The Cybersecurity Maturity Model Certification (CMMC) is a program developed and implemented by the United States Department of War (DoW). It was designed to ensure that organizations belonging to the Defense Industrial Base (DIB) – organizations directly or indirectly providing the DoW with goods and/or services – are properly protecting two specific regulated types of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Program itself can be found in 32 CFR Part 170; the regulation implementing the program can be found at 48 CFR Parts 204, 212, 217, and 252. The DoW’s CMMC Program web site contains links to these and additional resources related to CMMC.
How did CMMC come about?
The DIB has been required by law to protect FCI and CUI under the Defense Federal Acquisition Regulation Supplement (DFARS), 252.204-7012, since the beginning of 2018. The original DFARS regulation and associated laws mandated that DIB organizations comply with NIST Special Publication 800-171 (revision 2 as of this writing) and self-attest to same. The DoW determined that this structure was insufficient to mitigate losses incurred due to the compromise of FCI and CUI by U.S. adversaries. As a result, the DoW developed the CMMC Program as the formal attestation and certification program requiring DIB organizations to formally attest (under penalty of perjury under the False Claims Act) to compliance with the data protection requirements identified in the DFARS and related clauses, and to obtain (in most cases) third-party certification of same.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is defined in 32 CFR 2002.4 as:
Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
The National Archives maintains a registry of various categories of CUI. The DoW also maintains its own registry of DoW-specific CUI categories.
By law, all CUI provided by the DoW to a prime contractor, or provided by a prime to a subcontractor, is supposed to be marked as such. This is typically accomplished through the use of a letterhead, a signature block that includes the agency, or a block of designation elements on the first page of a document (the “designation indicator”).
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is defined in 32 CFR 4.1901 as:
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.
Various categories of FCI (that do not qualify as CUI) can include financial reports, technical reports and data, Government-provided data, contract performance reports, process documentation, proposal responses, and/or emails exchanged with the DoW. In short, if you are doing business with the DoW in any shape or form, you almost definitely are storing, processing, transmitting, and/or generating FCI.
Who is subject to CMMC?
Any organization that:
- Processes, stores, or transmits FCI or CUI.
- Provides security protections for any assets processing, storing, or transmitting FCI or CUI.
- Provides and/or manages a platform, infrastructure, applications, and/or storage services for any entity meeting either of the above criteria.
All such entities are called Organizations Seeking Authorization (OSAs) or Organizations Seeking Certification (OSCs) within the CMMC Program.
What are the CMMC Levels?
The CMMC Program defines three (3) CMMC Levels, each of which has its own scope definition and applicable compliance and reporting/attestation requirements that increase at higher levels.
- Level 1 – Entities that process, store, or transmit FCI and not CUI.
- Level 2 – Entities that process, store, or transmit CUI.
- Level 3 – Entities that process, store, or transmit CUI identified by DoW as representing a higher risk than Level 2.
Level 1 OSAs must protect FCI using 17 selected requirements from NIST SP 800-171A. These requirements are named in Part 170.15 of the CMMC Program Rule. Some of these requirements use the term “CUI”; Level 1 entities are to replace that term with “FCI” so as to apply those requirements to FCI protections.
Level 2 OSCs must protect CUI using the 110 requirements named in 252.204-7012 (effectively, NIST SP 800-171 revision 2) by implementing and complying with all the corresponding objectives for those requirements, which are laid out in NIST SP 800-171A.
Level 3 OSCs must protect CUI in the same manner as Level 2 entities AND implement 24 additional requirements selected from NIST SP 800-172 and named in Part 170.14 of the CMMC Program Rule. The DoW has defined specific parameters for these additional requirements (also in Part 170.14) that must also be implemented.
Which CMMC Level applies to me?
For prime contractors, the required CMMC Level and corresponding certification requirements will appear in DoW documents (contract, procurement, and solicitation documents). Sometimes those documents will define the required minimum CMMC Level for subcontractors (those who have or will have access to CUI) in a given context. As a rule of thumb, any entity, prime or sub, that stores, processes, transmits, generates, or has access to CUI will be at least Level 2, is an OSC (not an OSA), and should plan accordingly.
What are External Service Providers (ESPs)?
An External Service Provider (ESP), as defined by Part 170.4, is:
External people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and / or cybersecurity services on behalf of the organization.
Per that same section,
“In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
ESPs are in scope for CMMC assessments and must hold at least the same CMMC certification level as the OSA/OSC. This is arguably the largest risk and challenge for OSCs because ESPs may not be fully aware of the compliance and attestation requirements they are inheriting as a result of the OSC’s CMMC compliance mandate.
What are Cloud Service Providers (CSPs)?
