What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It's a Department of Defense (DoD) program that requires defense contractors to meet specific cybersecurity standards before they can bid on or perform DoD contracts.
Before CMMC, contractors could self-attest their cybersecurity compliance — essentially checking their own homework. The problem? DoD assessments found that the vast majority of contractors claiming compliance weren't actually meeting the requirements. For most contracts involving CUI, CMMC replaces self-attestation with verified assessments conducted by independent third-party organizations called C3PAOs (CMMC Third-Party Assessment Organizations); Level 1 and a subset of Level 2 contracts keep a self-assessment, but now with an annual affirmation by a senior company official.
Who Needs CMMC Certification?
If your organization handles DoD contracts or is part of the Defense Industrial Base (DIB) supply chain, you likely need CMMC certification. This includes:
- Prime contractors — Companies that contract directly with the DoD
- Subcontractors — Companies that supply goods or services to prime contractors
- Supply chain vendors — Any organization that processes, stores, or transmits CUI or FCI
Approximately 220,000 defense contractors need CMMC certification. CMMC requirements are being phased into DoD contracts — if you don't have the required certification level when a contract requires it, you won't be eligible to bid.
The Three CMMC Levels
CMMC 2.0 simplified the original five-level model into three levels, each building on the previous:
Level 1 — Foundational
For organizations handling Federal Contract Information (FCI) only.
- 15 basic cybersecurity practices from FAR 52.204-21
- Annual self-assessment (no third-party audit)
- Covers basic cyber hygiene: passwords, antivirus, access control
Level 2 — Advanced (most common)
For organizations handling Controlled Unclassified Information (CUI).
- All 110 NIST SP 800-171 Revision 2 security practices
- Third-party assessment by an authorized C3PAO for most CUI contracts; a subset of Level 2 contracts with less sensitive CUI allow a self-assessment instead
- Triennial certification with annual affirmations
- Covers the 14 NIST SP 800-171 requirement families: Access Control, Audit and Accountability, Incident Response, and more
Level 3 — Expert
For organizations handling the most sensitive CUI (high-value assets, advanced persistent threats).
- All Level 2 requirements plus 24 selected requirements from NIST SP 800-172
- Government-led assessments (DCMA DIBCAC)
- Designed for programs with nation-state threat exposure
Key Terms You Need to Know
CUI (Controlled Unclassified Information)
Information the government creates or possesses that requires safeguarding — technical drawings, specifications, test results, etc.
FCI (Federal Contract Information)
Information provided by or generated for the government under contract, not intended for public release.
C3PAO
CMMC Third-Party Assessment Organization — an independent assessor authorized by the CMMC Accreditation Body (the Cyber AB) to conduct CMMC Level 2 assessments.
SSP (System Security Plan)
A document describing your security controls, how they're implemented, and the boundaries of your information system. Bedrock CMMC generates your SSP directly from your control implementations.
POA&M (Plan of Action & Milestones)
A document tracking security weaknesses and your remediation plan with target completion dates. Bedrock CMMC includes a built-in POA&M tracker with status workflows and deadline monitoring.
SPRS Score
Your Supplier Performance Risk System score (-203 to 110), produced under the NIST SP 800-171 DoD Assessment Methodology and reflecting how many of the 110 requirements you have implemented. A current score must be posted in SPRS before award of any contract carrying DFARS 252.204-7019/7020.
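To make the SPRS score definition concrete (and the "calculates your SPRS score" step of the gap assessment below), here is how the DoD Assessment Methodology arrives at a number between -203 and 110: each of the 110 requirements carries a weight of 5, 3 or 1 (313 points in total), every NOT MET requirement deducts its weight from 110, two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) allow a reduced deduction of 3 for partial implementation, and an organization with no System Security Plan (3.12.4) gets no score at all. This is an added example, not Bedrock CMMC's code; the weight table is an illustrative subset of the real 110-row table (the full weights are in Annex A of the methodology and must be used for a reportable score) and the assessment results are constructed.

```python
"""SPRS scoring per the NIST SP 800-171 DoD Assessment Methodology.

Added example (not Bedrock CMMC code). WEIGHTS is an illustrative subset:
a reportable score needs all 110 requirements and their Annex A weights.
"""

MAX_SCORE = 110   # every requirement MET
MIN_SCORE = -203  # every requirement NOT MET (the 110 weights sum to 313)

# Points deducted when a requirement is NOT MET (subset, assumed from Annex A;
# verify against the published methodology before relying on it).
WEIGHTS = {
    "3.1.1": 5,    # Limit system access to authorized users
    "3.1.2": 5,    # Limit access to authorized transactions and functions
    "3.1.20": 1,   # Verify and control connections to external systems
    "3.1.22": 1,   # Control CUI posted on publicly accessible systems
    "3.5.3": 5,    # Multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # Malicious code protection
}

# Reduced deductions the methodology allows: MFA in place for remote and
# privileged users but not general users (3.5.3); encryption in use but not
# FIPS-validated (3.13.11). No other requirement gets partial credit.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

SSP_REQUIREMENT = "3.12.4"  # without an SSP the methodology produces no score

VALID_STATUSES = {"MET", "NOT MET", "PARTIAL", "N/A"}


def deduction_for(req, status, weights=WEIGHTS):
    """Points deducted for one requirement given its assessment status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status in ("MET", "N/A"):  # a justified N/A counts as implemented
        return 0
    if status == "PARTIAL":
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req}: no partial-credit rule; record MET or NOT MET")
        return PARTIAL_DEDUCTION[req]
    return weights[req]  # NOT MET: full weight


def sprs_score(results, weights=WEIGHTS):
    """110 minus the weighted deductions for every NOT MET / PARTIAL requirement.

    `results` maps requirement id -> status. A requirement present in
    `weights` but absent from `results` is treated as NOT MET: an
    unassessed requirement earns no credit.
    """
    if results.get(SSP_REQUIREMENT, "NOT MET") != "MET":
        raise ValueError("3.12.4 NOT MET: without an SSP no score can be produced")
    total = sum(deduction_for(req, results.get(req, "NOT MET"), weights)
                for req in weights)
    return max(MAX_SCORE - total, MIN_SCORE)


def gaps(results, weights=WEIGHTS):
    """NOT MET / PARTIAL requirements, largest deduction first (POA&M order)."""
    rows = []
    for req in weights:
        status = results.get(req, "NOT MET")
        points = deduction_for(req, status, weights)
        if points > 0:
            rows.append((points, req, status))
    return sorted(rows, reverse=True)


# Constructed assessment results for the subset above (not real data).
SAMPLE_RESULTS = {
    "3.12.4": "MET",
    "3.1.1": "MET",
    "3.1.2": "MET",
    "3.1.20": "NOT MET",
    "3.1.22": "N/A",       # no publicly accessible systems carry CUI
    "3.5.3": "PARTIAL",    # MFA only for remote and privileged accounts
    "3.13.11": "NOT MET",  # TLS with non-validated crypto module, no partial claim
    "3.14.2": "MET",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_RESULTS))
    for points, req, status in gaps(SAMPLE_RESULTS):
        print(f"  -{points}  {req}  {status}")
```

Two behaviours worth noticing: an unassessed requirement is scored as NOT MET rather than skipped, so a half-finished gap assessment cannot inflate the number, and the function refuses to produce any score when 3.12.4 is not met, which is exactly what the methodology says about a missing SSP.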
How to Get Started with CMMC
Determine your required CMMC level
Check your contracts for DFARS clauses: 252.204-7012 means you handle CUI, 252.204-7019/7020 require a posted SPRS score, and 252.204-7021 states the CMMC level required. If you handle CUI, you'll likely need Level 2. FCI only? Level 1 may suffice.
Conduct a gap assessment
Evaluate your current cybersecurity posture against the required practices. Identify which controls you've implemented and which have gaps. Bedrock CMMC shows your MET/NOT MET status across all 14 domains and calculates your SPRS score automatically.
Remediate gaps and document controls
Implement missing controls, collect evidence, and build your SSP and POA&M. This is where compliance software like Bedrock CMMC accelerates the process.
Schedule your C3PAO assessment
For Level 2, you'll need a certified C3PAO to conduct your assessment. The Bedrock C3PAO Marketplace connects you directly with available assessors.
Get certified and maintain compliance
After passing your assessment, you receive your CMMC certification. Level 2 certification is valid for 3 years with annual affirmations required.
Frequently Asked Questions
What is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors have adequate cybersecurity practices to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It replaces self-attestation with verified assessments.
Who needs CMMC certification?
Any company that handles DoD contracts or is part of the Defense Industrial Base (DIB) supply chain needs CMMC certification. This includes prime contractors, subcontractors, and any organization that processes, stores, or transmits CUI or FCI. Approximately 220,000 defense contractors are affected.
What are the CMMC levels?
CMMC has three levels: Level 1 (Foundational) requires 15 basic cybersecurity practices with annual self-assessment. Level 2 (Advanced) requires all 110 NIST SP 800-171r2 practices, with third-party assessment by a C3PAO for most CUI contracts and a self-assessment for a subset of them. Level 3 (Expert) adds 24 selected NIST SP 800-172 requirements with government-led assessments.
How long does CMMC certification take?
Timeline varies based on your current cybersecurity posture. Organizations starting from scratch typically need 12-18 months to implement all controls and prepare for assessment. Those with existing NIST 800-171 compliance may need 3-6 months for gap remediation and assessment preparation.
What is the difference between CMMC and NIST 800-171?
NIST SP 800-171 defines the 110 security requirements. CMMC is the certification framework that verifies you've actually implemented those requirements. Previously, contractors could self-attest to NIST 800-171 compliance. For most contracts involving CUI, CMMC requires third-party verification through a C3PAO assessment; where a self-assessment is still allowed, a senior official must now affirm it annually.
What happens if I don't get CMMC certified?
Without CMMC certification at the required level, you will not be eligible to bid on or perform DoD contracts that require it. As CMMC requirements roll into more contracts, uncertified contractors will be unable to participate in the defense supply chain.