The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s programme to verify that contractors in the Defense Industrial Base protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 streamlined the model to three levels built on established NIST standards.
The three levels
| Level | Name | Basis | Assessment |
|---|---|---|---|
| 1 | Foundational | 15 basic safeguards (FAR 52.204-21) for FCI | Annual self-assessment |
| 2 | Advanced | The 110 requirements of NIST SP 800-171 (for CUI) | Third-party (C3PAO) or self-assessment per contract |
| 3 | Expert | 800-171 plus a subset of NIST SP 800-172 | Government-led assessment |
FCI vs CUI
- FCI — Federal Contract Information not intended for public release (Level 1).
- CUI — Controlled Unclassified Information requiring safeguarding per NIST 800-171 (Level 2+).
Path to certification
- Determine the CMMC level required by your contracts.
- Scope systems handling FCI/CUI (consider enclaving CUI to reduce scope).
- Assess against NIST SP 800-171 (Level 2) and produce a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
- Remediate gaps and compute your Supplier Performance Risk System (SPRS) score.
- Undergo a C3PAO assessment (Level 2 where required) and achieve certification.
How CyberSigma helps
We scope your FCI/CUI environment, assess against NIST 800-171, build the SSP/POA&M, and prepare you for the C3PAO assessment.
Frequently asked questions
What is the difference between CMMC and NIST 800-171?
CMMC Level 2 is essentially an assessed-and-certified implementation of NIST SP 800-171’s 110 requirements; CMMC adds the certification and assessment programme on top.
Need help with CMMC?
Our CERT-In empanelled, PCI QSA senior auditors can take you from reading about CMMC to being compliant — with a scoped, guided programme.
