Cybersecurity Maturity Model Certification · DFARS 252.204-7021 / 32 CFR Part 170

Cybersecurity Maturity Model Certification (CMMC) Program

Also known as: CMMC 2.0, cybersecurity maturity model certification

What you do here: Achieve the CMMC level the contract requires — self-assessment or a third-party (C3PAO) certification

At a Glance

Who it applies to
DoD contractors and subcontractors — the required level is set by the sensitivity of the FCI/CUI they handle
What it obligates
Achieve and maintain the contract's CMMC level; Level 2 generally requires a C3PAO third-party assessment
Governing authority
32 CFR Part 170 (the program rule) and DFARS 252.204-7021 (the contract clause / acquisition rule)
The three levels
L1: 15 FCI controls (self); L2: NIST SP 800-171 (usually C3PAO); L3: NIST SP 800-172 subset (government-led)
The stakes
As it phases in, the required CMMC level becomes a condition of award — no certification, no contract

What It Is

The Cybersecurity Maturity Model Certification (CMMC) program is DoD's framework for verifying — not just trusting — that contractors have implemented the cybersecurity their contracts require. It responds to the weakness of pure self-attestation: under DFARS 7012/7019 a contractor scored itself, and DoD found that self-reported scores often overstated reality. CMMC (in its streamlined '2.0' form, finalized in the 32 CFR Part 170 program rule) sets three levels tied to the sensitivity of the information a contractor handles. Level 1 covers contractors that handle only Federal Contract Information (FCI); it requires the 15 basic safeguarding controls from FAR 52.204-21 and is met by an annual self-assessment and affirmation. Level 2 covers contractors that handle Controlled Unclassified Information (CUI); it requires the full NIST SP 800-171 control set and, for most contracts, a triennial assessment by an accredited third party — a Certified Third-Party Assessment Organization (C3PAO) — with senior-official affirmations (a small subset of Level 2 contracts may allow self-assessment). Level 3 covers the most sensitive programs; it adds a subset of enhanced requirements from NIST SP 800-172 and is assessed by the government (DCMA's DIBCAC). The program is implemented in contracts through the DFARS 252.204-7021 clause and is being phased in over several years, so the CMMC level and assessment type will appear as a requirement in solicitations on a rolling schedule. In plain terms: CMMC takes the existing FCI and CUI safeguarding obligations and turns them into a verified certification you must hold — at the level the contract demands — to be eligible for award.

When It Applies

  • On DoD solicitations as CMMC phases in — the required level and assessment type are stated in the solicitation.
  • At Level 1 for contractors handling only FCI — an annual self-assessment and affirmation.
  • At Level 2 for contractors handling CUI — generally a triennial C3PAO third-party assessment.
  • At Level 3 for the most sensitive programs — a government-led (DIBCAC) assessment adding NIST SP 800-172 requirements.

Key Features

FeatureWhat It Means
Three levels by data sensitivityLevel 1 (FCI, 15 controls), Level 2 (CUI, NIST SP 800-171), Level 3 (most sensitive, adds NIST SP 800-172) — the contract sets the required level.
Verified, not just self-attestedLevel 2 generally requires a Certified Third-Party Assessment Organization (C3PAO); Level 3 is assessed by the government (DIBCAC).
Built on existing requirementsIt doesn't invent new controls — it verifies FAR 52.204-21 (L1) and NIST SP 800-171 (L2), so 7012/7019 work carries over.
Senior-official affirmationA senior company official must affirm continued compliance in SPRS — creating personal accountability and False Claims Act exposure.
Phased rolloutImplemented via DFARS 252.204-7021 on a multi-year schedule; watch each solicitation for the level and assessment type it requires.

