CMMC 2.0 Explained: What Is CMMC Compliance?

Most defense contractors don't think of themselves as cybersecurity companies. A machine shop thinks about tolerances and lead times. A small AEC firm thinks about project deadlines and CAD files. An engineering sub thinks about specs and deliverables.

The DoD, on the other hand, thinks about all the sensitive data moving through those businesses every day, and what happens when it ends up in the wrong hands.

That gap is exactly what CMMC compliance was built to close. And as of November 2025, it's not a future concern for the defense supply chain. It's a current condition of contract award. Whether you're a manufacturer, a subcontractor two tiers down the supply chain, or a business owner who just heard this acronym for the first time, here's what you actually need to know.

Key Takeaways

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's mandatory cybersecurity framework for every company in the defense supply chain. If you handle federal contract information or controlled unclassified information, you must be certified at the appropriate level to win or keep DoD contracts. Enforcement is active as of November 2025. Phase 2 third-party assessments begin November 10, 2026. This post breaks down what CMMC is, who it applies to, and what you need to do right now.

Table of Contents

  1. What Is CMMC Compliance?
  2. Who Has to Get Certified?
  3. What Are FCI and CUI?
  4. The Three CMMC Levels, Explained Simply
  5. Where Do You Start?
  6. Frequently Asked Questions

What Is CMMC Compliance?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's mandatory cybersecurity framework that requires defense contractors to verify their cybersecurity practices before they can win or maintain DoD contracts. It has three levels tied to data sensitivity. Enforcement began November 10, 2025. Self-attestation is no longer an option for most contractors.

For years, the DoD relied on contractors to self-report their cybersecurity compliance. A 2019 Inspector General report found that contractors routinely claimed compliance without ever implementing the required controls. Adversaries from China and Russia exploited those gaps to steal critical defense data, including F-35 fighter jet designs and submarine warfare systems.

CMMC was the DoD's answer. Instead of trusting contractors to self-grade, the framework requires structured assessments, documented evidence, and in many cases, independent third-party certification.

For our complete breakdown of every level, requirement, and timeline, read our full CMMC compliance guide for defense contractors.

Who Has to Get Certified?

CMMC applies to every organization in the defense supply chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). That includes prime contractors and every subcontractor below them. If sensitive defense data touches your systems, CMMC applies to you.

More than 220,000 companies in the Defense Industrial Base are subject to CMMC, and over 70% of them are small and mid-sized businesses.

The "flow-down" principle is what makes this so urgent for subcontractors. Under DFARS 252.204-7021, prime contractors are legally responsible for verifying that their entire supply chain is compliant before flowing CUI to any sub. Primes aren't waiting for contract language to catch up. Lockheed Martin and Boeing have already issued supply chain compliance directives to their suppliers, independent of what individual contracts technically require.

If you support DoD-adjacent programs or work in the defense supply chain, head over to our defense contractor IT support page to see how we help companies in your position.

What Are FCI and CUI?

FCI (Federal Contract Information) is data provided by or generated under a government contract that is not intended for public release. CUI (Controlled Unclassified Information) is more sensitive: defense technical data, engineering specifications, export-controlled information, proprietary designs, and personnel records tied to government work. The type of information you handle determines your required CMMC level.

The most common and costly mistake we see is contractors who assume they only handle FCI when they actually handle CUI. If your work involves defense-related technical data, engineering drawings, or design specifications, you are almost certainly handling CUI and need Level 2 certification, not Level 1.

Not sure which category you fall into? Our CMMC Level 1 vs. Level 2 guide walks through the exact criteria and what each level actually requires.

The Three CMMC Levels, Explained Simply

CMMC 2.0 has three certification levels. Here's the plain-English version:

  • Level 1 – Foundational: For contractors handling only FCI. Requires 17 basic cybersecurity practices. Annual self-assessment submitted to the DoD's SPRS database. No third-party assessor required. Achievable in one to three months for most organizations.
  • Level 2 – Advanced: For contractors handling CUI. Requires all 110 security controls from NIST SP 800-171 across 14 security families. As of November 10, 2026, a formal third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required. This is where most defense contractors land, and it takes 18 to 24 months to implement from scratch.
  • Level 3 – Expert: For contractors on the most sensitive DoD programs. Requires 134 controls based on NIST SP 800-172. Assessed by the government directly through DIBCAC. Most contractors will never reach this level, and it requires an existing valid Level 2 certification as a prerequisite.

