What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD) program that verifies organizations in the Defense Industrial Base (DIB) can protect sensitive contract information—especially Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
This guide covers:
- What CMMC is and how it differs from “self-attestation only”
- CMMC 2.0 levels and assessment types
- How CMMC connects to DFARS, NIST SP 800-171, and contract flow-down
- What the November 2025 contracting rollout means in practice
Related guides:
- CMMC resource collection
- CMMC certification checklist (full guide)
- Final CMMC rule enforcement (Nov 10)
- The ultimate guide to NIST 800-171

Key takeaways
- CMMC is a verification program: contractors must demonstrate—and in many cases prove—security practices through assessment.
- CMMC 2.0 has three levels aligned to the sensitivity of information handled and contract requirements.
- Level 1 maps to basic safeguarding (15 practices); Level 2 aligns with NIST SP 800-171; Level 3 adds NIST SP 800-172 enhancements.
- CMMC requirements can appear in DoD contracts following the November 10, 2025 phased rollout.
What is CMMC?
CMMC is a structured model the DoD uses to ensure contractors and subcontractors implement appropriate cybersecurity controls before—and while—they handle government information.
Under CMMC 2.0, the program emphasizes:
- Clear levels tied to FCI vs. CUI handling
- Assessment types (self-assessment, C3PAO certification, government assessment)
- Contract enforcement through DFARS acquisition rules
CMMC does not replace underlying standards like NIST SP 800-171 for CUI protection—it operationalizes how compliance is validated and reported (including via SPRS).
Why CMMC exists
Defense supply chains include thousands of contractors handling sensitive but unclassified data. CMMC addresses gaps where organizations claimed compliance without consistent evidence or third-party validation.
| Driver | What CMMC aims to improve |
|---|---|
| Supply chain risk | Consistent security across primes and subs |
| CUI protection | Demonstrable implementation of 800-171 |
| Contract accountability | CMMC level and assessment type in solicitations |
| Incident reduction | Stronger identity, logging, patching, and governance |
CMMC 2.0 levels at a glance
| Level | Typical information | Control basis | Common assessment |
|---|---|---|---|
| 1 | FCI | 15 practices from FAR 52.204-21 | Annual self-assessment + SPRS |
| 2 | CUI | NIST SP 800-171 (110 requirements) | Self-assessment or C3PAO (contract-dependent) |
| 3 | CUI with heightened risk | 800-171 + NIST SP 800-172 | C3PAO (Level 2) + DIBCAC (Level 3) |
Your required level comes from contract language, data types, and program office guidance—not from internal preference alone.
Rollout and contract timing
The DoD finalized CMMC policy and contracting rules in 2024–2025. Contracting teams may begin including CMMC clauses in solicitations starting November 10, 2025, with a phased increase through 2028 for covered contracts.
Practical implication: even if your current contract lacks CMMC today, primes may flow down requirements early to avoid award risk.
See CMMC certification checklist: get started.
Get CMMC-ready with SecureSlate
SecureSlate helps DIB teams map controls, maintain SSP and boundary documentation, track POA&M items, and centralize evidence for assessments.
FAQ
Is CMMC the same as NIST 800-171?
No. NIST SP 800-171 defines security requirements for CUI. CMMC defines how compliance is assessed, affirmed, and reflected in contracts and SPRS.
Do subcontractors need CMMC?
Often yes—flow-down clauses can require subs to meet the same CMMC level as the prime for scoped systems and data.
When is CMMC mandatory?
Phased rollout began November 10, 2025; full implementation for covered solicitations is targeted by November 10, 2028 (excluding certain COTS-only scenarios).
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute legal advice. CMMC obligations depend on your contracts, scope, and assessor guidance—consult qualified counsel and assessors for your situation.
