CMMC
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors have adequate cybersecurity protections in place before they can win or keep DoD contracts. Think of it as a cybersecurity inspection program — the DoD wants proof that your company protects sensitive information, not just a promise.
CMMC replaced the old system in which contractors could simply self-certify their security. Now, depending on the sensitivity of the data you handle, you may need an independent third-party assessor to verify your protections. The framework has three levels, each requiring progressively stronger security measures.
For most small and mid-size defense contractors, CMMC Level 2 is the target — it aligns with the 110 security requirements in NIST SP 800-171 and covers the protection of Controlled Unclassified Information (CUI).
Why It Matters
If you hold or pursue DoD contracts that involve CUI, you will need CMMC certification to remain eligible. Without it, you risk losing existing work and being disqualified from future contract opportunities.