CMMC
Cybersecurity Maturity Model Certification is a US Department of Defense framework for verifying that contractors protect Federal Contract Information and Controlled Unclassified Information.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense framework for verifying the cybersecurity posture of contractors in the Defense Industrial Base. CMMC 2.0 (the current version; the program rule at 32 CFR Part 170 was finalized in October 2024 and took effect in December 2024) organizes requirements into three levels: Level 1 (basic: annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, for Federal Contract Information only), Level 2 (advanced: the 110 security requirements of NIST SP 800-171, assessed by a certified third-party assessment organization for most contracts, with self-assessment permitted for a subset), and Level 3 (expert: Level 2 plus selected enhanced requirements from NIST SP 800-172, assessed by the government's DCMA DIBCAC).
Who needs it
Any prime or subcontractor that processes, stores, or transmits Federal Contract Information (Level 1) or Controlled Unclassified Information (Level 2 or 3) on a DoD contract. The requirement flows down: a prime must ensure each subcontractor holds the level appropriate to the information it receives. Phase-in began with select contracts in 2025 and ramps over roughly three years, with the requirement in essentially all applicable solicitations by 2028. AI vendors selling to DoD primes need Level 1 if they only receive FCI and at least Level 2 if they receive CUI; Level 3 applies only where the contract specifies it. CMMC is binary at the contract level: the required CMMC status must be on record at the time of award, so a vendor without it is not eligible for that award.
Buyer-side checks
Ask the vendor: which CMMC level they hold and whether it is a self-assessment or a third-party certification, the C3PAO (authorized third-party assessor) that issued the certification, the assessment date and expiration, the assessed system boundary, and whether that boundary covers the specific service you will be procuring. Note that a Level 2 certificate for one enclave says nothing about a product hosted outside it. CMMC status is recorded in SPRS (Supplier Performance Risk System), which is not publicly searchable, so ask the vendor for the certificate or its unique identifier rather than relying on a verbal claim; the CMMC Marketplace lists authorized C3PAOs, which lets you confirm the assessor named on the certificate is legitimate. For a cloud service that will store or process CUI on your behalf, the relevant bar is FedRAMP Moderate authorization (or equivalence) under DFARS 252.204-7012 rather than a CMMC certificate for the provider; the two overlap substantially but are not equivalent, and a provider's FedRAMP status does not substitute for your own CMMC status.