What Is the DoD’s Cybersecurity Maturity Model Certification (CMMC)

When the Department of Defense (DoD) announced it was creating a framework for cybersecurity policy assessment and certification, and that certifications would start to be required for contracts, many businesses were caught off guard. In fact, many today are still largely unaware of the new CMMC 2.0 requirements or how they can become certified.

So, let’s cover the basics to make sure your business is ready for one of the most important new DoD requirements to emerge in many years (one that may soon be replicated by military forces of other nations as well as our own federal civilian agencies).

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification.” It is a new requirement for DoD contractors to ensure that they and companies within their supply chain meet cybersecurity standards. In the past, government contractors had a self-assessment model to verify they met standards. The DoD wants to move away from self-assessment and into a more formal framework that includes certification from DoD-approved organizations. The benefit of this approach is that it better ensures overall cybersecurity practices throughout the DoD community and helps protect Controlled Unclassified Information (CUI) that exists in DoD partner networks.

The certification process is built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia.

CMMC 2.0 consists of 3 levels to protect Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and CUI/Critical CUI for organizations in the DoD supply chain. These levels will range from “Foundational” to “Expert.” The ultimate impact will be that a government contractor will need to be certified at a certain level in order to be eligible to bid on a DoD contract opportunity.

How can my business become certified?

Your business will need to get accredited through one of the CMMC third-party assessment organizations once your organization is ready for certification.

Once the certification has been performed and approved, your company will be awarded the appropriate CMMC certification.

How do I request certification assessment?

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification. For more information on certification, visit cyberab.org.

I am a subcontractor on a DoD contract. Do I need to be certified?

It is important to note that all current DoD contractors and subcontractors must be compliant with current contracts, most likely meaning compliance around the NIST SP 800-171. If you haven’t already done so or still working on certain policies or practices, visit our tool to help you get started.

Level 1 and a subset of organizations at Level 2 can be compliant with CMMC 2.0 requirements through self-assessments.

Other Level 2’s (Based on contract requirements like the DFARS 7012) will need to pass a third-party or government-led assessment.

All Level 3’s will need to get a CMMC certification.

Proactive subcontractors will be seen as an asset to prime contractors. If you are a prime contractor, this means you will need to be very assertive in helping your subcontractors understand what they need to do. Failure to comply may result in those subcontractors being ineligible to participate in future contract opportunities.

How often does my Organization need to be reassessed?

The duration is currently on a triennial basis.

What is the current timeline for CMMC implementation?

On December 26,2023, the Department of Defense (“DoD”) published the Proposed Final Rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. The Proposed Final Rule is currently undergoing the 60-day comment period, which ends on February 26,2024. The implementation for CMMC will be phased in through 4 phases.

Implementation Details

Phased Implementation: Ultimately, the CMMC rules will be implemented by making the required certifications a condition of receiving award of a federal contract. The proposed rule lays out an implementation plan that consist of four phases: Phase 1 will require CMMC Level 1 or Level 2 self-assessments under applicable solicitations; Phase 2 will require CMMC Level 2 certifications assessments; Phase 3 will include CMMC Level 3 certifications assessments; and Phase 4 will include full implementation for all applicable solicitations.


  • Phase 1 begins on the effective date of the DFARS rule.
  • Phase 2 begins six months after the start date of Phase 1.
  • Phase 3 begins one calendar year after the start date of Phase 2.
  • Phase 4 begins one calendar year after the start date of Phase 3.

Under this phased plan, the DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations on or after October 1, 2026.

Source: https://www.mayerbrown.com/en/perspectives-events/publications/2024/01/us-dod-proposes-final-rule-for-cybersecurity-maturity-model-certification-cmmc