The Cybersecurity Maturity Model Certification (CMMC) program verifies that DoD contractors and subcontractors have implemented cybersecurity measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their information systems.
To achieve CMMC Level 2, an organization must implement all 110 security requirements from NIST SP 800-171 Rev 2, which apply to systems handling CUI. Compliance can be shown via:
- A certification assessment by a C3PAO (Certified Third-Party Assessment Organization). Only C3PAOs accredited by the Cyber AB and overseen by the DoD can conduct Level 2 certification assessments. These assessments verify conformance to NIST SP 800-171 and CMMC-specific rules.
The required assessment and affirmation cadence is:
- CMMC Level 1 and Level 2 self-assessments must be conducted annually.
- CMMC Level 2 certification assessments must be conducted every three years by a C3PAO.
- Affirmations of continued compliance must be submitted annually into the Supplier Performance Risk System (SPRS).
The process is structured into phases:
1. Pre-Assessment – Review System Security Plan (SSP), confirm scope, evidence readiness.
2. Assessment Execution – Evaluate implementation of controls through interviews, artifact reviews, and testing.
3. Reporting – Assessment team compiles findings and scoring.
4. Post-Assessment – Certification is issued if all requirements are met, or a Plan of Action and Milestones (POA&M) may be permitted under specific conditions.
The organization may be granted a Conditional Level 2 CMMC Status if it achieves at least 80% of requirements and the remaining unmet ones are allowable under a POA&M. These must be remediated within 180 days, followed by a POA&M closeout assessment to achieve Final Level 2 status.
The CMMC Assessment Scope includes all assets that process, store, or transmit CUI. These are categorized into asset types (e.g., CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, etc.) as defined in 32 CFR § 170.19(c). The assessment scope must be clearly documented in the SSP and asset inventory.
Yes, CMMC requirements flow down the supply chain: prime contractors are responsible for ensuring that subcontractors handling FCI or CUI also meet the appropriate CMMC Level and assessment requirements. The CMMC DFARS clause must be flowed down to subcontractors.
- Level 1 protects FCI with 15 basic controls (FAR 52.204-21) and requires only a self-assessment.
- Level 2 protects CUI using 110 controls (NIST SP 800-171) and requires a C3PAO certification, depending on the contract.
- Level 3 applies to more critical environments and includes 24 additional enhanced controls from NIST SP 800-172. It must be assessed by DCMA DIBCAC, not a C3PAO.
I helped guide Brea Networks through our official CMMC Level 2 assessment and led the team to a perfect score of 110 out of 110 from a certified C3PAO. That experience shaped how I approach every project. I believe compliance should be clear, simple, and achievable for any defense contractor, no matter their size.
My focus is on building secure systems, supporting mission-critical operations, and helping companies stay audit ready under the new DoD and DoW rules. I work hands-on with our clients to protect CUI, modernize their environments, and create long-term stability in a fast-changing federal landscape.
KEY EXPERTISE:
- CMMC Level 2 implementation with a perfect 110 score
- Secure cloud and GCC High migration
- Federal contractor cybersecurity programs
- IT modernization and infrastructure leadership
- Compliance strategy for DoD/DoW contractors
451 W. Lambert Rd Suite 214
Brea, CA 92821
714-592-0063
1750 Tysons Blvd, #1500
Tysons Corner, VA 22102
202-838-3111
© Copyright 2026. Brea Networks, LLC. All Rights Reserved.