Cybersecurity Maturity Model Certification (CMMC)
Definition
The Cybersecurity Maturity Model Certification (CMMC) program is DoW's approach to verifying that defense contractors and subcontractors implement cybersecurity controls for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 defines three levels: Level 1 (self-assessed, 17 controls based on FAR 52.204-21), Level 2 (aligned with the 110 controls of NIST SP 800-171 Rev 2, third-party assessed for prioritized contracts), and Level 3 (a subset of NIST SP 800-172 controls, government assessed). The final CMMC rule (48 CFR) began flowing into DFARS clauses in 2025 and will appear progressively on new DoW solicitations.
Why It Matters
CMMC is becoming a pass/fail gate for DoW work. If you handle CUI and cannot document your CMMC Level 2 posture, you will be unable to bid on affected contracts. Preparation takes 9–18 months for most small and mid-sized firms — SSP documentation, POA&M remediation, technical control implementation, and third-party assessment — so starting early is essential. Prime contractors also flow CMMC requirements down to their subcontractors, so subcontractors face the same deadlines.
Example
A 40-person engineering firm on a Navy contract receives CUI. It spends 14 months implementing NIST 800-171 controls, generates an SSP, and completes a C3PAO assessment. Its Level 2 certification is recorded in SPRS before the next task order is issued, unblocking a $6.5M re-compete.