CMMC Compliance Reference for Defense Contractors
The Cybersecurity Maturity Model Certification (CMMC) program establishes mandatory cybersecurity requirements for contractors operating within the U.S. Department of Defense (DoD) supply chain. This reference covers the program's structure, certification levels, assessment pathways, and the contractual thresholds that determine which requirements apply to a given organization. Defense contractors, subcontractors, and compliance professionals navigating DoD acquisition will find the regulatory framework described here essential to understanding where obligations begin and which assessment paths are available.
Definition and scope
CMMC is a DoD-administered framework that codifies cybersecurity standards as a condition of contract eligibility rather than a voluntary best practice. The program is governed under 32 CFR Part 170, finalized as CMMC 2.0 by the DoD in December 2024. It applies to any organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts.
The scope of CMMC 2.0 spans three certification levels:
- Level 1 (Foundational) — Covers 17 practices drawn from FAR 52.204-21, applicable to contractors handling FCI. Annual self-assessment with senior official affirmation suffices for Level 1.
- Level 2 (Advanced) — Aligns with the 110 security requirements in NIST SP 800-171, applicable to contractors handling CUI. Most Level 2 contracts require a triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO); a subset permits self-assessment for non-prioritized acquisitions.
- Level 3 (Expert) — Incorporates requirements from NIST SP 800-172 in addition to NIST SP 800-171. Level 3 applies to contractors supporting critical DoD programs and requires government-led assessments conducted by the Defense Contract Management Agency (DCMA).
The program does not apply to contracts exclusively involving commercial-off-the-shelf (COTS) items, as specified in DFARS 252.204-7021.
How it works
CMMC requirements flow into contracts through DFARS clauses and solicitation language. The acquisition pathway for defense contractors operates in structured phases:
- System Security Plan (SSP) development — The contractor documents its implementation of required controls against NIST SP 800-171 or the applicable level's control set.
- Plan of Action and Milestones (POA&M) — Open deficiencies are recorded in a POA&M. Under CMMC 2.0, POA&Ms are conditionally permitted at Level 2 for a limited set of requirements, subject to DoD approval.
- Assessment execution — Self-assessment (Level 1 and some Level 2) uses the NIST SP 800-171A methodology. Third-party and government assessments (Level 2 prioritized and Level 3) require engagement with a C3PAO or DCMA, respectively.
- Score submission to SPRS — Assessment scores are entered into the Supplier Performance Risk System (SPRS), which DoD contracting officers consult during source selection.
- Certification issuance — For Level 2 C3PAO assessments and Level 3 government assessments, the Cyber AB (CMMC Accreditation Body) manages certification records.
- Triennial reassessment — Certifications have a three-year validity window requiring periodic renewal.
Subcontractors that receive CUI flowed down from the prime must meet the same level requirement as the prime contractor for the CUI-relevant scope.
Common scenarios
- Prime contractor with full CUI scope — A Tier 1 defense manufacturer holding a weapons system contract will typically face a Level 2 prioritized or Level 3 requirement. This mandates C3PAO engagement or DCMA assessment and full SPRS score submission.
- Small subcontractor handling limited CUI — A 50-person software subcontractor passing CUI through a secure enclave may scope CMMC requirements to a defined environment, reducing the number of assets subject to assessment. Scoping guidance is provided in the DoD's CMMC Scoping Guidance documents.
- Contractor with existing FedRAMP-authorized cloud service — When a contractor uses a FedRAMP High or Moderate authorized Cloud Service Provider (CSP) for CUI, certain inherited controls reduce the contractor's direct control implementation burden under NIST SP 800-171.
- DIBCAC High Assessment holders — Organizations that received a high-confidence score through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) prior to CMMC 2.0 rule finalization may have those scores recognized under transition provisions. Specific equivalency rules are detailed in 32 CFR Part 170, Subpart D.
Decision boundaries
The primary decision boundary between self-assessment and third-party assessment at Level 2 is determined by whether the contract is designated as a "prioritized acquisition." The DoD determines prioritization based on program criticality, not contractor size.
The boundary between Level 2 and Level 3 is not contractor-elected — it is assigned by DoD program offices based on the sensitivity of the program's CUI. Contractors cannot voluntarily pursue Level 3 for programs not designated at that level.
Self-assessment vs. C3PAO assessment at Level 2:
| Factor | Self-Assessment | C3PAO Assessment |
|---|---|---|
| CUI program criticality | Non-prioritized | Prioritized |
| SPRS submission required | Yes | Yes |
| Third-party involvement | None | Certified C3PAO |
| POA&M closure timeline | 180 days (conditional) | Per DoD approval |
The distinction between FCI and CUI also sets a hard threshold: contractors receiving only FCI — such as those delivering non-sensitive commercial services under a DoD contract — remain at Level 1 and are not subject to NIST SP 800-171. Any contract clause referencing CUI handling triggers at minimum Level 2 obligations.
Compliance professionals researching how to locate credentialed assessors and CMMC-focused service providers can consult How to Use This Advanced Security Resource for navigation guidance.