
Four things to know.

1. Who needs it

Any contractor or subcontractor that handles Controlled Unclassified Information for the DoD. That's roughly 80,000 companies across the defense industrial base.

2. What "Level 2" means

Most contractors need CMMC Level 2 — implementation of all 110 controls in NIST SP 800-171, verified by a third-party assessor (called a C3PAO).

3. What you submit

A System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and an SPRS self-assessment score uploaded to the DoD's Supplier Performance Risk System.

4. What's at stake

Without certification, you can't bid on or renew DoD contracts that involve CUI. Primes are already requiring CMMC compliance from their subcontractors.

What counts as CUI?

Controlled Unclassified Information is government-owned or government-created information that requires protection under federal law, regulation, or policy — but isn't classified. If you're handling something sensitive on behalf of the federal government, but it doesn't carry a classified marking, it's likely CUI.

The CUI program is governed by 32 CFR Part 2002 and managed by the National Archives (NARA), which maintains a registry of every approved CUI category. There are over 100 specific categories. For DoD contractors, the categories that come up most often are:

Controlled Technical Information (CTI)

Engineering drawings, specifications, technical reports, source code, and other data with military or space application.

Export Controlled

Data covered by ITAR or EAR — defense articles, defense services, and dual-use technology subject to export restrictions.

Procurement & Acquisition

Source selection information, proposals, contract data, and pricing information that's sensitive to the procurement process.

Privacy (PII)

Personal information about federal personnel, contractors, or other individuals collected under federal authority.

If you're not sure what categories apply to your contract, the contract itself, the DD Form 254 (for cleared work), or your contracting officer can confirm. The full registry is maintained at archives.gov/cui.

What counts as FCI?

Federal Contract Information is information not intended for public release that's provided by or generated for the federal government under contract — but doesn't carry the safeguarding requirements of CUI. If you do work for the government and produce contract artifacts that aren't sensitive enough to be CUI, you're handling FCI.

The FCI definition comes from FAR 52.204-21, the Federal Acquisition Regulation clause that requires basic safeguarding for contract information. This clause is the foundation of CMMC Level 1.

FCI vs. CUI — the practical difference

FCI is everyday contract information: invoices, basic deliverables, work orders, routine emails about a contract. CUI is the sensitive subset that requires explicit protection — engineering drawings, technical specifications, source selection data, and other categories the government has formally designated.

Most defense contractors handle FCI on every contract. Only some handle CUI — typically those whose contracts involve technical, scientific, or otherwise sensitive material.

How to know which applies to you

The contract clauses are the source of truth. Contracts requiring CMMC Level 1 typically include only FAR 52.204-21. Contracts requiring CMMC Level 2 also carry DFARS 252.204-7012, which governs CUI handling; once the CMMC clause DFARS 252.204-7021 is included in a solicitation, it states the required level outright. If your contract has only the FAR clause, you're an FCI/Level 1 shop. If it has the DFARS clauses too, CUI is in scope and Level 2 applies.

The three levels of CMMC.

CMMC 2.0 has three levels, scaled to the sensitivity of the information involved. The level that applies to you is set by your contract, not by you. Most defense contractors handling CUI fall into Level 2.

Level 2: Advanced

For contractors handling CUI
  • Who needs it: Contractors handling CUI of any kind
  • Requirements: All 110 requirements in NIST SP 800-171 Rev 2 (the revision the CMMC rule and DFARS 252.204-7012 currently reference; DoD has not yet adopted Rev 3, which restructures the set to 97 requirements)
  • Assessment: Third-party C3PAO assessment every three years (some contracts allow self-assessment on the same cycle, with an annual affirmation)
  • Baseline coverage: Fully supported. Guided interview, SSP, POA&M, readiness report, and SPRS scoring guide.

Level 3: Expert

Highest-risk CUI
  • Who needs it: Contractors handling CUI in the highest-priority programs
  • Requirements: A Level 2 certification plus 24 selected requirements from NIST SP 800-172
  • Assessment: Government-led assessment by DIBCAC every three years, on top of the Level 2 C3PAO certification
  • Baseline coverage: Not supported. Level 3 implementations are bespoke and best served by specialized consultants.

