CMMC Compliance Reference for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) framework governs the cybersecurity requirements imposed on contractors and subcontractors operating within the U.S. Department of Defense (DoD) supply chain. Administered by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S), CMMC establishes a tiered certification structure that determines which organizations may compete for and perform on DoD contracts involving Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This reference covers the framework's structure, regulatory basis, classification logic, and the mechanics of third-party assessment — for defense contractors, subcontractors, and the consultants serving them.


Definition and Scope

CMMC is a DoD-mandated cybersecurity framework that applies to all organizations — prime contractors and lower-tier subcontractors alike — that handle FCI or CUI in the performance of DoD contracts. The framework was first announced in 2019 and underwent a substantial revision with CMMC 2.0, which the DoD formally published as a proposed rule under 32 CFR Part 170 in December 2023 (Federal Register, 32 CFR Part 170).

The scope of CMMC extends beyond prime contractors. Any organization in the defense industrial base (DIB) that processes, stores, or transmits CUI — even if that organization is a cloud service provider, managed service provider, or lower-tier supplier — falls within the certification requirement. The DoD estimates the DIB comprises approximately 300,000 companies (DoD CMMC Program Overview).

CMMC draws its technical requirements from two primary federal standards:
- NIST SP 800-171 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171), which defines 110 security requirements across 14 domains.
- NIST SP 800-172 — an enhanced subset applicable to the highest CMMC level, addressing advanced persistent threats.

The regulatory home for CUI itself is the National Archives and Records Administration (NARA) CUI Registry (NARA CUI Registry), which defines what categories of information trigger CMMC obligations.


Core Mechanics or Structure

CMMC 2.0 operates across three certification levels, each with distinct assessment mechanisms and technical requirements. The level required for a given contract is determined by the sensitivity of the information involved and is specified in the solicitation.

Level 1 — Foundational covers 17 practices drawn from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Assessment is performed through an annual self-assessment with an affirmation submitted to the Supplier Performance Risk System (SPRS).

Level 2 — Advanced aligns to the full 110 security requirements of NIST SP 800-171. For contracts involving CUI, most Level 2 assessments require a triennial third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) accredited by the CMMC Accreditation Body (The Cyber AB, formerly CMMC-AB). A subset of Level 2 contracts may permit self-assessment at the DoD's discretion.

Level 3 — Expert adds requirements from NIST SP 800-172 on top of the 110 NIST SP 800-171 controls. Assessments at Level 3 are conducted by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

SPRS scores, which range from -203 to +110 (NIST SP 800-171 DoD Assessment Methodology), serve as a running indicator of compliance posture. A perfect score of +110 reflects full implementation of all 110 practices. Each unimplemented control reduces the score by a defined weighted value.

Plan of Action and Milestones (POA&Ms) — formal remediation plans — are permitted at Level 2 for a defined subset of practices that are not fully implemented at the time of assessment, subject to DoD-specified conditions in the final rule.


Causal Relationships or Drivers

The CMMC framework was created in direct response to documented exfiltration of sensitive technical data from DIB contractors. The DoD attributed a pattern of supply chain compromises — including incidents involving CUI in unclassified contractor systems — to adversarial nation-state actors. Prior to CMMC, contractor compliance with DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) was required but relied entirely on contractor self-attestation, creating an enforcement gap.

CMMC's third-party assessment requirement for Level 2 and Level 3 addresses that gap directly by removing the unverified self-certification model for higher-risk contracts. The DoD also incorporated CMMC requirements into the DFARS through proposed rules (DFARS Case 2019-D041), making compliance a contractual prerequisite rather than a voluntary program.

The mandatory flow-down provision — which requires prime contractors to impose equivalent CMMC requirements on subcontractors handling the same categories of information — is a structural driver ensuring the requirement propagates through multi-tier supply chains.


Classification Boundaries

CMMC level assignment depends on the classification of information handled, not the size or type of the contractor organization. The operative boundary is between FCI and CUI.

FCI is defined under FAR 52.204-21 as information provided by or generated for the government under a contract to develop or deliver a product or service. Handling FCI alone triggers Level 1 requirements.

CUI is defined by Executive Order 13556 (2010) and further specified in 32 CFR Part 2002 and the NARA CUI Registry. CUI encompasses a wide range of categories including export-controlled technical data, nuclear information, privacy data, and law enforcement sensitive information. The presence of CUI in a contract or subcontract triggers Level 2 requirements at minimum.

The boundary between Level 2 and Level 3 is not determined solely by information type but also by the DoD's characterization of the acquisition as involving programs, technologies, or systems of particular criticality to national security. Level 3 is reserved for the highest-priority programs and is applied narrowly.

Importantly, cloud service providers used to process or store CUI must meet the requirements of FedRAMP Moderate baseline (FedRAMP) as a condition of use on CMMC contracts, introducing a parallel compliance obligation.



Tradeoffs and Tensions

The most operationally significant tension in CMMC implementation is cost versus participation. Independent analyses submitted to the DoD during the rulemaking process estimated that small businesses face disproportionate compliance costs relative to their contract volumes. The DoD's own regulatory impact analysis for the CMMC 2.0 proposed rule acknowledged average assessment costs for Level 2 C3PAO assessments ranging from approximately $30,000 to over $100,000 per assessment cycle, depending on organization size and scope.

A second tension exists between POA&M flexibility and security assurance. Allowing contractors to proceed with unresolved findings under a remediation plan creates a window during which CUI may reside on systems that do not yet meet all 110 NIST SP 800-171 requirements. The final rule limits the practices eligible for POA&M treatment and imposes closure timelines, but critics argue the residual flexibility undermines the framework's security assurance objectives.

Third-party assessor capacity is a structural constraint. The Cyber AB's pool of accredited C3PAOs and Certified Assessors (CAs) must scale to serve approximately 80,000 to 100,000 organizations estimated to require Level 2 C3PAO assessments (DoD CMMC Program FAQ), creating potential bottlenecks that could delay contract awards.

A related tension: the parallel DFARS 252.204-7021 clause (requiring CMMC certification as a contract condition) cannot be enforced until rulemaking is finalized and the clause is phased into new solicitations — creating a compliance limbo for contractors who invest early versus those who wait.


Common Misconceptions

Misconception: CMMC replaces DFARS 252.204-7012.
CMMC does not replace DFARS 252.204-7012. That clause — which requires covered contractors to implement NIST SP 800-171, report cyber incidents within 72 hours, and preserve images of compromised systems — remains independently in force. CMMC adds a certification and assessment layer on top of existing DFARS obligations.

Misconception: Self-assessment is sufficient for all Level 2 contracts.
The DoD retains authority to designate specific contracts as requiring C3PAO assessment at Level 2. Self-assessment at Level 2 applies only where the DoD makes an explicit determination that the program does not involve higher-sensitivity CUI. Contractors cannot elect self-assessment independently.

Misconception: A perfect SPRS score of +110 equals CMMC certification.
An SPRS score reflects a contractor's self-assessed implementation status against NIST SP 800-171. It is not equivalent to CMMC certification, which requires a formal assessment by a C3PAO or DIBCAC examiner and entry of results into eMASS (Enterprise Mission Assurance Support Service). SPRS scores remain relevant to current DFARS compliance obligations but do not substitute for CMMC certification under the new framework.

Misconception: CMMC applies only to prime contractors.
Flow-down requirements in DFARS 252.204-7021 mandate that prime contractors ensure subcontractors handling FCI or CUI at any tier hold the required CMMC level. A subcontractor at the fourth tier handling CUI must meet Level 2 requirements identically to the prime.



Checklist or Steps

The following sequence reflects the standard CMMC compliance readiness and certification process for a Level 2 contractor seeking C3PAO assessment. This is a procedural reference, not professional advice.

  1. Identify information types handled — Determine whether contracts involve FCI only or CUI (reference NARA CUI Registry categories).
  2. Determine applicable CMMC level — Review solicitation language and DFARS clause 252.204-7021 for specified level requirements.
  3. Conduct a gap assessment against NIST SP 800-171 — Map existing controls to all 110 security requirements across 14 practice domains.
  4. Calculate and submit SPRS score — Report current self-assessed score to the Supplier Performance Risk System; submit senior official affirmation.
  5. Develop a System Security Plan (SSP) — Document the contractor's information system environment, boundaries, and control implementations. SSP is a required artifact for C3PAO assessment.
  6. Develop and execute a POA&M for gaps — For practices not yet implemented, create formal remediation plans with milestones.
  7. Engage a Cyber AB-accredited C3PAO — Select from the Cyber AB's published marketplace of accredited organizations.
  8. Complete the C3PAO assessment — The C3PAO conducts evidence review, interviews, and system testing; results are entered into eMASS.
  9. Receive CMMC Level 2 certification — DoD issues certification based on DIBCAC review of assessment package.
  10. Maintain continuous compliance — Triennial reassessment cycle; annual affirmation required between full assessments.
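The SPRS scoring mechanic described above (a +110 ceiling, a -203 floor, and a weighted deduction per unimplemented requirement) and steps 3, 4 and 6 of the checklist (gap assessment, SPRS score, POA&M) can be worked through on a small constructed gap assessment. The following is an added example, not code from the page or from any DoD tool. It assumes the DoD Assessment Methodology's convention that each requirement carries a point value of 1, 3 or 5; the point values attached to individual requirements in the sample are constructed for illustration, and the requirement ids follow NIST SP 800-171 numbering.

```python
"""Derive an SPRS score and a POA&M open-item list from a gap assessment.

Added example (not the page's own code). Assumptions:
  - each requirement is weighted 1, 3 or 5 points (DoD Assessment Methodology convention);
  - the per-requirement weights in SAMPLE_GAP_ASSESSMENT are constructed, not transcribed;
  - any of the 110 requirements not listed in the input is treated as implemented,
    so a real submission must list all 110.
"""
from dataclasses import dataclass

SPRS_MAX = 110           # every one of the 110 requirements implemented
SPRS_MIN = -203          # every requirement unimplemented: 110 - 313 total deductible points
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Finding:
    requirement: str     # NIST SP 800-171 requirement id, e.g. "3.1.1"
    weight: int          # assumed point value: 1, 3 or 5
    implemented: bool


def parse_gap_assessment(text: str) -> list[Finding]:
    """Parse lines of 'requirement,weight,status'; status is 'implemented' or 'open'.

    Blank lines and '#' comments are skipped; malformed rows fail loudly rather than
    silently lowering or raising the score.
    """
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        req, weight_text, status = parts
        weight = int(weight_text)
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"line {lineno}: weight {weight} not in {sorted(VALID_WEIGHTS)}")
        if status not in ("implemented", "open"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        findings.append(Finding(req, weight, status == "implemented"))
    return findings


def sprs_score(findings: list[Finding]) -> int:
    """Score = 110 minus the summed weights of unimplemented requirements."""
    deductions = sum(f.weight for f in findings if not f.implemented)
    score = SPRS_MAX - deductions
    if not SPRS_MIN <= score <= SPRS_MAX:
        # More deductions than the methodology allows means the input is wrong
        # (duplicate rows or bad weights), not that the posture is worse than -203.
        raise ValueError(f"score {score} outside [{SPRS_MIN}, {SPRS_MAX}]; check input")
    return score


def _requirement_key(req: str) -> tuple[int, ...]:
    # Sort "3.10.1" after "3.5.3" numerically rather than as strings.
    return tuple(int(part) for part in req.split("."))


def poam_items(findings: list[Finding]) -> list[str]:
    """Open requirements for the POA&M, highest-weight first, then by id."""
    open_items = [f for f in findings if not f.implemented]
    open_items.sort(key=lambda f: (-f.weight, _requirement_key(f.requirement)))
    return [f.requirement for f in open_items]


# Constructed sample gap assessment; weights are assumptions for illustration.
SAMPLE_GAP_ASSESSMENT = """
# requirement,weight,status
3.1.1,5,implemented
3.1.2,5,implemented
3.3.1,5,implemented
3.5.3,5,open        # multifactor authentication
3.8.1,3,open
3.10.1,1,open
3.13.11,5,open      # FIPS-validated cryptography
"""


def sample_report() -> tuple[int, list[str]]:
    findings = parse_gap_assessment(SAMPLE_GAP_ASSESSMENT)
    return sprs_score(findings), poam_items(findings)


if __name__ == "__main__":
    score, open_reqs = sample_report()
    print(f"SPRS score: {score}")
    print("POA&M items (highest weight first):", ", ".join(open_reqs))
```

The floor check in `sprs_score` is the practical point: a computed score below -203 cannot be a real posture, so the function refuses to report it instead of letting a duplicated or mis-weighted row pass into the SPRS submission.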

Reference Table or Matrix

CMMC Level                  | Applicable Standard             | # of Practices          | Assessment Type      | Assessment Frequency | Governing Body
----------------------------|---------------------------------|-------------------------|----------------------|----------------------|------------------------------
Level 1 — Foundational      | FAR 52.204-21                   | 17                      | Self-assessment      | Annual               | Contractor (SPRS affirmation)
Level 2 — Advanced (Self)   | NIST SP 800-171                 | 110                     | Self-assessment      | Annual               | Contractor (SPRS affirmation)
Level 2 — Advanced (C3PAO)  | NIST SP 800-171                 | 110                     | Third-party (C3PAO)  | Triennial            | Cyber AB / DCMA DIBCAC review
Level 3 — Expert            | NIST SP 800-171 + SP 800-172    | 110 + enhanced subset   | Government-led       | Triennial            | DCMA DIBCAC

Term    | Definition                                            | Source
--------|-------------------------------------------------------|-----------------------------
CUI     | Controlled Unclassified Information                   | EO 13556; 32 CFR Part 2002
FCI     | Federal Contract Information                          | FAR 52.204-21
C3PAO   | Certified Third-Party Assessment Organization         | Cyber AB accreditation
SPRS    | Supplier Performance Risk System                      | DFARS 252.204-7012
SSP     | System Security Plan                                  | NIST SP 800-171, §3.12.4
POA&M   | Plan of Action and Milestones                         | NIST SP 800-171A
DIBCAC  | Defense Industrial Base Cybersecurity Assessment Center | DCMA
eMASS   | Enterprise Mission Assurance Support Service          | DoD
