What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's mandatory framework for verifying that defense contractors adequately protect sensitive government information. If your company holds or works on DoD contracts, CMMC is not optional — it is a contract requirement that is actively being enforced.


Why Does CMMC Exist?

For years, the DoD relied on defense contractors to self-attest that they were meeting the cybersecurity requirements of DFARS clause 252.204-7012, which obligates contractors handling covered defense information to implement NIST SP 800-171. The problem: self-attestation carried no independent verification, so there was little accountability, and adversaries, most notably nation-state actors, were actively exploiting under-protected contractors to steal sensitive defense technology, program data, and technical specifications.

CMMC was developed to close that gap. Under CMMC 2.0, contractors must demonstrate compliance through assessment rather than by simply signing a statement that they comply: depending on the level and the contract, that means a self-assessment backed by an annual affirmation from a senior company official, an independent assessment by a credentialed third-party organization and certified assessors, or a government-led assessment. In each case the protections have to be shown to be actually in place, not merely planned.

Two Types of Sensitive Information

Which CMMC level applies to you depends on what type of information your organization handles:

FCI — Federal Contract Information

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service (the FAR 4.1901 definition excludes information the Government releases to the public and simple transactional information such as payment processing). If you handle FCI, you need at minimum CMMC Level 1.

Examples: Contract deliverables, procurement data, pricing information

CUI — Controlled Unclassified Information

Information that the Government creates or possesses, or that a contractor creates or possesses on the Government's behalf, which a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled, but which is not classified. If you handle CUI, you need CMMC Level 2 or, for the most sensitive programs, Level 3 (which is built on top of a Level 2 certification).

Examples: Technical specifications, export-controlled data, DoD program information, engineering drawings

The Three CMMC Levels

CMMC 2.0 simplified the original five-level model into three levels, each with distinct requirements and assessment methods.

LEVEL 1

Foundational

15 basic safeguarding requirements taken from FAR 52.204-21, focused on protecting Federal Contract Information (FCI). (The original CMMC 1.0 model split these into 17 practices; the CMMC 2.0 final rule counts them as 15.)

Assessment: Annual self-assessment, with an annual affirmation by a senior official
Handles: FCI only
Practices: 15
LEVEL 2

Advanced

110 security requirements aligned one-for-one with NIST SP 800-171 Revision 2, protecting Controlled Unclassified Information (CUI).

Assessment: Self-assessment or C3PAO certification assessment, as specified in the solicitation; annual affirmation in either case
Handles: CUI
Practices: 110
LEVEL 3

Expert

The 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172, for the most critical DoD programs facing advanced persistent threats. A Level 2 C3PAO certification is a prerequisite.

Assessment: Government-led, conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Handles: CUI on critical programs
Practices: 134 (110 + 24)

The vast majority of DIB contractors will require CMMC Level 2. This is the level TenGuard Security specializes in.

The 14 CMMC Level 2 Domains

CMMC Level 2's 110 requirements are organized across 14 domains, which map directly to the 14 requirement families of NIST SP 800-171 Revision 2 (the earlier 17-domain CMMC 1.0 model added domains such as Asset Management and Recovery that were dropped in CMMC 2.0):

AC Access Control
AT Awareness & Training
AU Audit & Accountability
CM Configuration Management
IA Identification & Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical Protection
PS Personnel Security
RA Risk Assessment
CA Security Assessment
SC System & Communications Protection
SI System & Information Integrity

Who Needs CMMC?

If your company does any of the following, CMMC likely applies to you:

  • Holds a prime contract or subcontract with the Department of Defense
  • Receives, processes, stores, or transmits technical data or CUI as part of a DoD contract
  • Provides products, services, or IT infrastructure that touches DoD information systems
  • Is a supplier in the defense supply chain, even several tiers down
  • Works on programs involving export-controlled data, engineering specs, or DoD program information

CMMC requirements flow down through the supply chain. Even if you are a subcontractor or sub-tier supplier, if the prime's contract requires CMMC and you handle FCI or CUI, you must comply. Primes are responsible for ensuring their subcontractors meet CMMC requirements.

