CMMC (Cybersecurity Maturity Model Certification)
By Chad Griffith
The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense framework for verifying that defense contractors and subcontractors implement adequate cybersecurity controls when handling Controlled Unclassified Information (CUI). CMMC 2.0, published in November 2021 and codified at 32 CFR Part 170 (effective December 16, 2024), establishes three levels: Level 1 (Foundational, 17 practices for FCI handlers), Level 2 (Advanced, 110 NIST SP 800-171 practices for CUI handlers), and Level 3 (Expert, 134+ practices for the highest-priority CUI). Level 1 allows annual self-assessment; Level 2 requires either self-assessment or third-party certification by a C3PAO, depending on the sensitivity of the CUI; Level 3 requires a DIBCAC government assessment.
Frequently Asked Questions
Who must comply with CMMC?
All Department of Defense contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). DFARS clause 252.204-7012 already requires implementation of NIST SP 800-171 for CUI; CMMC 2.0 verifies that implementation. A phased rollout in DoD contracts began in 2025, and every new defense contract will eventually require CMMC certification at the level appropriate to the sensitivity of the data handled under the contract.
What are the three CMMC levels?
Level 1 (Foundational): 17 cybersecurity practices for contractors handling Federal Contract Information (FCI); annual self-assessment with affirmation by a senior official. Level 2 (Advanced): 110 practices aligned with NIST SP 800-171 Rev. 2 for contractors handling CUI; self-assessment for less sensitive CUI, C3PAO assessment for prioritized CUI. Level 3 (Expert): the 110 NIST SP 800-171 practices plus additional controls from NIST SP 800-172; DIBCAC government assessment required.
What documents are required for CMMC?
Core artifacts: a System Security Plan (SSP) describing how each practice is implemented; a Plan of Action and Milestones (POA&M) for any deficiencies; and an evidence library demonstrating each practice in operation (access reviews, training records, incident response records, encryption attestations, vendor risk assessments). At Level 2 with a C3PAO assessment, the evidence library must withstand third-party scrutiny across all 110 practices.
What is a C3PAO?
A C3PAO (Certified Third-Party Assessor Organization) is an organization authorized by the CMMC Accreditation Body (Cyber AB) to conduct CMMC Level 2 certification assessments. C3PAOs employ Certified Assessors who evaluate a contractor's implementation of the 110 practices. A C3PAO assessment is required for Level 2 certification involving prioritized CUI; contractors handling lower-priority CUI may self-assess. Cyber AB publishes the list of authorized C3PAOs.