Cybersecurity Maturity Model Certification
Mandatory certification for all contractors in the US Department of Defense supply chain.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The DoD created CMMC to ensure that appropriate levels of cybersecurity practices are in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC 2.0 streamlines the model into three compliance levels. Level 1 (Foundational) requires 17 basic cyber hygiene practices. Level 2 (Advanced) requires compliance with the 110 controls of NIST SP 800-171. Level 3 (Expert) adds an additional subset of controls from NIST SP 800-172 for the highest-priority programs.
Crucially, CMMC shifts the paradigm from self-attestation to third-party verification. For Level 2 and Level 3, contractors must pass a rigorous assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) to be eligible for DoD contract awards.
Does CMMC Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
Prime DoD Contractors
Major defense contractors (Lockheed Martin, Boeing) must hold Level 2 or Level 3 certs to win contracts.
Subcontractors and Suppliers
The requirement flows down the entire supply chain. Even a machine shop making one bolt for a tank must achieve at least Level 1.
GovTech SaaS Platforms
If a defense contractor uses your SaaS platform to store or process CUI, your platform must meet FedRAMP Moderate equivalence or CMMC Level 2.
- Companies that do not bid on or participate in US Department of Defense contracts.
- Providers of strictly Commercial Off-The-Shelf (COTS) products that are entirely unmodified, though this exception is very narrow.
Why CMMC Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
The Rule is Finalizing
After years of drafts, the final CMMC rule is being published. Phased rollout in DoD contracts is imminent, and early adopters will win bids over unprepared competitors.
The C3PAO Bottleneck
There are roughly 300,000 companies in the DIB and only a few dozen authorized C3PAOs. Waiting until the last minute guarantees you won't get an assessor in time.
False Claims Act Liability
The Department of Justice's Civil Cyber-Fraud Initiative is aggressively pursuing contractors who misrepresent their cybersecurity status to the government.
The Requirements
The core security controls and evidence parameters audited for CMMC.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for CMMC.
Enclave Scoping & Gap Assessment
Locate all CUI. The best strategy is usually building a secure 'enclave' rather than bringing the whole company into scope.
Implementation & SSP Drafting
Implement the 110 NIST 800-171 controls inside the enclave. Configure GCC High (if using Microsoft). Draft the SSP.
C3PAO Assessment
Contract a C3PAO to conduct the formal assessment, submit the score to the DoD, and close out any allowed POA&Ms.
With Existing Certifications
6-8 months: Even with SOC 2 or ISO 27001, CMMC's strict requirements (like FIPS validation and specific US-citizen data sovereignty rules) require a heavy technical lift.
Starting from Scratch
12-18 months: Building a compliant enclave from scratch requires migrating to GovCloud environments and entirely rethinking IT architecture.
The Mistakes That Delay Most CMMC Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Scoping the whole corporate network
If CUI touches your main network, the entire company must meet 110 DoD controls, which is cripplingly expensive and slow.
Build a CUI Enclave (e.g., in Azure GovCloud). Restrict CUI strictly to that enclave. Only the enclave gets assessed.
Using standard commercial cloud (AWS/M365 Commercial)
Standard commercial clouds often do not meet DFARS 7012 requirements for incident reporting or US-persons-only support.
You generally must use Microsoft 365 GCC High or AWS GovCloud to store CUI.
Confusing FIPS 'compliant' with FIPS 'validated'
A vendor claiming their encryption is 'FIPS compliant' means nothing to a CMMC auditor. They need the actual NIST validation certificate number.
Demand the FIPS 140-2 or 140-3 certificate number from your firewall, VPN, and storage vendors. If they don't have one, replace them.
Rishabh's Take on CMMC
Practitioner Voice“CMMC is the most brutal compliance framework to implement simply because of the government-mandated rigidity. You cannot talk your way out of a control by claiming 'compensating controls' like you can in SOC 2. FIPS encryption is binary: you have the cert or you fail. Do not attempt to certify your entire company unless you are a pure-play defense contractor. Isolate the CUI into a tiny, hyper-secure enclave, lock it down with GCC High, and assess only that enclave. Also, start now. The line for C3PAO assessors is going to be years long.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
CMMC Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
CMMC Checklist
Assess your baseline control posture against CMMC criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about CMMC compliance and certification processes.