New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →
← Glossary · Compliance

CMMC

The DoD's Cybersecurity Maturity Model Certification, mandatory across the defense supply chain.

CMMC 2.0 has three levels. Level 1 covers Federal Contract Information (FCI). Level 2 covers Controlled Unclassified Information (CUI) and maps to NIST SP 800-171's 110 controls. Level 3 adds Enhanced controls from NIST 800-172.

Most DoD subcontractors handling CUI need Level 2, which usually requires third-party assessment by a C3PAO. Self-attestation is allowed for Level 1 and a limited subset of Level 2.

The CMMC final rule phases in through 2026; DoD contracts progressively add certification requirements, and primes are flowing them down early.

Related terms

See how Scarlet Risk covers CMMC.

One platform for compliance, cyber, crypto, and world-watch risk.

Schedule Live Demo