Skip to content

CMMC Fundamentals

 

Explore basic concepts about CMMC, DIB, who should comply, consequences of non-compliance and more, through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

 

Table of Contents

What is CMMC (Cybersecurity Maturity Model Certification)?

 

Summary: CMMC is a mandatory DoD cybersecurity framework requiring defense contractors to implement and prove protections for sensitive federal information across the Defense Industrial Base through tiered, independently verified certification levels. 

The Cybersecurity Maturity Model Certification (CMMC) is a federal compliance program established by the U.S. Department of Defense to verify that companies in the Defense Industrial Base have implemented adequate cybersecurity protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC operates as a three-level tiered model, Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert), with each level corresponding to the sensitivity of information handled and the rigor of security required. 

Unlike the prior self-attestation model, CMMC introduces mandatory third-party verification for most contractors handling CUI. The program is governed by two federal rules: 32 CFR Part 170 (the CMMC Program Rule, effective December 16, 2024) and the DFARS 48 CFR acquisition rule (effective November 10, 2025), which together make CMMC an enforceable condition of DoD contract award. 

 

Why did the DoD create CMMC?

 

Summary: The DoD created CMMC to close a systemic gap in cybersecurity enforcement across the defense supply chain, where decades of self-reported compliance left sensitive defense information chronically under protected. 

Before CMMC, contractors were required under DFARS clause 252.204-7012 to implement the 110 security controls in NIST SP 800-171 and self-attest compliance in the Supplier Performance Risk System (SPRS). DoD audits revealed that actual compliance rates among self-attesting contractors ran as low as 10 to 15 percent despite contractors reporting full compliance. Foreign adversaries, particularly state-sponsored actors, were actively exploiting this gap to steal CUI related to weapons systems, military technology, and defense research. 

CMMC addresses this by replacing self-attestation with mandatory third-party assessments conducted by Cyber AB-authorized C3PAOs for most CUI-handling contractors, making verified cybersecurity a condition of contract award rather than a self-declared checkbox.

 

What problem does CMMC solve that DFARS self-attestation could not? 

 

Summary: CMMC solves the verification problem, the fundamental inability of the DoD to confirm that defense contractors were actually implementing the cybersecurity controls they were reporting in SPRS. 

Under the DFARS 252.204-7012 self-attestation model, contractors submitted their own NIST SP 800-171 compliance scores without independent validation. Organizations routinely reported SPRS scores that did not reflect their real security posture, either through negligence or deliberate misrepresentation. This exposed the defense supply chain to significant cyber risk while creating False Claims Act liability for contractors who knowingly misrepresented their posture. 

CMMC solves this by introducing independent, structured assessments conducted by Cyber AB-authorized C3PAOs who examine documentation, interview personnel, and test technical controls against all 110 NIST SP 800-171 Rev 2 requirements and 320 assessment objectives. For CMMC Level 1, self-assessment remains permitted but must be affirmed annually by a senior company official. For most Level 2 contractors, third-party certification is required every three years under DFARS 252.204-7021. 

 

What changed from CMMC 1.0 to CMMC 2.0? 

 

Summary: CMMC 2.0, finalized in 32 CFR Part 170 on October 15, 2024, made four fundamental changes: it reduced levels from five to three, eliminated unique CMMC-specific practices, reintroduced self-assessment for certain contractors, and allowed POA&Ms under specified conditions. 

The original CMMC 1.0, introduced in January 2020, required all contractors to undergo mandatory third-party assessments across five maturity levels and included 171 proprietary practices beyond NIST SP 800-171. Industry feedback identified these requirements as overly burdensome for small businesses. 

CMMC 2.0 streamlined the model by fully aligning with existing federal standards, Level 1 with FAR 52.204-21, Level 2 with NIST SP 800-171 Rev 2, and Level 3 with NIST SP 800-172. It removed process maturity requirements entirely and reduced compliance costs while preserving the core objective of verified cybersecurity across the Defense Industrial Base.

 

What is the Defense Industrial Base (DIB)? 

 

Summary: The Defense Industrial Base is the network of more than 300,000 companies, research institutions, and contractors that collectively design, produce, deliver, and maintain military systems and materials for the U.S. Department of Defense. 

The DIB spans every sector of the economy, aerospace, electronics, shipbuilding, information technology, logistics, and professional services, and includes prime contractors holding direct DoD contracts as well as subcontractors at every supply chain tier. The DoD estimates that approximately 220,000 of these entities handle either FCI or CUI and are subject to CMMC obligations. Of those, roughly 80,000 are expected to require CMMC Level 2 certification. 

The security posture of the entire DIB directly affects national security, because adversaries target the weakest links in the supply chain to access sensitive defense information. CMMC was designed specifically to raise the baseline security floor across this entire network.

 

Who is required to comply with CMMC? 

 

Summary: Every prime contractor and subcontractor at any tier of the defense supply chain that processes, stores, or transmits FCI or CUI on non-federal information systems is required to comply with CMMC under DFARS 252.204-7021. 

The specific CMMC level required is stated in each DoD solicitation or contract. Contractors handling only FCI must meet Level 1. Contractors handling CUI must meet Level 2 or Level 3 depending on the sensitivity and criticality of the CUI involved. The requirement flows down through the entire supply chain, if a prime contractor handles CUI, every subcontractor receiving CUI in performance of that contract must also meet the required level. 

Vendors of commercially available off-the-shelf (COTS) items and micro-purchase providers are the primary exemptions. Foreign contractors performing under DoD contracts are not exempt and must comply regardless of their country of origin. 

 

Do subcontractors need to comply with CMMC? 

 

Subcontractors at every tier of the defense supply chain are required to comply with CMMC when they process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a DoD contract, as mandated under DFARS 252.204-7021. 

