The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s program for verifying that contractors actually protect the federal information they handle. Instead of taking a vendor’s word for it, CMMC ties a contractor’s cybersecurity posture to a defined level — and increasingly makes that level a condition of contract award. If you sell IT, software, or technical services to DoD (or team under a prime that does), CMMC is shifting from “good idea” to “required to bid.” This guide walks the three CMMC 2.0 levels, the rules that put them into contracts, and the difference between being ready and being certified. It’s educational, not legal advice — always verify against the solicitation and talk to a compliance advisor before you commit.
What CMMC actually is
A way for DoD to confirm contractors protect the data they touch — before money changes hands.
CMMC exists to protect two kinds of government data on contractor systems: Federal Contract Information (FCI) — information you generate or receive in the course of a contract that isn’t meant for public release — and Controlled Unclassified Information (CUI), the more sensitive category covering things like technical drawings, controlled research, and certain logistics data.
For years, DoD relied on contractors self-attesting that they met the security requirements in their contracts. CMMC adds verification: depending on the sensitivity of the data and the level a contract calls for, you either self-assess and affirm, hire an accredited third party to assess you, or undergo a government-led assessment. The result — your “CMMC Status” — gets recorded in the DoD Supplier Performance Risk System (SPRS), the same system that already holds NIST 800-171 self-assessment scores.
CMMC 2.0, level by level
Which level applies depends on whether a contract involves FCI, CUI, or the most sensitive CUI.
Level 1: Foundational
Protects FCI. Built on the 15 basic safeguarding requirements in FAR 52.204-21 — sometimes still cited as “17 practices” from the original CMMC 1.0 model. Verified by an annual self-assessment with results affirmed in SPRS. No third party required.
Level 2: Advanced
Protects CUI. Aligned to the 110 security requirements of NIST SP 800-171 (Revision 2). Most CUI contracts require a C3PAO third-party assessment on a triennial cycle plus annual affirmation; some programs allow a Level 2 self-assessment. This is where most defense IT firms will land.
Level 3: Expert
For the most sensitive CUI and highest-priority programs. Adds selected requirements from NIST SP 800-172 on top of Level 2, and is assessed by the government (DoD), not a C3PAO. You must first hold a Level 2 (C3PAO) certification before pursuing Level 3.
A “C3PAO” is a CMMC Third-Party Assessment Organization — an accredited firm authorized to certify Level 2. BrandShyp is not a C3PAO and does not certify anyone; our role is readiness, which we explain below.
How CMMC gets into your contracts
Two separate rules make CMMC real — one defines the program, the other puts it in solicitations.
| Rule | What it does | Status |
|---|---|---|
| 32 CFR Part 170 (CMMC Program rule) | Establishes the program itself — the levels, assessment types, scoring, and the assessor ecosystem. | Final rule effective December 16, 2024. |
| 48 CFR (DFARS) acquisition rule (DFARS Case 2019-D041) | Amends DFARS to actually require a CMMC level in DoD solicitations and bar award to offerors without the required status. | Final rule effective November 10, 2025, with a phased rollout. |
DoD is phasing the acquisition requirement in over roughly three years across four phases, starting from the DFARS rule’s effective date. Early phases lean on Level 1 and Level 2 self-assessment statuses; later phases bring in C3PAO certification and Level 3 as the assessor ecosystem scales. Bottom line: whether a given solicitation requires CMMC today — and at what level — depends on the contract and where it falls in the phase-in. Read the solicitation; don’t assume.
You probably need readiness first
The two words get used interchangeably — they’re not the same thing, and the difference saves money.
Readiness
Getting your house in order: scoping the boundary where FCI/CUI lives, gap-assessing against the 110 requirements, writing a System Security Plan and POA&M, remediating, and posting an honest score in SPRS. You can do this now, on your own timeline, without waiting on a C3PAO.
Certification
A formal Level 2 assessment by an accredited C3PAO (or a government-led Level 3 assessment) that produces an official CMMC Status. It costs more, takes scheduling, and only makes sense once a contract — or your phase of the rollout — actually requires it.
For most small businesses today, the right move is readiness: be assessment-ready and have a defensible SPRS score so you can compete and team, then pursue certification when a contract demands it. Use our free SPRS score calculator to estimate where you stand against the 110 controls.
- Scope your CUI boundary so you’re not certifying your whole company by accident.
- Gap-assess all 110 NIST SP 800-171 requirements and document a realistic SSP + POA&M.
- Remediate the cheap, high-weight gaps first, then re-score and post to SPRS.
- Don’t pay for a C3PAO assessment before your contract or rollout phase requires one.
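To make "remediate the cheap, high-weight gaps first, then re-score" concrete, here is an added Python example; it is not BrandShyp's calculator or any DoD tool. It applies the DoD assessment methodology's rule that each unmet NIST SP 800-171 requirement deducts 1, 3 or 5 points from a starting score of 110; the weights and effort figures in the sample gap list are constructed placeholders, not the methodology's real values for those requirements.

```python
"""Estimate an SPRS-style score and order remediation by points recovered per day."""
from dataclasses import dataclass

# The DoD methodology starts every assessment at 110 and subtracts a weight of
# 1, 3 or 5 for each of the 110 requirements that is not fully implemented.
MAX_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Gap:
    req_id: str         # NIST SP 800-171 requirement identifier, e.g. "3.1.1"
    weight: int         # points deducted while the requirement is unmet
    effort_days: float  # constructed estimate of remediation effort


def sprs_score(gaps):
    """Return the estimated score for a list of unmet requirements."""
    ids = [g.req_id for g in gaps]
    if len(ids) != len(set(ids)):
        raise ValueError("each requirement may appear only once in the gap list")
    for g in gaps:
        if g.weight not in VALID_WEIGHTS:
            raise ValueError(f"{g.req_id}: weight must be 1, 3 or 5")
    return MAX_SCORE - sum(g.weight for g in gaps)


def remediation_order(gaps):
    """Cheap, high-weight gaps first: rank by points recovered per day of effort."""
    return sorted(gaps, key=lambda g: (-g.weight / max(g.effort_days, 0.1), -g.weight, g.req_id))


def rescored_after(gaps, closed_ids):
    """Score once the requirements in closed_ids have been remediated."""
    return sprs_score([g for g in gaps if g.req_id not in closed_ids])


# Constructed sample: weights and effort are illustrative placeholders only.
SAMPLE_GAPS = [
    Gap("3.1.1", 5, 2.0),
    Gap("3.3.1", 3, 5.0),
    Gap("3.5.3", 5, 10.0),
    Gap("3.12.1", 1, 1.0),
    Gap("3.13.11", 5, 20.0),
]

if __name__ == "__main__":
    print("current estimate:", sprs_score(SAMPLE_GAPS))
    for g in remediation_order(SAMPLE_GAPS):
        print(f"  {g.req_id:8} weight={g.weight} effort={g.effort_days}d")
    print("after closing 3.1.1 and 3.12.1:", rescored_after(SAMPLE_GAPS, {"3.1.1", "3.12.1"}))
```

Unlisted requirements are treated as implemented, so a real run needs the full 110-item gap list from your own assessment.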
Remember: an estimator or a self-assessment is a floor, not a certification. It tells you where you stand — it does not produce an official CMMC Status. When you’re ready to build a real roadmap, talk to us.