We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / CMMC
US Department of Defense · United States

CMMC

Cybersecurity Maturity Model Certification for the US defense supply chain.

Introduction: The Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is the United States Department of Defense's (DoD) unified standard for protecting sensitive but unclassified information across the Defense Industrial Base (DIB). It transforms cybersecurity from a self-attested contractual promise into a verifiable, certified state of assurance. Rather than inventing an entirely new control catalogue, CMMC operationalises long-standing federal requirements — principally the Federal Acquisition Regulation (FAR) clause 52.204-21 and National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2 — and, at its highest level, a subset of NIST SP 800-172. The programme's defining innovation is the requirement for independent, third-party assessment for most contractors that handle Controlled Unclassified Information (CUI), replacing the prior honour-system of self-scoring.

This guide is written for chief information security officers, compliance leads, contract managers and technical implementers within organisations that supply — directly or indirectly — to the DoD. It provides an auditor-grade walkthrough of the CMMC 2.0 model as codified in the final programme rule (32 CFR Part 170, effective 16 December 2024) and the acquisition rule (48 CFR / DFARS 252.204-7021). It covers what CMMC is, who must comply, its structure across levels and domains, a master assessment checklist enumerating every control family, scoping guidance, a phased implementation approach, the scoring model, the assessment lifecycle, evidence expectations, roles, key performance indicators, readiness checks, common gaps and mappings to adjacent frameworks.

Copyright and source note
CMMC references and incorporates copyrighted and US Government works, including NIST SP 800-171, NIST SP 800-172, FAR 52.204-21 and the CMMC Assessment Guides and Model Overview published by the DoD Chief Information Officer. This guide is an original, independent interpretation prepared for educational purposes. It paraphrases requirements and does not reproduce the verbatim control text of NIST or DoD publications. Organisations must consult the authoritative primary sources — 32 CFR Part 170, DFARS 252.204-7012/7019/7020/7021, NIST SP 800-171 Rev 2 and the official CMMC Assessment Guides — for compliance decisions. NIST publications are US Government works in the public domain; the CyberSigma commentary herein is proprietary.

What is CMMC?

CMMC is a certification framework that verifies whether a defence contractor has implemented the cybersecurity practices necessary to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) resident on or transiting through the contractor's non-federal information systems. It answers a simple but consequential question that the DoD could not previously answer with confidence: are the companies entrusted with sensitive defence data actually doing what they claimed?

Under the original CMMC 1.0 model announced in 2020, there were five maturity levels and process-maturity requirements layered on top of practices. Following an extensive internal review, the DoD released CMMC 2.0 in November 2021, streamlining the model to three levels, eliminating the standalone maturity-process requirements, and aligning practices directly to established NIST standards. The final 32 CFR Part 170 rule made CMMC 2.0 legally binding, with a phased rollout of contractual requirements beginning in 2025.

Two categories of protected data drive the model. Federal Contract Information (FCI) is information provided by or generated for the Government under a contract that is not intended for public release; it is protected by the fifteen basic safeguarding requirements of FAR 52.204-21. Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or Government-wide policy requires to be safeguarded; it demands the 110 security requirements of NIST SP 800-171 Rev 2, and at the highest maturity level a subset of NIST SP 800-172's enhanced requirements to counter advanced persistent threats.

  • CMMC does not create new controls at Levels 1 and 2 — it enforces and verifies existing FAR and NIST requirements.
  • Certification is scoped to the specific information systems that store, process or transmit FCI or CUI, not necessarily the entire enterprise.
  • Assessments are conducted by CMMC Third-Party Assessment Organisations (C3PAOs) accredited by the Cyber AB (formerly the CMMC Accreditation Body) for Level 2 certification, and by the Defense Contract Management Agency's DIBCAC for Level 3.
  • Certification results are recorded in the Supplier Performance Risk System (SPRS) and are valid for three years, subject to an annual affirmation by a senior company official.
  • CMMC embeds the concept of the flow-down: prime contractors must ensure subcontractors handling the same information type hold the appropriate certification level.

Who Must Comply

CMMC applies to every organisation in the Defence Industrial Base that will process, store or transmit FCI or CUI on contractor-owned information systems in the course of performing a DoD contract or subcontract. This encompasses primes, subcontractors at all tiers, and suppliers of products and services — but explicitly excludes contractors that provide only Commercial Off-The-Shelf (COTS) items. The required level is determined by the type of information handled and is specified by the contracting officer in the solicitation.

