Protect your contracts and your team’s focus with straightforward CMMC guidance
Organizations handling controlled information must now demonstrate that they meet a defined set of security standards in order to remain eligible for defense work. Certification verifies that your cybersecurity practices are consistent, measurable, and capable of protecting sensitive data across the defense supply chain. The vast majority of these contracts will involve CUI and require a Level 2 third-party certification.
What Is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework established by the U.S. Department of Defense to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense supply chain. It applies to DoD prime contractors and subcontractors whose systems store, process, or transmit this data while performing DoD work.
CMMC uses a tiered certification model that defines the cybersecurity practices contractors must meet to be eligible for DoD contracts. Each level represents increasing cybersecurity maturity, ensuring that protections scale with the sensitivity of the information involved and the risk posed by the mission or contract.
Most CMMC requirements are not new. They are rooted in longstanding DoD obligations, particularly those established through Defense Federal Acquisition Regulation Supplement requirements and security controls outlined in NIST SP 800-171. What CMMC changes is enforcement. Instead of relying primarily on self-attestation, CMMC requires formal validation that these controls are implemented and sustained.
In practice, CMMC shifts cybersecurity compliance from a paperwork exercise to verified performance. Contractors must demonstrate effective controls across areas such as access management, incident response, configuration management, and risk assessment. This strengthens protection of government data, creates consistency across the defense industrial base, and improves overall cyber resilience for organizations that operate in both government and commercial environments.
CMMC applies to DoD prime contractors and subcontractors at any tier that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) while performing DoD work. Requirements are enforced through contract language, including DFARS clauses, and primes are obligated to flow down the appropriate cybersecurity requirements to subcontractors when subcontract performance involves Covered Defense Information.
Why flow-down gets complicated
Flow-down is not a blanket requirement applied to every vendor. It depends on what information a subcontractor will actually access and what the prime contract specifically requires:
Primes typically ask for proof, not promises: expect requests for your System Security Plan (SSP) and Plan of Action and Milestones (POA&M), evidence of incident reporting readiness, and other proof that you can meet DFARS and NIST expectations.
CMMC Level 1 draws from Federal Acquisition Regulation (FAR) 52.204-21, which does not use the NIST 800-171 domain structure. To maintain consistency across the model, the 15 Level 1 safeguards are aligned to 6 of the 14 NIST 800-171 domains.
Level 1 contains 15 controls, all sourced directly from FAR 52.204-21(b)(1). These are considered the minimum security requirements for any contractor who processes, stores, or transmits Federal Contract Information (FCI).
Across the 15 controls, Level 1 includes 30 assessment objectives. Each control is unpacked into one or more objective-level actions that you must demonstrate during a self-assessment.
CMMC is built on NIST 800-171 and organized into 14 domains. Each domain covers a different slice of your security program, creating a broad surface area that many teams underestimate at the start.
Within those domains sit 110 controls. The controls set the requirement, but the real challenge shows up underneath them—every control is unpacked into multiple assessment objectives, each one representing a specific action you must demonstrate.
Within the 110 controls are 320 assessment objectives. Each objective represents a specific, testable action that must be performed, documented, and traceable to the requirement. While controls describe what must be achieved, objectives define the exact conditions an assessor will evaluate.
Level 3 introduces additional security requirements, derived from NIST SP 800-172 and layered on top of the Level 2 baseline, to address advanced threats.
Assessment objectives are the individual evaluation criteria used during a CMMC Level 3 assessment to verify that security requirements are implemented, operating as intended, and producing the expected security outcomes. This includes all Level 2 assessment objectives plus additional objectives associated with the Level 3 enhanced requirements.

Domains are the high-level security areas used to organize requirements. Level 1 assesses practices across 6 of the 14 domains.
Level 1 practices are the basic security practices required to protect Federal Contract Information (FCI).
FAR 52.204-21 defines 17 safeguarding requirements. 15 are assessed under CMMC Level 1, while the remaining 2 are enforced through DFARS contract obligations and are not directly assessed as CMMC practices.
Because CMMC is rooted in one of the most technically demanding federal standards, organizations need support that understands both the NIST 800-171 framework and how assessors evaluate it.
We translate every requirement into plain language, map your environment against those expectations, establish your Supplier Performance Risk System (SPRS) score, and lay out a prioritized roadmap for closing the gaps.
CMMC’s documentation and evidence demands go far beyond what most teams experience in ISO, SOC, or traditional quality standards. The level of detail, repeatability, and assessor-verified proof required to pass and to stay ready surprises even mature organizations.
We help you understand what “ready” truly means, build the documentation and evidence needed to support every objective, and guide your team through a process that is far more structured and intensive than anything they have prepared for before.
There are controls that, if not fully met, will result in a failed assessment. We help you understand the subtle differences between look-alike domains, how assessors verify each requirement, and where overlap can create confusion.
By clarifying these distinctions and guiding you in mapping the right evidence to the right objectives, we help you avoid the ‘close enough’ assumptions that lead to objective-level misses that stop the assessment.
CMMC readiness is not a one-time event. It requires consistent practices, documented habits, and ongoing proof that your security program is working every day. Many organizations underestimate the effort needed to maintain a culture that supports the CMMC requirements.
We help you build simple, repeatable processes that keep your evidence current, your activities tracked, and your team aligned, so you remain ready long after the initial assessment.
The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:
CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements; they are a structural carryover from the original DoD-to-NIST mapping exercise.