CMMC: What It Is and How It Works

The CMMC Info Hub

CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's (DoD) program for verifying that defense contractors can protect sensitive government information. If you're doing business with the DoD — directly or as a subcontractor — CMMC requirements will show up in your contracts.

The short version: the DoD spent years watching defense contractors get hacked and sensitive military information walk out the door. CMMC is the response. It takes the cybersecurity requirements that have technically applied to defense contractors since 2017 and adds teeth: now you have to prove you meet them, not just say you do.

The Two Types of Information CMMC Protects

CMMC covers two categories of information:

FCI (Federal Contract Information) — information provided by or generated for the government under a contract that isn't intended for public release. Basic contract documents, simple deliverables, routine project information. If you're doing any work for the federal government, you probably handle FCI.

CUI (Controlled Unclassified Information) — sensitive government information that requires protection but isn't classified. Technical specifications for weapons systems, export-controlled research, certain types of personally identifiable information, law enforcement data, and more. There are more than 100 CUI categories. If you're doing work related to defense programs, there's a reasonable chance you handle CUI.

The distinction matters because the two types of information require different levels of protection — and different CMMC levels.

The Three Levels

CMMC Level 1: Basic Cyber Hygiene

Level 1 covers 15 basic practices drawn from FAR (Federal Acquisition Regulation) clause 52.204-21. Think password management, limiting access to authorized users, and protecting physical access to systems. If you handle FCI but not CUI, Level 1 is probably your requirement.

Level 1 is self-assessed annually. You evaluate your own compliance, document it, and submit your score to the Supplier Performance Risk System (SPRS) — the DoD's portal for tracking contractor compliance scores. No third-party assessor required at Level 1.

CMMC Level 2: Advanced Cyber Hygiene

Level 2 is where most defense contractors land. It covers 110 security requirements organized across 14 domains, all drawn from NIST (National Institute of Standards and Technology) SP 800-171 Rev 2. These include access control, incident response, audit logging, configuration management, encryption, vulnerability management, and more.

If you handle CUI, you need Level 2. And unlike Level 1, you can't just say you're compliant — for most CUI-handling contractors, a C3PAO (Third-Party Assessment Organization, an authorized company that conducts CMMC assessments) must verify your compliance on a three-year cycle, with annual affirmations in between.

A subset of Level 2 contractors — those on lower-risk programs — may be permitted to self-assess rather than use a C3PAO. Your contract will specify which category applies to you.

CMMC Level 3: Expert

Level 3 adds 24 more practices on top of Level 2, drawn from NIST SP 800-172. It applies to a small number of contractors working on the DoD's highest-priority programs. Level 3 assessments are conducted by the Defense Contract Management Agency (DCMA), a government agency — not a private C3PAO. If you need Level 3, your contract will say so explicitly.

For the vast majority of defense contractors, Level 2 is the target.

How the Assessment Process Works

For Level 2 C3PAO assessments, the process looks like this:

  1. You prepare — implement the required controls, document them in your SSP (System Security Plan), and address open gaps in your POA&M (Plan of Action and Milestones).
  2. You hire a C3PAO — you find an authorized C3PAO on the Cyber-AB marketplace, negotiate scope and timeline, and schedule the assessment.
  3. The C3PAO assesses — the assessment team reviews your documentation (examining your SSP, policies, configurations), interviews your personnel, and tests your controls. This typically takes two to four weeks for a small-to-mid-size organization.
  4. Results are submitted — the C3PAO submits the assessment results to CMMC's central database. If you pass, your certification is valid for three years.
  5. You affirm annually — in years two and three of your certification cycle, a senior executive at your company affirms that your controls are still in place. This isn't a repeat assessment, but it carries legal weight. Affirming false compliance is a violation of the False Claims Act.

Timeline from deciding to pursue CMMC to passing your assessment: plan on 12–18 months for an organization starting from scratch. Shorter if your existing security posture is strong; longer if there's significant remediation work to do.

Cost: assessment fees from a C3PAO typically run $50,000–$150,000, depending on the scope of your environment. Remediation work — the actual implementation of missing controls — is separate and can range from a few thousand dollars to several hundred thousand, depending on your starting point.

The Common Mistake

The most widespread mistake in CMMC preparation is confusing self-assessment with certification.

For years, defense contractors have been required to submit SPRS scores based on self-assessment against NIST SP 800-171. Many did. Some submitted inflated scores. CMMC exists largely because the government couldn't trust those scores. A self-assessment tells you how you're doing; a C3PAO assessment tells everyone else.

If you're preparing for CMMC Level 2 and your plan is "we'll self-assess and submit our score," that satisfies the contractual requirement only if your contract allows self-assessment — and even then it won't produce a CMMC certification. For contracts that require a C3PAO assessment, the self-assessment approach doesn't count.

Read your contract. Specifically look at clause DFARS 252.204-7021. It will specify the CMMC level required and whether self-assessment or third-party assessment is needed.

Which Level Applies to You

The guidance is simple:

  • Handle FCI only — you likely need Level 1 (self-assessed annually).
  • Handle CUI — you likely need Level 2, with a C3PAO assessment unless your contract specifies otherwise.
  • Handle CUI on high-priority/advanced programs and your contract explicitly says Level 3 — you need Level 3.

If you're a subcontractor, your prime will communicate CMMC flow-down requirements. If they haven't, ask. You're liable for your own compliance regardless of what the prime tells you.

For a deeper look at what Level 2 implementation actually involves — domain by domain — the CMMC Level 2 guide covers the full control set and what assessors evaluate.