CMMC (Cybersecurity Maturity Model Certification) is the Department of War’s program for verifying — not just trusting — that a defense contractor’s cybersecurity actually protects the sensitive information (FCI and CUI) it’s been entrusted with. It applies to any company in the Defense Industrial Base, from large primes down to small subcontractors, and replaces the old self-attestation model with independent, verified assessment.
The program took an unusually long road to get here: FAR and DFARS clauses starting in 2016-17 set the stage with self-attestation, CMMC 1.0 launched in 2019-20 but drew heavy industry pushback over cost and complexity, and the redesigned CMMC 2.0 arrived in late 2021. From there, it needed two separate federal rulemakings — one to establish the program itself (final Dec 2024) and one to actually put it into contracts (effective Nov 2025) — which is why it took roughly six years from announcement to real enforcement. The next major deadline is November 2026, when third-party (C3PAO) assessment becomes mandatory for Level 2.
The program has three levels scaled to data sensitivity: Level 1 (Foundational, basic FCI safeguarding, self-assessed), Level 2 (Advanced, built entirely on NIST SP 800-171’s 110 requirements, protecting CUI), and Level 3 (Expert, adding NIST SP 800-172 controls for the most sensitive programs, assessed directly by the government). Real-world implementation carries genuine friction, too — fewer than 100 authorized assessors nationwide, uneven cost burden on small businesses, and scoping/documentation mistakes are the most common reasons companies stumble.
The training also walks through a concrete example — Control 3.5.3 (multifactor authentication) — showing exactly what the requirement says, how a company would actually implement it, and what evidence an assessor expects to see, since this is reportedly one of the most frequently failed controls in real assessments.

Leave a Reply