CMMC 101
What Defense Contractors Need to Know
If your business works with the U.S. Department of Defense — or wants to — cybersecurity compliance isn't optional. The Cybersecurity Maturity Model Certification (CMMC) is the DoD's way of making sure the companies it works with are actually protecting sensitive government information, not just pinky-promising they are. And as of November 2025, those requirements are now showing up in contracts.
What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It's a framework developed by the Department of Defense to protect sensitive defense information from cyberattacks and data breaches across the Defense Industrial Base (DIB) — the 300,000+ companies that make up the DoD's contractor ecosystem.
Think of it as a tiered certification program. The DoD assigns a required CMMC level to each contract, and contractors must prove they've met that level's security standards before they can win or keep that work. Starting November 10, 2025, CMMC requirements began appearing in new DoD contracts as a condition of award.
CMMC is built on security controls drawn from NIST SP 800-171, organized across 14 areas including access control, incident response, configuration management, and more.
Regulatory basis: 32 CFR Part 170 (CMMC Program Rule, effective December 16, 2024) and 48 CFR / DFARS Case 2019-D041 (Acquisition Rule, effective November 10, 2025).
Who Needs CMMC?
Short answer: If you have a DoD contract — or want one — you almost certainly need CMMC.
Since 2017, virtually all DoD contracts have included a clause (DFARS 252.204-7012) requiring contractors to implement specific cybersecurity controls. A congressional study found that very few contractors were actually meeting those requirements, even though they were signing off that they were. That gap led to the creation of CMMC — a formal, verifiable certification process.
CMMC compliance is required if your work involves:
- Federal Contract Information (FCI): Non-public information generated or provided under a government contract
- Controlled Unclassified Information (CUI): Sensitive but unclassified government data — things like engineering drawings, technical specifications, research data, and software source code
CMMC requirements also flow down through the supply chain. If a prime contractor shares CUI with you as a subcontractor, you're required to meet the same CMMC level.
One exemption: Contracts solely for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements.

What Level Do You Need?
There are three CMMC maturity levels. Most contractors will fall into Level 1 or Level 2.
Level 1
For contracts involving only Federal Contract Information (FCI). Requires compliance with 15 cybersecurity practices based on FAR 52.204-21. Demonstrated through annual self-assessment and affirmation submitted to the Supplier Performance Risk System (SPRS). No third-party assessment is required at this level.
Level 2
For contracts involving Controlled Unclassified Information (CUI). Requires all 110 security controls from NIST SP 800-171 Rev. 2. This level has two paths depending on your contract:
- Level 2 (C3PAO): Required for most DoD contractors handling defense-related CUI. Must be assessed by an accredited CMMC Third-Party Assessment Organization (C3PAO). Valid for three years. Annual affirmation of continued compliance also required.
- Level 2 (Self): Available only for contractors handling CUI that falls outside the National Archives' CUI Defense Organizational Index Grouping — a narrow exception covering things like tax records or archaeological data. Requires annual self-assessment and SPRS submission.
Important: DoD estimates that approximately 70–75% of Level 2 contractors will require a C3PAO assessment, not self-attestation. If your work involves technical data, engineering drawings, or defense-related CUI, plan for C3PAO.
Level 3
For contractors supporting the most critical national security programs. Requires all 110 Level 2 controls plus 24 additional controls from NIST SP 800-172. Must be assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) — a Level 2 C3PAO certification is a prerequisite. Assessment required every three years.
Your contract tells you which level you need. Look for DFARS clause 252.204-7021 in your prime contracting or subcontracting agreement — it specifies the required level and assessment type.
A Note on POA&Ms and Conditional Status
Under the final rule, Level 2 contractors that don't meet all 110 controls at the time of assessment may still achieve Conditional Level 2 Status, provided they:
- Score at least 80% of the maximum possible score, and
- Have fully implemented all identified critical requirements
Any unmet requirements must be documented in a Plan of Action and Milestones (POA&M) and fully remediated within 180 days. After remediation, a closeout assessment is required to achieve Final Level 2 Status. Note: POA&Ms are not permitted at Level 1.
The Implementation Timeline
CMMC is rolling out in four phases:
- Phase 1 (Nov 10, 2025): Level 1 and Level 2 self-assessments required for applicable new contracts
- Phase 2 (Nov 10, 2026): Level 2 C3PAO assessments required for applicable contracts
- Phase 3 (Nov 10, 2027): Level 2 C3PAO requirements extend to existing contract options; Level 3 required on applicable contracts
- Phase 4 (Nov 10, 2028): Full implementation — CMMC applies to all applicable DoD contracts above the micro-purchase threshold
Don't wait on Phase 2. C3PAO lead times are currently running 9–12 months or longer, and available assessment slots are filling up fast. If your contracts will require a C3PAO assessment, start preparing now.
What Is Scoping — and Why Does It Matter?
Before you can achieve CMMC compliance, you need to figure out what you're protecting and where it lives. This process is called scoping, and it's the critical first step.
Scoping means identifying which parts of your business — people, systems, locations, and third-party services — touch sensitive government data (CUI or FCI). Those assets become your assessment boundary: the perimeter within which CMMC controls must be applied.
Here's the key insight most organizations miss: scoping isn't the same as applying every rule to everything. A piece of test equipment, a network firewall, and an employee each have different roles — and different controls apply to each.
Getting scoping right saves you money and effort. Getting it wrong means either overspending on unnecessary controls or — worse — leaving gaps that fail your assessment.
How Assets Are Categorized
Not every system in your organization is treated the same way under CMMC. The DoD uses five asset categories for Level 2:
CUI Asset
Any system that stores, processes, or transmits Controlled Unclassified Information. These are the crown jewels of your assessment scope. Full CMMC controls apply.
Examples: servers with engineering drawings, workstations used to access design specs, file transfer services handling CUI
Security Protection Asset (SPA)
Systems that don't hold CUI themselves, but provide security functions that protect systems that do. Full CMMC controls apply.
Examples: firewalls, antivirus solutions, SIEM platforms, VPN concentrators, multi-factor authentication systems
Contractor Risk Managed Asset (CRMA)
Systems that could potentially access CUI but are prevented from doing so by company policy and controls. CMMC-specific controls don't apply — your own security policies govern these.
Examples: employee laptops on a segmented non-CUI network, email systems where CUI is administratively prohibited
Specialized Asset (SA)
Devices that may interact with CUI but can't be fully secured through standard means. Managed under your enterprise security policies — not assessed against CMMC controls.
Examples: IoT/IIoT devices, CNC machines, government-furnished equipment, operational technology (OT)
Out-of-Scope Asset (OSA)
Systems that are completely separated — physically or logically — from CUI and don't provide security protections for it. No CMMC requirements apply.
Examples: a guest WiFi network, supplier portals where no CUI is shared, visitor management systems
The Scoping Decision: A Simple Guide
When evaluating any system, device, or service, ask these questions in order:
1. Does it store, transmit, or process CUI? Yes: CUI Asset. Full controls apply.
2. Does it provide security functions for a CUI asset? Yes: Security Protection Asset. Full controls apply.
3. Is it physically or logically separated from CUI? Yes: Out-of-Scope Asset. No controls required.
4. Is it an IoT device, OT system, government property, or test equipment? Yes: Specialized Asset. Managed under enterprise policy.
5. Does it sit inside your network without being intended to hold CUI? Yes: Contractor Risk Managed Asset. Documented and governed by your own policies.
One important note on third parties: If a vendor, managed service provider, or subcontractor performs security functions for your environment or receives CUI — they're in scope. You need a written agreement documenting their security responsibilities.
Two Real-World Scoping Examples
Example 1: Flat Network (Harder)
Imagine a small defense subcontractor using a single, unsegmented network. Because all devices share the same network — even those that don't need CUI — everything falls into scope. The company's firewall, every employee workstation, remote workers, the MSP doing patch management, and even the outsourced bookkeeper who VPNs in all get pulled into the assessment boundary. This means more cost and more controls required.
The takeaway: Without network segmentation, your scope grows fast.
Example 2: Segmented Network (Smarter)
A defense engineering firm that isolates CUI into its own dedicated network enclave tells a very different story. The corporate LAN, guest WiFi, and general-purpose servers stay out of scope. Only the CUI enclave, the security tools protecting it, the CNC machines on the shop floor, and third parties that receive CUI are in scope.
The takeaway: Network segmentation is one of the most effective ways to reduce your CMMC assessment scope — and your compliance costs.
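To make the five-question sequence and the two scoping stories concrete, here is an added Python illustration (not DoD guidance, not a C3PAO tool, and not FFI Systems' own code). It encodes the questions in the order given above, runs them over a constructed nine-asset inventory, and toggles one flag to show how a flat network pulls every asset into the boundary while a CUI enclave leaves the corporate side out. The asset names, the `Asset` fields, and the two inventories are assumptions made for the example; the only substantive rule it applies is that the first "yes" decides the category.

```python
"""
Asset categorization for CMMC Level 2 scoping, following the five-question
decision sequence in the order the article gives it, then re-run over the
flat vs. segmented inventories from the two examples. Added illustration only:
the asset records and field names are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
OSA = "Out-of-Scope Asset"
SA = "Specialized Asset"
CRMA = "Contractor Risk Managed Asset"

# Everything except OSAs lands inside the assessment boundary: CUI assets and
# SPAs are assessed against the full control set, SAs and CRMAs are documented
# and governed by enterprise policy.
IN_SCOPE = {CUI_ASSET, SPA, SA, CRMA}
FULL_CONTROLS = {CUI_ASSET, SPA}


@dataclass(frozen=True)
class Asset:
    name: str
    handles_cui: bool = False         # stores, processes or transmits CUI
    protects_cui_asset: bool = False  # firewall, SIEM, MFA, ... guarding CUI assets
    separated_from_cui: bool = False  # physically/logically isolated from CUI
    specialized: bool = False         # IoT/OT, GFE, test equipment
    third_party: bool = False         # vendor, MSP or subcontractor


def categorize(asset: Asset) -> str:
    """Ask the scoping questions in order; the first 'yes' decides the category."""
    if asset.handles_cui:            # Q1
        return CUI_ASSET
    if asset.protects_cui_asset:     # Q2
        return SPA
    if asset.separated_from_cui:     # Q3
        return OSA
    if asset.specialized:            # Q4
        return SA
    return CRMA                      # Q5: inside the network, not meant to hold CUI


def scope_report(inventory):
    """Group assets by category; list in-scope third parties that need a written agreement."""
    by_category = defaultdict(list)
    agreements = []
    for asset in inventory:
        cat = categorize(asset)
        by_category[cat].append(asset.name)
        if asset.third_party and cat in IN_SCOPE:
            agreements.append(asset.name)
    in_scope = sum(len(v) for c, v in by_category.items() if c in IN_SCOPE)
    return {"by_category": dict(by_category), "in_scope": in_scope,
            "total": len(inventory), "agreements_needed": agreements}


def build_inventory(segmented: bool):
    """Constructed inventory; `segmented` says whether non-CUI systems sit outside a CUI enclave."""
    corp = segmented  # corporate-side systems count as separated only when an enclave exists
    return [
        Asset("CUI file server", handles_cui=True),
        Asset("Engineering workstation", handles_cui=True),
        Asset("Design subcontractor", handles_cui=True, third_party=True),
        Asset("Perimeter firewall", protects_cui_asset=True),
        Asset("MFA service", protects_cui_asset=True),
        Asset("Shop-floor CNC machine", specialized=True),
        Asset("Front-office laptop", separated_from_cui=corp),
        Asset("MSP patch management", separated_from_cui=corp, third_party=True),
        Asset("Outsourced bookkeeper VPN", separated_from_cui=corp, third_party=True),
    ]


if __name__ == "__main__":
    for label, seg in (("Flat network", False), ("Segmented network", True)):
        r = scope_report(build_inventory(seg))
        print(f"{label}: {r['in_scope']} of {r['total']} assets in scope; "
              f"written agreements needed for {r['agreements_needed']}")
        for cat, names in r["by_category"].items():
            print(f"  {cat}: {', '.join(names)}")
```

Running it prints nine of nine assets in scope for the flat network (the laptop, the MSP and the bookkeeper all land in CRMA, and all three third parties need agreements) versus six of nine for the segmented one, where those same three become Out-of-Scope Assets and only the design subcontractor that receives CUI still needs an agreement. The order of the questions is what makes the CNC machine a Specialized Asset rather than an Out-of-Scope Asset: it is asked about separation before it is asked about being specialized, so a CNC machine that were isolated from CUI would drop out of scope at question 3.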
Where to Start?
CMMC compliance can feel overwhelming, but it follows a clear sequence:
- Identify your CMMC level — check your contract for DFARS clause 252.204-7021
- Define your assessment scope — inventory your people, systems, data flows, and third parties
- Create a System Security Plan (SSP) — document how your environment is structured and protected
- Implement required controls — policies, procedures, and technical safeguards
- Record your score in SPRS — required for both self-assessments and C3PAO assessments as a condition of contract award
- Engage a C3PAO if required — start this process early; lead times are 9–12+ months
- Maintain your program — annual affirmations required at all levels; full reassessment every 3 years at Level 2 and 3
Ready to Get Started?
FFI Systems helps defense contractors navigate every step of the CMMC journey — from scoping your environment to preparing for third-party assessment. Whether you're just learning what CMMC means for your business or you're deep in remediation, we can help.