
    CMMC

    CMMC (Cybersecurity Maturity Model Certification) is a DoD requirement for defense contractors that combines cybersecurity standards and third-party assessment to protect Controlled Unclassified Information (CUI).

    CMMC is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). It was created to ensure contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 has three levels:

- Level 1 (Foundational): 17 practices for FCI protection, self-assessment
- Level 2 (Advanced): 110 practices aligned with NIST 800-171 for CUI, third-party assessment
- Level 3 (Expert): 110+ practices with additional controls, government-led assessment

Key CMMC requirements:

- Based on NIST SP 800-171 controls
- Requires third-party assessment for Level 2+ (C3PAO)
- Contractors must maintain certification for contract eligibility
- Flows down to subcontractors handling CUI

Implementation timeline:

- Required for new DoD contracts progressively starting 2025
- Full implementation expected by 2028

    Why It Matters

    For defense contractors, CMMC is becoming a hard requirement for contract eligibility. Without certification, organizations will be locked out of DoD contracts—a $400+ billion annual market. The certification requirement flows down to subcontractors, meaning even small companies in the defense supply chain must achieve CMMC compliance to continue doing business.

    Key Points

    Required for DoD contractors handling CUI
    3 levels with increasing control requirements
    Level 2 requires third-party assessment
    Based on NIST 800-171 framework
    Subcontractors must also comply

    Frequently Asked Questions

    When will CMMC be required?

    CMMC 2.0 is being phased into DoD contracts starting 2025. By 2028, most contracts involving CUI will require CMMC Level 2 certification.

    What is a C3PAO?

A Certified Third-Party Assessment Organization (C3PAO) is an accredited organization authorized to conduct CMMC Level 2 assessments.