Prime contractors are responsible for ensuring that CMMC requirements flow down to applicable subcontractors and that those subcontractors hold a current valid CMMC status at the required level before work begins. The CMMC level required of a subcontractor is determined by the type of information that flows to them, a subcontractor receiving only FCI needs Level 1; one receiving CUI needs at minimum Level 2. Prime contractors must verify subcontractor CMMC status using SPRS and must not flow CUI to a subcontractor that does not hold the required certification or a current self-assessment at the required level. 

 

Do foreign defense contractors need to comply with CMMC? 

 

Foreign defense contractors performing under DoD contracts are required to comply with CMMC regardless of their country of origin or the location of their operations, provided they process, store, or transmit FCI or CUI on non-federal information systems. 

The CMMC program applies to any entity operating within the CMMC Ecosystem as defined by the Cyber AB. Foreign companies may work with either U.S.-based or foreign-based C3PAOs that meet Cyber AB authorization requirements. Foreign-owned entities face additional scrutiny related to Foreign Ownership, Control, or Influence (FOCI) considerations, which can affect the scope of assessment and the types of information systems evaluated. Foreign contractors should work directly with their contracting officer to confirm applicable CMMC requirements and any FOCI-related constraints on their IT environment.

 

Are vendors of commercially available off-the-shelf (COTS) items exempt from CMMC? 

 

Vendors whose DoD contracts are exclusively for the acquisition of commercially available off-the-shelf (COTS) items are exempt from CMMC requirements under 32 CFR Part 170 and DFARS 252.204-7021. 

A COTS item is a commercial product sold in substantial quantities to the general public, offered without modification in the same form as sold commercially, and which does not involve the creation, receipt, or handling of FCI or CUI in contract performance. The exemption applies only when the entire contract scope is COTS. If a vendor provides both COTS items and services that involve handling FCI or CUI, the non-COTS portion is subject to CMMC. Vendors unsure whether their contract qualifies should review the contract language for DFARS clause 252.204-7021 and consult their contracting officer, as an incorrect COTS determination carries significant legal risk under the False Claims Act. 

 

Does CMMC apply above the micro-purchase threshold only? 

 

CMMC requirements apply to DoD contracts and subcontracts above the micro-purchase threshold where the contractor’s information systems will be used to process, store, or transmit FCI or CUI. 

The micro-purchase threshold is currently $10,000 for most federal acquisitions. Contracts at or below this threshold involving no FCI or CUI handling are generally exempt. However, this exemption is narrow, the DoD applies CMMC requirements to any contract above the micro-purchase threshold where covered information is involved, regardless of total contract dollar value. Small-dollar service contracts, task orders, and delivery orders that involve access to DoD information systems or handling of CUI are subject to CMMC requirements even if the total contract value is modest. What determines applicability is the nature of the information handled, not the size of the award. 

 

How do I determine which CMMC level applies to my contract? 

 

Summary: The CMMC level required for a specific contract is explicitly stated in the DoD solicitation or contract under DFARS clause 252.204-7021, which specifies the required level as a condition of award. 

To determine your level before a solicitation is issued, the governing principle is the type of information your systems will handle. Contracts involving only FCI require CMMC Level 1. Contracts involving CUI require at minimum Level 2. If the CUI falls under the National Archives CUI Registry Defense Organizational Index Grouping (DOIG), Level 2 with mandatory C3PAO certification is required. Level 3 applies to contracts involving CUI supporting critical defense programs, breakthrough technologies, or high-value assets where Advanced Persistent Threat protection is needed. 

If your contract contains DFARS clause 252.204-7012, CUI is present and Level 2 applies. When uncertain, contractors should contact their contracting officer directly for a formal CMMC level determination, as an incorrect determination creates compliance and legal risk. 

 

What are the business consequences of failing to maintain CMMC compliance? 

 

Summary: Failing to maintain CMMC compliance can result in contract termination, loss of award eligibility, payment withholding, permanent debarment from federal contracting, and criminal prosecution under the False Claims Act (31 U.S.C. §§ 3729–3733). 

Once CMMC requirements appear in a contract under DFARS 252.204-7021, a contractor must hold the required CMMC status at award and maintain it throughout contract performance. If a Level 2 certification lapses, because the three-year period expires without renewal, POA&M items are not closed within 180 days, or a significant change disrupts the certified environment, the contractor may be ineligible to exercise option periods or continue performance. 

Knowingly misrepresenting compliance status in SPRS constitutes a false claim against the federal government. The Department of Justice has pursued False Claims Act actions against defense contractors for cybersecurity misrepresentation, with settlements reaching millions of dollars. Non-compliant contractors are also increasingly excluded from prime contractor supply chains as primes enforce flow-down requirements to protect their own certification status. 

 

What happens to an existing DoD contract when an option period comes up for exercise and the contractor does not yet hold the required CMMC status?

 

Summary: When a DoD contract option period is exercised on or after the applicable CMMC enforcement phase date, the contractor must hold a current valid CMMC status at the required level at the time of exercise, failure to do so allows the contracting officer to decline the option, effectively ending the contract. 

This is one of the most operationally urgent CMMC issues in 2026. Under the phased rollout, CMMC requirements apply not only to new contract awards but also to option period exercises on contracts awarded after the Phase 1 effective date of November 10, 2025. A contractor awarded a contract during Phase 1 under a self-assessment pathway whose option period falls during Phase 2 (beginning November 10, 2026) may find that the option exercise now requires C3PAO certification they do not yet hold. 

Contractors should review every active DoD contract for option period dates, map those dates against the CMMC phased enforcement schedule, and ensure their certification timeline is completed before the option exercise date. A lapsed or absent CMMC status at option exercise is not curable retroactively, the option may not be exercised, ending the contract relationship entirely. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties