What Is CMMC Compliance? A Guide for DoD Contractors.
The DoD's Cybersecurity Maturity Model Certification is now contractually mandatory for defense contractors handling CUI. Here is what it requires, who it applies to, and how to prepare for the October 2026 deadline.
CMMC in 60 seconds
CMMC (Cybersecurity Maturity Model Certification) is the DoD's framework for verifying that defense contractors protect Controlled Unclassified Information (CUI) in their environments. It has three maturity levels, with Level 2 — the most common requirement — built on the 110 controls in NIST SP 800-171.
Roughly 300,000 organizations in the defense industrial base fall in scope, from prime contractors to small subcontractors. By October 2026, new DoD contracts involving CUI will require CMMC certification at the specified level before contract performance.
For organizations whose environments include legacy OT, PLCs, or specialized assets, achieving CMMC Level 2 has additional complexity — see our CMMC compliance solution for defense manufacturers with legacy OT for how compensating controls work in practice.
Level 1, 2, and 3 — what they require
Level 1 (Foundational)
17 basic safeguarding requirements drawn from FAR 52.204-21. Covers organizations that handle Federal Contract Information (FCI) but not CUI. Verified through annual self-assessment with an Affirming Official attestation submitted to SPRS.
Who is in scope: contractors who handle non-public DoD information but not CUI.
Level 2 (Advanced): most common
All 110 controls from NIST SP 800-171 Rev 2 across 14 control families. Verified through triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO), with annual affirmations in between. This is the level most defense contractors will need.
Who is in scope: contractors who process, store, or transmit CUI.
Level 3 (Expert)
All 110 NIST 800-171 controls plus a subset of NIST SP 800-172 controls for advanced persistent threat resistance. Verified through assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO.
Who is in scope: contractors on the most sensitive DoD programs.
Anyone in the DoD supply chain who touches CUI
CMMC applies across the entire defense industrial base — roughly 300,000 organizations by DoD estimate. The certification level a contractor needs is determined by the type of information they process under their contracts:
- Prime contractors hold contracts directly with the DoD and must meet the level specified in each contract.
- Subcontractors at any tier inherit the CMMC level of any prime contract they support — a Tier 3 vendor selling parts to a Tier 1 prime may be in scope for the same level the prime is.
- IT and cloud service providers that store, process, or transmit CUI on behalf of DIB contractors are themselves in scope. This is why cloud providers serving the DIB have built dedicated enclaves like GCC High.
- Small businesses are not exempt. There is no size threshold — a small machining shop performing CUI work on a single DoD contract has the same baseline obligation as a Tier 1 defense prime.
For more detail on prime/sub flow-down and shared responsibility, see CMMC compliance for defense suppliers.
The 14 NIST 800-171 control families
CMMC Level 2 requires implementation of all 110 controls in NIST SP 800-171 Rev 2, organized into 14 families:
- Access Control (AC): limit access to authorized users, processes, and devices. 22 controls.
- Awareness and Training (AT): train users on security responsibilities. 3 controls.
- Audit and Accountability (AU): log security-relevant events with user attribution. 9 controls.
- Configuration Management (CM): manage baselines and changes. 9 controls.
- Identification and Authentication (IA): identify users; enforce MFA. 11 controls.
- Incident Response (IR): detect, report, and respond. 3 controls.
- Maintenance (MA): manage equipment maintenance access. 6 controls.
- Media Protection (MP): handle, mark, and sanitize media. 9 controls.
- Physical Protection (PE): control physical access to systems. 6 controls.
- Personnel Security (PS): vet and offboard personnel. 2 controls.
- Risk Assessment (RA): identify and prioritize risk. 3 controls.
- Security Assessment (CA): periodically assess controls. 4 controls.
- System and Communications Protection (SC): protect systems and traffic. 16 controls.
- System and Information Integrity (SI): patch, monitor, and detect threats. 7 controls.
For details on which controls are hardest to satisfy on legacy OT — and the compensating controls that cover them — see the CMMC Shared Responsibility Matrix and the CMMC Level 2 requirements for OT specialized assets guide.
October 2026 — when CMMC becomes contractually binding
Oct 2024
CMMC 2.0 final rule published. Three levels formalized.
Late 2025 → 2026
Phased rollout in DoD contracts. Early-adopter contracts begin requiring certification.
By Oct 2026
All new CUI-handling DoD contracts include CMMC clauses. Existing contracts incorporate at renewal.
For organizations starting now, the practical deadline is earlier than October 2026: a C3PAO assessment takes 1-3 months and the queue is constrained — there are fewer than 100 authorized C3PAOs serving over 80,000 contractors expected to seek Level 2. Booking an assessment slot in 2026 means being ready 6-12 months in advance. See our CMMC October 2026 readiness guide for a month-by-month preparation plan.
