Who must comply with CMMC?

All Department of Defense contractors and subcontractors who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The phased rollout in DoD contracts began in 2025 — every new defense contract eventually requires CMMC certification at the level appropriate to the contract's data sensitivity.

What are the three CMMC levels?

Level 1 Foundational — 17 cybersecurity practices for FCI handlers, annual self-assessment with senior official affirmation. Level 2 Advanced — 110 NIST SP 800-171 r2 controls for CUI handlers, C3PAO assessment for prioritized CUI or self-assessment for non-prioritized CUI. Level 3 Expert — 110 NIST 800-171 controls plus NIST 800-172 enhanced controls, DIBCAC government assessment.

How long is CMMC certification valid?

Final CMMC Level 2 and Level 3 certifications are valid for three years, with annual senior official affirmations. Level 1 self-assessment is valid for one year and must be renewed annually. Conditional CMMC Status (when controls remain in POAM) is valid for only 180 days.

What does CMMC Level 2 assessment cost?

Typical C3PAO assessment for Level 2 ranges $50,000-$250,000 for mid-market contractors, with larger or more complex enterprise environments running higher. Costs include planning, on-site assessment, reporting, and Cyber AB review fees. Initial certification typically costs more than re-certification at year three.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the Government under contract. Controlled Unclassified Information (CUI) is information requiring safeguarding per laws, regulations, or government policies — defined and registered through NARA's CUI Registry. FCI handlers face Level 1 (17 practices); CUI handlers face Level 2 (110 controls) or Level 3.

What is DFARS 252.204-7012?

DFARS 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is the contract clause requiring defense contractors handling Covered Defense Information to implement NIST SP 800-171 controls and report cyber incidents within 72 hours. The clause predates CMMC; CMMC formalizes verification of 252.204-7012 compliance.

What software supports CMMC compliance?

CMMC tooling typically includes: GRC platforms (Vanta, Drata, Apptega), evidence collection and management systems (FileFlo, Hyperproof), SIEM and security monitoring (Splunk, Microsoft Sentinel), endpoint protection (CrowdStrike, SentinelOne), identity and access management (Okta, Microsoft Entra), and configuration management (Chef, Puppet, Ansible). Most contractors use multiple specialized tools rather than a single platform.

CMMC 2.0 Compliance: The Complete Defense Contractor Guide

Q: What is CMMC 2.0?

The Cybersecurity Maturity Model Certification 2.0 is the Department of Defense framework verifying that defense contractors implement adequate cybersecurity controls when handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 is codified at 32 CFR Part 170 with the final rule effective December 16, 2024. Three certification levels apply based on the type and sensitivity of data handled.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense framework verifying that defense contractors and subcontractors implement adequate cybersecurity controls when handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 is codified at 32 CFR Part 170 (final rule effective December 16, 2024) and enforced through DFARS clause 252.204-7012. Phased rollout in DoD contracts began in 2025 — every new defense contract eventually requires CMMC certification at the level appropriate to the contract's data sensitivity. This guide covers all three certification levels, the 110 NIST SP 800-171 controls, the assessment ecosystem (C3PAO and DIBCAC), required artifacts (SSP and POAM), and operational compliance for defense contractors.

CMMC 2.0 At a Glance

Level 1 Foundational — FCI handlers — 17 practices — annual self-assessment — 1-year validity
Level 2 Advanced — CUI handlers — 110 NIST 800-171 r2 controls — C3PAO or self-assessment — 3-year validity
Level 3 Expert — Highest-priority CUI — 110 + NIST 800-172 enhanced — DIBCAC government assessment — 3-year validity

CMMC Topics

Run a free CMMC compliance audit →

Free check — no signup, no credit card. See your gaps in 3 minutes.

Free: 28-page CMMC Level 1 vs Level 2 Self-Assessment Workbook

17 Level 1 practices with self-rating, 110 NIST 800-171 controls quick-rate, SSP template, POAM template, evidence library structure.

Delivered free to your inbox · No commitment, no sales calls without your permission · Unsubscribe anytime