Organisation / scenarioInformation handledApplicable CMMC levelAssessment type
Contractor handling only FCI (e.g., basic services, no CUI)Federal Contract InformationLevel 1Annual self-assessment + affirmation
Contractor handling CUI, DoD-designated as lower-riskControlled Unclassified InformationLevel 2 (self)Annual self-assessment + affirmation (limited subset of programmes)
Contractor handling CUI on the majority of CUI contractsControlled Unclassified InformationLevel 2 (C3PAO)Triennial third-party assessment by a C3PAO + annual affirmation
Contractor handling CUI critical to national security / APT-targetedCUI with highest priorityLevel 3Triennial Government assessment by DIBCAC + annual affirmation
Subcontractor receiving flowed-down CUISame CUI as primeSame as data type requires (typically Level 2)Per level; verified before award/flow-down
Supplier of COTS items onlyNone (commercial products)Not applicableExempt
Managed Service Provider / External Service Provider handling CUICUI / security protection dataAligned to the client's required level; ESP assessment obligations applyIncluded in or aligned to client assessment scope
  • The contract's DFARS 252.204-7021 clause states the required CMMC level; performing without a current certification at award is prohibited once the clause applies.
  • Foreign suppliers to the DoD are equally subject; there is no geographic exemption for the underlying obligation.
  • Universities, research institutions and non-profits performing DoD work that involves CUI are in scope.
  • External Service Providers (ESPs), including cloud service providers, that handle CUI or Security Protection Data must meet defined conditions; CSPs storing CUI must satisfy FedRAMP Moderate equivalency.

Structure of CMMC

CMMC 2.0 is organised into three cumulative certification levels. Each higher level subsumes the requirements of the levels beneath it. The practices are grouped into fourteen control families (referred to as domains) inherited from NIST SP 800-171, plus the fifteen basic safeguards of FAR 52.204-21 that constitute Level 1. Level 3 adds selected enhanced requirements drawn from NIST SP 800-172. The table below summarises the model's architecture.

LevelBasisNumber of requirementsAssessment cadenceData protected
Level 1 (Foundational)FAR 52.204-2115 basic safeguarding requirementsAnnual self-assessment + affirmationFCI
Level 2 (Advanced)NIST SP 800-171 Rev 2110 security requirementsTriennial C3PAO assessment (self for a small subset) + annual affirmationCUI
Level 3 (Expert)NIST SP 800-171 Rev 2 + subset of NIST SP 800-172110 + 24 enhanced requirementsTriennial DIBCAC (Government) assessment + annual affirmationCUI, high-priority/APT

The fourteen NIST SP 800-171 domains, which structure Levels 2 and 3, are enumerated below with their two-letter identifiers. Requirement numbers throughout CMMC follow the NIST 800-171 convention (family.category.number, e.g., 3.1.1) and are cross-referenced in SPRS scoring.

Domain (family)IdentifierLevel 2 requirements (approx.)Scope of the family
Access ControlAC22Limiting system access to authorised users, processes and devices.
Awareness and TrainingAT3Ensuring personnel are aware of security risks and trained on procedures.
Audit and AccountabilityAU9Creating, protecting and reviewing audit records to enable accountability.
Configuration ManagementCM9Establishing and maintaining secure baseline configurations.
Identification and AuthenticationIA11Verifying the identity of users, processes and devices.
Incident ResponseIR3Detecting, reporting and responding to security incidents.
MaintenanceMA6Performing system maintenance securely, including remote maintenance.
Media ProtectionMP9Protecting, sanitising and controlling media containing CUI.
Personnel SecurityPS2Screening individuals and protecting CUI during personnel actions.
Physical ProtectionPE6Limiting physical access to systems, equipment and environments.
Risk AssessmentRA3Assessing and managing risk to operations and assets.
Security AssessmentCA4Assessing controls and developing/monitoring plans of action.
System and Communications ProtectionSC16Monitoring and protecting communications at system boundaries.
System and Information IntegritySI7Identifying, reporting and correcting flaws; malicious-code protection.

Master Assessment Checklist

This is the core section of the guide. It enumerates every CMMC control family together with the essential requirements within each, expressed as verification statements an assessor would test. For each family a table lists 'What to verify' against 'Typical evidence'. Level 1 (FCI) is covered first because it forms the foundation of every higher level, followed by the fourteen NIST 800-171 domains that comprise Level 2, and finally the enhanced 800-172 requirements introduced at Level 3. No control area is omitted.

Level 1 Foundational — FAR 52.204-21 Basic Safeguarding (FCI)

Level 1 comprises fifteen basic safeguarding requirements mapped to seventeen practice objectives across six domains (AC, IA, MP, PE, SC, SI). These protect Federal Contract Information and are the non-negotiable floor for any DoD contractor.

