CMMC (Cybersecurity Maturity Model Certification)
A DoD framework requiring defense contractors to meet specific cybersecurity standards before handling federal contract information.
In-Depth
CMMC was developed by the Department of Defense to ensure that contractors in the Defense Industrial Base (DIB) protect sensitive unclassified information. The model has three levels: Level 1 (Foundational) with 17 practices, Level 2 (Advanced) aligned with NIST SP 800-171's 110 controls, and Level 3 (Expert) adding NIST SP 800-172 requirements. Starting in 2025, CMMC compliance is being phased into DoD contracts through DFARS clause 252.204-7021.
Related Terms
CUI
Government-created or -owned information that requires safeguarding controls per law, regulation, or government-wide policy, but is not classified.
FCI
Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service.
NIST SP 800-171
The NIST standard specifying 110 security requirements for protecting CUI in non-federal systems. Forms the basis of CMMC Level 2 and DFARS 252.204-7012 compliance.
DFARS
DoD-specific supplement to the FAR that implements defense acquisition policies, including cybersecurity clauses like DFARS 252.204-7012 for CUI protection.
SPRS
The Supplier Performance Risk System score (-203 to 110) reflecting a contractor's self-assessed compliance with NIST SP 800-171. Required for DoD contracts involving CUI.