Cybersecurity Maturity Model Certification
Also known as: CMMC, CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether contractors meet the cybersecurity controls already required by FAR 52.204-21 and NIST SP 800-171. It defines three certification levels and the assessment mechanism for each, established by 32 CFR Part 170 and made contractually binding by DFARS 252.204-7021.
Related terms
- CMMC Level 1
CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not CUI. It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.
- CMMC Level 3
CMMC Level 3 is the highest CMMC certification tier, reserved for DoD programs involving CUI of the highest priority. It requires implementing NIST SP 800-171 plus 24 enhanced controls drawn from NIST SP 800-172, and triennial assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- 32 CFR Part 170
32 CFR Part 170 is the Department of Defense final rule that established the CMMC program, defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.
- DFARS 252.204-7021
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025 as part of the 48 CFR final rule, and triggers the annual senior-official affirmation requirement under 32 CFR 170.22.
Read more in the Library
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.
- CMMC Level 1 vs Level 2: Which One Do You Actually Need? (2026 Plain-English Guide)
Most small defense contractors are Level 1, not Level 2, but the wrong answer here costs you a year and tens of thousands of dollars. Here's the single question that decides it.
- Do I Even Need CMMC? A 4-Question Decision Tree for 2026
Half the small businesses asking about CMMC don't actually need it, and the other half need it more urgently than they realize. Four questions and you'll know where you stand.