
CMMC Compliance Guide for Government Contractors

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors protect sensitive information. It has three levels: Level 1 (15 basic safeguarding requirements from FAR 52.204-21, self-assessed), Level 2 (the 110 requirements of NIST SP 800-171 Revision 2, self-assessed or C3PAO-assessed), and Level 3 (those 110 plus selected NIST SP 800-172 requirements, government-assessed). Every contractor and subcontractor in the defense supply chain that handles Federal Contract Information or Controlled Unclassified Information must achieve the level specified in its contract to be eligible for award; suppliers of only commercially available off-the-shelf items are exempt.

What Is CMMC?

The Cybersecurity Maturity Model Certification was created by the Department of Defense to address a persistent problem: defense contractors were self-attesting to cybersecurity compliance under DFARS 252.204-7012, but audits revealed widespread non-compliance. Adversaries were exploiting these gaps to steal sensitive defense information from the supply chain.

CMMC adds a verification layer on top of existing requirements. Instead of simply claiming compliance, contractors must now demonstrate it through assessments -- either self-assessment or third-party certification depending on the level and program sensitivity.

The CMMC program rule (32 CFR Part 170) was published in October 2024 and took effect in December 2024; the companion DFARS acquisition rule took effect in November 2025, which started a four-phase rollout. In the first phase, DoD solicitations began including CMMC requirements (mostly self-assessments); each later phase adds C3PAO and Level 3 requirements to more contracts. By the final phase in 2028, all applicable contracts are expected to require CMMC status at the appropriate level.

CMMC Levels Explained

Level 1 -- Foundational

Level 1 applies to contractors who handle only Federal Contract Information (FCI) -- information provided by or generated for the government under contract that is not intended for public release. It requires implementation of the 15 basic safeguarding requirements of FAR 52.204-21. These cover fundamentals like access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Level 1 is met by an annual self-assessment, with the results and a senior official's affirmation entered in the Supplier Performance Risk System (SPRS). POA&Ms are not permitted at Level 1: every requirement must be met at the time of the self-assessment.

Level 2 -- Advanced

Level 2 applies to contractors who handle Controlled Unclassified Information (CUI). It requires compliance with all 110 security requirements from NIST SP 800-171 Revision 2, organized across 14 security families. There are two assessment paths for Level 2: self-assessment (for contracts involving less sensitive CUI) and third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for contracts involving more sensitive CUI. Either path is repeated every three years, with an annual affirmation by a senior official in between. The specific path will be identified in contract solicitations.

Level 3 -- Expert

Level 3 applies to contractors handling the most sensitive CUI, particularly on programs targeted by advanced persistent threats (APTs). It includes all 110 NIST 800-171 requirements plus additional requirements selected from NIST SP 800-172. A contractor must first hold a Final Level 2 certification from a C3PAO; the Level 3 assessment itself is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Very few small businesses will need Level 3 -- it is primarily for prime contractors and critical subcontractors on high-value defense programs.

Self-Assessment vs C3PAO Assessment

Self-Assessment
  • Available for Level 1 and for Level 2 contracts designated as self-assessment
  • Conducted annually for Level 1; every three years for Level 2, with an annual affirmation
  • Results submitted to SPRS
  • Senior official must affirm accuracy
  • Lower cost but carries legal risk for false claims
C3PAO Assessment
  • Required for higher-priority Level 2 programs
  • Conducted by accredited third-party organizations
  • Certification valid for 3 years, with an annual affirmation by a senior official
  • Includes document review, interviews, and testing
  • Costs range from $50,000 to $200,000+

An important note: the self-assessment option does not mean less rigor is expected. The False Claims Act applies to CMMC self-assessments, meaning contractors who overstate their compliance risk significant legal and financial penalties. Treat self-assessment with the same seriousness as a third-party audit.

NIST 800-171 Mapping

CMMC Level 2 maps directly to the 14 security families in NIST SP 800-171:

1. Access Control (22 requirements)
2. Awareness and Training (3 requirements)
3. Audit and Accountability (9 requirements)
4. Configuration Management (9 requirements)
5. Identification and Authentication (11 requirements)
6. Incident Response (3 requirements)
7. Maintenance (6 requirements)
8. Media Protection (9 requirements)
9. Personnel Security (2 requirements)
10. Physical Protection (6 requirements)
11. Risk Assessment (3 requirements)
12. Security Assessment (4 requirements)
13. System and Comm. Protection (16 requirements)
14. System and Info. Integrity (7 requirements)

If your organization is already compliant with NIST 800-171 and has submitted an accurate SPRS score, you are well positioned for CMMC Level 2. The primary difference is that CMMC requires verification of that compliance through assessment rather than self-attestation alone.

Preparation Steps

  1. Determine your required level: Review your current contracts and anticipated solicitations to determine whether you need Level 1, Level 2 (self or C3PAO), or Level 3.
  2. Define your CUI boundary: Identify where CUI enters, is processed, stored, and exits your environment. Minimizing this boundary reduces the scope of controls you must implement.
  3. Conduct a gap assessment: Evaluate your current security posture against the applicable requirements. Use the NIST 800-171 DoD Assessment Methodology to calculate your SPRS score: start at 110 and subtract each unmet requirement's weight (5, 3, or 1 point, as assigned in the methodology's table), so a perfect score is 110 and partial implementations of multifactor authentication (3.5.3) or FIPS-validated cryptography (3.13.11) lose 3 points rather than 5.
  4. Develop your SSP and POA&M: Document your System Security Plan covering all applicable controls and create Plans of Action and Milestones for any gaps.
  5. Implement missing controls: Prioritize closing gaps, focusing first on any requirements that cannot have POA&Ms under CMMC rules.
  6. Engage a C3PAO (if needed): If third-party assessment is required, engage an accredited C3PAO early. There is limited assessor capacity, and wait times can be significant.
  7. Submit to SPRS: Ensure your current SPRS score is accurate and up to date before assessment.

POA&M Guidance

Under CMMC 2.0, limited use of Plans of Action and Milestones is permitted for Level 2 assessments (not Level 1), with important restrictions set out in 32 CFR 170.21:

  • Your assessment score with POA&M items must be at least 88 (80% of the 110 requirements)
  • Only requirements valued at 1 point in the DoD Assessment Methodology may be placed on a POA&M; the single exception is 3.13.11 (CUI encryption), which may be on a POA&M at a value of 3 or 5
  • Five requirements may never be on a POA&M regardless of value: 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5 -- these must be fully implemented at assessment time
  • A passing assessment with open POA&M items yields a Conditional status; all items must be closed within 180 days of that assessment or the status lapses
  • Each POA&M item must include specific milestones, responsible parties, required resources, and completion dates
  • A closeout assessment verifies that the POA&M items have been resolved and converts the Conditional status to Final: a C3PAO performs it on the certification path, and the contractor performs and affirms it on the self-assessment path
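The gap-assessment step above and the POA&M rules in this section together form a decision procedure: compute the score, then decide whether the remaining gaps can be carried on a POA&M. The following checker is an added example (not code from the page, from DoD, or from any CMMC tool) that implements those rules. It does not embed the methodology's per-requirement weight table; each finding carries the weight you look up there. The sample findings are constructed: the weights for 3.13.11, 3.5.3 and 3.1.20 are the methodology's, while the weight shown for 3.2.2 is assumed for illustration.

```python
"""Conditional-certification check for a CMMC Level 2 gap assessment.

Added example. Scoring follows the NIST SP 800-171 DoD Assessment
Methodology: start at 110 and subtract each unmet requirement's weight;
3.5.3 and 3.13.11 lose 3 points instead of 5 when partially implemented.
POA&M eligibility follows 32 CFR 170.21: score >= 88, only 1-point items
on the POA&M (3.13.11 excepted), five Level-1-derived requirements never
on a POA&M, and a 180-day closeout window.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
CONDITIONAL_MIN_SCORE = 88            # 0.8 * 110 per 32 CFR 170.21
POAM_CLOSEOUT_DAYS = 180
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # 5-point items that lose only 3 when partially met
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    req: str               # SP 800-171 Rev 2 requirement ID, e.g. "3.13.11"
    weight: int            # 5, 3 or 1, looked up in the methodology table
    partial: bool = False  # partially implemented (only valid for PARTIAL_CREDIT)
    on_poam: bool = False  # remediation documented in the POA&M


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one unmet requirement."""
    if f.weight not in (5, 3, 1):
        raise ValueError(f"{f.req}: weight must be 5, 3 or 1")
    if f.partial:
        if f.req not in PARTIAL_CREDIT:
            raise ValueError(f"{f.req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return 3
    return f.weight


def sprs_score(findings) -> int:
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_violations(findings) -> list[str]:
    """Reasons a gap cannot be carried into a Conditional Level 2 status."""
    problems = []
    for f in findings:
        if not f.on_poam:
            problems.append(f"{f.req}: not met and not on the POA&M")
        elif f.req in NEVER_POAM:
            problems.append(f"{f.req}: may never be placed on a POA&M")
        elif f.req != "3.13.11" and deduction(f) > 1:
            problems.append(f"{f.req}: {deduction(f)}-point item; only 1-point items may be on a POA&M")
    return problems


def evaluate(findings, assessment_date: date) -> dict:
    """Return score, resulting status (Final / Conditional / Not Met) and reasons."""
    score = sprs_score(findings)
    reasons = poam_violations(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} minimum")
    if not findings:
        status = "Final"
    elif not reasons:
        status = "Conditional"
    else:
        status = "Not Met"
    closeout = assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS) if status == "Conditional" else None
    return {"score": score, "status": status, "reasons": reasons, "closeout_due": closeout}


# Constructed sample findings (weight for 3.2.2 is assumed for illustration).
ASSESSED = date(2026, 2, 2)
GOOD = [
    Finding("3.13.11", 5, partial=True, on_poam=True),  # encryption in use, not FIPS-validated
    Finding("3.2.2", 1, on_poam=True),
]
BAD = GOOD + [Finding("3.1.20", 1, on_poam=True)]            # never allowed on a POA&M
WEAK_MFA = [Finding("3.5.3", 5, partial=True, on_poam=True)]  # 3 points: too heavy for a POA&M
LOW = [Finding(f"3.3.{i}", 5, on_poam=True) for i in range(1, 6)]  # five 5-point gaps

if __name__ == "__main__":
    for name, findings in (("good", GOOD), ("bad", BAD), ("weak_mfa", WEAK_MFA), ("low", LOW)):
        print(name, evaluate(findings, ASSESSED))
```

Run it once with your own findings list exported from the gap assessment; any "Not Met" reason is a gap that must be closed before the assessment rather than deferred to a POA&M.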

Related Resources

  • Authority to Operate Guide
  • Understanding FAR/DFARS
  • Finding Government Contracts

Frequently Asked Questions

What is CMMC?

The Cybersecurity Maturity Model Certification is a DoD framework requiring defense contractors to demonstrate cybersecurity practices through assessment. It was created to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense industrial base.

What is the difference between CMMC Level 1 and Level 2?

Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for protecting FCI and is met by annual self-assessment. Level 2 requires all 110 NIST SP 800-171 requirements for protecting CUI and may require either self-assessment or C3PAO third-party assessment depending on program sensitivity.

Do I need a C3PAO assessment or can I self-assess?

Level 1 allows self-assessment. Level 2 has two paths depending on CUI sensitivity -- self-assessment or C3PAO. Level 3 requires government-led assessment. Your contract solicitation will specify which path applies.

How does CMMC relate to NIST 800-171?

CMMC Level 2 maps directly to NIST SP 800-171. If you are already compliant with 800-171, you are well prepared. The key difference is that CMMC adds a verification and certification layer beyond self-attestation.

What is a POA&M in CMMC?

A Plan of Action and Milestones documents unmet requirements with remediation plans. Under CMMC, POA&Ms are allowed only at Level 2 and only for 1-point requirements (3.13.11 excepted), the score with POA&M items must still be at least 88, items must be closed within 180 days, and a closeout assessment is required to verify resolution.

Last updated: February 2026