Skip to main content
> CMMC

Cybersecurity Maturity Model Certification

Protecting controlled unclassified information in the defense industrial base

Established: 2020 (CMMC 2.0 finalized 2024) Last Updated: November 2025 (48 CFR acquisition rule; Phase 1 rollout) Scope: United States Defense Contractors
3
Maturity Levels

What does CMMC require in 2026?

CMMC sets cybersecurity requirements for Defense Industrial Base contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The 32 CFR final rule (October 2024) established the three-level framework. The companion 48 CFR DFARS acquisition rule (Federal Register September 10, 2025; effective November 10, 2025) put CMMC requirements directly into DoD solicitations via DFARS clause 252.204-7021. Phase 1 (November 2025 through November 2026) adds Level 1 and Level 2 self-assessment requirements to new contracts. Phase 2 (from November 2026) requires third-party C3PAO assessments for Level 2. Full rollout targets November 2028. Contractors need an active System Security Plan and SPRS score before bidding. Sources: Federal Register 2025-17359; dodcio.defense.gov/CMMC/About.

// What is CMMC?

CMMC establishes cybersecurity requirements for organizations in the Defense Industrial Base (DIB) handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The program requires contractors to demonstrate cybersecurity maturity through assessment before receiving certain DoD contracts.

CMMC 2.0, finalized via 32 CFR in October 2024, streamlined the original five-level model to three levels aligned with existing NIST standards. Level 1 covers basic FCI protection, Level 2 aligns with NIST SP 800-171 for CUI, and Level 3 adds enhanced controls from NIST SP 800-172 for critical programs.

The companion 48 CFR DFARS acquisition rule was finalized in the Federal Register on September 10, 2025 (effective November 10, 2025), inserting DFARS clause 252.204-7021 into DoD solicitations. Phase 1 (November 2025 through November 2026) requires Level 1 and Level 2 self-assessments in new DoD contracts. Phase 2 (from November 2026) requires mandatory third-party C3PAO assessments for Level 2 contracts. Full program coverage across all applicable contracts is targeted by November 2028. Sources: Federal Register 2025-17359; dodcio.defense.gov/CMMC/About.

// Inside the Regulation

CMMC 2.0 defines three maturity levels with increasing security requirements. Each level builds on the previous, with controls derived from NIST Special Publications 800-171 and 800-172.

1

Level 1: Foundational

Basic safeguarding of Federal Contract Information (FCI) based on FAR 52.204-21 requirements. Self-assessment with annual affirmation.

15 Practices

Basic cyber hygiene practices including access control, identification, media protection, physical protection, system protection, and system integrity.

Self-Assessment

Annual self-assessment with affirmation by senior company official. No third-party certification required.

Scope

Applies to contractors handling only FCI (not CUI). Entry point for most small contractors.

2

Level 2: Advanced

Protection of Controlled Unclassified Information (CUI) aligned with NIST SP 800-171 Rev 2. Requires third-party assessment for most contracts.

110 Practices

Complete implementation of NIST SP 800-171's 110 security requirements across 14 control families.

Assessment Types

Self-assessment for non-prioritized acquisitions; third-party assessment by C3PAO (Certified Third-Party Assessment Organization) for prioritized acquisitions.

Plan of Action & Milestones

Limited POA&Ms allowed for certain requirements with defined timelines for remediation.

Key Control Families

Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity.

3

Level 3: Expert

Enhanced protection for CUI on critical programs against advanced persistent threats. Government-led assessment required.

110+ Practices

All NIST SP 800-171 requirements plus selected enhanced controls from NIST SP 800-172.

Government Assessment

Assessment conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Critical Programs Only

Required only for contractors supporting the most sensitive DoD programs with highest-value CUI.

Note: CMMC builds on existing DFARS 252.204-7012 requirements, which already require NIST SP 800-171 implementation. The key change is mandatory assessment and certification before contract award, rather than self-attestation. Organizations already compliant with 800-171 are well-positioned for CMMC Level 2.

// Who Must Comply

  • 1 Prime contractors on DoD contracts involving FCI or CUI
  • 2 Subcontractors handling FCI or CUI from DoD contracts
  • 3 Defense Industrial Base organizations seeking DoD work
  • 4 Manufacturers and suppliers in defense supply chains
  • 5 IT service providers supporting DoD contractors

// Key Requirements

Access Control

Limit system access to authorized users, processes, and devices; control CUI flow

Audit & Accountability

Create, protect, and retain system audit logs; review and report on audit events

Configuration Management

Establish and maintain baseline configurations; control and monitor changes

Identification & Authentication

Identify and authenticate users, devices, and processes; implement multi-factor authentication

Incident Response

Establish incident handling capabilities; detect, report, and respond to incidents

System Protection

Monitor, control, and protect communications; implement subnetwork isolation

// Enforcement & Penalties

CMMC non-compliance results in ineligibility for contract award. False claims about compliance status carry severe penalties under the False Claims Act. Organizations misrepresenting CMMC status face potential debarment from federal contracting.

Maximum Penalty

False Claims Act: treble damages + $11,000+ per claim

Examples:

  • Contract award denial for insufficient CMMC level
  • False Claims Act liability for misrepresenting compliance status
  • Contract termination if certification lapses during performance
  • Debarment from federal contracting for willful non-compliance

// Cyber Insurance Impact

Cyber insurers serving defense contractors increasingly require evidence of CMMC compliance or readiness. Coverage for CUI breaches may depend on demonstrated compliance with applicable requirements. Some insurers offer specialized DIB policies with CMMC compliance conditions.

// How Breach Craft Helps

We help organizations achieve CMMC compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CMMC.

// Common Questions

Can a virtual CISO support CMMC compliance?

CMMC and the underlying NIST SP 800-171 require organizations to assign security responsibilities and maintain a system security plan (SSP) and a plan of action and milestones (POA&M). They do not mandate a single titled officer, but someone has to own the program. A virtual CISO can provide that leadership, keep the SSP and POA&M current, and prepare a defense contractor for assessment.

What did the 48 CFR DFARS acquisition rule change for CMMC?

The 48 CFR final rule (Federal Register September 10, 2025; effective November 10, 2025) is the mechanism that actually puts CMMC requirements into contracts. It inserts DFARS clause 252.204-7021 into DoD solicitations and purchase orders. Without this rule, the 32 CFR program existed but had no contract vehicle to enforce it. Phase 1 (November 2025 through November 2026) focuses on self-assessments; Phase 2 (November 2026 onward) requires C3PAO third-party assessment for Level 2 contracts. See Federal Register 2025-17359 for the full rule text.

When do defense contractors need a C3PAO assessment?

Third-party assessments by a Certified Third-Party Assessment Organization (C3PAO) become mandatory for Level 2 contracts starting in Phase 2, which begins November 2026. During Phase 1 (November 2025 through November 2026), Level 2 contractors can use self-assessments in most solicitations. Contractors handling particularly sensitive CUI programs may face earlier C3PAO requirements at the agency's discretion. Organizations should begin C3PAO readiness work well before November 2026 given current assessment lead times.

Does CMMC apply to subcontractors?

Yes. CMMC requirements flow down through the supply chain. Prime contractors must ensure that subcontractors handling FCI or CUI meet the appropriate CMMC level before those subcontractors receive, process, or store covered data. The prime is responsible for verifying subcontractor compliance. Subcontractors who self-certify falsely face False Claims Act liability, which carries treble damages plus penalties exceeding $11,000 per false claim.

// Related Frameworks

// Industries That Need CMMC

These industries commonly require CMMC compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873