How CMMC has evolved.

The program you'll be assessed against today is CMMC 2.0. It's a meaningful simplification of the original framework, and understanding what changed helps explain why the program looks the way it does.

CMMC 1.0 (2020)

The original framework had five maturity levels and added DoD-specific practices on top of NIST 800-171. It also required third-party assessment for nearly every contractor handling CUI, with no allowance for partial compliance at certification time.

CMMC 2.0 (current)

The DoD streamlined the framework after extensive industry feedback. Five levels collapsed to three. The DoD-specific practices were dropped; Level 2 now aligns directly with NIST SP 800-171 Rev 2, no additions. Some contractors can self-assess at Level 2 if their contract allows it. POA&Ms are now permitted at certification time for a limited set of requirements (the assessment score must still reach at least 88 of 110, and with narrow exceptions only 1-point requirements may be left open), with closure required within 180 days. The result: a tighter, more achievable framework that contractors and assessors find easier to work with.

CMMC is being phased in.

The Department of Defense is rolling CMMC requirements into contracts gradually. Here's where things stand and what's coming.

CMMC rollout timeline (Phase 2 is the current phase at the time of writing)
  • November 2025, Phase 1: Self-assessment requirements appear in DoD solicitations
  • November 2026, Phase 2 (current): Mandatory third-party C3PAO assessments begin
  • November 2027, Phase 3: Level 2 + Level 3 required on all new contracts
  • November 2028, Phase 4: Full implementation across all applicable DoD contracts

The three artifacts CMMC compliance requires.

CMMC Level 2 doesn't ask for a single document — it asks for a coordinated set of artifacts that, together, describe your security posture and your plan to address gaps.

System Security Plan (SSP)
A document describing your current state for each of the 110 NIST 800-171 requirements: what you have in place, what's partially in place, and what isn't yet. Each requirement gets a narrative grounded in your specific environment, processes, and tools. Gaps belong in the SSP; honest description is what assessors expect, not blanket attestations of compliance. The SSP is the foundational document an assessor reads first.

Plan of Action and Milestones (POA&M)
A list of every requirement you haven't fully implemented yet, together with your plan and timeline to close each gap. Assessors expect you to have a POA&M; being honest about gaps is part of the framework, not a failure. Under CMMC only a limited set of low-weight requirements may remain open at certification, and those must be closed within 180 days.

SPRS Score (Supplier Performance Risk System)
A numerical self-assessment score that you upload to the DoD's Supplier Performance Risk System. Under the DoD Assessment Methodology the score starts at 110 and loses 1, 3, or 5 points for each requirement that is not implemented, so it ranges from 110 down to -203; it is not a percentage. Primes and DoD contracting officers can see it.

Key roles in the CMMC ecosystem.

If you're new to CMMC, the alphabet soup of organizations and credentials can be confusing. Here's a quick guide.

CyberAB (accreditation body)
The independent organization that manages the CMMC assessment ecosystem on behalf of the DoD: accrediting C3PAOs and authorizing the training and credentialing of assessors and practitioners. The CMMC model itself is owned and published by the DoD.

C3PAO (CMMC Third-Party Assessment Organization)
An accredited organization that conducts the actual CMMC Level 2 assessment of your environment. Its findings determine whether you pass or fail.

Registered Practitioner (RP / RPA)
An individual credentialed through the CyberAB to provide consulting and advisory services on CMMC compliance. RPs help contractors prepare for assessment but cannot conduct the assessment itself.

CCP / CCA (certified professionals and assessors)
Higher-tier credentials. Certified CMMC Professionals have deeper framework knowledge; Certified CMMC Assessors are qualified to conduct assessments under a C3PAO.

Find out where you stand. In about an hour.

Take the guided readiness interview. Walk away with a score, a gap list, and a draft of the documents CMMC requires.