What to verifyTypical evidence
Access to systems is limited to authorised users, processes and devices (AC.L1-3.1.1).User access matrix, identity directory export, joiner-mover-leaver records.
Transactions and functions are limited to those authorised (AC.L1-3.1.2).Role definitions, least-privilege role mappings, permission review logs.
Connections to and use of external systems are verified and controlled (AC.L1-3.1.20).External connection register, firewall rules, acceptable-use policy.
Information posted on publicly accessible systems is controlled (AC.L1-3.1.22).Public-content approval workflow, web content review records.
Users, processes and devices are identified before access (IA.L1-3.5.1).Account inventory, device registration list, directory records.
Identities are authenticated before granting access (IA.L1-3.5.2).Authentication configuration, password/MFA policy, login logs.
Media containing FCI is sanitised or destroyed before disposal/reuse (MP.L1-3.8.3).Media sanitisation certificates, destruction logs, disposal SOP.
Physical access to systems, equipment and operating environments is limited (PE.L1-3.10.1).Badge access logs, facility access list, visitor register.
The physical facility and support infrastructure are protected (PE.L1-3.10.3/3.10.4/3.10.5).Escort procedures, physical access device inventory, monitoring records.
Communications at external boundaries and key internal boundaries are monitored/controlled (SC.L1-3.13.1).Network diagram, firewall/IDS configuration, boundary control policy.
Publicly accessible components are separated from internal networks (SC.L1-3.13.5).DMZ architecture diagram, subnet/VLAN configuration.
System flaws are identified, reported and corrected in a timely manner (SI.L1-3.14.1).Patch management records, vulnerability remediation tickets.
Malicious code protection is provided at appropriate locations (SI.L1-3.14.2).Anti-malware deployment report, endpoint coverage dashboard.
Malicious code protection mechanisms are updated when new releases are available (SI.L1-3.14.4).AV signature update logs, EDR version report.
Periodic and real-time scans of the system and downloaded files are performed (SI.L1-3.14.5).Scan schedules, scan result logs, quarantine records.

Access Control (AC) — Level 2

What to verifyTypical evidence
Access is limited to authorised users/processes/devices and to permitted transactions (3.1.1, 3.1.2).Access-control policy, RBAC matrix, entitlement review evidence.
The flow of CUI is controlled in accordance with approved authorisations (3.1.3).Data-flow diagrams, DLP rules, network segmentation config.
Duties are separated to reduce risk of malicious activity (3.1.4).Segregation-of-duties matrix, conflicting-role exception log.
Least privilege is applied, including for security functions and privileged accounts (3.1.5, 3.1.6, 3.1.7).Privileged account inventory, PAM logs, non-privileged usage records.
Unsuccessful logon attempts are limited (3.1.8).Account lockout policy configuration, failed-login logs.
Privacy and security notices are displayed; session lock and termination are enforced (3.1.9, 3.1.10, 3.1.11).Logon banner screenshot, session-timeout GPO, idle-lock config.
Remote access is authorised, monitored, encrypted and routed through managed access-control points (3.1.12–3.1.15).VPN configuration, remote-access authorisation register, session logs.
Wireless access is authorised and protected; mobile devices are controlled and encrypted (3.1.16–3.1.19).Wireless config, MDM policy, device-encryption report.
Use of external systems and portable storage is controlled; CUI on public systems is prevented (3.1.20–3.1.22).External-system policy, USB control settings, public-posting review log.

Awareness and Training (AT) — Level 2

What to verifyTypical evidence
Personnel are made aware of security risks and applicable policies/standards (3.2.1).Awareness programme materials, completion records, campaign calendar.
Personnel are trained to carry out their assigned information-security-related duties (3.2.2).Role-based training curriculum, attendance rosters, competency records.
Insider-threat awareness training is provided to personnel (3.2.3).Insider-threat module, sign-off sheets, refresher schedule.

Audit and Accountability (AU) — Level 2

What to verifyTypical evidence
Audit logs are created and retained to enable monitoring, analysis and investigation (3.3.1).Logging policy, log retention settings, SIEM ingestion inventory.
Actions are traceable to individual users to support accountability (3.3.2).Unique-ID mapping, log samples showing user attribution.
Audited events are reviewed and updated; audit process failures are alerted (3.3.3, 3.3.4).Audit-event catalogue, review minutes, log-failure alert config.
Audit records are correlated, reviewed, analysed and reported for suspicious activity (3.3.5, 3.3.6).SIEM correlation rules, alert triage tickets, reporting cadence.
System clocks are synchronised to an authoritative source (3.3.7).NTP configuration, time-source documentation.
Audit information and tools are protected from unauthorised access/modification (3.3.8, 3.3.9).Log access-control list, WORM/immutable storage config, privileged-log audit.

Configuration Management (CM) — Level 2

What to verifyTypical evidence
Baseline configurations and inventories are established and maintained (3.4.1, 3.4.2).Configuration baselines, CMDB/asset inventory, hardening standards.
Changes are tracked, reviewed, approved and controlled (3.4.3).Change-management tickets, CAB minutes, change log.
Security impact of changes is analysed before implementation (3.4.4).Security impact assessments attached to change records.
Access restrictions for change are defined, documented and enforced (3.4.5).Change-access ACLs, privileged-change approval evidence.
Least functionality is applied; nonessential programs/ports/services are restricted (3.4.6, 3.4.7).Hardening checklists, disabled-service reports, port scan results.
Application allow/deny listing (blacklisting/whitelisting) is applied (3.4.8).Application control policy, allowlist configuration, exception log.
User-installed software is controlled (3.4.9).Software installation policy, endpoint restriction settings, audit of installs.

