What Is CMMC?

Cybersecurity Maturity Model Certification

CMMC is a U.S. Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors. It is a unifying standard and new certification model to ensure that DoD contractors properly protect sensitive information.

Why is CMMC important?

DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.

What's different about CMMC?

The U.S. government provided cybersecurity guidance for contractors for many years, but there was no way for contractors to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by third-party assessors. Contractors must achieve certification before they can win future government contracts.

Does CMMC apply to all government contractors?

Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification with certain contracts. In the future, CMMC may apply all non-DoD government contractors as well.

What about colleges and universities?

Many higher education institutions are DoD contractors. They perform basic and applied research under contract and are also subject to CMMC. Helen Patton, former CISO at Ohio State, shares how CMMC affects the higher ed community and explains how to get started with CMMC.

Who pays for the CMMC assessment?

Contractors pay for their CMMC assessments. The costs depend upon several factors, like the target CMMC levels. However, the DoD states that certain cybersecurity contracts can incur "allowable costs" that can help contractors pay for upgrades. CMMC does not allow contractors to perform self-certifications.

Does CMMC apply to every company that does business with the government?

No. For example, companies that solely produce commercial-off-the-shelf (COTS) products do not require a CMMC certification..

Terms to know

Controlled Unclassified Information (CUI)

CUI is information the government creates or possesses that a law, regulation, or governmentwide policy requires to be safeguarded. CUI information can only be handled only when using appropriate security controls.


Defense Federal Acquisition Regulations (DFARs)

DFARs detail the terms and conditions for DoD procurement contracts. CMMC builds upon certain DFAR Supplement (DFARS) clauses that subject contractors to CMMC requirements.


CMMC Third-Party Assessor Organization (C3PAO)

C3PAO is an entity that is authorized and accredited by the government to perform CMMC assessments. The C3PAO also issues CMMC certificates based on the results of the assessments.


Office of the Under Secretary of Defense for Acquisition and Sustainment – OUSD (A&S)

The Office of the Under Secretary of Defense for Acquisition and Sustainment is a DoD organization that led the development of the CMMC program.


NIST Special Publication 800-171

NIST SP 800-171 catalogs a comprehensive set of security controls that CUI requires. CMMC includes these controls in addition to practices, processes, and references from many other standards and sources.