a multi-year schedule; watch each solicitation for the level and assessment type it requires. |
The SDVOSB Angle
CMMC is simultaneously the biggest cybersecurity barrier and the biggest potential moat for a small SDVOSB in the defense market. The barrier: a Level 2 C3PAO assessment plus the remediation to pass it can cost tens of thousands of dollars and months of lead time — for some small firms, more than the margin on an early contract, which makes the bid/no-bid decision a real one. The moat: because many small competitors won't invest early, an SDVOSB that achieves the required level ahead of the phase-in becomes eligible for a set of set-asides its competitors are locked out of. Practical guidance: figure out early whether your target work is FCI-only (Level 1, self-assessment, cheap) or CUI (Level 2, C3PAO, expensive), because the difference drives your whole compliance budget; shrink your CUI system boundary (enclave the CUI) so a Level 2 assessment covers a small, cheaper footprint; and take the senior-official affirmation seriously — it puts a named person's signature behind the compliance claim, with False Claims Act consequences for signing off on a posture you don't actually have. And don't forget the flow-down: subcontractors handling CUI need their own appropriate CMMC level.
How to Comply
- Determine whether your target contracts involve only FCI (Level 1) or CUI (Level 2) — it sets the level and cost.
- For Level 1, perform the annual self-assessment against the 15 FAR 52.204-21 controls and affirm it in SPRS.
- For Level 2, fully implement NIST SP 800-171, scope a small CUI enclave, and schedule a C3PAO assessment early (there's a waitlist).
- Have the required senior official affirm compliance in SPRS and keep the SSP/evidence current.
- Confirm subcontractors handling CUI hold the appropriate CMMC level before you team or flow down the work.
Watch Out For
- Assuming CMMC is a paperwork exercise — Level 2 requires a real third-party assessment with lead time and cost.
- Waiting until a solicitation requires it — remediation and C3PAO scheduling take many months.
- Scoping your whole enterprise instead of a CUI enclave, ballooning the assessment cost.
- Signing the senior-official affirmation on a posture you can't support — it carries personal and False Claims Act exposure.
Run the Numbers
Frequently Asked
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that verifies contractors have implemented required cybersecurity, moving beyond self-attestation. In its 2.0 form (the 32 CFR Part 170 program rule, implemented in contracts by DFARS 252.204-7021), it has three levels: Level 1 for contractors handling Federal Contract Information (15 basic controls, annual self-assessment), Level 2 for Controlled Unclassified Information (the NIST SP 800-171 control set, usually a third-party C3PAO assessment), and Level 3 for the most sensitive programs (government-led assessment adding NIST SP 800-172 requirements).
Do I need CMMC to win a DoD contract?
As CMMC phases in, yes — for DoD contracts that involve FCI or CUI, the solicitation will state a required CMMC level, and holding that certification becomes a condition of award. The level depends on the data you handle: Level 1 (self-assessed) if you handle only Federal Contract Information, Level 2 (usually a C3PAO third-party assessment) if you handle Controlled Unclassified Information. Because assessments and remediation take months, small businesses should determine their required level and start early rather than waiting for a solicitation to require it.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 applies to contractors that handle only Federal Contract Information (FCI). It requires the 15 basic safeguarding controls from FAR 52.204-21 and is met by an annual self-assessment and affirmation — low cost. CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI). It requires the full NIST SP 800-171 control set and, for most contracts, a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO) — a much larger cost and lead time. The data you handle, not your size, determines the level.
Primary Sources
- 32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program
- DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
- DoD CIO — CMMC program resources
Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often — the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.
Change log (1)
- LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside — basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule — each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.