Identification and Authentication (IA) — Level 2

What to verifyTypical evidence
Users, processes and devices are uniquely identified (3.5.1, 3.5.2).Identity directory export, device identity records, service-account register.
Multi-factor authentication is used for privileged and network access to non-privileged accounts (3.5.3).MFA configuration, enrolment report, coverage dashboard.
Replay-resistant authentication is employed for network access (3.5.4).Protocol/config evidence (e.g., Kerberos, TLS), authenticator settings.
Identifiers are reused/disabled after defined periods (3.5.5, 3.5.6).Identifier lifecycle policy, disabled-account report.
Password complexity, reuse prohibition and encrypted storage/transmission are enforced (3.5.7–3.5.10).Password policy, hashing/storage configuration, transmission-encryption evidence.
Authentication feedback is obscured (3.5.11).Masked-input screenshots, application configuration.

Incident Response (IR) — Level 2

What to verifyTypical evidence
An operational incident-handling capability exists covering preparation, detection, analysis, containment, recovery and user response (3.6.1).Incident response plan, playbooks, IR team charter.
Incidents are tracked, documented and reported to designated internal and external authorities (3.6.2).Incident register, DIBNET/DoD reporting records, ticket history.
The incident-response capability is tested (3.6.3).Tabletop exercise reports, simulation after-action reviews.

Maintenance (MA) — Level 2

What to verifyTypical evidence
System maintenance is performed, and controls exist over tools, techniques and personnel (3.7.1, 3.7.2).Maintenance schedule, approved-tool list, maintenance logs.
Equipment removed for off-site maintenance is sanitised of CUI (3.7.3).Sanitisation records, off-site maintenance authorisation forms.
Media containing diagnostic/test programs is checked for malicious code (3.7.4).Media-scan logs, diagnostic-media handling procedure.
Multi-factor authentication is required for nonlocal maintenance sessions, which are terminated on completion (3.7.5).Remote-maintenance session logs, MFA config, session-termination evidence.
Maintenance personnel without required access are supervised (3.7.6).Escort/supervision records, maintenance visitor logs.

Media Protection (MP) — Level 2

What to verifyTypical evidence
Media (paper and digital) containing CUI is protected and access is limited to authorised users (3.8.1, 3.8.2).Media handling policy, storage-access controls, media register.
Media is sanitised or destroyed before disposal or reuse (3.8.3).Sanitisation certificates, destruction logs.
Media is marked with necessary CUI markings and distribution limitations (3.8.4).Marking standard, samples of marked media.
Access to media is controlled and its transport is accountable (3.8.5, 3.8.6).Transport logs, chain-of-custody forms, encryption-in-transit evidence.
Removable media use is controlled; media without identifiable owner is prohibited (3.8.7, 3.8.8).Removable-media policy, port control config, exception approvals.
Backups of CUI are protected at storage locations (3.8.9).Backup encryption config, offsite backup access controls.

Personnel Security (PS) — Level 2

What to verifyTypical evidence
Individuals are screened before authorising access to systems containing CUI (3.9.1).Background-check policy, screening completion records.
CUI and systems are protected during and after personnel actions such as termination and transfer (3.9.2).Offboarding checklist, access-revocation timestamps, transfer-review records.

Physical Protection (PE) — Level 2

What to verifyTypical evidence
Physical access to systems, equipment and operating environments is limited to authorised individuals (3.10.1).Access-control list, badge system logs, restricted-area map.
The facility and supporting infrastructure are protected and monitored (3.10.2).CCTV coverage, environmental controls, monitoring logs.
Visitors are escorted and their activity monitored (3.10.3).Visitor log, escort assignment records.
Physical access audit logs are maintained (3.10.4).Access-log retention config, log samples.
Physical access devices are managed and controlled (3.10.5).Key/badge inventory, issuance and return records.
Safeguarding measures are enforced for CUI at alternate work sites (3.10.6).Remote/telework security policy, home-office attestations.

Risk Assessment (RA) — Level 2

What to verifyTypical evidence
Risk to operations, assets and individuals from operating systems with CUI is periodically assessed (3.11.1).Risk assessment report, risk register, methodology documentation.
Vulnerabilities are scanned periodically and when new vulnerabilities are identified (3.11.2).Vulnerability scan reports, scan schedule, tool configuration.
Vulnerabilities are remediated in accordance with risk assessments (3.11.3).Remediation tracker, SLA metrics, re-scan verification.

