The Short Answer
CMMC (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense’s (DoD) framework for ensuring that every contractor in the defense supply chain handles sensitive government information securely. If your organization works with the DoD — directly or as a subcontractor — CMMC determines whether you’re eligible to bid on, win, and keep federal contracts.
Think of it as a cybersecurity audit with teeth: not just a policy checklist, but a verified, third-party-assessed certification that proves your systems are built and maintained to DoD standards.
Espresso Labs covers up to 80% of CMMC Level 2 controls automatically through its managed platform, reducing the time, cost, and internal effort required to achieve and maintain certification.
110 NIST 800-171 practices
320 assessment objectives
3 certification levels
100% supply chain coverage
Why Was CMMC 2.0 Created?
The DoD created CMMC in response to a surge in cyberattacks targeting defense contractors, many of which were small and mid-sized businesses with limited security resources. CMMC replaced the honor-system approach of self-attestation with independently verified compliance. The result: no certification, no contract.
Who Needs CMMC Certification?
CMMC certification is required for organizations that do business with the U.S. Department of Defense (DoD) and handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes prime contractors, subcontractors, manufacturers, engineering firms, technology providers, professional services firms, and other organizations that support the Defense Industrial Base (DIB).
CMMC requirements flow down through the supply chain, meaning organizations do not need to contract directly with the DoD to be affected. If a prime contractor shares CUI or requires compliance from its suppliers, those subcontractors may also need to achieve the appropriate level of CMMC certification. As CMMC requirements become embedded in defense contracts, certification is increasingly becoming a prerequisite for winning and retaining government business.
What’s in CMMC 2.0?
The CMMC 2.0 framework consolidates established cybersecurity requirements and industry best practices into a structured set of security practices and processes organized across three progressively advanced maturity levels. Organizations must implement these requirements across 14 cybersecurity domains, also known as control families, to achieve and maintain compliance:
Access Control (AC)
Awareness & Training (AT)
Audit & Accountability (AU)
Configuration Management (CM)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Who Certifies an Organization for CMMC?
Organizations seeking CMMC Level 2 certification must undergo an assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs are independent assessment firms authorized by the Cyber AB to perform official CMMC assessments and determine whether an organization meets the required security controls.
Only authorized C3PAOs can issue a recommendation for certification. Following a successful assessment, the results are reviewed through the CMMC ecosystem, and the organization is awarded certification. As demand for CMMC assessments continues to grow across the Defense Industrial Base (DIB), organizations that prepare early are better positioned to secure assessment dates and avoid potential delays.
The Three CMMC Levels
Level 1 (Foundational): 17 basic practices. Annual self-attestation. Applies to contractors handling Federal Contract Information (FCI).
Level 2 (Advanced): 110 practices aligned to NIST SP 800-171. Third-party C3PAO assessment required. Applies to organizations handling CUI.
Level 3 (Expert): 110+ practices plus DoD-specified requirements. Government-led assessment. Applies to the highest-priority CUI programs.
What CMMC Is Not
It’s not a one-time certification. Compliance must be maintained and periodically re-assessed.
It’s not optional for DoD contractors. CMMC requirements are embedded in contract clauses (DFARS).
It’s not just an IT issue. It touches HR, operations, vendor management, and executive leadership.
Frequently Asked Questions
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is sensitive information created or possessed by the U.S. government that requires safeguarding or dissemination controls but is not classified. Examples of CUI may include technical drawings, engineering data, specifications, manufacturing processes, contract information, export-controlled data, and other information related to government programs.
Organizations that receive, store, process, or transmit CUI as part of a Department of Defense (DoD) contract are typically required to implement the security requirements of NIST SP 800-171 and, in many cases, obtain CMMC certification. Protecting CUI is the primary purpose of the CMMC program, helping ensure sensitive government information is safeguarded throughout the Defense Industrial Base (DIB) supply chain.
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is information provided by or generated for the U.S. government under a federal contract that is not intended for public release. FCI includes information created, collected, developed, received, transmitted, used, or stored by a contractor in support of performing a government contract.
Examples of FCI may include contract performance information, project schedules, internal communications related to a contract, or deliverables that are not publicly available. While FCI is generally less sensitive than Controlled Unclassified Information (CUI), organizations that handle FCI are still required to implement basic cybersecurity protections and may be subject to CMMC Level 1 requirements.
What is a POA&M?
POA&M stands for Plan of Action and Milestones. It is a document used to track security deficiencies, compliance gaps, and planned remediation activities. It identifies controls that are not yet fully implemented, describes the actions required to address them, assigns responsibility, and establishes target completion dates.
For organizations pursuing CMMC certification or implementing NIST SP 800-171, the POA&M serves as a roadmap for achieving and maintaining compliance. While the System Security Plan (SSP) documents the security controls currently in place, the POA&M documents what still needs to be improved, helping organizations prioritize remediation efforts and demonstrate continuous progress toward compliance.
What is a C3PAO?
A Certified Third-Party Assessment Organization (C3PAO) is an independent organization authorized by the Cyber AB to conduct official CMMC assessments. For organizations seeking CMMC Level 2 certification, a C3PAO evaluates whether the required security controls have been properly implemented and are operating effectively.
During the assessment, the C3PAO reviews documentation, interviews personnel, examines technical evidence, and validates compliance with applicable CMMC requirements. Organizations that successfully pass their assessment receive certification through the CMMC ecosystem, allowing them to bid on and perform contracts that require CMMC compliance.
What is NIST SP 800-171?
NIST SP 800-171 is a cybersecurity framework published by the National Institute of Standards and Technology (NIST) that establishes requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. The framework contains 110 security requirements organized across 14 control families, including access control, incident response, configuration management, risk assessment, and system monitoring.
Organizations that handle CUI as part of a Department of Defense (DoD) contract are generally required to implement NIST SP 800-171 under DFARS Clause 252.204-7012. Because CMMC Level 2 is closely aligned with the 110 requirements in NIST SP 800-171, achieving compliance with NIST SP 800-171 is one of the most important steps toward obtaining CMMC certification.
How does CMMC 2.0 relate to NIST SP 800-171?
CMMC 2.0 is built largely on the security requirements defined in NIST SP 800-171. In fact, CMMC Level 2 aligns closely with the 110 security controls contained in NIST SP 800-171, making NIST compliance the foundation for achieving CMMC certification. Organizations that handle Controlled Unclassified Information (CUI) as part of Department of Defense (DoD) contracts are already required to implement these controls under DFARS Clause 252.204-7012.
In addition, the DFARS Interim Rule requires contractors to assess their implementation of NIST SP 800-171 and submit their assessment scores to the Supplier Performance Risk System (SPRS). This self-assessment process helps organizations identify and remediate security gaps while preparing for the more formal CMMC assessment process. For many contractors, achieving compliance with NIST SP 800-171 is the most significant step toward obtaining CMMC Level 2 certification.
What is the CMMC 48 CFR Final Rule?
The CMMC 48 CFR Final Rule formally incorporates CMMC requirements into Department of Defense (DoD) contracting regulations, making CMMC an enforceable requirement for covered defense contracts. Published in the Federal Register on September 10, 2025, with an effective date of November 10, 2025, the rule marks the official beginning of the CMMC rollout across the Defense Industrial Base (DIB).
With the start of Phase 1, CMMC readiness is no longer optional for organizations seeking to do business with the DoD. New solicitations and contracts will increasingly include CMMC requirements, making compliance a critical prerequisite for winning, retaining, and renewing defense-related business opportunities.
Ready to Get Started?
CMMC compliance does not have to require a large internal team or a six-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not on managing controls.