If you are a defense contractor — or a subcontractor to one — the Cybersecurity Maturity Model Certification (CMMC) program will affect your ability to win and perform on Department of Defense contracts. Understanding what CMMC is, why it exists, and what it requires is the essential first step in your compliance journey.
Why CMMC Exists
The defense industrial base (DIB) has been losing sensitive information to adversaries for years. Nation-state actors have targeted defense contractors to steal technical data, controlled unclassified information (CUI), and intellectual property. The DoD's previous approach — requiring contractors to self-attest to cybersecurity standards under DFARS 252.204-7012 — did not work. Many contractors submitted compliance claims that did not reflect reality, and there was no mechanism to verify them.
CMMC was created to solve this problem by requiring independent verification of cybersecurity practices before a contractor can win certain DoD contracts. Instead of trusting contractors to self-report, CMMC brings third-party assessors into the picture.
The CMMC Model
CMMC 2.0 defines three certification levels. Level 1 covers basic cyber hygiene with 17 practices from FAR 52.204-21, applicable to contractors handling Federal Contract Information (FCI). Level 2 maps to all 110 security requirements in NIST SP 800-171 Rev 2, applicable to contractors handling CUI. Level 3 adds enhanced requirements from NIST SP 800-172 for the most sensitive unclassified programs.
Most defense contractors will need Level 2, because most defense contracts that include technical data or design information carry CUI. Level 1 applies to contractors who handle only basic contract-related information that bears no sensitivity markings.
The Rulemaking Process
As of early 2023, the DoD is developing the CMMC proposed rule (32 CFR Part 170) and the accompanying DFARS rule that will include CMMC requirements in contracts. The rulemaking process involves proposed rule publication, a public comment period, and final rule publication. Industry observers expect the proposed rule later in 2023 or in 2024.
What You Should Do Now
Do not wait for the final rule to start preparing. The underlying requirement — NIST SP 800-171 compliance — has been in effect since 2017 under DFARS 252.204-7012. If you handle CUI, you should already have a System Security Plan, a current SPRS score, and an active compliance program. CMMC adds verification on top of existing requirements. Contractors who are already implementing NIST 800-171 in good faith will find CMMC manageable. Those starting from zero face a significant lift.
CMMCDocs.com