
Introduction
Defense contractors today face a binary choice: achieve CMMC compliance or lose eligibility to bid on DoD contracts. With Phase 1 implementation launched November 10, 2025, this is no longer a future concern - it's current policy affecting contract awards right now.
According to the DoD's regulatory impact analysis, over 220,000 contractors and subcontractors comprise the Defense Industrial Base (DIB), with small businesses representing 73% of that population. For these companies, CMMC status determines whether they can even compete for DoD work.
This guide walks through everything defense contractors need to know to get compliant:
- What CMMC is and why it exists
- The three compliance levels and which applies to you
- Who must comply (primes and subcontractors)
- How the assessment process works
- The four-phase rollout timeline
- Practical steps to start preparing now
Overview: CMMC Compliance at a Glance
- CMMC is a DoD program requiring verified cybersecurity standards before contract award
- Three levels - Foundational (Level 1), Advanced (Level 2), Expert (Level 3) - based on information sensitivity
- Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments as conditions of award
- CMMC flows down to all subcontractors who handle FCI or CUI
- Non-compliance means losing contract eligibility entirely, so preparation before bid time is critical
What Is CMMC and Why It Matters for Defense Contractors
The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from state-sponsored and criminal cyber threats targeting the Defense Industrial Base. Understanding what CMMC requires - and why it was created - is the starting point for any contractor navigating DoD contracts.
The Problem CMMC Solves
Prior to CMMC, contractors self-reported their cybersecurity compliance with NIST SP 800-171 under DFARS 252.204-7012. DoD Inspector General and GAO reports found contractors did not consistently implement these mandated security requirements. CMMC addresses this gap by introducing third-party assessments and formal affirmations that create enforceable accountability.
Two Types of Protected Information
Federal Contract Information (FCI):
- Non-public information provided by or generated for the government under contract
- Excludes simple transactional information
- Requires Level 1 compliance
Controlled Unclassified Information (CUI):
- Government-created or -controlled information requiring safeguarding
- Law or policy requires dissemination controls
- Requires minimum Level 2 compliance
In practice, most defense subcontractors handle CUI - which means Level 2 requirements, not the lighter Level 1 baseline, are the relevant benchmark for the majority of the supply chain.
Key Features of the CMMC Program
- Tiered model based on information sensitivity (not company size or contract value)
- Mandatory assessments - self-assessments or third-party certifications depending on level
- Contract-tied enforcement - CMMC status becomes a condition of contract award
- Annual affirmations - senior officials must attest to ongoing compliance in SPRS
The Three CMMC Levels Explained
CMMC operates as a tiered maturity model - each level adds more controls, stricter assessment requirements, and greater scrutiny than the one before it. The DoD specifies the required level directly in each solicitation based on the sensitivity of information involved.
The table below offers a quick comparison before diving into the details:
| | Level 1 - Foundational | Level 2 - Advanced | Level 3 - Expert |
|---|---|---|---|
| Controls | 15 practices (FAR 52.204-21) | 110 practices (NIST SP 800-171 R2) | 110 + 24 enhanced (NIST SP 800-172) |
| Assessment | Annual self-assessment | Self-assessment or C3PAO (every 3 years) | DCMA DIBCAC (every 3 years) |
| CUI Required? | No - FCI only | Yes | Yes - highest sensitivity |
| POA&Ms Allowed? | No | Limited (180-day closeout) | Yes (180-day closeout) |

Level 1 - Foundational
Requirements:
- 15 basic security practices aligned with FAR clause 52.204-21
- Focused on safeguarding FCI
- Annual self-assessment conducted internally
- Senior official affirms compliance annually in SPRS
- POA&Ms not permitted - all 15 requirements must be fully met
Who needs it: Contractors handling only FCI with no CUI involved.
Level 2 - Advanced
Requirements:
- 110 security practices aligned with NIST SP 800-171 Revision 2
- Designed to broadly protect CUI
- Two assessment pathways:
  - Self-assessment: Every 3 years for non-defense-critical CUI
  - C3PAO certification: Every 3 years for defense-category CUI
- Both require annual affirmation in SPRS
- POA&Ms permitted for limited requirements, must close within 180 days
Excluded from POA&Ms (must be fully met):
- AC.L2-3.1.20 External Connections
- AC.L2-3.1.22 Control Public Information
- CA.L2-3.12.4 System Security Plan
- PE.L2-3.10.3 Escort Visitors
- PE.L2-3.10.4 Physical Access Logs
- PE.L2-3.10.5 Manage Physical Access
Who needs it: Most contractors handling CUI - the majority of the DIB falls into this category.
