US Department of Defense · United States

CMMC

Cybersecurity Maturity Model Certification for the US defense supply chain.

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s programme to verify that contractors in the Defense Industrial Base protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0, codified in 32 CFR Part 170, streamlined the model to three levels built on established NIST standards (FAR 52.204-21, NIST SP 800-171 and NIST SP 800-172) rather than a CMMC-specific control catalogue.

The three levels

Level | Name | Basis | Assessment
1 | Foundational | The 15 basic safeguards of FAR 52.204-21, protecting FCI | Annual self-assessment
2 | Advanced | The 110 requirements of NIST SP 800-171 (protecting CUI) | Triennial C3PAO certification assessment, or triennial self-assessment where the contract allows it
3 | Expert | NIST SP 800-171 plus 24 selected requirements from NIST SP 800-172 | Government-led (DIBCAC) assessment, which presupposes a Level 2 C3PAO certification

At every level the results are entered in SPRS and the contractor submits an annual affirmation of continued compliance.

FCI vs CUI

  • FCI — Federal Contract Information not intended for public release (Level 1).
  • CUI — Controlled Unclassified Information requiring safeguarding per NIST 800-171 (Level 2+).

Path to certification

  1. Determine the CMMC level required by your contracts (the level is stated in the solicitation).
  2. Scope the systems, people and facilities that store, process or transmit FCI/CUI; consider enclaving CUI to keep the assessment boundary small.
  3. Assess against NIST SP 800-171 (Level 2) and produce a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for every unmet requirement.
  4. Remediate gaps, compute your score under the NIST SP 800-171 DoD Assessment Methodology and submit it to SPRS.
  5. Undergo the assessment the contract requires (C3PAO for most Level 2 contracts), close any POA&M items within the allowed window, and affirm compliance annually.

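
A worked version of step 4 and the POA&M check in step 5, as an added example that is not code from the original page or from CyberSigma. It follows the structure of the NIST SP 800-171 DoD Assessment Methodology (start at 110, deduct 1, 3 or 5 points per requirement not implemented, with a reduced 3-point deduction for 3.5.3 when MFA covers only remote and privileged access and for 3.13.11 when encryption is used but not FIPS-validated, floor at -203). The weight table below is a constructed subset for illustration; take the authoritative weights from Annex A of the methodology. The Level 2 POA&M eligibility rule (score of at least 88, only 1-point items open, 3.13.11 at 3 points excepted, and five 1-point requirements never allowed on a POA&M) is a simplified reading of 32 CFR 170.21 and should be checked against the rule text before you rely on it.

```python
"""SPRS score and Level 2 POA&M eligibility calculator (added example).

Scoring structure: NIST SP 800-171 DoD Assessment Methodology.
POA&M rule: simplified reading of 32 CFR 170.21(a)(2); verify against the rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
MIN_SCORE = -203
POAM_MIN_SCORE = 88  # 80 % of 110, the threshold for a conditional Level 2 status


@dataclass(frozen=True)
class Weight:
    full: int                       # deduction when the requirement is not met
    partial: Optional[int] = None   # reduced deduction; only 3.5.3 and 3.13.11 have one


# Constructed subset of the Annex A weight table, for illustration only.
SAMPLE_WEIGHTS: Dict[str, Weight] = {
    "3.1.1": Weight(5),   "3.1.2": Weight(5),   "3.1.5": Weight(3),
    "3.1.8": Weight(1),   "3.1.22": Weight(1),  "3.3.2": Weight(3),
    "3.5.3": Weight(5, partial=3),              # MFA: remote/privileged only
    "3.13.11": Weight(5, partial=3),            # encryption present, not FIPS-validated
    "3.14.2": Weight(5),
}

# 1-point requirements the rule does not permit on a Level 2 POA&M (assumed list).
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def deduction(req: str, status: str, weights: Dict[str, Weight] = SAMPLE_WEIGHTS) -> int:
    """Points deducted for one requirement given its assessed status."""
    if status not in VALID_STATUS:
        raise ValueError(f"{req}: unknown status {status!r}")
    if req not in weights:
        raise KeyError(f"{req}: no weight in the supplied table")
    w = weights[req]
    if status == "implemented":
        return 0
    if status == "partial" and w.partial is not None:
        return w.partial
    # "partial" on any requirement without a reduced value scores as not implemented.
    return w.full


def sprs_score(findings: Dict[str, str], weights: Dict[str, Weight] = SAMPLE_WEIGHTS) -> int:
    """Score = 110 minus all deductions, never below -203."""
    total = sum(deduction(req, status, weights) for req, status in findings.items())
    return max(MIN_SCORE, MAX_SCORE - total)


def poam_eligible(findings: Dict[str, str],
                  weights: Dict[str, Weight] = SAMPLE_WEIGHTS) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons) for a conditional Level 2 status with a POA&M."""
    reasons: List[str] = []
    score = sprs_score(findings, weights)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}")
    for req, status in findings.items():
        pts = deduction(req, status, weights)
        if pts == 0:
            continue
        if req in POAM_EXCLUDED:
            reasons.append(f"{req} may not be placed on a POA&M")
        elif req == "3.13.11" and pts == 3:
            continue  # non-FIPS-validated encryption is the one 3-point exception
        elif pts > 1:
            reasons.append(f"{req} is an open {pts}-point item")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed assessment result: two 3-point gaps plus partial MFA and non-FIPS crypto.
    findings = {
        "3.1.1": "implemented", "3.1.2": "implemented", "3.1.5": "not_implemented",
        "3.1.8": "implemented", "3.1.22": "implemented", "3.3.2": "not_implemented",
        "3.5.3": "partial", "3.13.11": "partial", "3.14.2": "implemented",
    }
    print("SPRS score:", sprs_score(findings))
    ok, why = poam_eligible(findings)
    print("POA&M eligible:", ok, why)
```

The point of the eligibility function is the asymmetry practitioners often miss: a score well above 88 does not by itself qualify for a conditional status, because a single open 3- or 5-point requirement (here 3.1.5, 3.3.2 and the partially met 3.5.3) blocks it, while a score that is lower but made up only of 1-point gaps can pass.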
How CyberSigma helps
We scope your FCI/CUI environment, assess against NIST 800-171, build the SSP/POA&M, and prepare you for the C3PAO assessment.

Frequently asked questions

What is the difference between CMMC and NIST 800-171?
CMMC Level 2 is essentially an assessed-and-certified implementation of NIST SP 800-171’s 110 requirements (Revision 2, the version the CMMC rule references); 800-171 defines what to implement, and CMMC adds the scoring, assessment and certification programme on top, including who performs the assessment and how often.

Need help with CMMC?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.