For a full side-by-side breakdown, visit our full CMMC compliance guide.

Where Do You Start?

Start by figuring out which CMMC level applies to you. If your work involves any defense technical data, engineering specifications, or information tied to DoD programs, assume Level 2 until a qualified partner confirms otherwise. Then get a gap assessment against NIST SP 800-171 so you know exactly where you stand before committing to a timeline or budget.

From there, the path is clear: scope your environment, build your System Security Plan (SSP), close your gaps, and schedule your C3PAO assessment before the backlog grows further. Every week of delay costs you options.

Our compliance management services are built for exactly this. We work alongside your team as a true partner throughout the whole process, from initial gap assessment through C3PAO preparation and beyond. We help you scope your environment correctly, implement the technical controls, build audit-ready documentation, and prepare your staff for the assessment itself.

We also bring something most IT firms can't offer: a relationship with an established C3PAO assessor and over 25 years of experience supporting manufacturers and defense contractors in the Denver Metro area. Our cybersecurity services are embedded into every layer of what we do, so CMMC preparation doesn't start from scratch.

The Bottom Line on CMMC Compliance

CMMC 2.0 is not a future problem. It's an active requirement that's already deciding which defense contractors win work and which ones don't. If you handle CUI and haven't started, you're behind the Phase 2 deadline. If you handle FCI and haven't filed your SPRS assessment, your next bid may already be at risk.

The good news is that this is solvable. With the right partner and a realistic plan, most organizations can compress the timeline and protect their contract eligibility. But that window gets smaller every month.

Download our CMMC Level 1 vs. Level 2 guide to figure out exactly which level applies to you, or reach out to our team and let's figure out where you stand.

Frequently Asked Questions

What is CMMC compliance?

CMMC compliance (Cybersecurity Maturity Model Certification) is the process of meeting the DoD's mandatory cybersecurity standards for defense contractors and their supply chains. The framework has three levels based on the type of information a contractor handles. As of November 10, 2025, CMMC requirements are appearing in DoD solicitations and contract awards are conditioned on meeting the required level.

Does CMMC apply to small businesses and subcontractors?

Yes. CMMC applies to any organization in the defense supply chain that handles FCI or CUI, regardless of size or tier. Prime contractors are required to verify subcontractor compliance before flowing down CUI. If you're a sub, your prime is already looking at your SPRS profile.

What is the difference between FCI and CUI?

FCI (Federal Contract Information) is contract-related data not intended for public release. CUI (Controlled Unclassified Information) is more sensitive and includes defense technical data, engineering specs, export-controlled information, and personnel records tied to government contracts. FCI triggers Level 1. CUI triggers Level 2. Getting this wrong is one of the most expensive mistakes in CMMC preparation.

What are the three levels of CMMC 2.0?

Level 1 (Foundational) covers 17 basic controls for contractors handling FCI and requires annual self-assessment. Level 2 (Advanced) covers 110 controls for contractors handling CUI and requires a C3PAO third-party assessment as of November 2026. Level 3 (Expert) covers 134 controls for the most sensitive programs and is assessed by the government directly.

When is the CMMC Level 2 deadline?

Phase 2 begins November 10, 2026. At that point, mandatory C3PAO third-party certification is required for most Level 2 contracts. Because Level 2 takes 18 to 24 months to implement from scratch, and C3PAO backlogs are running 6 to 12 months, organizations that haven't started are already behind the Phase 2 deadline.

What happens if I miss the CMMC deadline?

Your bids will be rejected. DoD contracting officers are required to verify CMMC status before award. If your SPRS profile doesn't reflect a current compliant assessment at the required level, you can't win the contract. Prime contractors are also auditing their supply chains, and non-compliant subs are being dropped from consideration before solicitations are even issued.

How do I know which CMMC level I need?

If your work involves any defense technical data, engineering specifications, export-controlled information, or personnel records tied to a government contract, you almost certainly handle CUI and need Level 2. When in doubt, assume Level 2.