What is CMMC?

CMMC is a Department of Defense certification framework that verifies defense contractors implement adequate cybersecurity practices to protect controlled unclassified information (CUI).

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a DoD framework requiring defense contractors to achieve verified cybersecurity maturity levels to handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It replaces self-attestation with third-party assessments to ensure consistent cybersecurity practices across the defense supply chain.

What are the CMMC levels?

CMMC 2.0 defines three levels. Level 1 (Foundational) requires 17 basic practices with annual self-assessment. Level 2 (Advanced) requires 110 practices aligned with NIST SP 800-171, with triennial third-party assessment. Level 3 (Expert) requires additional practices from NIST SP 800-172, assessed by government-led teams.

Who needs CMMC certification?

All DoD contractors and subcontractors handling FCI or CUI require CMMC certification at the level specified in their contract. This extends throughout the supply chain, meaning small subcontractors are also subject to requirements. The required level depends on the sensitivity of information handled in the contract.

How does CMMC relate to NIST SP 800-171?

CMMC Level 2 directly maps to the 110 security requirements in NIST SP 800-171. While NIST 800-171 previously relied on self-attestation, CMMC adds third-party verification through C3PAO assessments. CMMC Level 3 builds upon 800-171 with additional enhanced security requirements from NIST SP 800-172.

What is a C3PAO?

A CMMC Third-Party Assessment Organization (C3PAO) is an entity authorized by the CMMC Accreditation Body (Cyber-AB) to conduct CMMC assessments. C3PAOs employ certified assessors who evaluate contractor environments against CMMC requirements, producing assessment reports that determine certification eligibility for defense contracts.

How long does CMMC certification take?

CMMC preparation typically requires 6-18 months depending on current security maturity. Organizations must implement all required practices, develop documentation including a System Security Plan and POA&M, and maintain controls before scheduling a C3PAO assessment. The assessment itself typically takes 1-2 weeks depending on scope.

How does penetration testing support CMMC?

CMMC Level 2 requires vulnerability scanning; at Level 3, penetration testing is explicitly required. Regular penetration testing validates the effectiveness of technical controls, identifies gaps in CUI protection, supports continuous monitoring requirements, and provides evidence for assessment readiness and ongoing compliance.

What are the costs of CMMC compliance?

CMMC compliance costs vary significantly by level and organization size. Level 1 self-assessment may cost $5,000-$15,000 for small businesses. Level 2 implementation and assessment can range from $50,000 to $500,000 or more, including infrastructure upgrades, documentation development, managed security services, and C3PAO assessment fees.

How To Get Started

Ready to strengthen your security? Fill out our quick form, and a cybersecurity expert will reach out to discuss your needs and next steps.