The Department of Defence (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) framework to protect the Defence Industrial Base (DIB) from adversarial intelligence collection efforts and corporate proprietary data theft that could compromise U.S. national security. The framework is designed to ensure that defence contractors can meet the cybersecurity requirements built on the National Institute of Standards and Technology (NIST) 800-171 standards.
The DoD issued a final rule amending the Defence Federal Acquisition Regulation Supplement (DFARS) to mandate compliance with CMMC 2.0. Since November 10, 2025, CMMC are included as award criteria in new contracts as well as when exercising option years for existing contracts.
Use the following guide to understand the key components of CMMC 2.0 and get answers to frequently asked questions about the CMMC 2.0 compliance requirements.
The CMMC framework was created to protect the availability, confidentiality, and integrity of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) throughout the DoD’s extensive contractor supply chain. CMMC 2.0 – an advancement of CMMC 1.0 based on input from stakeholders – was released in October 2024. The revised framework streamlines and simplifies the original one with the goal of increasing the accountability and uniformity of cybersecurity procedures for contractors operating within the DIB.
With the introduction of CMMC 2.0, the DoD is pursuing three objectives:
Effective since December 2024 (32 CFR Final Rule), the revised CMMC Programme is characterised by a tiered model and its assessment requirements aligned to NIST SP 800-171, a set of cybersecurity requirements published by the National Institute of Standards and Technology, and a phased rollout.
Businesses entrusted with FCI and CUI are required to implement the progressive cybersecurity standards mandated by CMMC 2.0. The programme also explains the process for mandating information that is flowed down to subcontractors to be protected.
The DoD can confirm the use of precise cybersecurity standards through CMMC evaluations.
Certain DoD contractors handling FCI and CUI will need to reach a specific CMMC level as a requirement of contract award once CMMC regulations go into effect.
Unlike the earlier programme, CMMC 2.0 fully aligns with the controls set out in NIST SP 800-171 Revision 2.
To be awarded contracts and for the continuance of contracts, all DoD contractors and subcontractors must have a current CMMC record in the DoD Supplier Performance Risk System (SPRS) or all information systems that process, store, or transmit FCI or CUI during contract performance.
DFARS mandates contractor compliance with the CMMC requirements at the specified level for contract award. Depending on the kind and level of sensitivity of the data that companies may receive, retain, and transmit, the Department of Defence will determine which CMMC level will be applicable to a contract.
As CMMC 2.0 seeks to secure the entire Defence Supply Chain, via the “flow-down” principle, DFARS clauses also apply to subcontractors, making contractors responsible for their enforcement.
Contractors and subcontractors must submit a current assessment of their compliance with SPRS prior to contract award.
The level of CMMC 2.0 compliance you require is determined by the type of information you handle: Federal Contract Information (FCI) or Controlled Classified Information (CUI). CUI is information that needs to be protected and may also be subject to dissemination regulations, whereas FCI is any information that is "not intended for public release." Title 32 CFR Part 2002 defines CUI, while FAR clause 52.204-21 defines FCI.
The revised CMMC framework includes three levels for a progressive and simplified journey to cybersecurity maturity. Each level is characterised by a set of cybersecurity best practises, standards, and processes as defined in NIST SP 800-171 Revision 2.
This level prioritises safeguarding FCI. It mandates that an organisation’s systems and procedures adhere to 15 fundamental cybersecurity practises specified under 48 CFR 52.204-21, also known as the FAR clause (see FAQ ). This level may be applicable to a subset of programmes that need to meet CMMC Level 2 requirements, if CUI is not involved; however, it is only applicable when the organisation does not receive or hold Controlled Unclassified Information.
A self-assessment conducted once a year is sufficient at Level 1. Organisations must score their assessment against DoD requirements and report the results to SPRS for the assessment to be considered valid. The yearly submission of self-assessment results serves as an affirmation of continuous compliance.
The protection of CUI is the main focus of this level. At this level, organisations need to document their processes to guide their compliance efforts and follow them as prescribed.
CMMC Level 2 is often referred to as "advanced cyber-hygiene.” It requires the implementation of 110 practises, under the 14 domains specified in NIST SP 800-171 Revision 2 (see FAQ ).
CMMC Level 2 requires certification and, therefore, third-party assessment, which must be carried out by Certified Third-Party Assessment Organisations (C3PAOs). After initial certification, affirmation of continuous compliance must be made yearly by an organisation official and posted to the Supplier Performance Risk System. Three years after initial certification, a full reassessment must be carried out by a C3PAO.
Concerned with protecting CUI from advanced persistent threats (APTs), this CUI level is also described as "High Value Assets.” CMMC Level 3 requires the implementation of 24 additional controls from NIST SP 800-172 enhanced standards related to greater cybersecurity risk management.
The certification is only conducted by the DoD via DIBCAC every three years. As a prerequisite for this level, organisations must already be holding a valid Level 2 certification. After initial certification, organisations certified at this level should follow the same process for affirmation of continuous compliance and reassessment as CMMC Level 2 certified organisations.
Once certified at a given NIST revision, organisations remain locked to that revision for the three-year certification cycle. Transition to future revisions (e.g., NIST 800-171 Revision 3) will require new rulemaking, and likely fresh Class deviations for both DFARS 7012 and the 32 CFR CMMC programme.
The CMMC accreditation body is Cyber AB.
Achieving CMMC compliance and certification, especially Levels 2 and 3, takes significant time and resources and is a project that involves the entire organisation. Here is an overview of the steps that you need to follow:
The certification level you need is driven by the type of information you handle – Federal Contract Information (FCI) or Controlled Classified Information (CUI).
Analyse your current cybersecurity procedures and compare them to the certification level requirements. What are the areas that need improvement to meet the requirements of the CMMC level you are aiming for?
To improve your cybersecurity posture, implement the procedures described in FAR 52.204-21 (Level 1) and NIST SP 800-171 (Level 2), or NIST SP 800-172 (Level 3).
To achieve Level 2 and Level 3 certifications, work with certified third-party assessment organisations (C3PAOs) or with government-led assessors (DIBCAC).
Continuous cybersecurity excellence is emphasised in CMMC 2.0. To handle new risks, make sure you update and enhance your procedures on a regular basis. When working with subcontractors, make sure they have a valid SPRS record and check their scores.
Under the CMMC 2.0 final rule, organisations may achieve “conditional certification” at Level 2 and Level 3. To transition to full certification, they have 180 days to address the gaps identified with the corrective actions plan and road map formally outlined in a POA&M document.
Achieving certification should typically take 6 to 18 months. However, costs to achieve this vary depending on scope – i.e., volume of CUI and assets that store CUI, the CMMC Level aimed for, and an organization’s cybersecurity maturity at the start of the process. To enhance readiness and prepare your organisation for certification, you can work with a CMMC Registered Provider Organisation (RPO), authorised by the Cyber AB, or a C3PAO (which, in this case, cannot also be your certifying entity).
Learn how Infor supports your compliance requirements in a CMMC 2.0-ready environment.