CMMC — the Cybersecurity Maturity Model Certification — is the U.S. Department of Defense's program for verifying that the companies in its supply chain actually protect sensitive government information. If you do business with the DoD and handle controlled data, CMMC is about to become a condition of winning and keeping work.
What CMMC actually is
For years, defense contractors were allowed to self-attest that they met federal cybersecurity requirements. Too many didn't, and adversaries exploited the gap through the weakest links in the supply chain. CMMC closes that loophole by requiring contractors to prove their security — in many cases through an independent third-party assessment — before they can be awarded covered contracts.
The three levels
| Level | Protects | Standard | How it's verified |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | 17 basic safeguards (FAR 52.204-21) | Annual self-assessment |
| Level 2 | Controlled Unclassified Information (CUI) | 110 controls of NIST SP 800-171 | Third-party (C3PAO) assessment for most |
| Level 3 | CUI under advanced threats | 800-171 plus a subset of NIST 800-172 | Government (DIBCAC) assessment |
Most of the defense industrial base lands at Level 2 — because most contractors and subcontractors touch CUI. That's the level our work centers on.
Who needs CMMC
Any organization in the DoD supply chain that stores, processes, or transmits FCI or CUI needs it — primes and their subcontractors alike. Requirements flow down the supply chain: if a prime wins covered work, it must ensure its subs are compliant too. A small machine shop three tiers down can be in scope.
- CMMC Level 2 is built on NIST SP 800-171 Revision 2 — 110 controls across 14 families.
- It applies to CUI, the most common category of protected data in defense work.
- Certification lasts three years, with an annual affirmation in between.
- The requirement is phasing into contracts now — and becomes broadly enforced in November 2026.
What it takes to comply
Getting to Level 2 means implementing all 110 controls and producing the evidence an assessor expects: a documented control set, a System Security Plan (SSP), a Plan of Action & Milestones (POA&M) for any gaps, and a scored SPRS entry. The work is real, but it's a known quantity — and it's far cheaper than losing your contracts.
How Davidson Cyber Defense fits
We're a readiness firm. We assess you against all 110 controls, write the documentation, build your remediation roadmap, and get you assessment-ready — fast, fixed-fee, and fully remote. We are not a C3PAO and we don't issue certifications; an authorized C3PAO and the DoD do that. Our job is to make sure that when they show up, you pass.
Find out where you stand.
A fixed-fee gap assessment maps you against all 110 controls and gives you your SPRS score.