What Is CMMC? Cybersecurity Maturity Model Certification Explained for Vendors

May 9, 2026
Mathieu Gaillarde

CMMC — the Cybersecurity Maturity Model Certification — is the US Department of Defense’s framework for ensuring that defense contractors and their supply chains adequately protect controlled unclassified information. If you sell software, cloud services, or technology to defense primes, subcontractors, or any organization in the defense industrial base, CMMC is not a background compliance consideration. It is a contract eligibility requirement that determines whether you can bid at all.

TL;DR
• CMMC is a US DoD cybersecurity certification framework that defense contractors must achieve to win or retain government contracts
• It has three levels: Level 1 (basic safeguarding), Level 2 (advanced practices aligned with NIST SP 800-171), and Level 3 (expert practices)
• CMMC 2.0, finalized in late 2024, replaced the original five-level model and relies heavily on NIST SP 800-171 as its control baseline
• Level 2 and Level 3 require third-party assessment by a C3PAO; Level 1 allows annual self-assessment
• Software vendors in the defense supply chain face CMMC requirements through their prime contractor customers even if they have no direct DoD contracts

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework and certification program developed by the US Department of Defense (DoD) to verify that defense contractors and subcontractors implement adequate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It replaced the previous honor-system approach, under which contractors self-attested to compliance with NIST SP 800-171, with a formal certification requirement that must be verified before contract award.

CMMC applies to all organizations in the Defense Industrial Base (DIB) — the network of commercial firms that provide products and services to the DoD. This includes prime contractors who hold direct DoD contracts, subcontractors who support primes, and any organization in the supply chain that handles FCI or CUI in the performance of a DoD contract. Software vendors who provide tools, platforms, or services to defense contractors frequently fall within CMMC scope even without holding a direct government contract.

CMMC 2.0, the current version finalized through rulemaking in late 2024, simplified the original five-level model to three levels and aligned more closely with existing NIST standards. The program is being phased into contracts progressively, with full implementation across defense contracts expected by 2028.

What Is the Difference Between FCI and CUI?

Understanding the distinction between Federal Contract Information and Controlled Unclassified Information is essential for determining which CMMC level applies to your organization and your contracts.

Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not intended for public release. FCI is the baseline category — virtually all DoD contractors handle some form of FCI. Organizations that handle only FCI and not CUI are subject to CMMC Level 1.

Controlled Unclassified Information (CUI) is information the government creates or possesses that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy, but is not classified. CUI encompasses a wide range of sensitive information categories including export-controlled technical data, privacy information, law enforcement sensitive information, and defense-critical technical specifications. Organizations that handle CUI must achieve at least CMMC Level 2, and organizations handling the most sensitive CUI may be required to achieve Level 3.

For software vendors, the key question is whether the data your platform stores, processes, or transmits includes CUI — even if you do not generate it yourself. If your software handles CUI on behalf of a defense contractor, you are a subcontractor in the CMMC sense and must achieve the appropriate certification level.

What Are the Three CMMC 2.0 Levels?

CMMC 2.0 defines three certification levels, each aligned with a different risk profile and set of security requirements. The level required for a specific contract is specified in the contract solicitation.

CMMC Level 1 — Foundational applies to organizations that handle FCI but not CUI. It requires implementation of the 17 basic safeguarding requirements from FAR clause 52.204-21. These are the most basic security hygiene practices: limiting information system access to authorized users, limiting physical access to information systems, sanitizing or destroying information system media, limiting and authenticating external connections, identifying information systems users, sanitizing portable storage devices, protecting audit information, identifying and authenticating users and devices, controlling remote access, and protecting wireless access. Level 1 allows annual self-assessment and self-attestation; no third-party certification is required.

CMMC Level 2 — Advanced applies to organizations that handle CUI. It requires implementation of all 110 security practices from NIST SP 800-171, organized across 14 domains: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. For most contracts, Level 2 requires triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). Some Level 2 contracts may allow self-assessment with senior official affirmation, based on the sensitivity of the CUI involved.

CMMC Level 3 — Expert applies to organizations handling the most critical CUI on DoD’s highest priority programs. It builds on Level 2 and adds a subset of practices from NIST SP 800-172, which addresses advanced persistent threats. Level 3 assessments are conducted by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by commercial C3PAOs. Level 3 applies to a relatively small number of programs and contractors; most DoD suppliers will target Level 1 or Level 2.

What Is NIST SP 800-171 and Why Does It Matter for CMMC?

NIST Special Publication 800-171 is the foundational cybersecurity standard for protecting CUI in non-federal systems and organizations. It defines 110 security requirements organized across 14 control families, and it is the primary technical baseline for CMMC Level 2. Understanding NIST SP 800-171 is therefore understanding the substance of what most CMMC Level 2 requirements ask organizations to implement.

The 14 control families of NIST SP 800-171 cover: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each family contains multiple specific requirements — 110 in total — that describe the security outcomes organizations must achieve.

Organizations pursuing CMMC Level 2 are essentially implementing NIST SP 800-171 in a verifiable, documented form. The System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that organizations must maintain are the primary documentation artifacts that C3PAOs review during assessments. A mature NIST SP 800-171 compliance program — with documented policies, implemented controls, and evidence of control operation — is the foundation of a successful CMMC Level 2 assessment.

How Does the CMMC Assessment Process Work?

The CMMC assessment process varies by level. For Level 1, organizations conduct annual self-assessments and submit self-attestations through the Supplier Performance Risk System (SPRS). For Level 2 (when third-party assessment is required) and Level 3, the process is more formal and more resource-intensive.

For CMMC Level 2 third-party assessments, organizations engage a C3PAO — a commercial assessment organization that has been certified by the CMMC Accreditation Body (Cyber AB) to conduct official CMMC assessments. The C3PAO assigns a team of Certified CMMC Assessors (CCAs) who review the organization’s System Security Plan, conduct interviews with personnel, review documentation of control implementation, and test controls through technical examination of systems within the assessment scope.

The assessment produces a score based on how many of the 110 NIST SP 800-171 practices are fully implemented, partially implemented, or not implemented. Organizations must achieve a minimum score (based on DoD requirements at the time of assessment) to receive certification. Organizations with deficiencies may be permitted to develop a POA&M for practices that are not yet fully implemented, subject to specific limitations on which practices can be addressed through a POA&M rather than full implementation at assessment time.

Assessments are valid for three years. Organizations must maintain their security posture throughout the certification period and conduct annual affirmations of continued compliance by a senior official between triennial assessments.

How Does CMMC Affect Software Vendors in the Defense Supply Chain?

Software vendors that are not defense contractors themselves often discover their CMMC obligations through their customers rather than through direct government communication. A prime contractor subject to CMMC requirements must flow down those requirements to subcontractors who handle FCI or CUI in the performance of the contract. If your software platform is used to store, process, or transmit CUI as part of a defense program, your customer’s CMMC obligation becomes your CMMC obligation.

The practical implications are significant. A SaaS vendor whose platform is used by defense contractors to manage program data, share technical specifications, or process controlled research must achieve the CMMC level required for the type of information they handle. This means implementing NIST SP 800-171 controls, maintaining an SSP, and — for Level 2 contracts requiring third-party assessment — passing a C3PAO assessment before their customer can continue using their platform on a CMMC-covered contract.

Software vendors who are not yet CMMC-certified but whose customers are defense contractors should assess their CMMC exposure proactively. Customers will increasingly require CMMC certification as a vendor qualification criterion, and the transition from assessment preparation to certified status typically takes twelve to twenty-four months for organizations starting from a low baseline.

How Does CMMC Relate to Other Security Frameworks?

CMMC does not exist in isolation. Its control requirements overlap substantially with other security frameworks that defense-adjacent vendors may already be pursuing, and understanding the overlaps allows organizations to rationalize their compliance investments rather than treating each framework as a fully independent program.

ISO 27001 and CMMC share significant control coverage. ISO 27001’s Annex A controls map to many of the NIST SP 800-171 requirements that underpin CMMC Level 2. An organization with a current ISO 27001 certification has documented and audited a broad set of security controls that satisfy overlapping CMMC requirements. ISO 27001 certification does not substitute for CMMC certification, but it provides a strong foundation that reduces the gap between an organization’s current state and CMMC Level 2 readiness.

SOC 2 Type II provides independent evidence of security controls that overlaps with CMMC Level 2 requirements, particularly in the access control, incident response, system monitoring, and change management domains. Like ISO 27001, SOC 2 does not substitute for CMMC but provides evidence that reduces the documentation and control implementation burden of a CMMC assessment.

The NIST Cybersecurity Framework (CSF) is referenced in CMMC guidance as an organizing framework. Organizations using NIST CSF as their security governance framework will find that the Identify, Protect, Detect, Respond, and Recover functions map directly to CMMC Level 2 control families, making the translation from CSF to the NIST SP 800-171 practices behind CMMC more structured than starting from scratch.

How Do Defense Contractors Use CMMC in Vendor Evaluations?

Prime contractors who are subject to CMMC are responsible for flowing down cybersecurity requirements to their subcontractors and supply chain. In practice, this means that defense primes are increasingly incorporating CMMC requirements into their vendor onboarding processes, RFP solicitations, and security questionnaires.

Vendor security questionnaires from defense primes frequently ask about CMMC certification level, SPRS score, SSP status, and whether the vendor has engaged a C3PAO. Vendors who cannot provide specific answers to these questions — or who do not yet have a CMMC program — are increasingly disqualified from defense subcontracting opportunities before commercial evaluation begins.

For vendors receiving CMMC-related questions in DDQs and security questionnaires from defense contractor customers, the most credible answers are specific and documented: your current SPRS score, the scope of your SSP, which NIST SP 800-171 practices are fully implemented versus on a POA&M, and your timeline for C3PAO assessment if not yet certified. Vague responses about “following NIST guidelines” carry no weight with prime contractor security teams who understand the specifics of what CMMC requires.

What Is the Timeline for CMMC Implementation?

CMMC is being implemented through a phased approach that ties certification requirements to specific contract actions over time. The DoD’s rulemaking for CMMC 2.0 was finalized in late 2024, which triggered the start of the phased implementation timeline.

Phase 1 began with the finalization of the rule and applies to contracts where CMMC Level 1 or Level 2 self-assessment requirements are included in solicitations. Phase 2 adds Level 2 third-party assessment requirements to solicitations beginning approximately one year after rule finalization. Phase 3 adds Level 2 and Level 3 requirements across a broader range of contracts approximately two years after rule finalization. Phase 4, expected approximately three years after rule finalization, sees CMMC requirements applied across the full range of applicable DoD contracts.

For software vendors, the implication is that CMMC requirements are already appearing in some contracts and will progressively expand across the defense supply chain through 2027 and 2028. Organizations that wait until a specific contract requires CMMC certification before beginning preparation will find the timeline insufficient. Assessment preparation typically requires twelve to twenty-four months; organizations targeting Level 2 C3PAO certification should begin their programs now rather than when contract requirements make it urgent.

How Should Vendors Prepare for CMMC?

Preparation for CMMC follows a structured sequence that applies regardless of the organization’s current security posture. The sequence is: scoping, gap assessment, remediation, documentation, and assessment readiness. Shortcuts in any of these phases typically result in failed assessments, POA&M findings, or incomplete certification that cannot be used for contract eligibility purposes.

Scoping defines which systems, personnel, and locations fall within the CMMC assessment boundary — the set of assets that store, process, or transmit CUI (for Level 2) or FCI (for Level 1). Accurate scoping is the most important decision in the preparation process, because it determines both the cost of compliance and the extent of the assessment. Over-scoping creates unnecessary compliance burden; under-scoping creates assessment failures and contract ineligibility.

Gap assessment evaluates the current implementation status of each required NIST SP 800-171 practice against the organization’s scoped environment. The assessment identifies which practices are fully implemented, which are partially implemented, and which are not implemented. The gap assessment output drives the remediation plan and the POA&M.

Remediation implements the controls required to close identified gaps. For most organizations, this involves technical implementation of missing controls, policy and procedure documentation, and evidence collection demonstrating control operation. The System Security Plan — which documents the security requirements applicable to the system, how each is implemented, and the responsibilities for implementation — is the primary artifact produced during this phase.

For teams managing the security questionnaire and RFP compliance responses that defense prime contractors send to their supply chain — many of which now include CMMC-specific questions about SPRS scores, SSP status, and certification timelines — Steerlab.ai automates the generation of responses from your approved content library, ensuring that your CMMC program details are communicated accurately and consistently across every defense vendor assessment your team completes.

Frequently Asked Questions

What does CMMC stand for?

CMMC stands for Cybersecurity Maturity Model Certification. It is a US Department of Defense cybersecurity framework and certification program that verifies defense contractors and subcontractors have implemented adequate cybersecurity practices to protect Federal Contract Information and Controlled Unclassified Information. CMMC 2.0, the current version, was finalized through DoD rulemaking in late 2024 and is being phased into defense contracts through approximately 2028.

Who needs CMMC certification?

Any organization in the Defense Industrial Base that handles Federal Contract Information or Controlled Unclassified Information in the performance of a DoD contract needs CMMC certification at the level appropriate to the information they handle. This includes prime contractors who hold direct DoD contracts, subcontractors who support primes, and any organization in the defense supply chain whose systems store, process, or transmit FCI or CUI. Software vendors whose platforms are used by defense contractors to handle CUI are subcontractors in the CMMC sense and must achieve the required certification level.

What is a C3PAO?

A C3PAO — CMMC Third-Party Assessment Organization — is a commercial assessment organization certified by the CMMC Accreditation Body (Cyber AB) to conduct official CMMC Level 2 assessments. C3PAOs employ Certified CMMC Assessors who review organizations’ System Security Plans, conduct interviews, examine control documentation, and test technical controls to determine whether the organization meets CMMC Level 2 requirements. CMMC Level 2 contracts that require third-party assessment (rather than self-assessment) must use a C3PAO; self-selected auditors or consultants cannot issue CMMC certifications.

How long does CMMC certification take?

The timeline from beginning CMMC preparation to receiving certification depends heavily on the organization’s starting security posture and the target level. For Level 1 self-assessment, organizations with basic security hygiene in place can typically complete the assessment and self-attestation within a few months. For Level 2 C3PAO assessment, organizations should expect twelve to twenty-four months from initial gap assessment to certified status, depending on the number and complexity of gaps to remediate. Organizations starting from a low baseline or with complex scoping environments should plan for the longer end of this range.

Is CMMC the same as NIST SP 800-171?

No, but they are closely related. NIST SP 800-171 is the technical standard defining 110 security requirements for protecting CUI in non-federal systems. CMMC Level 2 is essentially the certification that an organization has implemented all 110 NIST SP 800-171 practices in a verifiable, assessed form. The key difference is verification: under the previous DFARS clause 252.204-7012, organizations self-attested to NIST SP 800-171 compliance without external verification. CMMC adds third-party assessment (for most Level 2 contracts) and government assessment (for Level 3 contracts) to verify that the self-attested compliance is genuine.

Is there software that helps vendors respond to CMMC-related security questionnaires?

Yes. Defense prime contractors are increasingly sending security questionnaires and DDQs to their supply chain that include specific CMMC questions: SPRS score, SSP status, POA&M items, C3PAO engagement status, and control implementation details by NIST SP 800-171 domain. Response automation platforms help vendors maintain a governed library of approved answers to these recurring questions. Steerlab.ai automates the generation of security questionnaire responses from your approved content library, ensuring that your CMMC program details are communicated accurately and consistently across every defense vendor assessment your team completes.

What is an SPRS score and why does it matter?

An SPRS (Supplier Performance Risk System) score is a numerical score between -203 and 110 that represents an organization’s self-assessed compliance with NIST SP 800-171 requirements. The score is calculated based on how many of the 110 practices are fully implemented, with weighted deductions for partially implemented or unimplemented practices. Organizations must submit their SPRS score to the DoD’s Supplier Performance Risk System as part of their CMMC Level 1 and Level 2 self-assessment or pre-assessment reporting. Defense prime contractors and government contracting officers use SPRS scores as indicators of a vendor’s cybersecurity posture and CMMC readiness.
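As an added example (not part of the original post), the following Python turns the output of a gap assessment like the one described under "How Should Vendors Prepare for CMMC?" into an SPRS score and a POA&M list. It assumes the weighting rules of the DoD NIST SP 800-171 Assessment Methodology (each practice worth 1, 3 or 5 points, partial credit for 3.5.3 and 3.13.11, no score without a System Security Plan); the Level 2 threshold of 88 and the five-point POA&M restriction are labelled assumptions, and the practice list with its weights is a constructed sample.

```python
"""Score a NIST SP 800-171 gap assessment the way SPRS does (added example)."""
from dataclasses import dataclass
from typing import Optional

# Scoring rules as the editor understands the DoD Assessment Methodology:
# the score starts at 110 and every unimplemented practice deducts its
# weight (1, 3 or 5), giving the -203 to 110 range. Two practices allow
# partial credit (3 points deducted instead of 5):
#   3.5.3   MFA in place for remote/privileged access but not all users
#   3.13.11 encryption in use but not FIPS-validated
# 3.12.4 (the SSP) carries no points: without an SSP nothing can be scored.
MAX_SCORE = 110
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
SSP_PRACTICE = "3.12.4"

@dataclass(frozen=True)
class Practice:
    pid: str      # NIST SP 800-171 requirement identifier
    weight: int   # 1, 3 or 5 (weights in the sample below are illustrative)
    status: str   # "implemented", "partial" or "not_implemented"

def deduction(p: Practice) -> int:
    """Points deducted for one practice under the rules above."""
    if p.pid == SSP_PRACTICE or p.status == "implemented":
        return 0
    if p.status == "partial" and p.pid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[p.pid]
    # Any other partial implementation scores the same as not implemented.
    return p.weight

def sprs_score(practices: list) -> Optional[int]:
    """Return the SPRS score, or None when no SSP exists."""
    ssp = next((p for p in practices if p.pid == SSP_PRACTICE), None)
    if ssp is None or ssp.status != "implemented":
        return None
    return MAX_SCORE - sum(deduction(p) for p in practices)

def poam_items(practices: list) -> list:
    """Practices with open deductions: the gap-assessment output for the POA&M."""
    return [p.pid for p in practices if deduction(p) > 0]

def level2_poam_eligible(practices: list, min_score: int = 88) -> bool:
    """Whether the open gaps may be deferred to a POA&M for Level 2.

    Assumption (not from the page): score >= 88 (80% of 110) and no fully
    unimplemented 5-point practice; partial-credit practices may stay open.
    """
    score = sprs_score(practices)
    if score is None or score < min_score:
        return False
    return not any(p.weight == 5 and deduction(p) == 5 for p in practices)

# Constructed sample gap assessment (not real assessment data).
SAMPLE = [
    Practice("3.1.1", 5, "implemented"),       # limit system access
    Practice("3.1.2", 5, "implemented"),       # limit access to permitted functions
    Practice("3.3.1", 5, "not_implemented"),   # audit logging not in place
    Practice("3.5.3", 5, "partial"),           # MFA only for remote/privileged
    Practice("3.13.11", 5, "partial"),         # crypto in use, not FIPS-validated
    Practice("3.1.22", 1, "not_implemented"),  # control of publicly posted content
    Practice("3.12.4", 0, "implemented"),      # SSP exists, unscored
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))  # 98
    print("POA&M items:", poam_items(SAMPLE))
    print("Level 2 POA&M eligible:", level2_poam_eligible(SAMPLE))
```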
