The Cybersecurity Maturity Model Certification is a DoD program that requires defense contractors to prove their cybersecurity practices meet specific standards before they can win or keep contracts. It's now law — and enforcement has begun.
Basic safeguarding of Federal Contract Information. 17 practices focused on fundamental cyber hygiene like access control, identification, media protection, physical protection, system integrity, and communications protection.
Comprehensive protection of Controlled Unclassified Information across 14 control families and 320 assessment objectives. This is where most defense contractors need to be.
Enhanced protections against Advanced Persistent Threats (APTs). Adds 24 controls on top of Level 2 for the most sensitive programs. Government-led assessment by DIBCAC.
CMMC enforcement is phased in over three years. Here's what's happening and when.
Level 1 and Level 2 self-assessments required in select contracts. DoD may also require C3PAO certifications at its discretion.
Third-party C3PAO certifications become mandatory for Level 2 contracts. Level 3 DIBCAC assessments may begin.
Level 3 DIBCAC assessments required for applicable contracts. Full enforcement across all three levels.
CMMC requirements included in all applicable DoD contracts. Complete rollout across the Defense Industrial Base.
Take the free readiness check — 8 questions, 3 minutes, instant gap analysis.
Free courses on every CMMC level and control family. Plain-English explainers with real examples.
Searchable directory of verified MSPs, C3PAOs, and consultants. Filter by state, specialty, and level.
Free templates, checklists, and guides — SSPs, POA&Ms, scoping tools, and more.