Definition
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification framework ensuring that defense contractors implement adequate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 has three levels: Level 1 (Foundational) requires 17 basic cyber hygiene practices with self-assessment; Level 2 (Advanced) aligns with NIST SP 800-171's 110 controls and requires third-party assessment for critical contracts; Level 3 (Expert) adds additional controls from NIST SP 800-172 with government-led assessments. CMMC certification will be required in DOD contracts through a phased rollout beginning in 2025. Unlike previous self-attestation requirements, CMMC requires independent verification of cybersecurity maturity.
Also Known As
- CMMC 2.0
- DOD Cybersecurity Certification
Common Mistakes to Avoid
- Assuming current NIST 800-171 self-attestation satisfies future CMMC requirements
- Not starting the certification process early enough before contract opportunities require it
- Underestimating the scope of systems and assets that handle CUI
Who Should Know This Term
Defense contractors, IT security teams, compliance officers, DOD subcontractors
Official Source
DOD CMMC Program