Expressvpn Glossary

Cybersecurity Maturity Model Certification (CMMC)

What is Cybersecurity Maturity Model Certification?

Cybersecurity Maturity Model Certification (CMMC) is a framework that verifies that contractors meet cybersecurity standards for processing, storing, or transmitting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

It was established by the U.S. Department of Defense and builds on standards from the National Institute of Standards and Technology (NIST). The latest version, CMMC 2.0, streamlines the framework into three maturity levels.

How does Cybersecurity Maturity Model Certification work?

Here’s how the CMMC certification process works:

  1. Identify the required certification level: Contractors determine the CMMC level based on the type of work and sensitivity of the information they handle.
  2. Assess current cybersecurity practices: Existing controls and policies are compared against CMMC requirements to evaluate the current security posture.
  3. Address gaps and strengthen security: Systems, policies, and controls are updated to meet the required standards.
  4. Complete the appropriate assessment: Level 1 requires a self-assessment; Level 2 requires either a self-assessment or a CMMC Third-Party Assessment Organization (C3PAO) assessment, depending on contract requirements; and Level 3 requires a Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment.
  5. Receive certification status: Once requirements are met, certification is granted for a defined period.
  6. Maintain ongoing compliance: Security practices are maintained through regular reaffirmations or reassessments.

Figure: Six-step horizontal flow showing how a Cybersecurity Maturity Model Certification works.

Types of cybersecurity maturity model certification

CMMC includes three levels, aligned with the sensitivity of the government information an organization handles. Each level builds on the previous one and defines the required scope and strength of cybersecurity protections.

Level 1

Establishes baseline practices to protect FCI. Requires an annual self-assessment and affirmation of compliance with 15 security requirements in Federal Acquisition Regulation (FAR) clause 52.204-21.

Level 2

Covers protection of CUI. Includes 110 requirements from NIST SP 800-171 Revision 2 and requires either a self-assessment or a C3PAO assessment every three years.

Level 3

Focuses on protection against advanced persistent threats (APTs) to CUI. Requires a Final Level 2 (C3PAO) CMMC Status for the same assessment scope, an assessment by the DIBCAC every three years, and annual affirmation of compliance with 24 requirements from NIST SP 800-172.

Why is Cybersecurity Maturity Model Certification important?

CMMC plays an important role for several reasons:

  • Protects sensitive government data: Helps ensure controls are in place to reduce the risk of data loss or unauthorized access.
  • Supports national security goals: Strengthens the resilience of defense contractors against cyber threats targeting critical systems and data.
  • Standardizes cybersecurity expectations: Establishes a consistent baseline across contractors, replacing fragmented self-attestation practices.
  • Sets conditions for contract eligibility: Determines whether organizations can continue work involving FCI or CUI.

Risks and privacy concerns

Before pursuing CMMC, organizations should consider the following risks:

  • Fake CMMC certificates: Some providers falsely claim to issue official certification, leading to invalid assessments and non-compliance.
  • Exposed evidence stores: Poorly secured repositories for documentation, configs, or logs can leak CUI or internal data.
  • Mis-scoped CUI: Incorrect scoping can result in under- or over-protection, causing gaps, failed assessments, or unnecessary costs.
  • Inconsistent C3PAO quality: A 2025 audit by the U.S. Department of Defense Office of Inspector General found gaps in how C3PAOs are authorized, making assessor verification important.
  • Employee monitoring and privacy concerns: Logging and monitoring requirements can raise privacy issues, especially on employee devices or in remote environments.
  • Personal devices and data scope: Depending on how CUI is accessed, stored, transmitted, or protected, some remote-access technologies, devices, or supporting security assets may fall within scope, creating challenges around data collection and separation of personal and work activity.

FAQ

Is CMMC the same as NIST SP 800-171?

Cybersecurity Maturity Model Certification (CMMC) is not the same as the National Institute of Standards and Technology (NIST) SP 800-171. CMMC incorporates SP 800-171 controls at Level 2 but adds formal assessment requirements beyond the standard.

What’s the difference between FCI and CUI?

Federal Contract Information (FCI) is information created for or provided by the government under a contract that isn’t intended for public release. Controlled Unclassified Information (CUI) is unclassified government data that requires stricter protection under specific laws or policies.

When is self-assessment allowed vs. C3PAO?

Self-assessment is allowed for Level 1 of the Cybersecurity Maturity Model Certification (CMMC) and for Level 2 if the contract permits it. Level 3 requires a Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment.

How long does a CMMC status last?

Level 1 status is valid for one year, while Level 2 and Level 3 status determinations are valid for three years from the date of issuance.

What is a POA&M, and when is it permitted?

A Plan of Action and Milestones (POA&M) is a corrective plan for gaps identified during an assessment. It is allowed at Level 2 and Level 3 for select non-critical items and must be resolved within 180 days; it is not permitted at Level 1.