Security Assessment (CA) — Level 2

What to verifyTypical evidence
Security controls are periodically assessed for effectiveness (3.12.1).Control assessment report, assessment methodology.
Plans of action are developed and implemented to correct deficiencies (3.12.2).POA&M document, remediation milestones, closure evidence.
Controls are monitored on an ongoing basis to ensure continued effectiveness (3.12.3).Continuous monitoring plan, metrics dashboards.
A system security plan is developed, documented and periodically updated (3.12.4).System Security Plan (SSP) with boundary, roles and control descriptions.

System and Communications Protection (SC) — Level 2

What to verifyTypical evidence
Communications are monitored/controlled/protected at external and key internal boundaries (3.13.1).Firewall/IDS configuration, boundary architecture diagram.
Architectural designs promote effective information security (3.13.2).Security architecture documentation, design-review records.
User functionality is separated from system management functionality (3.13.3).Management-plane segregation evidence, admin-network diagram.
Unauthorised and unintended information transfer via shared resources is prevented (3.13.4).Resource-isolation configuration, memory/cache clearing settings.
Subnetworks for publicly accessible components are physically/logically separated (3.13.5); deny-all/permit-by-exception applies (3.13.6).DMZ design, default-deny firewall ruleset.
Split tunnelling is prevented; cryptography protects CUI confidentiality in transit (3.13.7, 3.13.8, 3.13.11).VPN split-tunnel config, TLS/IPsec settings, FIPS-validated crypto evidence.
Network connections are terminated at session end (3.13.9); cryptographic keys are managed (3.13.10).Session-timeout config, key management policy, HSM/keystore records.
Collaborative computing devices and mobile code are controlled (3.13.12, 3.13.13).Camera/microphone control settings, mobile-code policy.
VoIP is controlled; communications authenticity is protected; CUI is protected at rest (3.13.14, 3.13.15, 3.13.16).VoIP configuration, session authentication evidence, at-rest encryption report.

System and Information Integrity (SI) — Level 2

What to verifyTypical evidence
System flaws are identified, reported and corrected in a timely manner (3.14.1).Patch management records, remediation SLA metrics.
Protection against malicious code is provided at designated locations (3.14.2), and is updated (3.14.4).Anti-malware/EDR deployment report, signature/version update logs.
Malicious-code protection mechanisms perform periodic and real-time scans (3.14.5).Scan schedules, real-time protection config, scan logs.
System security alerts, advisories and directives are monitored and acted upon (3.14.3).Threat-intel subscription records, advisory action tickets.
Inbound and outbound communications traffic is monitored to detect attacks and indicators (3.14.6).IDS/IPS logs, network monitoring dashboards, alert records.
Unauthorised use of the system is identified (3.14.7).Anomaly detection alerts, UEBA reports, misuse investigations.

Level 3 Enhanced Requirements — NIST SP 800-172 Subset

Level 3 layers a selected subset of NIST SP 800-172 enhanced security requirements on top of the full 110 requirements of Level 2. These target advanced persistent threats and demand penetration-resistant architecture, damage-limiting operations and heightened detection. Level 3 is assessed by the Government's DIBCAC, not by a commercial C3PAO.

What to verifyTypical evidence
Dual authorisation is enforced for the most critical/sensitive operations (AC).Dual-control policy, two-person integrity logs.
Access is restricted to systems/components based on trustworthiness and organisationally defined restrictions.Trust-based access policy, device-trust posture reports.
Security awareness training incorporates advanced social-engineering and APT practical exercises (AT).Advanced training exercise records, phishing-simulation results.
Automated, machine-speed analysis of audit logs supports threat hunting (AU).SOAR/SIEM analytics configuration, threat-hunt findings.
System components are refreshed/reset to a known state periodically to limit persistence (CM/SI).Non-persistent component config, gold-image refresh schedule.
Multifactor and out-of-band or biometric authentication protects privileged and network access (IA).Enhanced MFA configuration, hardware token / biometric enrolment.
A cyber security incident response team is established with a security operations centre capability (IR).CSIRT/SOC charter, staffing and coverage records, runbooks.
Threat intelligence is used to drive design, hunting and response (RA); advanced risk analysis is performed.Threat-intel integration evidence, threat-informed risk assessments.
Penetration testing is conducted leveraging automated and manual, red-team techniques (CA).Independent penetration test reports, red-team exercise findings.
Isolation, segmentation and managed communications limit lateral movement and data exfiltration (SC).Micro-segmentation design, egress filtering, deception/decoy deployment.
Integrity verification and organic/threat-hunting monitoring detect and respond to adversary presence (SI).File-integrity monitoring, threat-hunting cadence, detection engineering records.