Four problems most defense contractors hit
1. Legacy OT and specialized assets
PLCs, CNCs, HMIs, and other industrial controllers cannot natively meet many NIST 800-171 controls. They lack identity stacks for MFA, do not generate audit logs, transmit over plaintext industrial protocols, and cannot be patched on monthly cycles. The fix is the Enduring Exception category plus documented compensating controls — see what the Enduring Exception actually requires and our CMMC compliance solution for legacy OT.
2. GCC High vs on-premise enclave decisions
GCC High (Microsoft's government cloud) is the most common CUI handling path, but it is expensive, slow to deploy, and does not cover OT or specialized assets. The on-premise CUI enclave pattern is increasingly competitive — see CUI enclave architecture: on-premise alternatives to GCC High.
3. Evidence collection and SSP rigor
C3PAOs do not accept narrative descriptions of controls. They want policy configurations, session logs, denied-access records, segmentation baselines, and time-correlated evidence — for every control claimed. Most organizations underestimate this. See what a C3PAO looks for in an OT environment.
4. C3PAO availability
Fewer than 100 authorized C3PAOs are serving over 80,000 expected Level 2 contractors. The booking queue is the bottleneck for 2026 deadlines — not the technical work. See the C3PAO bottleneck analysis.
CMMC compliance for defense manufacturers with legacy OT.
Access Gate is the on-premise architecture that enforces 87 of 110 NIST 800-171 controls directly, generates audit-ready evidence for C3PAO assessment, and handles the legacy OT and specialized assets that GCC High cannot. Three-week pilot, no rip-and-replace, no agents on PLCs.
CMMC compliance FAQ
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors protect Controlled Unclassified Information (CUI) in their environments. It defines three levels of cybersecurity maturity (Level 1, Level 2, Level 3) and requires self-assessment or third-party certification depending on the contract. CMMC is built on the controls in NIST SP 800-171 and applies to virtually every company in the defense industrial base that handles federal contract information or CUI.
Any organization in the defense industrial base (DIB) that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoD contract. The DoD estimates roughly 300,000 organizations — including prime contractors, subcontractors at any tier, and IT/cloud service providers — fall into scope. Subcontractors inherit the CMMC level of the prime contract they support. There is no minimum size threshold: a small machining shop with one DoD contract is subject to the same baseline as a Tier 1 prime.
Level 1 (Foundational) covers 17 basic safeguarding requirements drawn from FAR 52.204-21 and is verified through annual self-assessment. Level 2 (Advanced) requires implementation of all 110 NIST SP 800-171 Rev 2 controls and is verified through triennial third-party assessment by an authorized C3PAO. Level 3 (Expert) adds a subset of NIST SP 800-172 controls for the most sensitive contracts and is assessed by the DoD's DIBCAC. Most DIB contractors will fall under Level 2.
The CMMC 2.0 rule was published in October 2024 and contract enforcement begins phasing in starting late 2025 and into 2026. By October 2026, all new DoD contracts that involve CUI are expected to include CMMC clauses, and contractors will need certification at the appropriate level to bid or perform work. Existing contracts will incorporate CMMC at renewal. Self-attesting compliance is no longer sufficient — for Level 2 contracts, a certified C3PAO must perform the assessment.
NIST SP 800-171 is the underlying standard — a list of 110 security controls in 14 control families that protect CUI in non-federal systems. CMMC is the assessment and certification framework built on top of NIST 800-171: it adds maturity levels, formal third-party verification, and an Affirming Official requirement. In practice, achieving CMMC Level 2 means implementing all 110 NIST 800-171 Rev 2 controls and producing the evidence to prove it to a C3PAO assessor.
Two categories of risk. (1) Contract risk: organizations without the required CMMC level cannot bid on or perform DoD contracts that require it — losing eligibility for the relevant pipeline. (2) False Claims Act exposure: submitting a CMMC score to the Supplier Performance Risk System (SPRS) that overstates your compliance posture is a federal misrepresentation. The DoD has stated it will use FCA enforcement for CMMC misrepresentation, with penalties including treble damages and per-claim fines.
Realistically 12 to 24 months for an organization starting from a baseline IT-only security program. Implementation breaks into roughly four phases: gap analysis (1-3 months), control implementation (6-12 months), evidence collection and System Security Plan (SSP) drafting (3-6 months), and the C3PAO assessment itself (1-3 months including remediation cycles). Organizations with significant legacy OT or specialized assets typically take longer because of compensating-control documentation requirements.
CMMC explicitly recognizes that some assets — PLCs, CNCs, HMIs, embedded controllers — cannot natively meet every NIST 800-171 control. The Enduring Exception and Specialized Asset categories let you document why a control cannot be implemented on a specific device and apply a compensating control that provides equivalent protection at the network or process layer. This is where most defense manufacturers struggle: the documentation is rigorous and the compensating controls must be technically verifiable.