Cyber guide
What Is CMMC 2.0? The DoD Cybersecurity Compliance Guide for Defense Contractors
CMMC is the Defense Department's framework for verifying that contractors protect sensitive unclassified information. The right level depends on the information and systems named in a solicitation or contract.

What CMMC is — and what it verifies
The Cybersecurity Maturity Model Certification program is the Department of Defense framework for assessing whether a contractor has implemented the safeguards required for Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The program rule lives in 32 CFR part 170; contract clauses make a required CMMC status an award and performance condition when a solicitation includes it. [1][2]
CMMC does not replace the underlying security requirements. It adds a defined assessment and affirmation mechanism so DoD can verify that the required safeguards are operating in the contractor information systems that will process, store, or transmit FCI or CUI. [1]
FCI, CUI, and the boundary that matters
FCI is information provided by or generated for the government under a contract that is not intended for public release. CUI is unclassified information that law, regulation, or government-wide policy requires to be handled with safeguarding or dissemination controls. A company should identify which systems, people, cloud services, and external providers actually touch that information before defining its CMMC assessment scope. [1]
The required level is not chosen by a consultant or by the contractor alone. The program office or requiring activity identifies the CMMC level for the solicitation, and the contracting officer verifies the corresponding current status in the Supplier Performance Risk System before award. [2]
The three CMMC levels
Level 1 addresses basic safeguarding of FCI and uses an annual self-assessment with an annual affirmation. Level 2 protects CUI through the 110 security requirements in NIST SP 800-171 Revision 2; the solicitation determines whether the applicable status is a self-assessment or a C3PAO certification assessment. Level 3 adds selected enhanced safeguards and a government assessment by the Defense Industrial Base Cybersecurity Assessment Center. [1][3]
Some Level 2 and Level 3 assessments may initially produce a conditional status when the rule permits a limited plan of action and milestones. The remaining items must be closed within the program's allowed period; a conditional status is not an indefinite substitute for implementing the required safeguards. [1][2]
CMMC 2.0 versus NIST SP 800-171
NIST SP 800-171 defines security requirements for protecting CUI in nonfederal systems. CMMC Level 2 uses the Revision 2 requirements incorporated into the CMMC program rule, then adds assessment, status, affirmation, and contractual enforcement. A NIST implementation project and a CMMC assessment therefore overlap, but they are not interchangeable labels. [3][1]
A practical contractor preparation sequence
Start with the solicitation and contract clauses, identify the information type and required CMMC status, draw the system boundary, and verify every in-scope requirement against evidence. Record gaps in a system security plan and use a plan of action only where the applicable rules allow one; then confirm the assessment result and affirmation are current in SPRS before the award decision. [2][1]
The LongLead connection
How LongLead AI helps
LongLead AI reads dated public records and surfaces projects that may create demand for a specialist's scope, typically 12–24 months before that scope is named depending on the signal and project. Every opportunity carries its source and an estimated lead-time window. LongLead prepares a cited evidence dossier naming the likely counterparty; the customer makes the call from its own channels, and nothing leaves the system.
Official sources
- [1]Cybersecurity Maturity Model Certification Program, 32 CFR part 170Department of Defense / Federal Register
- [2]DFARS subpart 204.75 — Cybersecurity Maturity Model CertificationAcquisition.gov
- [3]NIST SP 800-171 Revision 2, including January 2021 updateNational Institute of Standards and Technology
FAQ
- What is CMMC?
- CMMC is the Department of Defense program for assessing whether contractors have implemented required safeguards for FCI and CUI. A solicitation identifies the level and status required for the systems used on that contract.
- What does CMMC stand for?
- CMMC stands for Cybersecurity Maturity Model Certification. The current program uses three levels tied to the sensitivity of information handled by contractor systems.
- What is CMMC 2.0?
- CMMC 2.0 is the current three-level version of the DoD verification program codified in 32 CFR part 170. It combines self-assessments, third-party assessments, government assessments, and recurring affirmations according to the required level.
- What is the difference between CMMC and NIST 800-171?
- NIST SP 800-171 defines security requirements, while CMMC defines how DoD assesses and enforces implementation for covered contracts. CMMC Level 2 currently incorporates the Revision 2 requirements.
- What CMMC level do I need?
- You need the CMMC level and assessment type stated in the applicable DoD solicitation or contract. The answer depends on whether your in-scope systems process FCI, CUI, or information requiring enhanced protection.