Scoping

Scoping determines which assets fall within the CMMC assessment boundary and, therefore, which controls apply to them. Correct scoping is the single most consequential planning decision in a CMMC engagement: an overly broad scope inflates cost and assessment burden, while an overly narrow scope invites a failed assessment or, worse, a false attestation. The DoD publishes dedicated Scoping Guides for Level 1 and Level 2. The methodology categorises every asset in the environment into defined types.

Asset categoryDefinitionAssessment treatment (Level 2)
CUI AssetsAssets that process, store or transmit CUI.Fully assessed against all 110 requirements.
Security Protection AssetsAssets that provide security functions to the CUI environment (e.g., SIEM, firewalls, MFA).Assessed against requirements relevant to the protection they provide.
Contractor Risk Managed Assets (CRMA)Assets that can, but are not intended to, handle CUI and are managed by policy.Assessed for policy/config governance; spot-checked, not fully assessed if properly documented.
Specialised AssetsIoT, OT, government furnished equipment, restricted information systems, test equipment.Documented in the SSP and network diagram; managed by policy; limited assessment.
Out-of-Scope AssetsAssets that cannot process/store/transmit CUI and are logically/physically separated.Not assessed, provided separation is demonstrated.
  • Segmentation is the primary lever for reducing scope — an enclave dedicated to CUI can dramatically shrink the boundary versus a flat network.
  • External Service Providers, including cloud, must be accounted for; CSPs storing CUI require FedRAMP Moderate authorisation or equivalency.
  • The System Security Plan and an accurate, current network diagram are mandatory scoping artefacts and are the first documents an assessor examines.
  • People, facilities and processes that touch CUI are in scope, not merely technology assets.
  • Every asset must be inventoried and categorised; unlabelled or 'shadow' assets are a frequent cause of assessment findings.

Implementation Approach

A defensible CMMC programme is delivered in phases. The following five-phase roadmap moves an organisation from ambiguity to a sustained, certifiable state. Each phase lists its key activities and the deliverables that evidence completion.

Phase 1 — Discovery and Scoping

  • Activities: identify all FCI and CUI flows; interview data owners; classify contracts and required levels; inventory assets; draft the CUI data-flow map; categorise assets per the scoping guide.
  • Deliverables: CUI data-flow diagram, asset inventory, preliminary scope statement, target CMMC level confirmation, stakeholder RACI.

Phase 2 — Gap Assessment

  • Activities: assess current state against all applicable requirements; score against the SPRS methodology; identify deficiencies and dependencies; estimate remediation effort and cost.
  • Deliverables: gap-analysis report, current SPRS score, prioritised remediation backlog, draft Plan of Action and Milestones (POA&M).

Phase 3 — Remediation and Control Implementation

  • Activities: implement or reconfigure technical controls (MFA, encryption, logging, segmentation); write and ratify policies and procedures; deploy security tooling; deliver training; establish continuous monitoring.
  • Deliverables: implemented controls, policy and procedure library, configuration baselines, training completion records, closed POA&M items.

Phase 4 — Documentation and Pre-Assessment

  • Activities: finalise the System Security Plan; assemble the evidence library mapped to each requirement; conduct a mock/readiness assessment; remediate residual gaps.
  • Deliverables: complete and current SSP, evidence matrix, readiness-assessment report, updated SPRS score meeting the required threshold.

Phase 5 — Certification and Sustainment

  • Activities: engage a C3PAO (Level 2) or coordinate with DIBCAC (Level 3); support the assessment; close conditional POA&M items within 180 days; submit the annual affirmation; operate continuous monitoring.
  • Deliverables: CMMC certificate recorded in SPRS, annual affirmation, continuous-monitoring metrics, three-year sustainment plan.

Scoring Model

For Level 2, CMMC uses the NIST SP 800-171 DoD Assessment Methodology to derive an SPRS score. The maximum score is 110, one point per satisfied requirement. Unmet requirements deduct weighted points — most subtract 1 point, but certain high-impact controls subtract 3 or 5 points, meaning a low score can quickly fall below zero. A perfect implementation yields 110; the minimum floor for score reporting is -203. To achieve certification, an organisation must meet all requirements, though a limited set may be deferred via a conditional POA&M.

Weighting / statusPoint impact per unmet requirementRationale
Standard requirement-1Baseline weighting for most of the 110 requirements.
Higher-impact requirement-3Controls with significant effect on the ability to protect CUI.
Highest-impact requirement-5Foundational controls (e.g., multifactor authentication, FIPS-validated cryptography, external boundary protection).
Partially met with compensating factor-1 (or partial per methodology)Some requirements permit partial credit where a defined element is in place.
Fully met requirement0 (contributes +1 toward 110)No deduction; counts toward the score.
LevelCertification decision basisPOA&M allowance
Level 1All 15 requirements met (self-assessed).No POA&M permitted; must be fully met.
Level 2Score of 110 for full certification; conditional status if minimum score met with POA&M on eligible items.Conditional certification allowed on non-critical items; close within 180 days.
Level 3All Level 2 requirements plus the 800-172 subset, assessed by DIBCAC.Conditional POA&M on eligible enhanced requirements; close within 180 days.

