Building a solid foundation in defense contracting means staying ahead of cybersecurity rules. For firms seeking to work with the Department of Defense (DoD), understanding what is expected under the Cybersecurity Maturity Model Certification (CMMC) is essential. This blog unpacks the key requirements so that contractors can prepare effectively and confidently.
Certification levels mapped to FCI and CUI handling scope
The CMMC model aligns certification levels with the type of information an organization handles. For contractors dealing only with Federal Contract Information (FCI), the baseline is the foundational level. Handling Controlled Unclassified Information (CUI) raises the expectation to more advanced certification. The linkage of level to data ensures that security controls scale with risk.
Once a contractor knows whether they handle FCI or CUI, they refer to the official CMMC Scoping Guide and determine the appropriate level under the rules. The contract language may specify whether only a self-assessment suffices or if a full third-party audit is required.
Level 1 baseline practices with annual self-assessment for FCI
Under the entry tier of the framework, contractors working with FCI must implement a set of basic cyber hygiene practices. These practices focus on straightforward controls such as limiting system access and establishing basic security awareness. Contractors implement the designated list of practices and then conduct an annual self-assessment to confirm compliance.
That annual self-assessment must be submitted to the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) system via the Supplier Performance Risk System (SPRS). Meeting the Level 1 requirements makes a firm eligible to pursue contracts involving FCI.
Level 2 full NIST 800-171 implementation with third-party assessment where required
For contractors dealing with CUI, the standard jumps to full implementation of the 110 security controls defined in NIST SP 800‑171. These controls cover areas from access control and incident response to system integrity and configuration management. The requirement signals a higher maturity in cybersecurity posture.
In addition to meeting the controls, some contracts will require certification by a Certified Third‑Party Assessor Organization (C3PAO). This shifts the evaluation from self-assessment to an external audit, reinforcing validation by independent experts. Contractors should evaluate whether the contract mandates a third-party review or allows self-assessment under Level 2.
Documented security program with SSP and assessment-ready evidence trail
Documentation isn't just paperwork: it proves that controls exist, operate, and are maintained. Each contractor must have a formal security program, anchored by a System Security Plan (SSP) that outlines how the 110 controls (for Level 2) are implemented. The SSP should map each control to the policy, the procedure, and the responsible individual that satisfy it.
Alongside the SSP, an evidence trail matters: audit logs, change control records, configuration snapshots, and incident reports become proof that the program works. Maintaining this evidence is part of what makes the organization assessment-ready, and many firms rely on CMMC consulting support to build this trail.
Formal environment scoping of assets, networks, and data flows before evaluation
Proper scoping defines what systems, networks, and data fall under the CMMC review. Without formal scoping, contractors risk evaluating the wrong assets or overlooking systems that handle CUI. This scoping process uses the CMMC scoping guide to decide what’s in or out.
By engaging in scoping early, contractors create clarity for themselves and for assessors. The outcome is a precise boundary: a set of assets that form the certification perimeter. That reduces risk of surprise during the audit and aligns efforts with the real technical environment.
POA&M remediation aligned to phased DoD rollout and DFARS timelines
No cybersecurity program is perfect at first. The framework allows contractors to use a Plan of Action and Milestones (POA&M) to track gaps. This document shows what controls are incomplete, who is responsible, and when they will be completed. It has become a standard remedial tool in CMMC compliance requirements.
Since the DoD is implementing certifications gradually, contractors must align the POA&M with contract award timelines and the associated DFARS Clause 252.204‑7021 milestones. Properly timed remediation avoids contract eligibility issues and supports the phased rollout of required levels.
Core safeguards covering access control, MFA, encryption, logging and patching
At the heart of the technical controls are fundamental safeguards: restricting system access, enforcing multi-factor authentication (MFA), encrypting data at rest and in transit, logging system events, and maintaining timely patching. These safeguards are also among the most common CMMC challenges that contractors cite.
How well these controls are implemented often determines whether a contractor passes or fails the assessment. Contractors should assess their environment against each of these key controls and use compliance consulting to fill any gaps. A mature security operation that monitors logs, applies patches, mandates MFA, and encrypts data appropriately meets many of the significant CMMC Level 2 requirements.
Flow-down obligations enforcing supplier compliance for FCI and CUI work
CMMC doesn’t stop at prime contractors. Suppliers and subcontractors receive flow-down obligations when they handle FCI or CUI. Primes must ensure that their subcontractors meet the appropriate level of compliance based on the downstream data. The requirement underscores that the entire supply chain must be aligned with the certificate level being pursued.
When primes pass compliance requirements on to suppliers, the subcontractors often seek CMMC consulting to address both the subcontract flow-down and their own obligations. A failure in the supply chain can jeopardize the prime's certification status and contract performance, which is why supply-chain compliance flows directly into contractor strategy.
A provider known as MAD Security offers specialized expertise in CMMC compliance consulting, government security consulting and managed services to help contractors meet these requirements efficiently.