CMMC Cybersecurity Maturity Model Certification.

CMMC is the cybersecurity maturity model the US Department of Defense imposes on its contractors handling federal contract information and controlled unclassified information. CMMC 2.0 collapsed to three levels (Foundational, Advanced, Expert) aligned with NIST SP 800-171 and 800-172. If you sell to the DoD or sit in their supply chain, you are in scope.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyEU regulationsAll entries

The Cyber Academy take

CMMC is the cybersecurity maturity model the US Department of Defense imposes on its contractors handling federal contract information and controlled unclassified information. CMMC 2.0 collapsed to three levels (Foundational, Advanced, Expert) aligned with NIST SP 800-171 and 800-172. If you sell to the DoD or sit in their supply chain, you are in scope.

What CMMC actually changes for a contractor

For years the US Department of Defense told its suppliers to protect sensitive information and trusted them to do it. Contractors self-attested that they met the required safeguards, and the gap between what was claimed and what was implemented only surfaced after a breach. CMMC closes that gap by turning the existing protection requirements into a verifiable certification. The substance of the controls did not change as much as the burden of proof did: where you once signed a statement, you now hold a certification that an assessment confirms your practices are actually in place. If you handle Federal Contract Information or Controlled Unclassified Information anywhere in the DoD supply chain, this is the mechanism that decides whether you can keep bidding.

The model matters far beyond US borders. European suppliers that subcontract to American primes, manufacture defence components, or process CUI on behalf of a DoD program inherit the same obligation. CMMC is not a framework you choose to adopt for good hygiene; it is a contractual gate. No certification at the level your contract demands, no award. That is what separates it from a voluntary maturity model and puts it in the same practical category as a regulatory requirement: compliance is the price of market access.

The three levels and what sits under them

CMMC 2.0 streamlined an earlier five-level scheme into three, each tied to the sensitivity of the data you handle and to an existing NIST baseline. Level 1 (Foundational) covers the basic safeguarding of Federal Contract Information and is built on the practices in the federal acquisition rules, verified by annual self-assessment. Level 2 (Advanced) protects Controlled Unclassified Information and aligns directly with NIST SP 800-171, the catalogue of controls already required of contractors handling CUI; depending on the contract it is confirmed by a third-party assessment. Level 3 (Expert) is for the most sensitive programs and layers in the enhanced requirements of NIST SP 800-172 to defend against advanced persistent threats, assessed by the government itself.

CMMC 2.0 levels
LevelData protectedBaselineAssessment
Level 1 — FoundationalFederal Contract Information (FCI)Basic safeguarding requirementsAnnual self-assessment
Level 2 — AdvancedControlled Unclassified Information (CUI)NIST SP 800-171Third-party (or self) assessment
Level 3 — ExpertHigh-value CUI, APT exposureNIST SP 800-171 plus 800-172Government-led assessment

The key insight is that CMMC does not invent new controls so much as it enforces ones contractors were already obligated to meet. A supplier that has genuinely implemented NIST SP 800-171 is most of the way to Level 2; the work that remains is producing the evidence, closing the practices that were assumed but never operationalised, and surviving an assessment by someone who is not you.

Where CMMC sits next to NIS2 and ISO 27001

It is easy to file CMMC, NIS2, and ISO 27001 in the same drawer, but they answer different questions. ISO 27001 certifies that you run a risk-based information security management system; it is voluntary, international, and indifferent to whose data you hold. NIS2 is European law that imposes security and incident-reporting duties on essential and important entities across critical sectors. CMMC is narrower and more specific: a US government procurement requirement aimed at one supply chain, mapped to fixed NIST control sets rather than to your own risk assessment. An organisation already certified to ISO 27001 will have built management discipline that makes a CMMC effort easier, but the certifications are not interchangeable and one does not satisfy the other.

Frequently asked questions

01Who has to comply with CMMC?

Any organisation in the US Department of Defense supply chain that handles Federal Contract Information or Controlled Unclassified Information, including non-US subcontractors to American primes. The required level is written into the contract.

02What is the difference between CMMC and NIST SP 800-171?

NIST SP 800-171 is the catalogue of controls for protecting CUI. CMMC is the certification mechanism that verifies those controls are actually implemented. Level 2 of CMMC is built directly on NIST SP 800-171.

03How many levels does CMMC 2.0 have?

Three: Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert). The earlier model had five levels; CMMC 2.0 consolidated them and aligned each with an existing NIST baseline.

04Does ISO 27001 certification satisfy CMMC?

No. They are separate schemes. ISO 27001 certifies a risk-based management system, while CMMC verifies specific NIST control sets for the DoD supply chain. ISO 27001 maturity helps, but it does not substitute for a CMMC assessment.

05Can I still self-assess under CMMC 2.0?

Level 1 is verified by annual self-assessment, and some Level 2 contracts allow it, but the more sensitive Level 2 work and all of Level 3 require independent or government-led assessment.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.