CMMC Compliance Reference for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) program establishes mandatory cybersecurity standards for organizations seeking or holding contracts with the United States Department of Defense. This page covers CMMC's regulatory structure, the three certification levels, the assessment and accreditation process, and the compliance landscape facing prime contractors and subcontractors in the defense industrial base. Understanding the mechanics of this program is essential for any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts.


Definition and Scope

CMMC is a DoD-administered framework that certifies whether defense contractors and subcontractors have implemented cybersecurity practices sufficient to protect FCI and CUI. The program is governed by 32 CFR Part 170, published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (DoD OUSD(A&S)) and finalized through the CMMC 2.0 rulemaking process. The final rule under 32 CFR Part 170 was published in December 2024 and governs how CMMC requirements flow into defense acquisition contracts.

The scope of CMMC extends across the entire defense industrial base (DIB), which the DoD estimates includes approximately 300,000 companies (DoD CMMC Program Overview). This includes large prime contractors, small and medium-sized businesses, cloud service providers, and managed service providers whose offerings touch DoD contract data. A contractor need not hold a prime contract to be subject to CMMC — any subcontractor that receives, processes, stores, or transmits FCI or CUI in the performance of a DoD contract falls within scope. The breadth of this definition means supply chain participants at multiple tiers are subject to assessment.

The regulatory basis for protecting CUI specifically flows from Executive Order 13556 (2010) and the National Archives and Records Administration's (NARA) CUI Registry, which defines categories and subcategories of controlled information. CMMC operationalizes these requirements by tying them to measurable technical controls drawn from NIST SP 800-171 and, at the highest level, NIST SP 800-172.


Core Mechanics or Structure

CMMC 2.0 consolidates the original five-level model into three certification levels, each aligned to specific NIST standards and assessment methods.

Level 1 — Foundational applies to contractors handling only FCI. It requires implementation of 17 practices derived from FAR clause 52.204-21, covering basic safeguarding measures such as limiting system access, screening individuals, and maintaining physical protections. Level 1 allows annual self-assessment with senior official attestation — no third-party assessment is required.

Level 2 — Advanced applies to contractors handling CUI. It requires implementation of all 110 security requirements specified in NIST SP 800-171 Rev. 2. For most contracts, Level 2 requires a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB (formerly the CMMC Accreditation Body). Certain Level 2 contracts designated as lower risk may permit annual self-assessment with affirmation.

Level 3 — Expert applies to contractors handling CUI on DoD's highest-priority programs. It adds 24 practices from NIST SP 800-172 beyond the Level 2 baseline and requires triennial government-led assessments conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The assessment ecosystem requires contractors to engage with several accredited entities. C3PAOs conduct Level 2 third-party assessments. Certified Assessors (CAs) and Certified CMMC Professionals (CCPs) are credentialed individuals who perform or support assessments. The Cyber AB maintains the marketplace of accredited organizations and individuals at cyberab.org.

Assessment results are recorded in the Supplier Performance Risk System (SPRS), a DoD platform where contractors post self-assessment scores and where C3PAO assessment outcomes are logged. SPRS scores range from -203 to 110, with 110 representing full implementation of all NIST SP 800-171 requirements.


Causal Relationships or Drivers

CMMC emerged from documented failures in the defense contractor community to protect sensitive program information. Between 2014 and 2018, a series of intrusions — including the breach of contractor networks supporting the F-35 program attributed to Chinese state-sponsored actors by reporting from the Wall Street Journal — demonstrated that self-reported cybersecurity compliance under DFARS clause 252.204-7012 was insufficient. That clause required contractors to implement NIST SP 800-171 but relied entirely on self-attestation with no verification mechanism.

The DFARS interim rule (DFARS Case 2019-D041, effective November 2020) introduced SPRS score reporting as an interim measure, requiring contractors to calculate and post their own NIST SP 800-171 implementation scores. The DoD Inspector General's 2023 audit (DoD IG Report DODIG-2023-047) found that DoD components did not consistently verify contractor SPRS scores, confirming the limitations of self-assessment. CMMC's third-party assessment requirement was designed specifically to close this verification gap.

The broader geopolitical driver is persistent adversarial targeting of the DIB. CISA and the NSA have jointly documented campaigns targeting defense contractors, with the NSA/CISA Cybersecurity Advisory AA22-047A identifying tactics used against cleared defense contractors. This pattern of targeting CUI held by smaller subcontractors — which typically lack the cybersecurity maturity of large primes — drives the policy logic of extending CMMC requirements down supply chains. Contractors exposed to supply chain cybersecurity risks therefore sit squarely within this threat model.


Classification Boundaries

CMMC level applicability is determined by the type of information a contractor handles, not by company size or contract value.

FCI alone triggers Level 1. FCI is defined under FAR 4.1901 as information provided by or generated for the government under a contract to develop or deliver a product or service — but it excludes information provided to the public or simple transactional data (such as billing information).

CUI triggers Level 2 or Level 3. CUI categories are enumerated in the NARA CUI Registry and include subcategories such as Controlled Technical Information (CTI), Export Controlled information, and Privacy data. Contractors must determine which CUI categories apply to their specific contract performance to scope their assessment boundary correctly.

The concept of the CMMC Assessment Scope — defined in the CMMC Scoping Guidance published by the DoD — is critical. Only assets that process, store, or transmit CUI, or that provide security protection for such assets, fall within the assessment boundary. Assets that never contact CUI may be designated as "out of scope" if properly segmented. External service providers (ESPs), including cloud service providers, must be included in scope if they handle CUI, and must themselves meet applicable CMMC or FedRAMP requirements. This boundary determination directly affects which cloud security standards apply to contractors using cloud environments.


Tradeoffs and Tensions

Cost versus compliance reach. Third-party assessments impose significant financial burden on small businesses, which constitute a large fraction of the DIB. The DoD acknowledged this tension in the CMMC 2.0 rulemaking, allowing self-assessment for a subset of Level 2 contracts. Critics argue this carve-out undermines the program's verification objective by leaving lower-risk contracts without independent validation — yet mandating C3PAO assessments for all 300,000 DIB entities would create assessment capacity constraints given the limited pool of accredited C3PAOs.

Assessment capacity. As of 2024, the Cyber AB's marketplace listed a limited number of fully authorized C3PAOs capable of conducting certified assessments. Industry groups including the National Defense Industrial Association (NDIA) have raised concerns that assessment bottlenecks could delay contract awards or create a compliance backlog when CMMC requirements are fully incorporated into solicitations.

Plan of Action & Milestones (POA&M) allowance. The CMMC 2.0 framework permits contractors to receive conditional certification with open POA&Ms for a limited subset of requirements, provided the most critical controls are met. The tension here is between operational flexibility — allowing contractors to win contracts while remediating gaps — and the security intent of requiring complete implementation before certification.

Overlap with DFARS 252.204-7012. This existing DFARS clause requires contractors to implement NIST SP 800-171, report cyber incidents within 72 hours, and preserve media for 90 days. CMMC does not replace this clause but adds assessment verification atop it. Managing dual compliance obligations creates administrative complexity, particularly for contractors subject to government contractor cybersecurity requirements under multiple frameworks.


Common Misconceptions

Misconception: CMMC replaces DFARS 252.204-7012.
CMMC adds assessment verification to existing DFARS obligations. DFARS 252.204-7012 remains in force and continues to govern incident reporting, cloud service provider requirements, and media preservation. CMMC certification does not eliminate those obligations.

Misconception: Only prime contractors need CMMC.
The flow-down requirement in DFARS and CMMC policy mandates that prime contractors pass CMMC requirements to subcontractors who handle FCI or CUI. A subcontractor receiving only purchase orders for commercial off-the-shelf (COTS) items is exempt, but any subcontractor touching covered information is not.

Misconception: A high SPRS score equals CMMC certification.
SPRS scores reflect contractor self-reported implementation of NIST SP 800-171. A score of 110 in SPRS does not constitute CMMC certification — it is a self-assessment artifact. CMMC Level 2 certification for most contracts requires a C3PAO assessment recorded in a separate DoD certification system.

Misconception: Small businesses are exempt.
No company-size exemption exists within the CMMC framework. The DoD has published resources acknowledging the disproportionate burden on small businesses, and small business cybersecurity requirements reflect this tension, but the regulatory obligation applies regardless of employee count or revenue.

Misconception: CMMC 2.0 applies to all federal contracts.
CMMC applies specifically to DoD contracts. Civilian agency contracts are governed by separate frameworks, including FISMA, FedRAMP, and agency-specific requirements. Non-DoD federal contractors handling CUI are subject to NIST SP 800-171 via their own agency's DFARS-equivalent clauses but are not subject to CMMC assessment requirements.


Checklist or Steps

The following sequence reflects the documented CMMC compliance pathway as described in DoD and Cyber AB published guidance. This is a structural reference, not advisory.

Phase 1 — Scoping
- Identify all assets that process, store, or transmit FCI or CUI
- Categorize CUI by type using the NARA CUI Registry
- Determine applicable CMMC level from contract requirements
- Define the CMMC Assessment Boundary per DoD Scoping Guidance
- Identify all external service providers and cloud services within scope

Phase 2 — Gap Assessment
- Map current controls against all applicable NIST SP 800-171 Rev. 2 requirements (110 practices for Level 2)
- Calculate the SPRS score using the DoD assessment methodology
- Document all unmet requirements in a Plan of Action & Milestones (POA&M)
- Identify requirements addressed by ESPs and verify their CMMC or FedRAMP authorization status

Phase 3 — Remediation
- Implement missing controls in priority order based on SPRS point values
- Update system security plans (SSPs) to reflect the current environment
- Validate that POA&M items have defined completion dates

Phase 4 — Assessment
- For Level 1: Complete annual self-assessment and submit SPRS score with senior official affirmation
- For Level 2 (third-party required): Engage an accredited C3PAO through the Cyber AB Marketplace
- For Level 3: Coordinate with DCMA DIBCAC for government-led assessment

Phase 5 — Certification and Maintenance
- Receive and record assessment outcome in SPRS / DoD certification system
- Maintain continuous compliance — any change that expands the assessment boundary triggers reassessment obligations
- Submit annual affirmations of continued compliance as required by 32 CFR Part 170
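As an added illustration of the scoring step in Phase 2 and the priority-ordering step in Phase 3 (example code written for this page, not a DoD or Cyber AB tool), the following Python computes an SPRS score from a constructed set of requirement statuses and orders the open items for remediation. It assumes the 110-point starting score, the 5/3/1 per-requirement point values, and the partial-credit rule for 3.5.3 and 3.13.11 from the DoD NIST SP 800-171 Assessment Methodology, which the page references but does not reproduce; the sample requirement weights and statuses are constructed for illustration and must be checked against the current methodology document before use.

```python
"""SPRS score calculation and remediation ordering (added example, not DoD tooling).

Assumed scoring rule (DoD NIST SP 800-171 Assessment Methodology): start at 110 and
subtract each unmet requirement's point value (5, 3 or 1). All 110 requirements unmet
sums to 313 points, which is why the page's minimum score is -203. Two requirements
(3.5.3 multifactor authentication, 3.13.11 FIPS-validated cryptography) may be scored
as partially implemented, deducting 3 instead of 5. Verify all weights against the
current methodology document; the sample data below is constructed for illustration.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203
VALID_POINTS = {5, 3, 1}
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}  # assumption: per the DoD methodology
PARTIAL_DEDUCTION = 3


@dataclass(frozen=True)
class Requirement:
    req_id: str   # NIST SP 800-171 requirement identifier, e.g. "3.1.1"
    title: str
    points: int   # 5, 3 or 1 (assumed weight; check the methodology table)
    status: str   # "met", "unmet" or "partial"


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for this requirement under its current status."""
    if req.points not in VALID_POINTS:
        raise ValueError(f"{req.req_id}: point value must be 5, 3 or 1")
    if req.status == "met":
        return 0
    if req.status == "partial":
        if req.req_id not in PARTIAL_CREDIT_IDS:
            raise ValueError(f"{req.req_id} does not allow partial credit")
        return PARTIAL_DEDUCTION
    if req.status == "unmet":
        return req.points
    raise ValueError(f"unknown status {req.status!r} for {req.req_id}")


def sprs_score(reqs: list[Requirement]) -> int:
    """Score = 110 minus the sum of deductions; bounded by the published range."""
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside the SPRS range {MIN_SCORE}..{MAX_SCORE}")
    return score


def _id_key(req_id: str) -> tuple[int, ...]:
    # Sort "3.11.2" after "3.3.1" numerically rather than as strings.
    return tuple(int(part) for part in req_id.split("."))


def remediation_order(reqs: list[Requirement]) -> list[str]:
    """Open items, highest point deduction first (Phase 3 priority), ties by requirement id."""
    open_items = [r for r in reqs if deduction(r) > 0]
    return [r.req_id for r in sorted(open_items, key=lambda r: (-deduction(r), _id_key(r.req_id)))]


# Constructed sample gap-assessment result; weights and statuses are illustrative only.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "met"),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5, "met"),
    Requirement("3.1.20", "Verify and control connections to external systems", 1, "unmet"),
    Requirement("3.3.1", "Create and retain system audit logs", 5, "unmet"),
    Requirement("3.4.2", "Enforce security configuration settings", 5, "met"),
    Requirement("3.5.3", "Use multifactor authentication", 5, "partial"),
    Requirement("3.8.1", "Protect system media containing CUI", 3, "unmet"),
    Requirement("3.11.2", "Scan for vulnerabilities periodically", 5, "unmet"),
    Requirement("3.13.11", "Employ FIPS-validated cryptography", 5, "met"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    print("Remediate in order:", remediation_order(SAMPLE))
```

The deduction for the sample is 1 + 5 + 3 + 3 + 5 = 17, giving a score of 93; the ordering puts the two 5-point gaps first so that remediation effort recovers the most SPRS points earliest. A real run would load all 110 requirements from the system security plan rather than the nine constructed here, and the range check only becomes meaningful on that full set.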


Reference Table or Matrix

CMMC Level                       | Information Type          | Practices | Source Standard                     | Assessment Method                             | Assessment Frequency
---------------------------------|---------------------------|-----------|-------------------------------------|-----------------------------------------------|---------------------
Level 1 — Foundational           | FCI only                  | 17        | FAR 52.204-21                       | Self-assessment + senior official attestation | Annual
Level 2 — Advanced (self-assess) | CUI (lower-risk programs) | 110       | NIST SP 800-171 Rev. 2              | Self-assessment + affirmation                 | Annual
Level 2 — Advanced (C3PAO)       | CUI (most programs)       | 110       | NIST SP 800-171 Rev. 2              | C3PAO third-party assessment                  | Triennial
Level 3 — Expert                 | CUI (critical programs)   | 110 + 24  | NIST SP 800-171 Rev. 2 + SP 800-172 | DCMA DIBCAC government assessment             | Triennial

Actor                             | Role                                            | Governing Body
----------------------------------|-------------------------------------------------|-----------------
C3PAO                             | Conducts Level 2 third-party assessments        | Cyber AB
Certified Assessor (CA)           | Performs assessments within a C3PAO             | Cyber AB
Certified CMMC Professional (CCP) | Supports assessments; advisory role             | Cyber AB
DCMA DIBCAC                       | Conducts Level 3 government assessments         | DoD / DCMA
OUSD(A&S)                         | Administers CMMC program policy                 | DoD
NARA                              | Maintains CUI Registry and category definitions | Executive Branch
