What is CMMC? A plain-English guide for contractors who didn't sign up for this.
CMMC — the Cybersecurity Maturity Model Certification — is the DoD's framework for verifying that defense contractors handle sensitive government information correctly. It is real, it has deadlines, and almost every contractor in the DIB is affected.
L1, L2, L3 — what's the difference?
Basic safeguarding of Federal Contract Information (FCI). 17 controls from FAR 52.204-21. Annual self-assessment.
Protection of Controlled Unclassified Information (CUI). 110 controls from NIST SP 800-171. Triennial C3PAO assessment + annual affirmation.
Enhanced protection for the highest-priority CUI. Adds controls from NIST SP 800-172. DIBCAC-led government assessment. Rare.
What's already in force, what's coming.
- NowSPRS self-score is required in the DoD supplier portal for anyone handling CUI.
- 2025Phase 1 contracts include CMMC clauses with self-assessment requirements.
- 2026Phase 2 — C3PAO assessments begin appearing as a contract requirement for new Level 2 awards.
- Nov 2026Full L2 enforcement target — most CUI contracts require certified status.
- 2027+Phase 3 — CMMC requirement flows into all applicable DoD solicitations.
Dates per published DoD rulemaking and CMMC program office guidance as of 2025. Subject to change — verify against the current 32 CFR Part 170 and DFARS 252.204-7021 text.