What Is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is the DoD’s framework for verifying that defense contractors actually protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It’s codified in 32 CFR Part 170, the program rule that took effect on 16 December 2024, and put into contracts via DFARS clauses that took effect on 10 November 2025. CMMC adds a verification layer on top of cybersecurity requirements that have been contractually required since 2017 — it doesn’t change what you have to do, it changes how you have to prove you did it.
FCI vs CUI
These two information types determine which CMMC level applies to you:
Federal Contract Information (FCI) — Information not intended for public release, provided by or generated for the Government under a contract. Defined in FAR 52.204-21. Examples: contract numbers, delivery schedules, basic project status. Triggers Level 1.
Controlled Unclassified Information (CUI) — Sensitive but unclassified information that requires safeguarding under law, regulation, or government-wide policy. Categories defined in 32 CFR Part 2002 and the NARA CUI Registry. Examples: Export Control, Privacy, Proprietary Business Information, Critical Infrastructure. Triggers Level 2 or Level 3 depending on sensitivity.
Three Levels
Level 1 — Foundational. 15 basic safeguarding requirements from FAR 52.204-21. Annual self-assessment with an Affirming Official’s annual affirmation submitted to SPRS. Covers FCI. No POA&Ms permitted at any time.
Level 2 — Advanced. 110 security requirements from NIST SP 800-171 Rev 2 (organised in 14 families). Two paths:
- Level 2 (Self) — self-assessment with annual affirmation; permitted on selected contracts during the rollout phase.
- Level 2 (C3PAO) — certification assessment by a Certified Third-Party Assessment Organization. Becomes the default for CUI contracts in Phase 2 (10 November 2026).
Either path covers CUI. Level 2 is what this reference focuses on.
Level 3 — Expert. Level 2 plus 24 additional requirements from NIST SP 800-172. Assessed by DCMA DIBCAC (the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center). Reserved for the most sensitive CUI.
Who It Applies To
Any organization in the Defense Industrial Base (DIB) that handles FCI or CUI under DoD contracts — primes, subcontractors, and any company in the supply chain that processes, stores, or transmits this information. The required CMMC level is specified in the contract solicitation (Section L) and evaluation criteria (Section M), and flowed down to subcontractors per 32 CFR § 170.23. Subs must hold the CMMC status appropriate to the data they handle, which may not be the same level as the prime.
The DoD’s terminology in the program rule:
- OSA (Organization Seeking Assessment) — companies pursuing Level 1 self / Level 2 self
- OSC (Organization Seeking Certification) — companies pursuing Level 2 (C3PAO) / Level 3 (DIBCAC)
You’ll see both terms in 32 CFR Part 170 and the assessment guides.
Why It Exists
Before CMMC, contractors self-attested to NIST 800-171 compliance under DFARS 252.204-7012 (in effect since 2017). Many claimed compliance without meeting the requirements. CMMC introduces verified status — either through self-assessment with an Affirming Official’s annual affirmation (Levels 1 and 2 self) or through independent C3PAO certification (Level 2 C3PAO) or government assessment (Level 3 DIBCAC). The technical requirements haven’t changed; the proof requirements have.
Annual affirmations
Every CMMC Status — Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3 — requires an annual affirmation submitted to SPRS by an Affirming Official (a senior officer with responsibility for ensuring the security requirements are met), per 32 CFR § 170.22. Missing or lapsed affirmations affect contract eligibility.