Supplier Cybersecurity

We are required to protect our nation's information and security.

BPMI is committed to the U.S. Navy, our suppliers, and the overall security of the defense industrial base (DIB). Our goal is to contribute to the unified U.S. Department of Defense (DoD) mission by ensuring the confidentiality, integrity, and availability of systems, information, and assets handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

To protect our nation's intelligence and information from increasingly complex cyberattacks, the DoD is implementing Cybersecurity Maturity Model Certification (CMMC) requirements for all suppliers within the DIB. BPMI is dedicated to helping new and existing suppliers understand CMMC requirements. Below, you will find answers to our suppliers' most frequently asked questions as well as resources to support your timely CMMC compliance. 

What You Need to Know About CMMC

You are a target.

Suppliers within the defense industrial base are targets for more frequent and complex cyberattacks. CMMC is a key component of the Department of Defense’s expansive cybersecurity improvement effort to help protect information on supplier networks.

Phase 1 implementation begins November 10, 2025.

Suppliers awarded contracts after November 10, 2025 must demonstrate compliance via self-assessment as a condition for contract award. CMMC requirements will be incorporated into BPMI's fiscal year 2027 terms and conditions.

Phase 2 implementation begins in fiscal year 2027.

Starting in fiscal year 2027, BPMI suppliers must confirm and provide evidence of their CMMC Level 2 certification status to be eligible for contract awards. See details regarding this certification below.

Full compliance can take up to two years.

The CMMC assessment requirements will be rolled out in four phases over three years. Industry experts suggest that preparing for CMMC readiness can take up to one year, with the certification process potentially taking an additional year. 

General CMMC FAQs

The Cybersecurity Maturity Model Certification (CMMC) Program of the Department of Defense (DoD) establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC program also establishes requirements for assessing compliance with the applicable prescribed cybersecurity standard for contractor information systems that: process, store, or transmit FCI or CUI; provide security protections for systems which process, store, or transmit CUI; or are not logically or physically isolated from systems which process, store, or transmit CUI. 

The defense industrial base (DIB) is the target of more frequent and complex cyberattacks. CMMC is a key component of the Department of Defense’s expansive DIB cybersecurity improvement effort.

There are three main objectives of CMMC:

  1. Protect FCI/CUI from cyberattacks and nation state actors
  2. Create a unifying cybersecurity standard for DIB contractors
  3. Ensure accountability from DIB contractors responsible for protecting FCI/CUI

CMMC Implementation Diagram

All DIB contractors are required to achieve certification in one of the three levels of cybersecurity within the CMMC model.

Level 1: Foundational

  • Basic cyber hygiene
  • Requires the implementation of 17 basic practices for protection of FCI (FAR 52.204-21)
  • Requires annual self-assessment and self-attestation in SPRS.

Level 2: Advanced

  • Requires the implementation of 110 controls based on NIST SP 800-171 Revision 2
  • Designed to protect FCI and CUI
  • Assessed every three years by a CMMC Third-Party Assessment Organization (C3PAO)

Level 3: Expert

  • Required for protection of CUI by select, large DIB contractors
  • 110 controls per NIST SP 800-171 Revision 2, plus 24 enhanced controls from NIST SP 800-172
  • Requires annual self-assessment, entry of scores into SPRS, and triennial review/certification by DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

Details and graphics from https://dodcio.defense.gov/CMMC/About/.

Rulemaking under Title 32 CFR is required to formally establish the DoD CMMC Program in regulation, and separate rulemaking under Title 48 CFR is required to update contractual requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the program.

CMMC certification will be implemented and enforced through the DoD acquisition and contracting process starting November 10, 2025. For BPMI contracts, suppliers shall be required to confirm and provide evidence of their C3PAO Level 2 certification status as a condition for contract award. 

CMMC is designed to ensure DIB contractors are protecting the confidentiality of FCI and CUI. This is important for DIB contractors, as the unauthorized access or modification of FCI and CUI could result in significant financial, reputational, and legal repercussions. The Department of Justice (DOJ) pursues reported cyber-related fraud by Government contractors under the Civil Cyber-Fraud Initiative and the False Claims Act (FCA). Failure to comply with CMMC 2.0 can lead to fines of $10,000 per control under the FCA.  

The final CMMC rule, 48 CFR Part 170, was published on September 10, 2025. This sets November 10, 2025, as the start of Phase 1 of the CMMC implementation period. The CMMC assessment requirements will be rolled out in four phases over three years:

  1. Phase 1: Begins with self-assessments.
  2. Subsequent Phases: Gradually add CMMC Level requirements until full implementation of the program in Phase 4 in three years.

The Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012 and 252.204-7019 have been a part of BPMI contracts for several years. Starting November 10, 2025 (Phase 1), suppliers awarded contracts must demonstrate compliance with the 32 CFR Part 170 CMMC Program as a condition for contract award.

Industry experts suggest that preparing for CMMC readiness can take up to one year, with the certification process potentially taking an additional year.

By the start of FY27, BPMI suppliers must confirm and provide evidence of their CMMC Level 2 certification status to be eligible for contract awards. This evidence may include:
  • A certificate confirming CMMC Level 2 compliance, signed by a Cybersecurity Assessor and Instructor Certification Organization (CAICO)-certified C3PAO, dated within the last three years.
    • The certificate must include the CMMC Unique Identifier (UID) for the scoped information system.
    • It should list all Commercial and Government Entity (CAGE) Codes for supplier locations where BPMI contractual information is stored and processed.
  • A CMMC SPRS report confirming final level of certification (e.g., Final Level 2 (C3PAO)), the UID, the assessment date, the assessment scope including all CAGE codes, and the CMMC status expiration date.

