Cybersecurity Maturity Model Certification(CMMC)

Overview

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that verifies defense contractors have implemented adequate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 defines three levels: Level 1 (Foundational, 17 practices with self-assessment), Level 2 (Advanced, 110 NIST SP 800-171 controls with third-party assessment), and Level 3 (Expert, additional controls with government assessment).

Why It Matters in GovCon

CMMC is transforming the defense industrial base by making cybersecurity a contract eligibility requirement rather than a self-attested checkbox. Contractors who fail to achieve the required CMMC level cannot bid on or perform contracts requiring that level. The investment in compliance — infrastructure, documentation, and assessment — is significant but increasingly non-negotiable for defense work.

Key Details

• Three Levels: Level 1 (self-assessment for FCI), Level 2 (third-party assessment for CUI), Level 3 (government-led assessment for critical programs).
• NIST SP 800-171: CMMC Level 2 aligns directly with the 110 controls in NIST SP 800-171 Rev 2.
• C3PAOs: Certified Third-Party Assessment Organizations conduct Level 2 assessments; accredited by the Cyber AB.
• Phased Rollout: CMMC requirements are being phased into contracts through DFARS rulemaking starting in 2025.
• Subcontractors: Flow-down requirements mean subcontractors handling CUI must also achieve appropriate CMMC levels.

How GovCon Data Can Help

GovCon Data identifies solicitations with CMMC requirements, helping contractors prioritize compliance investments based on the opportunities they want to pursue.

Related Terms

• NIST SP 800-171
• Controlled Unclassified Information (CUI)
• Federal Contract Information (FCI)
• DFARS 252.204-7012
• Authority to Operate (ATO)