The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that verifies defense contractors have implemented the cybersecurity controls required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC is often discussed as something “new,” but it is closely tied to DFARS cybersecurity obligations that already require contractors to safeguard Covered Defense Information and to implement the NIST SP 800-171 protections for CUI on contractor information systems (DFARS 252.204-7012). DFARS 252.204-7019 and 252.204-7020 reinforced this by requiring companies to maintain NIST SP 800-171 self-assessment results and post them in the Supplier Performance Risk System (SPRS), and by enabling DoD-led assessments. CMMC builds on that foundation by standardizing how compliance is verified and, when required by contract, using independent third-party assessments to confirm the controls are actually in place and operating as intended across the defense industrial base supply chain.

Does CMMC Level 1 Require 17 Practices or 15 Safeguards?

The official FAR clause, 52.204-21, lists 15 basic safeguarding requirements, but CMMC documentation often references 17 Level 1 practices. Here is why:

CMMC inherited the DoD’s earlier mapping of the FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems” requirements onto NIST SP 800-171. In that mapping, two of the FAR requirements each cover more than one NIST SP 800-171 security requirement, so they were split into multiple CMMC practice IDs when the model was built. They are not additional requirements, just a structural carryover from the original FAR-to-NIST mapping exercise. In practice, a contractor that fully implements the 15 FAR safeguards has, by definition, satisfied all 17 CMMC Level 1 practices.