A Cloud Service Provider (CSP), as defined by Part 170.4 and NIST SP 800-145, is:
An external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
All in-scope CSPs are ESPs, but not all ESPs are CSPs.
CSPs processing, storing, or transmitting CUI must be FedRAMP Moderate Authorized (and appear on the FedRAMP Marketplace Web site accordingly) OR hold FedRAMP Moderate equivalency. Requirements for demonstrating FedRAMP Moderate equivalency are defined in a December 2023 DoW memo. CSPs cannot inherit any FedRAMP authorization or equivalency from the platforms on which they run; the actual product/solution itself must hold the authorization or equivalency.
Why should I care about CMMC?
The CMMC Program Rule went into effect on December 16, 2024; the CMMC Acquisition Rule formally connecting the Program to the DFARS regulation went into effect on November 10, 2025. As of that date, the DoW can start adding, into any of its contracts at its discretion, clauses requiring entities to hold a CMMC certification as a condition of contract award. However, the program is technically being phased in over a three-year period. By November 10, 2028, all DoD solicitations will require contractors bidding on them to achieve, at time of award, a CMMC status at the CMMC Level specified in the solicitation, or higher, for all information systems used in the performance of the contract, task order, or delivery order that will process, store, or transmit FCI or CUI. Prime contractors must require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC Level and assessment type for each subcontract.
What is in scope for CMMC?
The CMMC assessment scope varies by CMMC Level and is defined in Part 170.19.
| Level 1 | Level 2 | Level 3 |
| --- | --- | --- |
| Information systems which process, store, or transmit FCI | CUI Assets: Information systems which process, store, or transmit CUI | CUI Assets: Includes BOTH Level 2 CUI Assets and Contractor Risk Managed Assets |
| | Security Protection Assets: Information systems* which provide security functions or capabilities to the above | |
| | Contractor Risk Managed Assets: Can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place | |
| | Specialized Assets: Information systems that can process, store, or transmit CUI but cannot be fully secured | Specialized Assets: Same as Level 2 |
*“Information system” includes people, technology, facilities, and ESPs.
“Contractor Risk Managed Assets” do not have to be physically or logically separated from other asset classes.
“Specialized Assets” are further defined in Part 170.19 as Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment.
Regardless of CMMC Level, assets must not meet any of these criteria AND must be physically or logically separated to be considered fully out of scope.
All in-scope assets must be documented in an asset inventory, a System Security Plan (SSP), AND network diagrams.
How often must I be assessed, and who has to perform the assessment?
Level 1 OSAs must perform a self-assessment against Level 1 requirements annually and enter the assessment results into the DoW Supplier Performance Risk System (SPRS). All Level 1 requirements must be fully met; use of a Plan of Action and Milestones (POA&M) for non-compliant conditions is prohibited.
The corresponding DoW documentation requires Level 2 OSAs/OSCs to do one of the following every three (3) years:
- Perform a self-assessment and enter the assessment results into SPRS.
- Undergo an assessment by a CMMC Certified 3rd Party Assessor Organization (C3PAO), who will enter the assessment results into the DoW Enterprise Mission Assurance Support Service (eMASS). This option will be required of the vast majority of Level 2 OSCs.
Level 3 OSCs must undergo an assessment every three (3) years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), who will enter the assessment results into eMASS.
Regardless of assessment type, OSAs/OSCs may leverage a POA&M for only certain requirements (specified in Part 170.21); all POA&M items must be fully addressed and closed out via re-assessment within 180 days after the original assessment.
All OSAs/OSCs, regardless of CMMC Level or assessment type, must have a senior official formally affirm compliance annually, under penalty of perjury via the False Claims Act.
Level 2 (C3PAO) and Level 3 (DIBCAC) OSCs must retain all evidence and artifacts related to the assessment, with file integrity monitoring (FIM) controls implemented.
Next Steps
- Figure out if you process, store, transmit, or generate FCI and/or CUI. If you are a prime contractor, your DoD Contract Officer and Program Office must provide you this information in contract documentation. If you are a subcontractor, work with your prime.
- Identify all assets in scope for CMMC and make environmental changes if desired to reduce scope. The CMMC scoping rules can be found in Part 170.19 of the Program Rule.
- Start building asset inventories and a maintenance process for same. This is required by CMMC practice CM.L2-3.4.1 and is necessary for accurate and complete assessments.
- Perform a CMMC gap assessment to identify control gaps. If only FCI is confirmed to be present in the in-scope environment, assess against CMMC Level 1; otherwise, assess against CMMC Level 2 at minimum.
GuidePoint is a CMMC Registered Provider Organization (RPO), has experience and expertise with regard to this standard, and can assess and advise your organization to best leverage it in line with your organizational needs. For more information, visit https://www.guidepointsecurity.com/cybersecurity-maturity-model-certification-cmmc-readiness/.