What Is CMMC Compliance? Cybersecurity Maturity Model Certification Explained

This is not a drill.
From aerospace giants like Lockheed Martin to small machine shops, every company in the defense supply chain will soon need to demonstrate robust cybersecurity practices to win DoD contracts.
The background? Cyberattacks against defense contractors have surged in recent years, threatening to compromise sensitive military information and expose national security vulnerabilities. In response, the Department of Defense developed the Cybersecurity Maturity Model Certification (CMMC): a comprehensive framework designed to protect the defense industrial base.
This guide breaks down everything defense contractors need to know about CMMC compliance. Whether you’re a prime contractor developing next-generation weapons systems, a machine shop fabricating parts for military vehicles, or a software developer creating applications for defense logistics, you’ll find the info you need to understand CMMC and navigate the complex landscape of DoD cybersecurity requirements.
What is CMMC compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework established by the U.S. Department of Defense to safeguard sensitive data across the defense industrial base (DIB). The model uses self-assessment and third-party verification to ensure robust cybersecurity controls within the DoD contractor ecosystem.
At its core, CMMC addresses the protection of two key types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- FCI, the broader category, includes basic contract-related information that isn’t intended for public release.
- CUI encompasses unclassified but sensitive information that requires protection under various federal laws, regulations, and policies.
The improper handling of either type of information can give adversaries access to valuable intellectual property and sensitive defense information, making CMMC compliance a matter of national security.
CMMC draws heavily from existing cybersecurity standards, particularly NIST SP 800-171 and FIPS 200. It was developed in collaboration with industry experts, university researchers, and DoD stakeholders.
The resulting framework addresses a wide range of cybersecurity domains, including access control, incident response, risk management, and security assessment. It also provides the DoD with increased assurance that its contractors and subcontractors are meeting cybersecurity requirements in the face of increasingly frequent and complex cyberattacks.
A quick history of CMMC
CMMC was first developed in 2019 when the Department of Defense recognized that its existing self-attestation model was insufficient to protect sensitive defense information.
Prior to CMMC, contractors were required to implement security controls outlined in NIST SP 800-171, but compliance was largely based on self-reporting without verification. This approach left significant vulnerabilities in the defense supply chain, leading to numerous successful cyberattacks against defense contractors.
To address these vulnerabilities, the DoD released the first version of its CMMC framework (version 1.0) in January 2020, including five certification levels and mandatory third-party assessments by certified assessors. The initial plan was to include these CMMC requirements in all defense contracts by 2026. However, after receiving industry feedback about the complexity and cost of implementation, the DoD announced a streamlined new framework: CMMC 2.0.
Understanding CMMC 2.0
Announced in November 2021, CMMC 2.0 was designed to simplify requirements and reduce implementation costs while maintaining robust security standards. The updated version reduced the certification levels from five to three and reintroduced some self-assessment options as an alternative to certified third-party assessment organization (C3PAO) verification.
CMMC 2.0 also reintroduced Plans of Action and Milestones (POA&Ms), allowing companies to achieve certification while still in the process of addressing certain non-critical deficiencies. These changes were designed to make compliance more achievable for defense contractors while still maintaining the cybersecurity capabilities of the DIB.
Who needs CMMC certification?
CMMC requirements apply to all companies that contract with the Department of Defense and handle sensitive defense information. The entire defense supply chain (including vendors and service providers) falls under this umbrella, regardless of the organization’s size. Even organizations that don’t directly contract with the DoD but serve as subcontractors to prime contractors may need certification if they handle FCI or CUI.
CMMC will eventually be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and will be required before a DoD contract is awarded.
A brief guide to CMMC framework levels
CMMC is based on a tiered approach to cybersecurity requirements, with each level building upon the previous one. While CMMC 1.0 included five tiers, the DoD winnowed this down to three levels in CMMC 2.0. Each level is tailored to the sensitivity of information being handled and the corresponding security requirements needed to protect it. (More on this below.)
What level of certification does your company have to meet? That depends on the type and sensitivity of DoD information you handle. The required certification level for a contract will be specified in Requests for Information (RFIs) and Requests for Proposals (RFPs), allowing contractors to understand the necessary compliance requirements before bidding.
Companies that only process Federal Contract Information (FCI) will typically only need to achieve CMMC Level 1, which involves 17 basic cybersecurity practices. Organizations that handle Controlled Unclassified Information (CUI), on the other hand, will generally require Level 2 certification with its 110 security requirements from NIST 800-171. Meanwhile, contractors working with the most sensitive CUI supporting critical programs will need CMMC Level 3 certification, which will incorporate 24 additional requirements from NIST SP 800-172.
Here’s a quick breakdown of what each CMMC level requires:
Level 1 (Foundational): Protect FCI with standard cyber hygiene practices like antivirus software, access controls, and device security. Level 1 certification mainly includes fundamental cybersecurity practices that most organizations should already have in place, making it accessible even for smaller contractors with limited cybersecurity resources. Companies in Level 1 can submit an annual self-assessment to the DoD rather than a third-party assessment.
Level 2 (Advanced): Meet all 110 security requirements from NIST 800-171, covering 14 domains of cybersecurity practice like access control, configuration management, incident response, risk management, and system and information integrity. Under CMMC Level 2, organizations handling CUI in support of non-critical programs may be eligible for self-assessment with annual affirmation by senior company officials. However, contractors supporting critical national security programs must undergo third-party assessment by C3PAOs or government assessors.
Level 3 (Expert): Handle the most sensitive CUI for critical programs by meeting all Level 2 requirements plus a subset of enhanced security controls from NIST SP 800-172. These additional requirements focus on addressing advanced persistent threats (APTs) and protecting CUI from sophisticated nation-state actors. Level 3 certification requires detailed CMMC assessment by government officials.
The tiered framework approach of CMMC allows the DoD to apply security requirements proportional to risk — ensuring that all contractors implement appropriate cybersecurity measures without imposing unnecessary requirements and huge implementation costs on companies that don’t handle sensitive data.
Shifting the conversation on CMMC compliance
For many organizations within the DIB, achieving CMMC compliance requires significant investments in cybersecurity infrastructure, processes, and personnel. It’s important to view this investment not just as a cost of doing business with the DoD but as an essential component of organizational risk management. CMMC compliance can help organizations strengthen their overall security posture, protect valuable intellectual property, and demonstrate a commitment to safeguarding sensitive information.
RegScale’s Continuous Controls Monitoring platform is designed to support organizations navigating the complexities of their CMMC program. Our platform streamlines the assessment process, helps identify and remediate gaps in security controls, and provides continuous monitoring to maintain compliance between annual assessments. By automating documentation and evidence collection, RegScale significantly reduces the administrative burden of CMMC certification while improving the accuracy and completeness of compliance documentation.
Beyond CMMC compliance, RegScale supports a wide range of regulatory frameworks including FedRAMP, SOC 2, and more. Defense contractors can use our platform to address overlapping compliance requirements efficiently, respond to new requirements quickly, and transform compliance challenges into opportunities for long-term resilience.
To learn more, visit our resource center.