CMMC Compliance
A plain-English guide to the Cybersecurity Maturity Model Certification (CMMC) for defense contractors—what it is, the three levels, and how to prepare for assessment.
What CMMC is (in plain English)
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. Department of Defense (DoD) to ensure contractors in the Defense Industrial Base (DIB) have adequate cybersecurity practices in place before they can bid on or work on DoD contracts.
Unlike self-attestation approaches of the past, CMMC requires independent verification of your cybersecurity posture. If you want to continue winning defense contracts, you need to prove—not just claim—that you're protecting sensitive information.
Why CMMC exists
Before CMMC, contractors subject to DFARS 252.204-7012 self-attested to meeting NIST SP 800-171 requirements. The problem: many claimed compliance without actually implementing the controls, and nobody routinely checked. Adversaries exploited these gaps, leading to significant breaches of sensitive defense information.
CMMC closes this loophole by requiring third-party assessments for most contractors handling sensitive data. It's the DoD's way of saying: "Trust, but verify."
Understanding the three CMMC 2.0 levels
CMMC 2.0 streamlined the original five-level model down to three tiers, making compliance more accessible while maintaining rigor where it matters most.
Level 1: Foundational
Who needs it: Contractors handling Federal Contract Information (FCI) only—basic, non-sensitive government data.
What's required:
- 15 security requirements drawn from the basic safeguarding clause FAR 52.204-21 (CMMC 1.0 counted the same material as 17 practices)
- Basic cyber hygiene: password and account controls, malware protection, limiting system access to authorized users and devices
- Annual self-assessment, with the result and an affirmation by a senior company official entered in SPRS (no third-party audit required)
Think of it as: The baseline. If you do any business with the federal government, you likely need at least Level 1.
Level 2: Advanced
Who needs it: Contractors handling Controlled Unclassified Information (CUI)—sensitive but not classified data.
What's required:
- The 110 security requirements of NIST SP 800-171 Rev. 2
- A System Security Plan (SSP) plus the policies, procedures, and evidence that show each requirement is implemented
- Level 2 (C3PAO): a certification assessment by a C3PAO (CMMC Third-Party Assessment Organization) every three years, with an annual affirmation; required where the solicitation designates it, typically for prioritized acquisitions
- Level 2 (Self): a self-assessment every three years, with an annual affirmation in SPRS, for contracts that designate it; the solicitation tells you which type of Level 2 applies
Think of it as: The standard for most defense contractors. This is where the real work happens—and where most companies need the most help.
Level 3: Expert
Who needs it: Contractors working on the most sensitive programs, protecting CUI from Advanced Persistent Threats (APTs).
What's required:
- All 110 NIST SP 800-171 requirements, plus 24 selected requirements from NIST SP 800-172
- A current Level 2 (C3PAO) certification as a prerequisite, then a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with annual affirmations
- A highly mature, continuously monitored security program
Think of it as: Enterprise-grade security for the most critical defense programs. Few contractors need this level, but those who do face rigorous scrutiny.
FCI vs. CUI: Know the difference
Understanding what data you handle determines your required CMMC level:
- FCI (Federal Contract Information): Information provided by or generated for the government under contract, not intended for public release. Examples: contract pricing, delivery schedules, basic project communications.
- CUI (Controlled Unclassified Information): Sensitive information that requires safeguarding per law, regulation, or government policy. Examples: technical drawings, test results, engineering specifications, export-controlled data.
If you're unsure what you handle, check your contract clauses (DFARS 252.204-7012 is the signal that CUI is involved) and the markings on what the government sends you, and assume CUI until proven otherwise. The cost of guessing wrong far exceeds the cost of compliance.
What assessors actually evaluate
CMMC assessors aren't looking for perfection, but they aren't grading on effort either. At Level 2 each of the 110 requirements is scored MET or NOT MET against the 320 assessment objectives in NIST SP 800-171A, and a requirement is MET only when every one of its objectives is satisfied. For each objective they gather evidence three ways:
- Examine: reading your SSP, policies, procedures, configurations, logs, and screenshots
- Interview: asking the people who run the control to explain what they actually do
- Test: watching the control work, for example trying to log in without MFA or comparing a sample system against its documented baseline
A written policy with no working control fails, and a working control that nobody can document or explain is very hard to score as MET.
Expect scrutiny around:
- Access Control: Who can access CUI and how you enforce least privilege
- Audit & Accountability: Logging, monitoring, and retaining evidence
- Configuration Management: Secure baselines, change control, asset inventory
- Identification & Authentication: MFA, password policies, identity management
- Incident Response: Detection, response, reporting, lessons learned
- Risk Assessment: Identifying, analyzing, and treating security risks
- Security Assessment: Regular internal evaluations and remediation
- System & Communications Protection: Encryption, boundary defense, network segmentation
The CMMC certification process
Here's what the path to certification typically looks like:
1. Scope your environment
Define your assessment boundary: the systems, people, and processes that store, process, or transmit CUI, plus the systems that protect them. The CMMC Level 2 scoping guide sorts assets into CUI Assets, Security Protection Assets (your SIEM, identity provider, and similar), Contractor Risk Managed Assets, Specialized Assets (OT, IoT, test equipment), and Out-of-Scope Assets; the first two are assessed against every requirement. The smaller and cleaner your scope, the easier your assessment.