Level 3 - Expert
Requirements:
- All 110 NIST SP 800-171 R2 requirements
- Plus 24 selected enhanced requirements from NIST SP 800-172
- Assessment conducted by DCMA's DIBCAC every three years
- Prerequisite: Current Level 2 C3PAO certification for the same assessment scope
- POA&Ms permitted with 180-day closeout
Level 3 applies to contractors handling the most sensitive CUI - breakthrough technologies, large CUI aggregations, or systems with significant DoD exposure. The enhanced controls under NIST SP 800-172 exist specifically to counter Advanced Persistent Threats (APTs): nation-state-level actors capable of sustained, targeted attacks that basic and intermediate controls aren't designed to stop.
Who Is Required to Meet CMMC Standards
CMMC applies to all DoD prime contractors and subcontractors at any tier whose work requires processing, storing, or transmitting FCI or CUI. The required level is determined by information sensitivity - not company size or contract dollar value.
Subcontractor Flowdown Rule
Prime contractors are responsible for ensuring subcontractors hold a current CMMC certificate or valid self-assessment at the appropriate level for the information they handle. If a subcontractor processes only FCI, Level 1 applies; if it handles CUI, Level 2 is the minimum.
Small businesses make up 73% of the DIB's 220,000+ contractors - which means a large portion of the defense supply chain must now meet formal cybersecurity standards, often for the first time.
Exemptions
Exempt:
- Contracts exclusively for Commercially Available Off-the-Shelf (COTS) items
Not exempt:
- FAR Part 12 commercial item contracts above the micro-purchase threshold where FCI or CUI is processed
- Subcontractors at any tier handling FCI or CUI
How CMMC Differs from NIST 800-171
NIST SP 800-171 is the underlying security standard - a catalog of 110 controls - that CMMC Level 2 is built upon. The critical difference is enforcement:
| Aspect | NIST 800-171 (Pre-CMMC) | CMMC |
|---|---|---|
| Compliance method | Self-attestation | Third-party assessment + affirmation |
| Verification | None | C3PAO or DIBCAC certification |
| Accountability | Self-reported scores | Annual affirmations with legal liability |
| Enforcement | Minimal | Contract award eligibility |

The enforcement gap shown above explains why CMMC introduced third-party verification - self-reported scores under NIST 800-171 offered no real accountability. For contractors handling the most sensitive programs, the framework goes further. NIST 800-172 extends 800-171 with enhanced protections built to counter Advanced Persistent Threats (APTs), and CMMC Level 3 draws on 24 selected 800-172 requirements to address those higher-risk environments.
The CMMC Assessment Process
Three Assessment Pathways
1. Self-Assessment (Level 1 annually; Level 2 self-assessment every 3 years):
   - Conducted internally by the Organization Seeking Assessment (OSA)
   - Results entered into SPRS
   - Senior official affirms compliance
2. C3PAO Assessment (Level 2 certification every 3 years):
   - Conducted by a DoD-accredited CMMC Third-Party Assessment Organization
   - Required for defense-category CUI
   - Results flow into CMMC eMASS, which transmits to SPRS
3. DIBCAC Assessment (Level 3 every 3 years):
   - Conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center
   - Requires current Level 2 C3PAO certification as prerequisite
   - Results flow into CMMC eMASS
Each pathway feeds into a different system of record - and understanding where your results land matters for contract eligibility verification.
Systems of Record
SPRS (Supplier Performance Risk System): All self-assessment results and annual affirmations are entered here. Contracting officers review SPRS directly to verify eligibility before awarding contracts.
CMMC eMASS: C3PAO and DIBCAC assessment results are uploaded here, then automatically transmitted to SPRS.
Both systems must reflect current, accurate status - gaps or mismatches can delay contract awards.
Affirmation Requirements
An Affirming Official (senior-level representative) must submit a binding attestation of continuous compliance in SPRS:
- After every assessment
- After any POA&M closeout
- Annually thereafter
Legal liability: Misrepresentation may result in prosecution under 18 U.S.C. § 1001 (False Statements Act) and civil liability under the False Claims Act.
