
Four things to know.

1. Who needs it

Any contractor or subcontractor that handles Controlled Unclassified Information for the DoD. That's roughly 80,000 companies across the defense industrial base.

2. What "Level 2" means

Most contractors need CMMC Level 2 — implementation of all 110 controls in NIST SP 800-171, verified by a third-party assessor (called a C3PAO).

3. What you submit

A System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a SPRS self-assessment score uploaded to the DoD's Supplier Performance Risk System.

4. What's at stake

Without certification, you can't bid on or renew DoD contracts that involve CUI. Primes are already requiring CMMC compliance from their subcontractors.

CMMC is being phased in.

The Department of Defense is rolling CMMC requirements into contracts gradually. Here's where things stand and what's coming.

CMMC rollout timeline (in progress)
Phase 1 (November 2025): Self-assessment requirements appear in DoD solicitations
Phase 2 (November 2026, you are here): Mandatory third-party C3PAO assessments begin
Phase 3 (November 2027): Level 2 + Level 3 required on all new contracts
Phase 4 (November 2028): Full implementation across all applicable DoD contracts

The three artifacts CMMC compliance requires.

CMMC Level 2 doesn't ask for a single document — it asks for a coordinated set of artifacts that, together, describe your security posture and your plan to address gaps.

System Security Plan (SSP)
A document describing your current state for each of the 110 NIST 800-171 controls — what you have in place, what's partially in place, and what isn't yet. Each control gets a narrative grounded in your specific environment, processes, and tools. Gaps belong in the SSP; honest description is what assessors expect, not blanket attestations of compliance. The SSP is the foundational document an assessor reads first.
Plan of Action and Milestones (POA&M)
A list of every control you haven't fully implemented yet, together with your plan and timeline to close each gap. Assessors expect you to have a POA&M — being honest about gaps is part of the framework, not a failure.
SPRS Score (Supplier Performance Risk System)
A numerical self-assessment score (out of 110, roughly) that you upload to the DoD's Supplier Performance Risk System. The score reflects your current implementation status across all 110 controls. Primes and DoD contracting officers can see it.

Key roles in the CMMC ecosystem.

If you're new to CMMC, the alphabet soup of organizations and credentials can be confusing. Here's a quick guide.

CyberAB (accreditation body)
The independent organization that manages the CMMC ecosystem on behalf of the DoD — accrediting assessors, training practitioners, and maintaining the framework.
C3PAO (certified third-party assessor)
An accredited organization that conducts the actual CMMC Level 2 assessment of your environment. Their finding determines whether you pass or fail.
Registered Practitioner (RP / RPA)
An individual credentialed by the CyberAB to provide consulting and advisory services on CMMC compliance. RPs help contractors prepare for assessment but cannot conduct the assessment itself.
CCP / CCA (certified professionals and assessors)
Higher-tier credentials. Certified CMMC Professionals have deeper framework knowledge; Certified CMMC Assessors are qualified to conduct assessments under a C3PAO.

Find out where you stand. In about an hour.

Take the guided readiness interview. Walk away with a score, a gap list, and a draft of the documents CMMC requires.