CMMC
What is CMMC?
A U.S. Department of Defense certification program that verifies contractors in the Defense Industrial Base have adequate cybersecurity controls in place.
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that requires Defense Industrial Base (DIB) contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to demonstrate compliance with specific cybersecurity requirements as a condition of contract award. The program is codified in 32 CFR Part 170, and CMMC 2.0 has three levels: Level 1 (Foundational: the basic safeguarding requirements of FAR 52.204-21, 15 requirements under the final rule and counted as 17 practices in earlier CMMC 2.0 documents, verified by an annual self-assessment), Level 2 (Advanced: the 110 security requirements of NIST SP 800-171, verified for most CUI contracts by a triennial assessment from a CMMC Third-Party Assessment Organization (C3PAO), with self-assessment permitted for a subset of contracts), and Level 3 (Expert: adds selected enhanced requirements from NIST SP 800-172, assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC). Assessment results and annual affirmations of continued compliance are recorded in the Supplier Performance Risk System (SPRS). Contractual enforcement is through DFARS clause 252.204-7021, with CMMC requirements phased into DoD solicitations and contracts over several years rather than applied to all contracts at once.
● Examples
- 01
A defense subcontractor undergoing a C3PAO assessment to reach CMMC Level 2 before bidding on a CUI contract.
- 02
A small parts supplier completing a CMMC Level 1 self-assessment for an FCI-only contract.
● Frequently asked questions
What is CMMC?
A U.S. Department of Defense certification program that verifies contractors in the Defense Industrial Base have adequate cybersecurity controls in place. It belongs to the Compliance & Frameworks category of cybersecurity.
What does CMMC mean?
CMMC stands for Cybersecurity Maturity Model Certification: a U.S. Department of Defense certification program that verifies contractors in the Defense Industrial Base have adequate cybersecurity controls in place before they are awarded contracts involving FCI or CUI.
How do you prepare for a CMMC assessment?
Preparation starts with identifying the required level from the contract and scoping the systems that store, process, or transmit FCI or CUI, since only in-scope assets are assessed. For Level 2, the organization implements the 110 NIST SP 800-171 requirements, documents them in a System Security Plan (SSP) with a Plan of Action and Milestones (POA&M) for any open items, posts its assessment score in SPRS, and then engages a C3PAO for the formal assessment. Level 1 requires only the FAR 52.204-21 safeguards and an annual self-assessment, as detailed in the full definition above.
What are other names for CMMC?
Common alternative names include: Cybersecurity Maturity Model Certification.