CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense's framework for verifying that defense contractors actually protect the sensitive unclassified information they handle. Certification at the level a solicitation specifies is a condition of contract award, not a paperwork exercise after the fact.
If you are a defense contractor or subcontractor handling Controlled Unclassified Information (CUI), CMMC certification is no longer optional. Enforcement is live: the DFARS rule took effect on November 10, 2025, and CMMC requirements are being phased into new solicitations. Without the required certification you are ineligible for award on contracts that carry it.
What CMMC replaced
Before CMMC, defense contractors were expected to self-attest their compliance with NIST SP 800-171 under DFARS 252.204-7012. The problem: self-attestation had no verification. Contractors could claim compliance without ever being assessed. Many did.
The DoD found that the majority of the defense industrial base was not actually meeting the security requirements they claimed to meet. CMMC was created to fix this by requiring independent third-party assessments.
The three CMMC levels
Level 1: Foundational
15 basic safeguarding requirements from FAR 52.204-21. Level 1 covers Federal Contract Information (FCI), not CUI: basic access control, identification and authentication, media sanitization, physical protection, boundary protection and malware defenses, and timely patching. An annual self-assessment with an affirmation entered in SPRS is all that is required; no third-party assessor is involved.
Most contractors who only handle FCI (not CUI) need Level 1. It is the minimum for any DoD contract that involves FCI; contracts solely for commercially available off-the-shelf (COTS) items are excluded from CMMC entirely.
Level 2: Advanced
110 security requirements mapped one-to-one to NIST SP 800-171 Rev 2. The CMMC rule fixes the baseline at Rev 2 even though NIST has since published Rev 3, so assess against Rev 2 until the DoD says otherwise. This is the level that matters for contractors handling CUI. It covers 14 control families:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
For most CUI contracts, Level 2 requires a certification assessment by a certified third-party assessment organization (C3PAO) every three years, with an annual affirmation of continued compliance in SPRS in between. The rule also defines a Level 2 self-assessment option, but the DoD has said it expects to apply it to only a small share of contracts, so plan for the C3PAO path. This is where most small and mid-size defense contractors need to be.
Level 3: Expert
Level 3 adds 24 requirements from NIST SP 800-172 on top of the full Level 2 set. It is designed for contractors working with the most sensitive CUI and facing advanced persistent threats. Assessments are government-led, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a current Level 2 C3PAO certification is a prerequisite. Very few contractors need Level 3.
Who needs CMMC
Any company that bids on DoD contracts where CUI is involved needs CMMC Level 2. This includes:
- Prime contractors
- Subcontractors at any tier who handle CUI
- Companies that store, process, or transmit CUI on behalf of a prime
- IT service providers managing systems that touch CUI
The requirement flows down through the supply chain at the level the prime's contract requires. If a prime contractor passes CUI to a subcontractor, that subcontractor needs CMMC Level 2; a subcontractor that receives only FCI needs only Level 1. Primes are responsible for verifying that their subcontractors hold the required level before sharing the information.
What CUI actually is
Controlled Unclassified Information is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires or permits to be safeguarded. It is not classified, but it is not public either. Examples include:
- Technical drawings and specifications for defense systems
- Contract performance data
- Export-controlled technical data (ITAR)
- Personnel records related to contract work
- Vulnerability assessments and security plans
If you receive documents marked CUI, you are handling CUI and your systems must meet CMMC Level 2 requirements. Two older markings need care: FOUO (For Official Use Only) is a legacy marking that predates the CUI program and still turns up on documents, and export-controlled technical data (ITAR/EAR) received from or developed for the government falls under the CUI Export Controlled category. Treat material carrying either marking as CUI unless the owning agency tells you otherwise, and keep it inside your assessment boundary.
For a deeper look at how CUI designation works, read Encrypted CUI Is Still CUI.
What CMMC assessment looks like
A CMMC Level 2 assessment is conducted by a C3PAO (Certified Third-Party Assessment Organization) accredited by the Cyber AB (formerly the CMMC Accreditation Body). The process:
- Scoping. You define which systems, people, and processes handle CUI. This becomes your assessment boundary. The CMMC Level 2 Scoping Guide sorts assets into CUI Assets, Security Protection Assets (the tools that protect CUI assets, such as your identity provider and SIEM), Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets; anything that stores, processes, or transmits CUI, or protects something that does, is assessed.
- Documentation review. The assessor reviews your System Security Plan (SSP) and any Plans of Action and Milestones (POA&Ms). The SSP documents how each of the 110 practices is implemented.
- Evidence collection. The assessor examines technical evidence: configurations, logs, policies, and procedures. They verify that your documentation matches reality.
- Interviews. The assessor talks to your staff to confirm that security practices are understood and followed, not just written down.
- Findings. Each practice is scored as Met, Not Met, or Not Applicable (which counts as Met). A full pass requires every practice to be Met. A conditional certificate is possible if at least 88 of the 110 practices (80%) are Met at the time of the assessment and the remainder are on a POA&M; practices weighted 5 points under the DoD scoring methodology, such as MFA and FIPS-validated encryption, generally cannot be deferred to a POA&M. Every POA&M item must be closed and verified by the C3PAO within 180 days, or the conditional certificate lapses.
The assessment itself typically takes one to three weeks for a small organization, depending on scope and complexity. The preparation before it is usually measured in months.
Common systems the assessor examines
Your C3PAO will look at every system in your CUI boundary. For most small contractors, the critical systems are:
Email. How is CUI transmitted? Is email encrypted in transit and at rest? Are audit logs captured? Is MFA enforced? For a detailed breakdown of what assessors ask about email, read CMMC Level 2 Email Controls: What Your C3PAO Will Ask.
File storage. Where is CUI stored? Who has access? Are permissions based on least privilege? Is there version history and audit logging?
Endpoints. Are laptops and workstations full-disk encrypted, and is the encryption module FIPS 140 validated? (800-171 practice 3.13.11 requires FIPS-validated cryptography wherever encryption is what protects CUI confidentiality, so a device with encryption enabled but an unvalidated module still fails.) Are they centrally managed and patched? Can a lost device be wiped remotely?
Identity and access management. How are users authenticated? Is MFA enforced? Are accounts disabled when people leave? If you use Active Directory, read how to audit AD for CMMC.
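The identity questions above are the ones an assessor can test mechanically, and so can you before the assessment. The script below is an added example, not part of the original article or any assessor's tooling: it audits a constructed account export (the CSV columns are an assumption; your real input would be a Get-ADUser export or your identity provider's user list, with column names adapted) and maps each gap to the NIST SP 800-171 requirement the C3PAO will cite: MFA not enrolled (3.5.3), an account still enabled after HR marked the person terminated (3.9.2), and an enabled account with no logon inside the review window (3.1.1). Disabled accounts are skipped, and an unenrolled privileged account is rated higher than an unenrolled standard user.

```python
"""Audit an identity export for the access-control gaps a C3PAO asks about.

Added example. The export format and the sample rows are constructed for
illustration; real input would come from Get-ADUser or your IdP's API.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export (not real data). One row per account.
SAMPLE_EXPORT = """\
username,enabled,privileged,mfa_enrolled,last_logon,hr_status,termination_date
alice,true,true,true,2026-01-28,active,
bob,true,false,false,2026-01-30,active,
svc-backup,true,true,false,2025-09-01,active,
carol,true,false,true,2025-10-15,active,
dave,true,false,true,2026-01-20,terminated,2026-01-16
erin,false,false,false,2025-06-01,terminated,2025-06-02
"""
AS_OF = date(2026, 2, 1)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Finding:
    username: str
    practice: str  # NIST SP 800-171 requirement the gap maps to
    severity: str  # "high" or "medium"
    detail: str


def _flag(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def _parse_date(value: str) -> date | None:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def audit_accounts(export_csv: str, as_of: date, stale_days: int = 90) -> list[Finding]:
    """Return one Finding per gap. Only enabled accounts are checked.

    3.5.3  multifactor authentication        -> MFA not enrolled
    3.9.2  protect systems after personnel   -> HR says terminated, account enabled
           actions (terminations, transfers)
    3.1.1  limit access to authorized users  -> no logon within stale_days
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        if not _flag(row["enabled"]):
            continue  # disabled accounts are not a gap
        privileged = _flag(row["privileged"])

        if not _flag(row["mfa_enrolled"]):
            findings.append(Finding(
                user, "3.5.3", "high" if privileged else "medium",
                "enabled account without MFA" + (" (privileged)" if privileged else ""),
            ))

        if row["hr_status"].strip().lower() == "terminated":
            term = _parse_date(row["termination_date"])
            lag = (f"{(as_of - term).days} days after termination" if term
                   else "termination date unknown")
            findings.append(Finding(user, "3.9.2", "high", f"still enabled {lag}"))

        last = _parse_date(row["last_logon"])
        if last is None or as_of - last > timedelta(days=stale_days):
            findings.append(Finding(
                user, "3.1.1", "medium",
                f"no logon in {stale_days} days (last: {last or 'never'})",
            ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per practice, the shape you carry into the SSP or POA&M."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.practice] = counts.get(f.practice, 0) + 1
    return counts


def audit_sample() -> list[Finding]:
    """Run the audit over the constructed export as of AS_OF."""
    return audit_accounts(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.severity:6} {f.practice}  {f.username:12} {f.detail}")
    print(summarize(audit_sample()))
```

On the sample data the run flags five gaps: bob and the svc-backup service account lack MFA (the service account rated high because it is privileged), svc-backup and carol have not logged on inside the 90-day window, and dave is still enabled 16 days after HR recorded his termination. Alice is clean and erin is already disabled, so neither appears. The 90-day window is a common review interval, not a number the standard prescribes; set it to whatever your own access-review procedure in the SSP commits to, because the assessor will check the two against each other.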
How much CMMC costs
The cost varies widely depending on your current security posture and the tools you choose:
- C3PAO assessment fees: $20,000 to $100,000+ depending on scope
- Remediation: Depends on gaps found. Could be minimal or could require new infrastructure.
- Compliant tools: Email and file storage that meets CMMC requirements ranges from $18 to $93+ per user per month depending on the provider. For a full cost comparison, read CMMC Compliant Email Pricing in 2026.
The biggest hidden cost is time. Getting compliant can take months if your current tools require infrastructure rebuilds (like migrating to GCC High).
How to get started
- Determine your level. If you handle CUI, you need Level 2. If you only handle FCI, Level 1 may suffice.
- Scope your boundary. Identify every system, person, and process that touches CUI. The smaller your boundary, the simpler your assessment.
- Assess your gaps. Compare your current security posture against the 110 NIST 800-171 practices. Sign up for early access to get a free CMMC Level 2 readiness checklist covering 30 items across 11 control families.
- Fix your gaps. Start with your email and file storage. These are the systems most likely to fail assessment and the easiest to fix by switching to a compliant platform.
- Document everything. Write your SSP. Document how each practice is implemented. Your assessor wants evidence, not promises.
- Engage a C3PAO. Schedule your assessment. The sooner you start, the sooner you can bid on contracts that require CMMC.
CMMC is not going away. The contractors who get certified first will have a competitive advantage over those still scrambling to comply.
Get compliant without the GCC High price tag
IRONKEEP bundles encrypted email, file storage, calendar, and contacts under one CMMC-compliant authorization boundary. Three layers of encryption, per-tenant key isolation, zero operator access, US-only infrastructure. Built by the team behind a CMMC environment at a major cloud provider. Get started in hours, not months. Lock in founding member pricing before we launch.
Get early access
Be first in line when we launch. Founding member pricing and a free CMMC Level 2 readiness checklist included.
Founding member pricing goes away at launch.