The SDVOSB Angle

CMMC is simultaneously the biggest cybersecurity barrier and the biggest potential moat for a small SDVOSB in the defense market. The barrier: a Level 2 C3PAO assessment plus the remediation to pass it can cost tens of thousands of dollars and months of lead time — for some small firms, more than the margin on an early contract, which makes the bid/no-bid decision a real one. The moat: because many small competitors won't invest early, an SDVOSB that achieves the required level ahead of the phase-in becomes eligible for a set of set-asides its competitors are locked out of. Practical guidance: figure out early whether your target work is FCI-only (Level 1, self-assessment, cheap) or CUI (Level 2, C3PAO, expensive), because the difference drives your whole compliance budget; shrink your CUI system boundary (enclave the CUI) so a Level 2 assessment covers a small, cheaper footprint; and take the senior-official affirmation seriously — it puts a named person's signature behind the compliance claim, with False Claims Act consequences for signing off on a posture you don't actually have. And don't forget the flow-down: subcontractors handling CUI need their own appropriate CMMC level.

How to Comply

  1. Determine whether your target contracts involve only FCI (Level 1) or CUI (Level 2) — it sets the level and cost.
  2. For Level 1, perform the annual self-assessment against the 15 FAR 52.204-21 controls and affirm it in SPRS.
  3. For Level 2, fully implement NIST SP 800-171, scope a small CUI enclave, and schedule a C3PAO assessment early (there's a waitlist).
  4. Have the required senior official affirm compliance in SPRS and keep the SSP/evidence current.
  5. Confirm subcontractors handling CUI hold the appropriate CMMC level before you team or flow down the work.

Watch Out For

  • Assuming CMMC is a paperwork exercise — Level 2 requires a real third-party assessment with lead time and cost.
  • Waiting until a solicitation requires it — remediation and C3PAO scheduling take many months.
  • Scoping your whole enterprise instead of a CUI enclave, ballooning the assessment cost.
  • Signing the senior-official affirmation on a posture you can't support — it carries personal and False Claims Act exposure.

Run the Numbers

Win Probability EstimatorPrice-to-Win Calculator

Frequently Asked

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that verifies contractors have implemented required cybersecurity, moving beyond self-attestation. In its 2.0 form (the 32 CFR Part 170 program rule, implemented in contracts by DFARS 252.204-7021), it has three levels: Level 1 for contractors handling Federal Contract Information (15 basic controls, annual self-assessment), Level 2 for Controlled Unclassified Information (the NIST SP 800-171 control set, usually a third-party C3PAO assessment), and Level 3 for the most sensitive programs (government-led assessment adding NIST SP 800-172 requirements).

Do I need CMMC to win a DoD contract?

As CMMC phases in, yes — for DoD contracts that involve FCI or CUI, the solicitation will state a required CMMC level, and holding that certification becomes a condition of award. The level depends on the data you handle: Level 1 (self-assessed) if you handle only Federal Contract Information, Level 2 (usually a C3PAO third-party assessment) if you handle Controlled Unclassified Information. Because assessments and remediation take months, small businesses should determine their required level and start early rather than waiting for a solicitation to require it.

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 applies to contractors that handle only Federal Contract Information (FCI). It requires the 15 basic safeguarding controls from FAR 52.204-21 and is met by an annual self-assessment and affirmation — low cost. CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI). It requires the full NIST SP 800-171 control set and, for most contracts, a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO) — a much larger cost and lead time. The data you handle, not your size, determines the level.

Primary Sources

Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often — the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.

Last updated Update cadence: Quarterly, plus on FAR/DFARS amendment, a new NIST SP 800-171 revision, or CMMC phase-in changes
Change log (1)
  1. LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside — basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule — each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.

Related Safeguarding Requirements

Systems You’ll Use

SPRSSupplier Performance Risk System
SAM.govSystem for Award Management

Clauses That Apply

FAR 52.204-21Basic Safeguarding of Covered Contractor Information Systems

How It Plays by Contract Type

FFPFirm-Fixed-Price (FFP)
CPFFCost-Plus-Fixed-Fee (CPFF)

The Authorities Explained

13 CFR § 125.6Limitations on Subcontracting

Forms You’ll Use

SF 1408Preaward Survey of Prospective Contractor — Accounting System

Put It Into Practice

How to Find and Bid SDVOSB Set-Aside Contracts

Terms Used on This Page

FARSimilarly Situated EntityPast Performance

In the FAQ Knowledge Base

What VA IT contracts are available to SDVOSBs?
How does security clearance affect SDVOSB contracting?
← All Cybersecurity & Information Safeguarding Requirements