CMMC
Getting Started Guide

Cybersecurity Maturity Model Certification

Mandatory certification for all contractors in the US Department of Defense supply chain.

Audit Effort6–12 months for Level 2
Key FactBased on NIST SP 800-171 controls; enforced through contracts.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The DoD created CMMC to ensure that appropriate levels of cybersecurity practices are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 streamlines the model into three compliance levels. Level 1 (Foundational) requires 17 basic cyber hygiene practices. Level 2 (Advanced) requires compliance with the 110 controls of NIST SP 800-171. Level 3 (Expert) adds an additional subset of controls from NIST SP 800-172 for the highest-priority programs.

Crucially, CMMC shifts the paradigm from self-attestation to third-party verification. For Level 2 and Level 3, contractors must pass a rigorous assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) to be eligible for DoD contract awards.

Does CMMC Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

Prime DoD Contractors

Major defense contractors (Lockheed Martin, Boeing) must hold Level 2 or Level 3 certs to win contracts.

Mandatory

Subcontractors and Suppliers

The requirement flows down the entire supply chain. Even a machine shop making one bolt for a tank must achieve at least Level 1.

Mandatory

GovTech SaaS Platforms

If a defense contractor uses your SaaS platform to store or process CUI, your platform must meet FedRAMP Moderate equivalence or CMMC Level 2.

Mandatory
You probably don't need CMMC if:
  • Companies that do not bid on or participate in US Department of Defense contracts.
  • Providers of strictly Commercial Off-The-Shelf (COTS) products that are entirely unmodified, though this exception is very narrow.

Why CMMC Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

The Rule is Finalizing

After years of drafts, the final CMMC rule is being published. Phased rollout in DoD contracts is imminent, and early adopters will win bids over unprepared competitors.

The C3PAO Bottleneck

There are roughly 300,000 companies in the DIB and only a few dozen authorized C3PAOs. Waiting until the last minute guarantees you won't get an assessor in time.

False Claims Act Liability

The Department of Justice's Civil Cyber-Fraud Initiative is aggressively pursuing contractors who misrepresent their cybersecurity status to the government.

The Requirements

The core security controls and evidence parameters audited for CMMC.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for CMMC.

1
Weeks 1-4

Enclave Scoping & Gap Assessment

Locate all CUI. The best strategy is usually building a secure 'enclave' rather than bringing the whole company into scope.

Key Deliverable:CUI Data Flow Diagram, Enclave Boundary Definition
2
Weeks 5-24

Implementation & SSP Drafting

Implement the 110 NIST 800-171 controls inside the enclave. Configure GCC High (if using Microsoft). Draft the SSP.

Key Deliverable:System Security Plan (SSP), Deployed Enclave
3
Weeks 25-32

C3PAO Assessment

Contract a C3PAO to conduct the formal assessment, submit the score to the DoD, and close out any allowed POA&Ms.

Key Deliverable:CMMC Level 2 Certification
With Existing Certifications

6-8 months: Even with SOC 2 or ISO 27001, CMMC's strict requirements (like FIPS validation and specific US-citizen data sovereignty rules) require a heavy technical lift.

Starting from Scratch

12-18 months: Building a compliant enclave from scratch requires migrating to GovCloud environments and entirely rethinking IT architecture.

The Mistakes That Delay Most CMMC Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Scoping the whole corporate network

Why it happens:

If CUI touches your main network, the entire company must meet 110 DoD controls, which is cripplingly expensive and slow.

How to avoid it:

Build a CUI Enclave (e.g., in Azure GovCloud). Restrict CUI strictly to that enclave. Only the enclave gets assessed.

Using standard commercial cloud (AWS/M365 Commercial)

Why it happens:

Standard commercial clouds often do not meet DFARS 7012 requirements for incident reporting or US-persons-only support.

How to avoid it:

You generally must use Microsoft 365 GCC High or AWS GovCloud to store CUI.

Confusing FIPS 'compliant' with FIPS 'validated'

Why it happens:

A vendor claiming their encryption is 'FIPS compliant' means nothing to a CMMC auditor. They need the actual NIST validation certificate number.

How to avoid it:

Demand the FIPS 140-2 or 140-3 certificate number from your firewall, VPN, and storage vendors. If they don't have one, replace them.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

CMMC Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

CMMC Checklist

Assess your baseline control posture against CMMC criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about CMMC compliance and certification processes.