What CMMC is
CMMC (the Cybersecurity Maturity Model Certification) is the US Department of Defense's certification framework for any contractor or subcontractor handling sensitive government information. The current version, CMMC 2.0, was streamlined from the original 5-level CMMC 1.0 in 2021. The final rule (32 CFR Part 170) was published October 2024.
Contract-clause rollout (DFARS 252.204-7021) phases in through 2028. By 2028, essentially every DoD contract handling FCI or CUI will require CMMC certification at the appropriate level before award.
FCI vs CUI
FCI (Federal Contract Information)
Information provided by or generated for the government under contract that's not intended for public release. Examples: contract performance data, proprietary contract correspondence, transactional details. The handling baseline is the 15 requirements in FAR clause 52.204-21.
CUI (Controlled Unclassified Information)
Information requiring safeguarding or dissemination controls under 32 CFR Part 2002. Includes technical drawings, export-controlled (ITAR) data, specific weapons system specs, intelligence information. The handling baseline is the 110 requirements in NIST SP 800-171 Rev 2.
The National Archives maintains the CUI Registry listing every defined CUI category. If your contract identifies data as CUI, you're at Level 2 minimum.
The 3 CMMC levels
| Level | Information | Controls | Assessment |
|---|---|---|---|
| Level 1 (Foundational) | FCI only | 15 (FAR 52.204-21) | Annual self-assessment + executive affirmation |
| Level 2 (Advanced) | CUI | 110 (NIST SP 800-171 Rev 2) | Triennial C3PAO third-party assessment for prioritized acquisitions; self-assessment for limited scope |
| Level 3 (Expert) | Highest-priority CUI (APT-targeted) | 110 + 24 enhanced (NIST SP 800-172) | Triennial government-led assessment by DCMA's DIBCAC |
What's in the 110 NIST 800-171 controls
The 110 Level-2 controls are grouped into 14 control families:
- Access Control (AC) — 22 controls. Who can access what.
- Awareness and Training (AT) — 3 controls. Security training.
- Audit and Accountability (AU) — 9 controls. Logging and log review.
- Configuration Management (CM) — 9 controls. Baseline configs, change control.
- Identification and Authentication (IA) — 11 controls. MFA, password policy.
- Incident Response (IR) — 3 controls. IR plan, testing.
- Maintenance (MA) — 6 controls. System maintenance procedures.
- Media Protection (MP) — 9 controls. Handling and disposal.
- Personnel Security (PS) — 2 controls. Background checks, departures.
- Physical Protection (PE) — 6 controls. Facility access.
- Risk Assessment (RA) — 3 controls. Vulnerability scanning, risk analysis.
- Security Assessment (CA) — 4 controls. Self-assessment cadence.
- System and Communications Protection (SC) — 16 controls. Encryption, boundary protection.
- System and Information Integrity (SI) — 7 controls. Patching, malware, monitoring.
The assessment process for Level 2
- Scoping — define the CMMC Assessment Scope. Includes every system, person, process, and facility that touches CUI. Aggressively segment what's NOT in scope.
- System Security Plan (SSP) — author the SSP describing how each of the 110 controls is implemented. Templates exist; expect 200-500 pages.
- Plan of Action & Milestones (POA&M) — track open findings. Note: Level 2 has a "no POA&M for some controls" rule — some controls must be fully implemented at assessment time; others can have POA&M items if scored above the threshold.
- SPRS submission — submit your NIST 800-171 self-assessment score to the DoD's Supplier Performance Risk System. Currently 110-point scale starting at -203 (worst) up to +110.
- C3PAO assessment — a CMMC Third-Party Assessment Organization audits your controls. Typical engagement: 6-12 weeks. C3PAOs are accredited by Cyber AB.
- Certification — Cyber AB issues the CMMC Level 2 certificate. Valid 3 years with annual affirmations.
Cost and timeline
| Phase | Time | Cost (Level 2, ~100 employee org) |
|---|---|---|
| Gap assessment | 2-4 weeks | $15-40K |
| Remediation + SSP authoring | 6-18 months | $75-300K (internal + consulting) |
| C3PAO assessment | 6-12 weeks | $50-150K |
| Total to Level 2 | 9-24 months | $150-500K |
| Annual affirmation + maintenance | Ongoing | $30-100K/year |
CMMC vs FedRAMP vs NIST 800-171
| Standard | Audience | Notes |
|---|---|---|
| CMMC 2.0 | DIB contractors handling FCI/CUI | Certification overlay on NIST 800-171 |
| NIST SP 800-171 | Non-federal systems processing CUI | The control set. CMMC Level 2 = these controls + audit |
| FedRAMP | Cloud providers selling to federal agencies | Different audience: cloud, not DIB. Different control set (800-53) |
| NIST SP 800-53 | Federal agencies + FedRAMP cloud | The bigger control catalog. 800-171 is a subset selected for non-federal systems |
| DFARS 252.204-7012 | DoD contractors handling CUI | The contract clause requiring 800-171; CMMC adds the certification piece |
Subcontractor flow-down
CMMC requirements flow down through the supply chain. If your prime's contract requires Level 2, every subcontractor that handles in-scope FCI/CUI must also hold Level 2 — or be excluded from touching that data. Common pattern: primes are requiring Level 2 across the board, even from subs that don't actually need it, to simplify their own scope.
If you're a subcontractor, talk to your primes early. Many are publishing CMMC roadmaps and prioritizing certified subs in awards.