2. Conduct a gap analysis
Compare your current state against each NIST SP 800-171A assessment objective, not just each requirement. Identify what's missing, what's partially implemented, and what works but has no evidence behind it. The DoD Assessment Methodology score this produces (110 points, with 1, 3, or 5 points deducted per unmet requirement) is what you post to SPRS, and it is a good early indicator of how far you are from assessment-ready.
3. Remediate gaps
Address the deficiencies found in your gap analysis. This often includes:
- Creating or updating policies and procedures
- Implementing technical controls
- Training staff
- Establishing continuous monitoring
4. Build your System Security Plan (SSP)
Document your entire security program: what controls you have, how each requirement is implemented, who's responsible, and what your environment looks like, including a network diagram and a data flow showing where CUI lives. Track anything not yet implemented in a Plan of Action and Milestones (POA&M) alongside the SSP; assessors read both.
5. Engage a C3PAO (for Level 2 (C3PAO) contracts)
Select a C3PAO authorized by the Cyber AB (the CMMC Accreditation Body) and schedule your assessment. They'll examine documentation and configurations, interview staff, and test controls against the 800-171A objectives.
6. Pass assessment and maintain certification
Certification is valid for three years, but you must maintain controls continuously. A senior company official affirms continued compliance in SPRS every year, and the certification status lapses if an affirmation is missed.
Common CMMC compliance challenges
Most contractors struggle with these areas:
Documentation gaps
You might have good security practices but lack the policies, procedures, and evidence to prove it. Level 2 requires an SSP, and assessors expect evidence for every 800-171A objective; a control that exists only in someone's head, with no documentation and no artifact, is very hard to score as MET.
Scope creep
CUI spreads across systems, making your assessment boundary larger and more expensive to secure. Segmentation and data flow analysis are critical.
Resource constraints
Small and mid-size contractors often lack dedicated security staff. Building a mature program while running your business is challenging.
Technical debt
Legacy systems may not support modern security controls. Upgrading infrastructure while maintaining operations requires careful planning.
Subcontractor management
Your supply chain must also meet CMMC. The requirement flows down: a subcontractor needs the level appropriate to the information it receives (Level 1 for FCI only, Level 2 if you pass it CUI), and you are responsible for confirming that status before sharing data. Managing downstream compliance adds complexity.
Frequently Asked Questions
When does CMMC become mandatory?
The CMMC program rule (32 CFR Part 170) was published in October 2024 and took effect in December 2024. The companion DFARS acquisition rule that actually places CMMC requirements in contracts followed in 2025, with a three-year phase-in: self-assessment requirements first, then C3PAO certifications, with full implementation expected by 2028. Check each solicitation for the level and assessment type it requires.
How much does CMMC certification cost?
Costs vary widely based on your current maturity, scope, and level:
- Level 1 self-assessment: Minimal direct cost (internal time)
- Level 2 self-assessment: $10,000–$50,000+ for preparation and documentation
- Level 2 third-party assessment: $50,000–$200,000+ including preparation, remediation, and C3PAO fees
- Level 3: Significantly higher due to enhanced requirements and government-led assessment
Can I self-certify for CMMC?
Only Level 1 and Level 2 (Self) contracts accept a self-assessment, entered and affirmed in SPRS. Level 2 (C3PAO) contracts require a third-party assessment by an accredited C3PAO, and Level 3 requires a DIBCAC assessment.
What happens if I fail the assessment?
You won't receive certification and cannot be awarded contracts requiring that CMMC level. There is one middle ground: if you score at least 88 of 110 and every unmet requirement is POA&M-eligible (broadly, the 1-point requirements), you can receive a Conditional certification and have 180 days to close the POA&M, with the closeout verified by the C3PAO; miss that window and the conditional status expires. Otherwise you remediate and pay for a new assessment, so thorough preparation matters.
Do I need a separate network for CUI?
Not necessarily, but it often helps. A dedicated CUI enclave reduces your scope and simplifies compliance. Many contractors find this approach more manageable than trying to secure their entire network.
How does CMMC relate to NIST 800-171?
CMMC Level 2 is NIST SP 800-171 Rev. 2, assessed against the objectives in NIST SP 800-171A. If you've already implemented 800-171 under DFARS 252.204-7012, you're well-positioned for Level 2, but you'll still need to produce evidence and may need a C3PAO assessment. Your existing DFARS 252.204-7012/7019/7020 obligations (an SSP, a POA&M, and an SPRS score) continue alongside CMMC.
Where CyberPolicify fits
CyberPolicify helps you prepare for CMMC assessment—not replace the assessor, but ensure you're ready when they arrive.
Use CyberPolicify to:
- Generate CMMC-aligned policies and procedures that cover all 110 Level 2 practices and map directly to NIST 800-171
- Run a comprehensive gap analysis comparing your current state against CMMC requirements with clear visibility into what's missing
- Create remediation plans with prioritized actions, assigned owners, and target dates to close gaps systematically
- Build your System Security Plan (SSP) with documentation that assessors expect to see
- Maintain continuous compliance with a living risk register and control tracking that keeps you ready year-round—not just for assessment day
CMMC isn't just about passing an assessment once. It's about building a security program you can sustain. CyberPolicify gives you the foundation to get there without starting from scratch or hiring an army of consultants.
When assessment day arrives, you'll have the documentation, evidence, and confidence to demonstrate your security maturity.
Generate documentation mapped to frameworks
Start with policies and procedures aligned to the framework, then close gaps with a clear plan.