The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards based on the sensitivity of the data they manage. These standards, based on the National Institute of Standards and Technology's (NIST) SP 800-171 standard, have been in place for eight years, but CMMC further formalizes compliance.

As of November 10, 2025, Defense agencies now require at least a Level 1 certification to award any new contract. To meet this requirement, companies must self-certify that they comply with 15 controls--specified by 800-171--that cover basic cyber hygiene. Next November 10 (in 2026), DoD will require that Level 2 status for contracts dealing with Controlled Unclassified Information (CUI), which currently can be self-assessed, be verified through a third-party assessment of compliance with all 110 controls in the NIST standard. Then in 2027, contracting officers can start requiring those seeking Level 3 certification to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center. A Level 3 requirement would apply to technology dealing with highly sensitive data or systems, where a breach could have far-reaching impact. Continue reading →