CMMC Compliance Requirements
The Cybersecurity Maturity Model Certification (CMMC) program establishes binding cybersecurity requirements for contractors and subcontractors operating within the U.S. Department of Defense (DoD) industrial base. This page documents the regulatory structure, maturity levels, assessment mechanics, and compliance obligations that define participation in the Defense Industrial Base (DIB) supply chain. Understanding CMMC's architecture is essential for any organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
- References
Definition and Scope
CMMC is a DoD-administered framework that conditions contract award on demonstrated cybersecurity posture rather than self-attested compliance. Codified under 32 CFR Part 170, the rule was published in final form in October 2024 and applies to all contractors and subcontractors in the DIB that process, store, or transmit FCI or CUI. The program supersedes earlier self-attestation models introduced under DFARS clause 252.204-7012, which required contractors to certify compliance with NIST SP 800-171 but did not mandate independent verification.
The scope of CMMC extends across the full supply chain. Prime contractors must flow down requirements to subcontractors whose work involves covered information. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) estimated that approximately 220,000 entities in the DIB could be subject to CMMC requirements (DoD CMMC Program Final Rule, 32 CFR Part 170, 2024).
FCI is defined under FAR 52.204-21 as information provided by or generated for the government under a contract, not intended for public release. CUI is defined and managed under the National Archives and Records Administration (NARA) CUI Registry, governed by Executive Order 13556 and 32 CFR Part 2002. These definitional boundaries determine which CMMC level applies to a given contract.
Core Mechanics or Structure
CMMC 2.0 operates across three maturity levels, each mapped to a distinct set of practices and assessment requirements.
Level 1 — Foundational covers 17 practices derived directly from FAR 52.204-21. These apply to contractors handling FCI only. Assessment is conducted through annual self-attestation by a company official. No third-party assessment is required at this level.
Level 2 — Advanced covers 110 practices aligned to all requirements in NIST SP 800-171 Revision 2. This level applies to contractors handling CUI. Assessment requirements bifurcate: contracts involving "critical" national security programs require a triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO); all other Level 2 contracts permit annual self-attestation with affirmation by a senior company official.
Level 3 — Expert covers 110+ practices from NIST SP 800-171 plus a subset drawn from NIST SP 800-172. Level 3 applies to contractors on programs with the highest CUI sensitivity. Assessment is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — a government-led body, not a third-party organization.
The CMMC Accreditation Body (Cyber AB) manages the accreditation ecosystem, including C3PAO certification, Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) credentialing, and the CMMC marketplace registry. Assessment results are entered into the Supplier Performance Risk System (SPRS), where contracting officers can verify a contractor's compliance status at award time.
Causal Relationships or Drivers
The CMMC program emerged directly from documented breaches of defense contractor networks. The Defense Science Board's 2013 report on cyber-espionage identified pervasive exfiltration of controlled technical data from contractors lacking baseline cybersecurity. The F-35 program data theft incidents — traced partly to compromised supplier networks — accelerated the DoD's movement toward enforceable standards rather than voluntary guidance.
DFARS 252.204-7012, introduced in 2016, required contractors to implement NIST SP 800-171 and self-attest. Subsequent DoD Inspector General audits and Congressional Research Service assessments found widespread non-compliance and inaccurate self-assessments. The 2019 CMMC 1.0 framework introduced mandatory third-party verification; CMMC 2.0, announced in November 2021 and finalized in 2024, restructured the maturity levels from five to three while preserving independent assessment as the enforcement mechanism.
CMMC's supply-chain dimension reflects a systemic driver: adversaries target Tier 2 and Tier 3 suppliers as lateral access points into prime contractor systems. Regulatory enforcement at the subcontractor level is a direct policy response to that attack pattern.
Classification Boundaries
CMMC level assignment is determined by contract-level determinations made by the requiring activity (the government program office), not by the contractor. The contracting officer specifies the required CMMC level in the solicitation under DFARS 252.204-7021.
Key classification thresholds:
- FCI only, no CUI: Level 1 applies.
- CUI, non-critical program: Level 2 with self-attestation pathway available.
- CUI, critical program (government-designated): Level 2 with mandatory C3PAO assessment.
- CUI, highest sensitivity / advanced persistent threat (APT) exposure: Level 3 with DIBCAC assessment.
Organizations operating across multiple contracts may need to comply with different levels for different business units. The CMMC framework does not permit a single enterprise-level certification to substitute for contract-specific compliance — each assessment covers a defined Assessment Scope (the set of assets, people, and technology that process CUI or FCI for a given engagement). This boundary structure is specified in the CMMC Assessment Process (CAP) documentation published by the Cyber AB.
Tradeoffs and Tensions
The shift from self-attestation to third-party assessment introduces cost and capacity friction. C3PAO assessments for Level 2 carry market rates that smaller contractors — the majority of the DIB — may find prohibitive relative to contract value. The DoD has not established a cost reimbursement mechanism for CMMC assessment costs in small business contracts, a point raised in public comments during the rulemaking period.
Assessment capacity is a structural constraint. As of the 2024 final rule, the Cyber AB had authorized a limited number of C3PAOs relative to the projected demand of tens of thousands of Level 2 assessments over the phased implementation period. Assessment backlogs could delay contract awards or force contractors into non-compliance periods.
The self-attestation pathway for non-critical Level 2 creates a tier of accountability that critics argue replicates the vulnerabilities of the pre-CMMC regime. The False Claims Act (31 U.S.C. §§ 3729–3733) applies to knowing misrepresentation in self-attestations submitted to the government — but enforcement depends on detection, which is inconsistent without mandatory third-party review.
Tension also exists between the NIST SP 800-171 requirement set and operational realities in legacy manufacturing environments where operational technology systems cannot support modern authentication or encryption controls without significant capital investment.
Common Misconceptions
Misconception: CMMC certification is company-wide. CMMC assessments apply to a defined Assessment Scope — a bounded subset of an organization's systems. A company may be Level 2 compliant for one program and simultaneously non-compliant for another if the scopes are managed separately.
Misconception: Passing a CMMC assessment guarantees ongoing compliance. Certifications at Level 2 and Level 3 have fixed validity periods (three years for C3PAO assessments, annual affirmations for self-attestation). Continuous monitoring obligations under NIST SP 800-171 and SPRS score maintenance apply between assessments and remain active throughout the certification lifecycle.
Misconception: CMMC 2.0 replaced all DFARS cybersecurity obligations. DFARS 252.204-7012 remains in effect and is not superseded by CMMC. Contractors must satisfy both the existing DFARS clause and the new CMMC rule when both appear in a contract.
Misconception: A System Security Plan (SSP) alone satisfies CMMC requirements. An SSP is a documentation artifact required by NIST SP 800-171 (Requirement 3.12.4), but it is an input to assessment — not a compliance output. Assessors verify implementation, not documentation.
Misconception: Cloud systems are excluded from scope. Cloud service providers processing CUI must meet FedRAMP Moderate equivalency or be assessed as part of the contractor's Assessment Scope. The FedRAMP Moderate baseline maps to a large subset of Level 2 controls, but equivalency determinations require explicit documentation.
Checklist or Steps
The following sequence reflects the structural phases of CMMC compliance preparation and assessment as defined in the CMMC Assessment Process (CAP) and 32 CFR Part 170:
- Determine applicable CMMC level — Review contract solicitation language under DFARS 252.204-7021 and confirm the required level with the contracting officer.
- Define Assessment Scope — Identify all assets (hardware, software, people, external service providers) that process, store, or transmit FCI or CUI relevant to the contract.
- Conduct gap analysis against applicable practice set — Map current controls to NIST SP 800-171 Rev 2 (Level 2) or NIST SP 800-172 (Level 3) using the CMMC practice requirements.
- Develop or update System Security Plan (SSP) — Document the security architecture, control implementation status, and boundaries of the Assessment Scope.
- Create Plan of Action and Milestones (POA&M) — Document unimplemented controls and scheduled remediation timelines. At assessment time, open POA&Ms may disqualify certification unless conditional paths apply.
- Compute and submit SPRS score — Calculate the DoD assessment methodology score based on NIST SP 800-171 DoD Assessment Methodology (Version 1.2.1) and submit to the Supplier Performance Risk System.
- Engage a C3PAO (Level 2 critical or Level 3) — Select an accredited C3PAO from the Cyber AB marketplace for pre-assessment and formal assessment. DIBCAC conducts Level 3 assessments directly.
- Undergo formal assessment — The C3PAO or DIBCAC evaluates each practice against the Assessment Objectives in NIST SP 800-171A (the assessment procedures companion document).
- Receive assessment findings and certification decision — C3PAO submits findings to the Cyber AB; DIBCAC submits to CMMC program office. Certification status is recorded and made available to contracting officers.
- Maintain compliance and annual affirmation — Senior officials affirm compliance annually. C3PAO or DIBCAC reassessment occurs on the three-year cycle.
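The SPRS score step above is the one computable part of this procedure. The following calculator is an added example, not tooling from DoD, NIST or the Cyber AB; it assumes the published rules of the DoD Assessment Methodology (start at 110, deduct each unimplemented requirement's 5-, 3- or 1-point weight, with partial credit for 3.5.3 and 3.13.11) and uses a constructed ten-requirement subset of the weight table in place of the full 110-entry Annex A.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # score when every requirement is implemented

# Constructed subset of the weight table (requirement id -> points).
# Illustrative only: Annex A of the DoD Assessment Methodology v1.2.1
# is the authoritative source for all 110 requirements.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
# Requirements scored with partial credit: a 3-point deduction instead
# of 5 when only partly in place (e.g. MFA for remote and privileged
# access only, or encryption that is not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUS = {"met", "not_met", "partial"}

@dataclass(frozen=True)
class Deduction:
    requirement: str
    points: int
    reason: str

def score_deductions(statuses: dict[str, str]) -> list[Deduction]:
    """One Deduction per requirement that loses points; rejects bad input."""
    deductions = []
    for req, status in statuses.items():
        if req not in WEIGHTS:
            raise ValueError(f"unknown requirement {req}")
        if status not in VALID_STATUS:
            raise ValueError(f"invalid status {status!r} for {req}")
        if status == "met":
            continue
        if status == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} does not allow partial credit")
            deductions.append(Deduction(req, PARTIAL_CREDIT[req], "partial"))
        else:
            deductions.append(Deduction(req, WEIGHTS[req], "not implemented"))
    return deductions

def sprs_score(statuses: dict[str, str]) -> int:
    """110 minus weighted deductions; every requirement must be assessed."""
    missing = WEIGHTS.keys() - statuses.keys()
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return MAX_SCORE - sum(d.points for d in score_deductions(statuses))

# Constructed assessment record covering the subset above.
SAMPLE = {
    "3.1.1": "met", "3.1.2": "met", "3.1.5": "not_met", "3.1.20": "met",
    "3.1.22": "not_met", "3.3.1": "met", "3.5.3": "partial",
    "3.13.11": "not_met", "3.14.1": "met", "3.14.2": "met",
}

if __name__ == "__main__":
    for d in score_deductions(SAMPLE):
        print(f"{d.requirement}: -{d.points} ({d.reason})")
    print("SPRS score:", sprs_score(SAMPLE))
```

With the full Annex A table loaded into WEIGHTS, the same functions reproduce the methodology's range of 110 down to -203.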
Reference Table or Matrix
| CMMC Level | Information Type | Practice Count | Assessment Method | Assessor | Validity |
|---|---|---|---|---|---|
| Level 1 — Foundational | FCI only | 17 | Self-attestation | Company official | Annual |
| Level 2 — Advanced (non-critical) | CUI | 110 | Self-attestation + senior affirmation | Company official | Annual |
| Level 2 — Advanced (critical) | CUI (critical programs) | 110 | Third-party assessment | C3PAO | Triennial |
| Level 3 — Expert | CUI (highest sensitivity) | 110+ (NIST 800-172 additions) | Government assessment | DCMA DIBCAC | Triennial |

| Key Document | Purpose | Source |
|---|---|---|
| NIST SP 800-171 Rev 2 | Protecting CUI in non-federal systems | NIST CSRC |
| NIST SP 800-171A | Assessment procedures for 800-171 | NIST CSRC |
| NIST SP 800-172 | Enhanced requirements for high-risk CUI | NIST CSRC |
| 32 CFR Part 170 | CMMC program final rule | eCFR |
| DFARS 252.204-7012 | Safeguarding covered defense information | acquisition.gov |
| DFARS 252.204-7021 | CMMC requirement clause | acquisition.gov |
| CMMC Assessment Process (CAP) | Assessment procedures and documentation | Cyber AB |
| FAR 52.204-21 | Basic safeguarding of FCI | acquisition.gov |
References
- CMMC Program Final Rule — 32 CFR Part 170 (Federal Register, 2024)
- NIST SP 800-171 Rev 2 — Protecting Controlled Unclassified Information in Nonfederal Systems
- NIST SP 800-171A — Assessing Security Requirements for Controlled Unclassified Information
- NIST SP 800-172 — Enhanced Security Requirements for Protecting CUI
- DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
- FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems
- DoD CMMC Program — Office of the Under Secretary of Defense for Acquisition and Sustainment
- CMMC Accreditation Body (Cyber AB)
- NARA CUI Registry — Executive Order 13556 / 32 CFR Part 2002
- [False Claims Act — 31 U.S.C. §§ 3729–3733](https://uscode.house.gov/view.xhtml?path=/prelim@title31/subtitle3/chapter37/subchapter3&edition=