What is CMMC? Cybersecurity Maturity Model Certification Explained
CMMC is the DoD's cybersecurity certification requirement for defense contractors. Learn the three CMMC levels, NIST 800-171 requirements, and what defense contractors must do to compete for DoD contracts.
CMMC 2.0 Framework
CMMC 2.0, released in 2021 and entering formal rulemaking in 2024, simplified the original five-level model to three levels. Level 1 — Foundational — requires 17 practices from FAR 52.204-21 and applies to companies handling Federal Contract Information. Level 2 — Advanced — requires 110 practices from NIST SP 800-171 and applies to companies handling Controlled Unclassified Information. Level 3 — Expert — requires 110+ practices from NIST SP 800-172 and applies to programs with the highest CUI protection needs.
Level 1 companies can self-attest annually. Level 2 companies are split between those that can self-attest (non-prioritized acquisitions) and those that require an assessment by a Certified Third Party Assessor Organization (C3PAO) every three years. Level 3 requires government-led assessments.
Implementation Timeline
CMMC requirements are being phased into DoD contracts. The DoD anticipates CMMC requirements appearing in contracts beginning in 2025, with full implementation across the defense industrial base over several years. Defense contractors and their subcontractors who handle CUI must achieve and maintain the appropriate CMMC level before contract award.
NIST SP 800-171 Alignment
CMMC Level 2's 110 practices map directly to NIST SP 800-171, which organizes requirements into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
NIST SP 800-171 implementation has been required for defense contractors handling CUI through DFARS clauses since 2017, but compliance was self-reported without verification. CMMC adds third-party verification, mandatory assessment, and contract enforcement — converting a self-attestation requirement into a verified certification requirement.
CMMC for PE Portfolio Companies
PE funds with defense-sector portfolio companies face CMMC compliance as a contract retention and growth requirement. A portfolio company that fails to achieve the required CMMC level faces disqualification from DoD contract competitions and potential loss of existing contracts at renewal. CMMC compliance should be evaluated as part of pre-close diligence for defense-sector acquisitions, including an assessment of current NIST 800-171 implementation maturity and the gap-to-certification timeline.
Real-World Example: Defense Contractor Loses Contract Over CMMC Non-Compliance
As CMMC requirements began appearing in DoD contracts, multiple defense contractors were disqualified from contract competitions for failing to demonstrate adequate NIST SP 800-171 implementation. In one documented case, a mid-tier defense electronics manufacturer lost a contract renewal when the contracting officer required a current NIST SP 800-171 self-assessment score that the company could not provide accurately — revealing that its previously submitted score had misrepresented actual implementation status. The Department of Justice has pursued False Claims Act cases against companies that submitted inaccurate cybersecurity certifications in connection with government contracts.
Defense industrial base companies are required to implement CMMC requirements — from prime contractors to sub-tier suppliers — making CMMC the broadest mandatory cybersecurity certification program in US history.