Everything you need to know about CMMC compliance — explained without the jargon.
CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's framework for making sure contractors actually protect sensitive information — not just say they do.
The program has been in development since 2019, was reworked in 2021 (CMMC 2.0), and was finalized as a rule in late 2024 (32 CFR Part 170). Enforcement through the DFARS contract clause begins in 2025.
If you work with the DoD — whether you're a prime contractor, a subcontractor, or somewhere deep in the supply chain — this affects you. The question isn't if you need to comply. It's when and at what level.
Before CMMC, defense contractors were supposed to follow NIST 800-171 and self-attest that they were compliant. The problem? Nobody was checking. Self-attestation became a checkbox exercise, and the results were predictable:
CMMC adds teeth. Third-party assessments. Certification requirements. Contract conditions that make compliance non-negotiable. The DoD is done asking nicely.
CMMC 2.0 simplified the original five levels down to three. Most defense contractors will fall into Level 1 or Level 2. Every level also requires an annual affirmation of continued compliance, submitted in SPRS.

| Level | Practices | Assessment | Who Needs It |
|---|---|---|---|
| Level 1 (Foundational) | 15 practices (the basic safeguarding requirements of FAR 52.204-21) | Annual self-assessment | Basic cyber hygiene. Contractors handling Federal Contract Information (FCI) only. (COTS-only suppliers with no FCI or CUI are excluded entirely.) |
| Level 2 (Advanced) | 110 practices, the requirements of NIST SP 800-171 Rev 2 | Triennial (every three years) third-party assessment by a C3PAO. A subset of contracts allow a triennial self-assessment instead. | This is where most of your pain is. Any contractor handling CUI. Approximately 80,000 companies need this level. |
| Level 3 (Expert) | The 110 practices of Level 2 plus 24 enhanced requirements selected from NIST SP 800-172 | Government-led assessment by DIBCAC, on top of a Level 2 C3PAO certification | The highest-priority programs handling CUI (CMMC does not cover classified information). A small percentage of the defense industrial base. |
The Level 2 reality check: 110 controls sounds manageable until you realize each one requires documented policies, implemented procedures, and evidence of ongoing practice. Most small contractors underestimate the effort by 2–3x.
CMMC is rolling out in four phases over roughly three years, with requirements appearing in new solicitations first and later in existing contracts. The clock is already ticking.
Don't wait for Phase 2. With only 52 C3PAOs certified to perform assessments for ~80,000 companies, the bottleneck will be severe. Getting on a C3PAO's calendar will take months. Start now.
Here's the practical impact, broken down into the six things every defense contractor needs to understand right now.
All DoD contractors handling FCI or CUI must achieve the appropriate CMMC level. The only exception: strictly commercial off-the-shelf (COTS) suppliers with no access to federal information.
Plans of Action and Milestones are allowed in limited cases, but don't treat them as a long-term strategy. The rule caps what a POA&M can cover: it is only available at Level 2 and Level 3, only if you already score at least 80% on the assessment, never for the highest-weighted requirements, and every open item must be closed (and verified) within 180 days or the conditional status lapses. Assessors and contracting officers are watching. Open POA&Ms signal risk.
If you're a prime contractor, you're responsible for making sure your subcontractors meet the required CMMC level too. This flows all the way down the supply chain.
Contracting officers determine the required CMMC level for each contract based on the type of information involved. You may need different levels for different contracts.
CMMC compliance costs can be charged as indirect costs or allocated to G&A. This includes assessment fees, security tools, consultant costs, and infrastructure upgrades.
Only 52 C3PAOs are currently certified to perform Level 2 assessments. With approximately 80,000 companies needing certification, the math doesn't work. Early movers have a significant advantage.
Controlled Unclassified Information is the entire reason CMMC exists. It's information that isn't classified but is still sensitive enough that the government wants it protected.
If you've ever wondered "do I even handle CUI?" — you probably do. Here's what qualifies:
Cloud matters. If a Cloud Service Provider stores, processes, or transmits CUI on your behalf, DFARS 252.204-7012 requires it to meet the FedRAMP Moderate baseline, either through a FedRAMP authorization or a DoD-accepted equivalency. This applies to Microsoft 365, SharePoint, file storage, and any SaaS tools where CUI might land. Standard commercial tenants generally don't meet this bar, so confirm the provider's FedRAMP status (or its equivalency evidence) before CUI touches the service.
NIST 800-171 exists specifically to protect CUI in nonfederal systems. The 110 controls in Level 2 are designed around this single objective: keeping CUI out of the wrong hands.
CMMC compliance isn't abstract. Here are the numbers that should be shaping your planning.
The projected completion period for the entire defense industrial base is 5 years. That's not a typo. At the current pace, it will take half a decade to certify everyone who needs it. The companies that move first will have a competitive advantage in bidding on CMMC-required contracts.
Let's be clear: OpsDoctor doesn't replace your CMMC consultant. You need a qualified assessor to get you across the finish line. What we do is make sure you don't slide backwards after they leave.
$1,000/month — less than 4 hours of your CMMC consultant's time. And unlike your consultant, OpsDoctor doesn't leave after the engagement ends.
Defense contracting runs on acronyms. Here are the ones you'll encounter most in CMMC compliance.
| Acronym | What It Means |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification — the DoD's cybersecurity certification framework for defense contractors |
| CUI | Controlled Unclassified Information — sensitive but unclassified information requiring safeguarding |
| CDI | Covered Defense Information — CUI that is provided to or generated by a contractor in the performance of a DoD contract |
| FCI | Federal Contract Information — information provided by or generated for the government under a contract, not intended for public release |
| NIST 800-171 | The NIST standard defining 110 security requirements for protecting CUI in nonfederal systems. Revision 2 is the basis for CMMC Level 2. |
| NIST 800-172 | Enhanced security requirements beyond 800-171. Applies to CMMC Level 3 for high-value assets and critical programs. |
| C3PAO | CMMC Third-Party Assessment Organization — authorized by the Cyber AB to conduct CMMC Level 2 assessments |
| DFARS | Defense Federal Acquisition Regulation Supplement — the contract clauses that make CMMC a legal requirement. DFARS 252.204-7012 requires NIST 800-171 safeguarding and cyber incident reporting; DFARS 252.204-7021 is the clause that requires a CMMC level for a contract. |
| DCAA | Defense Contract Audit Agency — audits contractor financials, relevant because compliance costs are allowable indirect costs |
| POA&M | Plan of Action and Milestones — a documented plan for addressing security requirements that aren't yet fully implemented |
| FedRAMP | Federal Risk and Authorization Management Program — the security standard for cloud services used by government. CUI requires FedRAMP Moderate Equivalency. |
| SPRS | Supplier Performance Risk System — where contractors submit their self-assessment scores and annual affirmations, and where CMMC status is recorded for contracting officers |
| DIBCAC | Defense Industrial Base Cybersecurity Assessment Center — conducts government-led Level 3 assessments |
| SSP | System Security Plan — documents how your organization implements each of the required security controls |
| Cyber AB | The Cyber Accreditation Body — the nonprofit that accredits C3PAOs and manages the CMMC ecosystem |
| COTS | Commercial Off-the-Shelf — commercial products sold without modification. COTS-only suppliers may be exempt from CMMC. |
Understanding where CMMC came from helps you understand where it's going.
Your CMMC consultant gets you certified. OpsDoctor keeps you there.
Book a Discovery Call