POA&M Rules for Levels 2 and 3
A Plan of Action and Milestones allows contractors to receive conditional CMMC status while addressing unmet requirements, but:
- All POA&M items must close within 180 days
- The closeout assessment must be performed by the same type of assessing entity (self, C3PAO, or DIBCAC) that conducted the original assessment
- Certain critical requirements cannot be deferred to a POA&M
- Failure to close within 180 days results in expiration of the conditional status and exposure to contractual remedies
Assessment Costs
Contractors bear the full cost of CMMC assessments. The DoD Regulatory Impact Analysis estimates Level 2 C3PAO certification at $104,670 for small entities and $117,768 for other-than-small entities over a 3-year cycle. Actual C3PAO pricing varies based on market dynamics.
The DoD recognizes certain cybersecurity costs as allowable contract costs under FAR Part 31 - contractors should confirm with their contracting officer which expenses qualify for reimbursement.
CMMC Implementation Timeline and How to Prepare
Phased Rollout
| Phase | Start Date | Implementation Scope |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 and Level 2 self-assessments required as condition of award |
| Phase 2 | November 10, 2026 | Adds Level 2 C3PAO certification requirements |
| Phase 3 | November 10, 2027 | Extends Level 2 C3PAO to option periods; introduces Level 3 |
| Phase 4 | November 10, 2028 | Full implementation across all applicable DoD contracts above the micro-purchase threshold (MPT) |

Practical First Steps
1. Identify your information boundaries:
   - Does your contract involve FCI, CUI, or both?
   - Which CMMC level applies to your work?
2. Conduct a gap assessment:
   - Evaluate current controls against NIST SP 800-171 requirements
   - Document gaps and prioritize remediation
3. Build foundational documentation:
   - Develop your System Security Plan (SSP)
   - Create a POA&M for any identified gaps
   - Register for SPRS if not already enrolled
4. Implement technical controls:
   - Deploy security monitoring and logging
   - Establish vulnerability management processes
   - Implement endpoint protection and incident response capabilities
Managed Security Support for CMMC Compliance
These steps are straightforward on paper - but executing them without a dedicated security team is where most small and mid-sized defense contractors run into trouble. Cybriant's managed security services are built around the specific technical controls CMMC Level 2 and Level 3 require:
- 24/7 Managed SIEM covers continuous log aggregation, monitoring, and threat detection - directly addressing Audit and Accountability (AU) and Incident Response (IR) control families
- Vulnerability Management provides real-time scanning and automated patch management to satisfy Risk Assessment (RA) and Configuration Management (CM) requirements
- Managed Detection and Response (MDR) delivers endpoint protection and incident remediation aligned to System and Communications Protection (SC) controls
- CMMC Readiness Assessments include gap analysis, SSP development, POA&M creation, and SPRS score calculation before your formal assessment date
For contractors without in-house security staff, a managed security partner removes the guesswork - and significantly lowers the odds of a costly failed assessment.
To map your current posture against CMMC Level 2 and build a realistic path to certification, start with a readiness assessment. Call Cybriant at 844-411-0404 to get scoped.
Frequently Asked Questions
What is CMMC?
CMMC is the DoD's Cybersecurity Maturity Model Certification program - a tiered framework requiring defense contractors to prove they meet specific cybersecurity standards before being awarded contracts involving FCI or CUI. It replaces the previous self-attestation model with verified compliance.
Is CMMC now required?
Yes. Phase 1 implementation began November 10, 2025, making CMMC compliance a condition of contract award for applicable DoD solicitations. Level 1 and Level 2 self-assessments are currently required, with C3PAO certifications and Level 3 assessments rolling out in subsequent phases.
How is CMMC different from NIST?
NIST SP 800-171 is the security standard - a set of controls. CMMC is the enforcement and verification framework built on top of it, adding mandatory assessments, third-party certification, and annual affirmations that turn voluntary self-attestation into enforceable accountability.
Does CMMC apply to subcontractors?
Yes. CMMC flows down through the supply chain at all tiers. Prime contractors are responsible for ensuring all subcontractors hold the appropriate CMMC level for the sensitive information they handle, whether that's Level 1 for FCI or Level 2/3 for CUI.
Who does not need CMMC certification?
Contractors working exclusively with Commercially Available Off-the-Shelf (COTS) items are exempt. CMMC only applies to DoD contractors and subcontractors whose work involves processing, storing, or transmitting FCI or CUI.