The CMMC Assessment Process

For Level 2 organizations requiring a third-party assessment, here is how the process typically works:

Step 1

Scoping & CUI Identification

Define your assessment boundary, which systems, people, and locations handle CUI, and document your CUI data flows. The CMMC Level 2 Scoping Guide expects every asset to be categorized as a CUI Asset, a Security Protection Asset (for example, your SIEM or identity provider), a Contractor Risk Managed Asset, a Specialized Asset (IoT, OT, test equipment), or Out of Scope, and the assessor will check that the boundary matches reality. Narrowing the boundary, for instance by moving all CUI into a dedicated enclave, is usually the single biggest lever on cost and effort.

Step 2

Gap Analysis

Evaluate your current security practices against all 110 CMMC Level 2 requirements, using the assessment objectives in NIST SP 800-171A (320 objectives in total, each of which must be met for the parent requirement to count). Identify what is compliant, partially compliant, or missing, and score the result using the DoD Assessment Methodology, since that score is what you report to SPRS.

Step 3

Remediation & Documentation

Implement the required controls, develop your System Security Plan (SSP), and create a Plan of Action & Milestones (POA&M) for any remaining gaps. Note that the CMMC 2.0 rule limits how much can be deferred: a conditional certification with open POA&M items is only possible if you score at least 88 of 110, the open items must be closed and verified within 180 days, and the higher-weighted requirements are not eligible for a POA&M at all.

Step 4

Third-Party Assessment (C3PAO)

A CMMC Third-Party Assessment Organization conducts the official assessment. The assessment team, led by a Lead Certified CMMC Assessor, evaluates each requirement using the three methods defined in NIST SP 800-171A: examining documentation and system configurations, interviewing staff, and testing that controls actually behave as described.

Step 5

Results Submission

The C3PAO enters the assessment results into the DoD's CMMC instance of the Enterprise Mission Assurance Support Service (CMMC eMASS), and the resulting certification status is transmitted to the Supplier Performance Risk System (SPRS), where contracting officers verify it. The Cyber AB accredits the C3PAOs and assessors; it does not issue the certification itself.

Step 6

Ongoing Compliance

CMMC Level 2 certification is valid for three years, but a senior official must affirm continued compliance annually, and any lapse in affirmation invalidates the status. You must maintain your controls and documentation continuously and prepare for your next assessment cycle.

CMMC Timeline & Enforcement

CMMC 2.0 Is Being Phased In Now

CMMC 2.0 was finalized as a federal rule (32 CFR Part 170, which defines the program) and is being phased into DoD contracts through the DFARS clause 252.204-7021. The rollout runs in four phases over roughly three years: self-assessments first, then Level 2 C3PAO certification requirements, then Level 3, until the requirements apply to all applicable solicitations. In practice, contract clauses are already appearing in new solicitations and renewals at increasing frequency, and the DoD has communicated a clear trajectory: CMMC requirements will be universal across applicable defense contracts.

Many contractors are already seeing CMMC requirements appear in their RFPs and contract renewals. If you are waiting for "your contract" to require it, you may find yourself without time to prepare when it does.

The typical timeline to achieve CMMC Level 2 compliance from scratch is 6 to 18 months. Starting now protects your ability to compete for contracts.

How TenGuard Security Can Help

TenGuard Security provides end-to-end CMMC support, from understanding where your organization stands today to achieving formal certification. As a Lead Certified CMMC Assessor (Lead CCA), Johnny Roye brings both the authority to conduct official assessments and the consulting expertise to help you prepare for them. Note that CMMC conflict-of-interest rules prohibit an assessor or C3PAO from certifying an organization they have advised, so preparation support and the official assessment are always separate engagements.

Whether you need a gap analysis to understand your compliance gaps, help developing your SSP and POA&M, guidance on scoping your CUI environment, or a pre-assessment review before your formal C3PAO assessment — TenGuard provides qualified, straightforward support tailored to small and mid-sized defense contractors.
