What is CMMC? Cybersecurity Maturity Model Certification Explained
CMMC is the DoD's cybersecurity certification requirement for defense contractors.
CMMC 2.0 Framework
CMMC 2.0, released in 2021 and entering formal rulemaking in 2024, simplified the original five-level model to three levels. Level 1 — Foundational — requires 17 practices from FAR 52.204-21 and applies to companies handling Federal Contract Information. Level 2 — Advanced — requires 110 practices from NIST SP 800-171 and applies to companies handling Controlled Unclassified Information. Level 3 — Expert — requires 110+ practices from NIST SP 800-172 and applies to programs with the highest CUI protection needs.
Level 1 companies can self-attest annually. Level 2 companies are split between those that can self-attest (non-prioritized acquisitions) and those that require a third-party Certified CMMC Third Party Assessor Organization assessment every three years. Level 3 requires government-led assessments.
Implementation Timeline
CMMC requirements are being phased into DoD contracts. The DoD anticipates CMMC requirements appearing in contracts beginning in 2025, with full implementation across the defense industrial base over several years. Defense contractors and their subcontractors who handle CUI must achieve and maintain the appropriate CMMC level before contract award.
NIST SP 800-171 Alignment
CMMC Level 2's 110 practices map directly to NIST SP 800-171, which organizes requirements into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
NIST SP 800-171 implementation has been required for defense contractors handling CUI through DFARS clauses since 2017, but compliance was self-reported without verification. CMMC adds third-party verification, mandatory assessment, and contract enforcement — converting a self-attestation requirement into a verified certification requirement.
CMMC in Defense Sector M&A
For PE sponsors evaluating defense sector targets, CMMC certification status and readiness are material diligence findings. Companies with active or pipeline DoD contracts that lack required CMMC certification face contract renewal risk that affects revenue continuity and exit valuation. CMMC compliance should be evaluated as part of pre-close diligence for defense sector acquisitions, including assessment of current NIST 800-171 implementation maturity and gap-to-certification timeline.
Related: CMMC Roadmap and Underlying Controls
For Defense Industrial Base contractors approaching CMMC, the operational question is not what CMMC is but how to prepare. The CMMC compliance roadmap walks through the typical preparation sequence from gap analysis through third-party assessment readiness. The underlying control catalog that CMMC validates is NIST SP 800-53 (via NIST 800-171, which is a subset of 800-53 controls specific to controlled unclassified information).
Real-World Example: Defense Contractor Loses Contract Over CMMC Non-Compliance
As CMMC requirements began appearing in DoD contracts, multiple defense contractors were disqualified from contract competitions for failing to demonstrate adequate NIST SP 800-171 implementation. In one documented case, a mid-tier defense electronics manufacturer lost a contract renewal when the contracting officer required a current NIST SP 800-171 self-assessment score that the company could not provide accurately — revealing that their previously submitted score had misrepresented actual implementation status. The Department of Justice has pursued False Claims Act cases against companies that submitted inaccurate cybersecurity certifications in connection with government contracts.
CMMC requirements apply to defense industrial base companies from prime contractors to sub-tier suppliers, making it the broadest mandatory cybersecurity certification program in US history.