CMMC
The DoD's Cybersecurity Maturity Model Certification, mandatory across the defense supply chain.
CMMC 2.0 has three levels. Level 1 covers Federal Contract Information (FCI). Level 2 covers Controlled Unclassified Information (CUI) and maps to NIST SP 800-171's 110 controls. Level 3 adds Enhanced controls from NIST 800-172.
Most DoD subcontractors handling CUI need Level 2, which usually requires third-party assessment by a C3PAO. Self-attestation is allowed for Level 1 and a limited subset of Level 2.
The CMMC final rule phases in through 2026; DoD contracts progressively add certification requirements, and primes are flowing them down early.
Related terms
NIST 800-171
The 110-control baseline for protecting Controlled Unclassified Information (CUI).
CUI
Controlled Unclassified Information — unclassified but protected government data.
SPRS
The DoD's Supplier Performance Risk System — where your NIST 800-171 score lives.
POA&M
Plan of Action & Milestones — the roadmap for closing security control gaps.
See how Scarlet Risk covers CMMC.
One platform for compliance, cyber, crypto, and world-watch risk.
Schedule Live Demo