CMMC (Cybersecurity Maturity Model Certification)

What Is CMMC (Cybersecurity Maturity Model Certification)?

CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity compliance framework developed by the U.S. Department of Defense (DoD) to protect sensitive information within the Defense Industrial Base (DIB).

The framework establishes standardized cybersecurity requirements for defense contractors and verifies that those requirements are implemented before organizations can receive certain Department of Defense contracts.

CMMC is designed to:

• Establish required cybersecurity controls for defense contractors
• Validate implementation through formal assessments
• Tie certification status to eligibility for covered DoD contracts
• Apply to organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)

Rather than relying solely on organizations to self-attest to cybersecurity compliance, CMMC introduces certification levels and assessment requirements that confirm security controls are implemented and operating effectively.

Overview of CMMC

CMMC was introduced to address cybersecurity weaknesses across the U.S. defense supply chain. The Defense Industrial Base (DIB) consists of hundreds of thousands of organizations that design, manufacture, and support military systems and technologies.

Because these organizations often store or process sensitive government data, weaknesses within contractor networks can create national security risks.

Historically, contractors were required to implement security controls defined in NIST SP 800-171, but compliance largely relied on self-attestation. Investigations later revealed that many organizations had not fully implemented the required safeguards.

CMMC was created to strengthen enforcement by requiring organizations to demonstrate cybersecurity maturity through certification and formal assessments.

Background Drivers

Several factors contributed to the development of the CMMC framework.

• Reliance on self-attestation under NIST SP 800-171: Under earlier requirements, organizations were responsible for confirming their own compliance with federal cybersecurity standards. This often resulted in inconsistent implementation across the defense supply chain.
• Cyber espionage targeting defense contractors: Nation-state threat actors have frequently targeted defense contractors to obtain military technologies, research, and intellectual property.
• Supply chain vulnerabilities: The Defense Industrial Base contains a large network of organizations, including subcontractors and service providers. Weak security practices at any point in the supply chain can expose sensitive information.
• Intellectual property theft: Defense contractors have historically been targeted for cyber attacks designed to steal proprietary research, system designs, and operational plans.

Enforcement Authority

CMMC is mandated by the U.S. Department of Defense and applies to contractors and subcontractors bidding on contracts involving Federal Contract Information or Controlled Unclassified Information.

Key enforcement characteristics include:

• Certification requirements tied directly to DoD contract eligibility
• Applicability to both prime contractors and subcontractors
• Requirements phased into DoD solicitations over time
• Verification through self-assessments, third-party assessments, or government assessments

Organizations that cannot demonstrate the required certification level may be unable to bid on certain defense contracts.

Evolution of the Model

The CMMC framework has evolved since its original release.

CMMC 1.0 (Original Model)
The initial version of the framework introduced five maturity levels intended to measure cybersecurity capabilities across contractors.

CMMC 2.0 (Current Model)
The updated version simplified the framework to three maturity levels, reducing redundancy while aligning more closely with existing federal cybersecurity standards.

Types of CMMC (CMMC 2.0 Levels)

CMMC 2.0 defines three certification levels that correspond to different types of sensitive information and threat exposure.

Level 1: Foundational

Level 1 applies to contractors that handle FCI.

Key characteristics include:

• 17 basic safeguarding controls
• Based on FAR 52.204-21
• Annual self-assessments permitted
• Focus on basic cybersecurity hygiene

These requirements emphasize basic safeguards such as system access control and protection of federal contract data.

Level 2: Advanced

Level 2 applies to organizations that process or store CUI.

Key characteristics include:

• 110 security controls aligned with NIST SP 800-171
• Focus on protecting CUI from more sophisticated threats
• Third-party assessments required for most contracts

Because many defense contractors handle CUI, Level 2 certification is expected to apply to a large portion of the DIB.

Level 3: Expert

Level 3 is intended for contractors working on high-priority national security programs.

This level builds on Level 2 requirements and introduces additional security controls derived from NIST SP 800-172, which focuses on defending CUI against advanced persistent threats.

Key characteristics include:

• Government-led assessments
• Additional safeguards beyond NIST SP 800-171
• Enhanced protections for sensitive defense programs

The Original Five Levels (CMMC 1.0)

The original CMMC model defined five maturity levels:

1. Basic Cyber Hygiene
2. Intermediate Cyber Hygiene
3. Good Cyber Hygiene
4. Proactive
5. Advanced / Progressive

CMMC 2.0 consolidated these levels into three tiers to simplify implementation and align more closely with existing cybersecurity standards.

Causes of CMMC Development

CMMC was developed in response to several systemic cybersecurity challenges affecting defense contractors.

Key drivers included:

• Persistent cyber attacks targeting the Defense Industrial Base
• Inconsistent compliance with NIST SP 800-171 requirements
• Limited mechanisms for validating cybersecurity controls
• Increasing complexity of modern defense supply chains

The framework aims to create a standardized certification system that verifies cybersecurity maturity across contractors supporting national defense programs.

Effects of CMMC Development

The introduction of CMMC has several operational and governance implications for organizations within the defense supply chain.

Common impacts include:

• Cybersecurity tied directly to contract eligibility
• Increased documentation and audit readiness requirements
• Greater supply chain accountability
• Expanded executive oversight of cybersecurity programs

Organizations pursuing certification frequently implement additional security controls such as:

• Multi-factor authentication (MFA)
• Access control and identity management
• Centralized logging and monitoring
• Incident response programs
• Network segmentation
• Vendor risk management practices

Compare CMMC to NIST SP 800-171

Although CMMC is closely related to NIST SP 800-171, the two frameworks serve different roles.

NIST SP 800-171

• Defines 110 security controls
• Serves as a security standards framework
• Focuses on protecting Controlled Unclassified Information
• Historically relied on self-attestation

CMMC

• Functions as a certification and validation program
• Enforces implementation of required controls
• Introduces structured maturity levels
• Requires self, third-party, or government assessments

In simple terms:

NIST defines the required security controls, while CMMC verifies that contractors have implemented them before receiving certain Department of Defense contracts.

Examples of CMMC

Real-World Examples

Defense Manufacturer

A manufacturing company producing specialized military components receives technical drawings containing Controlled Unclassified Information. Because the organization stores and processes CUI, it must achieve CMMC Level 2 certification and implement controls such as encryption, logging, access restrictions, and multi-factor authentication.

Managed Service Provider

An IT service provider supporting defense contractors may fall within the scope of CMMC if it manages infrastructure that stores or processes Federal Contract Information or Controlled Unclassified Information.

Software Development Contractor

A company developing software for high-priority defense programs may require Level 3 certification and be subject to government-led security assessments.

Who Might Need CMMC

Organizations that may fall within the scope of CMMC include:

• Prime defense contractors
• Subcontractors handling Federal Contract Information
• Organizations processing Controlled Unclassified Information
• Cloud and hosting providers supporting defense systems
• Manufacturers receiving controlled specifications
• IT service providers with administrative access to contractor networks

Any organization within the Defense Industrial Base that processes, stores, or transmits FCI or CUI may eventually require certification.

Related Terms

• NIST
• ISO 27001
• SOC 2
• CIS Controls

AI-powered DNS security isn’t just the future—it’s how you stay ahead today. Start your free trial of DNSFilter and see how proactive DNS protection makes all the difference.