Assessment and Audit Approach

The CMMC assessment lifecycle follows a structured, evidence-driven sequence. Whether self-performed (Level 1) or conducted by a C3PAO (Level 2) or DIBCAC (Level 3), the underlying methodology mirrors the NIST SP 800-171A assessment objectives, using the examine, interview and test methods.

  1. Define and confirm the assessment scope, including the CUI boundary, asset categories and the System Security Plan.
  2. Engage the appropriate assessor — a certified C3PAO for Level 2 or coordinate the DIBCAC assessment for Level 3 — and agree the assessment plan and timeline.
  3. Conduct a readiness or pre-assessment review to identify and close residual gaps before the formal assessment begins.
  4. Perform the assessment using three methods: examine documents and configurations, interview responsible personnel, and test control operation directly.
  5. Evaluate each of the assessment objectives underlying every requirement, scoring MET, NOT MET or NOT APPLICABLE with supporting rationale.
  6. Document findings, including any deficiencies eligible for a conditional POA&M, and calculate the resulting SPRS score.
  7. Issue the assessment result; a conditional certification is granted where eligible POA&M items exist, converting to final upon closure within 180 days.
  8. Record the certification and score in SPRS, and submit the senior-official annual affirmation attesting to continued compliance.
  9. Sustain compliance through continuous monitoring, re-affirming annually, and re-assessing on the three-year cycle.

Evidence Request List

Assessors expect a curated evidence library mapped requirement-by-requirement. Evidence is typically grouped into the following categories.

  • Governance and policy: information security policy, acceptable-use policy, access-control policy, incident-response plan, media-protection policy, configuration-management plan, risk-management policy.
  • System documentation: System Security Plan (SSP), current network and data-flow diagrams, asset inventory with categorisation, hardware/software baselines, CUI marking guide.
  • Identity and access: user/privileged account inventories, RBAC/entitlement matrices, joiner-mover-leaver records, MFA enrolment reports, access-review evidence.
  • Technical configuration: firewall and IDS/IPS rulesets, encryption (FIPS-validated) configuration, patch-management reports, hardening checklists, DLP and endpoint policies.
  • Logging and monitoring: SIEM configuration, log retention settings, audit-review records, alert triage tickets, NTP/time-sync evidence.
  • Operational records: change-management tickets, vulnerability scan and remediation reports, penetration test reports (Level 3), backup and recovery test results.
  • Training and personnel: security-awareness completion records, role-based training rosters, insider-threat training, background-screening confirmations, offboarding checklists.
  • Third-party and cloud: ESP/MSP agreements, CSP FedRAMP Moderate authorisation or equivalency letters, subcontractor flow-down and certification verification.
  • Assessment artefacts: prior gap-analysis and readiness reports, POA&M with milestones, SPRS score record, annual affirmation records.

Roles and Responsibilities

RolePrimary responsibilityCMMC-specific duties
Senior Company Official / Affirming OfficialExecutive accountability for compliance.Signs the annual affirmation in SPRS attesting to continued compliance.
Chief Information Security OfficerOwns the security programme and strategy.Approves the SSP, risk decisions and remediation priorities.
CMMC Programme / Compliance LeadCoordinates the certification effort.Manages scope, evidence library, POA&M and assessor liaison.
System / Network AdministratorsImplement and operate technical controls.Configure MFA, encryption, logging, segmentation and hardening baselines.
Security Operations / Monitoring TeamDetects and responds to threats.Runs SIEM, incident response and continuous monitoring.
Contracts / Procurement ManagerManages DoD contractual obligations.Ensures DFARS clauses are met and flows requirements down to subcontractors.
Data / CUI OwnersOwn the information and its handling.Identify CUI, define handling rules and validate data flows.
HR / Personnel SecurityManages workforce security.Conducts screening, training assignment and offboarding revocation.
C3PAO / Certified Assessor (external)Independent verification.Conducts the Level 2 assessment and issues the certification decision.
External Service Provider / MSPDelivers outsourced IT/security services.Meets ESP obligations and provides shared-responsibility evidence.

KPIs to Track

  • SPRS assessment score against the 110 maximum and its trend over time.
  • Percentage of applicable requirements fully met, partially met and not met.
  • Number of open POA&M items and mean time to closure against the 180-day limit.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
  • Patch and vulnerability remediation SLA compliance rate, by severity.
  • Multi-factor authentication coverage across privileged and remote access.
  • Percentage of assets inventoried, categorised and mapped to the SSP.
  • Security-awareness and role-based training completion rates.
  • Phishing-simulation failure rate and trend.
  • Percentage of subcontractors with verified flow-down certification.
  • Log coverage — proportion of in-scope assets forwarding audit logs to the SIEM.
  • Days remaining until certification expiry and next annual affirmation due date.