The CMMC certification process should always start with the Cyber Accreditation Body (AB). Cyber AB is the official accreditation body of the CMMC Ecosystem and the sole authorized non-governmental partner of DoD in implementing and overseeing the CMMC conformance regime. Organizations Seeking Certification (OSCs) must start by registering with Cyber AB. Through Cyber AB, suppliers will obtain resources and support throughout the certification process.

BPMI suppliers may also wish to enlist the support of a Registered Provider Organization (RPO) and/or an independent or supplier-employed Registered Practitioner (RP) to provide CMMC implementation/certification consulting services prior to seeking formal certification from a C3PAO. An RPO or RP can assist in identifying gaps, developing security plans/processes, and providing mitigation strategies to better ensure all requirements are met prior to contracting with a C3PAO.

Once your company has addressed the gaps and implemented the necessary security controls, engage a C3PAO to conduct the official certification assessment and receive CMMC certification. C3PAOs, RPOs, and RPs may be searched and contacted via the Cyber AB Marketplace available on the Cyber AB website.

Self-assessments must be performed initially and on a triennial basis (every 3 years). Self-assessment scores must be reported in SPRS.

Additionally, certification must be performed by an authorized C3PAO on a triennial basis. The C3PAO is responsible for reporting/confirming the certification in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC assessment results will not be made public.

Annual affirmation of compliance by a senior contractor official (e.g., CISO), entered electronically into SPRS, is also required for all levels under CMMC 2.0.

CMMC Model FAQs

Per the DoD CIO, FCI is defined in FAR 52.204-21 and CUI in 32 CFR Part 2002. The DoD CUI Quick Reference Guide includes information on CUI. In addition, the Defense Counterintelligence and Security Agency (DCSA) provides answers to CUI FAQs. These FAQs describe the difference between FCI and CUI as follows:

“Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. While FCI is any information that is ‘not intended for public release,’ CUI is ‘information that requires safeguarding and may also be subject to dissemination controls.’”

The DoD followed federal rulemaking guidelines when including NIST SP 800-171 Revision 2 in the Title 32 CFR CMMC rule. The Department will incorporate Revision 3 with future rulemaking. The Department has issued a class deviation to DFARS clause 252.204-7012 to allow contracting officials to assess against Revision 2 until Revision 3 has been incorporated through rulemaking.


Unclassified Naval Nuclear Propulsion Information (U-NNPI) is a specified category of CUI. BPMI will continue to require contractors to comply with NN-801 Revision 5 for physical and cybersecurity controls for protection of U-NNPI. Section 10 cybersecurity controls in NN-801 Revision 5 are aligned with and complementary to those in NIST SP 800-171, including more stringent and specific criteria approved by Naval Reactors for cybersecurity of U-NNPI information systems. As a result, supplier systems approved by BPMI for storing, processing and transmitting U-NNPI under NN-801 Revision 5 are also compliant with NIST SP 800-171 Revision 2.

It is important for suppliers with U-NNPI information systems to maintain current and complete records for their U-NNPI plans, policies and procedures, including their NN-801 security plan approval letter received from BPMI.

CMMC Assessment FAQs

It is BPMI’s understanding that those DIB companies that have previously achieved successful compliance as part of a DIBCAC assessment will automatically become eligible to receive a CMMC Level 2 certification. Certifications are valid for three years from the assessment date.

No. CMMC applies only to DIB contractors’ nonfederal, unclassified information systems and networks that process, store, or transmit FCI or CUI.

DIB contractors may use Federal Risk and Authorization Management Program (FedRAMP)-authorized cloud environments for CUI under contract, provided the cloud service offering (CSO) is authorized at the FedRAMP Moderate (or higher) baseline. If the CSO is not authorized at the FedRAMP Moderate (or higher) baseline, the cloud service provider (CSP) must:

  1. Meet security requirements equivalent to FedRAMP Moderate;
  2. Have a system security plan (SSP) demonstrating compliance with FedRAMP Moderate; and
  3. Provide a Customer Requirements Matrix (CRM) summarizing the required controls and responsibilities of both the CSP and the contracting organization.

See also the DoD FedRAMP Equivalency memo (December 2023).

The DIB contractor's on-premises infrastructure connecting to the CSO shall be part of the CMMC assessment scope. Security requirements from the CRM must be documented or referred to in the DIB contractor’s SSP.

CMMC Implementation FAQs

Whether your company has previously been awarded a BPMI contract that includes DFARS clause 252.204-7012 or is brand new to contracting, the best way to prepare for implementation of CMMC is to carefully conduct a self-assessment of your contractor-owned information systems to make sure you have implemented the necessary cybersecurity measures to comply with each requirement of FAR clause 52.204-21 and/or DFARS clause 252.204-7012. 

Also, review the appropriate security requirements and carefully consider whether they have been implemented to secure any contractor-owned information systems that will be used to process, store, or transmit CUI during contract performance. Before initiating an assessment, take corrective actions to meet any security requirements that necessitate implementation to comply with CMMC requirements. 

Companies may use cloud service offerings to meet cybersecurity requirements that are assessed as part of CMMC. DoD DIB Cybersecurity Services has compiled a list of current resources available at https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/ under DoD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.

ONE TEAM, ONE MISSION

Working with today's suppliers to power tomorrow's Navy.