Cybersecurity Maturity Model Certification
Protecting controlled unclassified information in the defense industrial base
What does CMMC require in 2026?
CMMC sets cybersecurity requirements for Defense Industrial Base contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The 32 CFR final rule (October 2024) established the three-level framework. The companion 48 CFR DFARS acquisition rule (Federal Register September 10, 2025; effective November 10, 2025) put CMMC requirements directly into DoD solicitations via DFARS clause 252.204-7021. Phase 1 (November 2025 through November 2026) adds Level 1 and Level 2 self-assessment requirements to new contracts. Phase 2 (from November 2026) requires third-party C3PAO assessments for Level 2. Full rollout targets November 2028. Contractors need an active System Security Plan and SPRS score before bidding. Sources: Federal Register 2025-17359; dodcio.defense.gov/CMMC/About.
// What is CMMC?
CMMC establishes cybersecurity requirements for organizations in the Defense Industrial Base (DIB) handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The program requires contractors to demonstrate cybersecurity maturity through assessment before receiving certain DoD contracts.
CMMC 2.0, finalized via 32 CFR in October 2024, streamlined the original five-level model to three levels aligned with existing NIST standards. Level 1 covers basic FCI protection, Level 2 aligns with NIST SP 800-171 for CUI, and Level 3 adds enhanced controls from NIST SP 800-172 for critical programs.
The companion 48 CFR DFARS acquisition rule was finalized in the Federal Register on September 10, 2025 (effective November 10, 2025), inserting DFARS clause 252.204-7021 into DoD solicitations. Phase 1 (November 2025 through November 2026) requires Level 1 and Level 2 self-assessments in new DoD contracts. Phase 2 (from November 2026) requires mandatory third-party C3PAO assessments for Level 2 contracts. Full program coverage across all applicable contracts is targeted by November 2028. Sources: Federal Register 2025-17359; dodcio.defense.gov/CMMC/About.
// Inside the Regulation
CMMC 2.0 defines three maturity levels with increasing security requirements. Each level builds on the previous, with controls derived from NIST Special Publications 800-171 and 800-172.
Level 1: Foundational
Basic safeguarding of Federal Contract Information (FCI) based on FAR 52.204-21 requirements. Self-assessment with annual affirmation.
15 Practices
Basic cyber hygiene practices including access control, identification, media protection, physical protection, system protection, and system integrity.
Self-Assessment
Annual self-assessment with affirmation by senior company official. No third-party certification required.
Scope
Applies to contractors handling only FCI (not CUI). Entry point for most small contractors.
Level 2: Advanced
Protection of Controlled Unclassified Information (CUI) aligned with NIST SP 800-171 Rev 2. Requires third-party assessment for most contracts.
110 Practices
Complete implementation of NIST SP 800-171's 110 security requirements across 14 control families.
Assessment Types
Self-assessment for non-prioritized acquisitions; third-party assessment by C3PAO (Certified Third-Party Assessment Organization) for prioritized acquisitions.
Plan of Action & Milestones
Limited POA&Ms allowed for certain requirements with defined timelines for remediation.
Key Control Families
Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity.
Level 3: Expert
Enhanced protection for CUI on critical programs against advanced persistent threats. Government-led assessment required.
110+ Practices
All NIST SP 800-171 requirements plus selected enhanced controls from NIST SP 800-172.
Government Assessment
Assessment conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Critical Programs Only
Required only for contractors supporting the most sensitive DoD programs with highest-value CUI.
Note: CMMC builds on existing DFARS 252.204-7012 requirements, which already require NIST SP 800-171 implementation. The key change is mandatory assessment and certification before contract award, rather than self-attestation. Organizations already compliant with 800-171 are well-positioned for CMMC Level 2.
// Who Must Comply
- 1 Prime contractors on DoD contracts involving FCI or CUI
- 2 Subcontractors handling FCI or CUI from DoD contracts
- 3 Defense Industrial Base organizations seeking DoD work
- 4 Manufacturers and suppliers in defense supply chains
- 5 IT service providers supporting DoD contractors
// Key Requirements
Access Control
Limit system access to authorized users, processes, and devices; control CUI flow
Audit & Accountability
Create, protect, and retain system audit logs; review and report on audit events
Configuration Management
Establish and maintain baseline configurations; control and monitor changes
Identification & Authentication
Identify and authenticate users, devices, and processes; implement multi-factor authentication
Incident Response
Establish incident handling capabilities; detect, report, and respond to incidents
System Protection
Monitor, control, and protect communications; implement subnetwork isolation
// Enforcement & Penalties
CMMC non-compliance results in ineligibility for contract award. False claims about compliance status carry severe penalties under the False Claims Act. Organizations misrepresenting CMMC status face potential debarment from federal contracting.
False Claims Act: treble damages + $11,000+ per claim
Examples:
- Contract award denial for insufficient CMMC level
- False Claims Act liability for misrepresenting compliance status
- Contract termination if certification lapses during performance
- Debarment from federal contracting for willful non-compliance
// Cyber Insurance Impact
Cyber insurers serving defense contractors increasingly require evidence of CMMC compliance or readiness. Coverage for CUI breaches may depend on demonstrated compliance with applicable requirements. Some insurers offer specialized DIB policies with CMMC compliance conditions.
// How Breach Craft Helps
We help organizations achieve CMMC compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of CMMC.
// Common Questions
Can a virtual CISO support CMMC compliance?
What did the 48 CFR DFARS acquisition rule change for CMMC?
When do defense contractors need a C3PAO assessment?
Does CMMC apply to subcontractors?
// Industries That Need CMMC
These industries commonly require CMMC compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873