Readiness Checklist

  • CUI and FCI data flows have been identified, documented and mapped.
  • The required CMMC level for each relevant contract has been confirmed.
  • A complete asset inventory exists with every asset categorised per the scoping guide.
  • A current, accurate network and data-flow diagram is maintained.
  • A System Security Plan covering all applicable requirements is complete and up to date.
  • Multi-factor authentication is enforced for privileged and remote/network access.
  • FIPS-validated cryptography protects CUI in transit and at rest.
  • Centralised logging and monitoring capture in-scope assets with defined retention.
  • Security-awareness and role-based training are delivered and evidenced.
  • An incident-response plan exists and has been tested within the review period.
  • Vulnerability scanning and timely remediation are operational.
  • A gap assessment has been completed and the SPRS score calculated.
  • A POA&M exists for any eligible open items with realistic milestones.
  • An evidence library is assembled and mapped requirement-by-requirement.
  • Cloud/ESP providers meet FedRAMP Moderate equivalency where CUI is involved.
  • Subcontractor flow-down certification has been verified.
  • A senior official is prepared to submit the annual affirmation in SPRS.

Common Gaps

  • Incomplete or outdated System Security Plan that fails to describe every applicable requirement — the most frequently cited deficiency.
  • Missing or partial multi-factor authentication, a high-weighted (-5) control that alone can sink an SPRS score.
  • Use of non-FIPS-validated cryptography for protecting CUI, which does not satisfy the requirement despite encryption being present.
  • Poor scoping and asset categorisation, leaving 'shadow' assets or an over-broad boundary.
  • Cloud services storing CUI without FedRAMP Moderate authorisation or documented equivalency.
  • Inadequate audit logging — logs not centralised, not retained long enough, or not reviewed.
  • Treating requirements as policy-only without evidencing operational implementation and testing.
  • No tested incident-response capability or missing DoD reporting mechanisms.
  • Failure to flow down requirements to subcontractors and verify their certification.
  • Neglecting the annual affirmation and continuous-monitoring obligations after certification.
  • Overuse of POA&Ms for ineligible or critical controls that cannot be deferred.
  • CUI not marked or handled consistently, undermining media-protection and access controls.

CMMC Mapped to Other Frameworks

CMMC elementNIST SP 800-53ISO/IEC 27001:2022NIST CSF 2.0Relationship
Access Control (AC)AC familyA.5.15–A.5.18, A.8.2–A.8.5PR.AA, PR.ACDirect conceptual overlap on identity and least privilege.
Audit and Accountability (AU)AU familyA.8.15, A.8.16DE.CM, PR.PSLogging and monitoring correspond closely.
Configuration Management (CM)CM familyA.8.9, A.8.32PR.PS, ID.AMBaselines and change control align.
Identification and Authentication (IA)IA familyA.5.16, A.8.5PR.AAMFA and identity assurance map directly.
Incident Response (IR)IR familyA.5.24–A.5.28RS, RCIncident lifecycle and reporting overlap strongly.
Risk Assessment (RA)RA familyA.5.7, Clause 6.1ID.RA, GV.RMRisk-driven approach shared across frameworks.
System and Communications Protection (SC)SC familyA.8.20–A.8.26PR.DS, PR.IRBoundary protection and cryptography align.
System and Information Integrity (SI)SI familyA.8.7, A.8.8DE.CM, PR.PSMalware, flaw remediation and monitoring correspond.
Level 3 enhanced (800-172)Overlay / advanced controlsExtended controls / threat intelDE.AE, RS.ANMaps to advanced threat-hunting and APT resistance.
How CyberSigma helps
CyberSigma delivers end-to-end CMMC readiness and certification support for defence supply-chain organisations. Our CERT-In empanelled and QSA-qualified assessors run structured discovery and scoping to right-size your CUI boundary, followed by a rigorous NIST SP 800-171 gap assessment with an accurate SPRS score. We remediate technical controls — multi-factor authentication, FIPS-validated cryptography, segmentation, centralised logging — author your System Security Plan and POA&M, and assemble a requirement-mapped evidence library. Through a formal readiness assessment we ensure you enter the C3PAO or DIBCAC assessment with confidence, then sustain certification with continuous monitoring, annual-affirmation support and subcontractor flow-down governance. Talk to CyberSigma to move from uncertainty to a certified, contract-eligible state.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

What is the difference between CMMC and NIST 800-171?
CMMC Level 2 is essentially an assessed-and-certified implementation of NIST SP 800-171’s 110 requirements; CMMC adds the certification and assessment programme on top.
Official documents

Need help with CMMC?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.