What Is CMMC?

Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and certification framework to ensure that DoD contractors properly protect sensitive information.


The basics of CMMC

Why is CMMC important?

DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.

What's different about CMMC?

For many years the U.S. government provided cybersecurity guidance to contractors, but contractors had no way to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by third-party assessors. Contractors must achieve certification before they can win future government contracts.

Does CMMC apply to all government contractors?

As of 2025, CMMC applies only to DoD contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The DoD is now beginning to require certification with certain contracts. In the future, CMMC could be adopted by other federal agencies, but at this point, no formal rulemaking has extended it beyond the DoD.

What about colleges and universities?

Many higher education institutions are DoD contractors. They perform basic and applied research under contract and are also subject to CMMC. Helen Patton, former CISO at Ohio State, shares how CMMC affects the higher ed community and explains how to get started with CMMC.

Who pays for the CMMC assessment?

Contractors pay for their CMMC assessments. The costs depend upon several factors, like the target CMMC levels. However, the DoD states that certain cybersecurity contracts can incur "allowable costs" that can help contractors pay for upgrades. CMMC does not allow contractors to perform self-certifications.

Does CMMC apply to every company that does business with the government?

No. For example, companies that solely produce commercial-off-the-shelf (COTS) products do not require a CMMC certification.

Terms to know

Controlled Unclassified Information (CUI)

CUI is information the government creates or possesses that a law, regulation, or governmentwide policy requires to be safeguarded. CUI can be handled only with appropriate security controls in place.

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS details the terms and conditions for DoD procurement contracts. CMMC builds upon certain DFARS clauses that subject contractors to CMMC requirements.

CMMC Third-Party Assessor Organization (C3PAO)

A C3PAO is an entity authorized and accredited by the government to perform CMMC assessments. The C3PAO also issues CMMC certificates based on the results of those assessments.

Office of the Under Secretary of Defense for Acquisition and Sustainment – OUSD (A&S)

The Office of the Under Secretary of Defense for Acquisition and Sustainment is a DoD organization that led the development of the CMMC program.

NIST Special Publication 800-171/172

NIST SP 800-171 catalogs a comprehensive set of security controls required to protect CUI in non-federal systems. These controls form the foundation of CMMC Level 2. For more sensitive environments, NIST SP 800-172 builds on 800-171 by adding enhanced protections against advanced persistent threats, supporting the requirements of CMMC Level 3.

Federal Contract Information (FCI)

FCI is information provided by or generated for the government under a contract that is not intended for public release. While FCI is less sensitive than CUI, it must be protected using basic security controls to prevent unauthorized access or disclosure.