CMMC Compliance Reference for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) framework governs cybersecurity requirements for contractors operating within the United States Department of Defense (DoD) supply chain. Compliance is mandatory for any organization seeking or holding DoD contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This reference covers the structure of CMMC 2.0, the certification levels and their associated requirements, common contractor scenarios, and the regulatory boundaries that determine which compliance path applies.

Definition and Scope

CMMC was established by the DoD to verify that defense contractors adequately protect sensitive federal information. The framework was overhauled from its original version into CMMC 2.0, which the DoD finalized through a rulemaking process that amended Title 32 and Title 48 of the Code of Federal Regulations (DoD CMMC Program Final Rule, 32 CFR Part 170).

The scope of CMMC extends across the entire Defense Industrial Base (DIB), which the DoD estimates comprises more than 300,000 companies (DoD CMMC Overview). Any organization that processes, stores, or transmits FCI or CUI on behalf of the DoD — including prime contractors and subcontractors — falls within scope. The framework draws directly on NIST SP 800-171, which defines 110 security requirements for protecting CUI in nonfederal systems, and on NIST SP 800-172 for the enhanced requirements at the highest level.

CMMC 2.0 consolidates the original five-level model into three distinct levels:

  1. Level 1 (Foundational) — 17 practices aligned with the Federal Acquisition Regulation (FAR) clause 52.204-21, applicable to contractors handling FCI only.
  2. Level 2 (Advanced) — 110 practices drawn entirely from NIST SP 800-171, applicable to contractors handling CUI.
  3. Level 3 (Expert) — Applicable to a subset of contractors handling CUI associated with the DoD's highest-priority programs; requirements exceed NIST SP 800-171 and draw from NIST SP 800-172.

How It Works

CMMC compliance operates through a combination of self-assessment and third-party or government-led certification, depending on the assigned level.

Level 1 contractors complete an annual self-assessment and affirm results through the Supplier Performance Risk System (SPRS), the DoD's official repository for contractor cybersecurity scores. No third-party assessment is required at this level.

Level 2 is bifurcated. Contractors on a prioritized acquisition path must obtain a triennial certification from a Certified Third-Party Assessment Organization (C3PAO), accredited by the Cyber AB (formerly CMMC Accreditation Body). Contractors on a non-prioritized path may conduct a triennial self-assessment with senior official affirmation submitted to SPRS.

Level 3 requires a government-led assessment conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The assessment process follows a structured sequence:

  1. The contractor conducts a gap analysis against the applicable NIST SP 800-171 controls.
  2. The contractor documents a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for any unmet controls.
  3. For assessments that require a C3PAO, the contractor engages an accredited C3PAO through the Cyber AB Marketplace.
  4. Assessment results are recorded and submitted to SPRS.
  5. Certification status is validated during contract award or renewal.

Risk and compliance consultants and cybersecurity consulting firms frequently support contractors through gap analysis and SSP development phases.

Common Scenarios

Small subcontractor handling CUI: A tier-2 machine shop transmits technical drawings marked CUI to a prime contractor. Despite its size, the subcontractor must achieve Level 2 compliance — either through self-assessment or C3PAO certification depending on the contract's designation. Small contractors are not exempt; small business cybersecurity providers have emerged specifically to serve this segment.

Prime contractor managing a large supplier network: A prime must flow CMMC requirements down to subcontractors through contract clauses. Failure to enforce flow-down obligations exposes the prime to False Claims Act liability in addition to contract termination risk.

Cloud service provider (CSP) in the DoD ecosystem: Any CSP storing or processing CUI must meet the FedRAMP Moderate baseline at minimum, per the DoD Cloud Computing Security Requirements Guide (CC SRG). CMMC Level 2 applies to the contractor's operations on top of the cloud environment. Cloud security providers operating in the defense sector must demonstrate compliance with both frameworks simultaneously.

Existing contractor with legacy NIST SP 800-171 self-assessment: Contractors who previously submitted scores under DFARS clause 252.204-7019 must transition to CMMC requirements as the DoD phases CMMC into solicitations. Legacy scores in SPRS do not satisfy CMMC certification requirements for future contracts that specify CMMC Level 2 certification.

Decision Boundaries

The central determination in CMMC applicability is information type — specifically whether a contract involves FCI, CUI, or neither.

Condition                                                  Applicable Level
---------------------------------------------------------  ------------------------------
Contract involves FCI only (no CUI)                        Level 1
Contract involves CUI, non-prioritized path                Level 2 (self-assessment)
Contract involves CUI, prioritized acquisition             Level 2 (C3PAO certification)
Contract involves CUI for highest-priority DoD programs    Level 3 (DIBCAC assessment)

The DoD determines whether an acquisition is "prioritized" based on program sensitivity; contractors do not self-select their assessment path. CUI categories and markings are governed by the National Archives and Records Administration (NARA) CUI Registry, which defines over 100 authorized CUI categories across 20 groupings.

CMMC requirements do not apply to contracts exclusively involving Commercial Off-The-Shelf (COTS) products, as defined under 48 CFR 2.101. Contractors uncertain about their CUI handling obligations should consult the contract's Statement of Work and the applicable DFARS clauses, particularly 252.204-7012, which predates CMMC and continues to apply alongside it.

For broader context on how CMMC relates to other federal and industry frameworks, the cybersecurity compliance frameworks reference and the NIST Cybersecurity Framework reference describe parallel regulatory structures. Government-focused service providers are catalogued under government cybersecurity contractors.
