CMMC — The DoD's Cybersecurity Driver's License

CMMC (Cybersecurity Maturity Model Certification) — The DoD's Cybersecurity Driver's License

CMMC is the Department of Defense's way of saying "prove your cybersecurity is real before we let you near our data" — and as of November 10, 2025, it's no longer optional.

Filed under the NerdSquad IT Dictionary: the series where we decode the alphabet soup of IT. Today's term has been looming over defense contractors for years, finally went live in late 2025, and is now triggering a wave of confused phone calls from business owners who aren't even sure whether it applies to them.

If you've heard "CMMC" tossed around and felt your eyes glaze over — or worse, gotten an email from a prime contractor asking about your "CMMC level" — this one's for you.

What does CMMC stand for?

Cybersecurity Maturity Model Certification.

  • Cybersecurity — protecting data, systems, and networks from attack
  • Maturity Model — a framework that measures how developed your cybersecurity practices are, not just whether you have a checklist
  • Certification — an actual, verifiable credential issued after assessment (not a self-declared sticker)

The "maturity" part is what makes CMMC different from a typical compliance checklist. It's not asking "do you have antivirus?" It's asking "is your entire security program operating at a level appropriate for what you're being trusted with?"

The simple way to think about it

CMMC is like a tiered driver's license system for handling DoD information.

You don't need the same license to drive a sedan as you do to drive an 18-wheeler full of hazardous materials. The vehicle is bigger, the cargo is more dangerous, and the consequences of getting it wrong are much worse — so the licensing requirements scale up accordingly.

CMMC works the same way:

  • Handling basic federal contract info? You need the equivalent of a regular driver's license — Level 1.
  • Handling Controlled Unclassified Information (CUI)? You need a commercial license — Level 2.
  • Handling high-value CUI tied to critical defense programs? You need the hazmat endorsement — Level 3.

And just like a driver's license, you can't issue it to yourself. Someone official has to verify you actually know how to drive before they hand you the keys.

A quick history: CMMC 1.0 vs. CMMC 2.0

The original CMMC, announced in 2019 and rolled out in early 2020, had five levels and was widely criticized as too complex and too expensive for small contractors. The DoD paused it in 2021, did a top-to-bottom review, and relaunched it as CMMC 2.0 in November 2021 — this time with three levels and the option for self-assessment at the lower tier.

The legal scaffolding then took years to finalize:

  • October 2024: 32 CFR Part 170 (the "program rule") published, effective December 16, 2024. This is the rule that defines the actual CMMC structure, levels, scoring, and assessment process.
  • September 2025: 48 CFR final rule (the "acquisition rule") published. This is the piece that authorizes DoD contracting officers to put CMMC requirements into actual solicitations and contracts.
  • November 10, 2025: The acquisition rule takes effect and the phased rollout begins. CMMC is no longer hypothetical.

Phase 1 of the rollout (starting Nov 10, 2025) puts Level 1 and Level 2 self-assessment requirements into new DoD solicitations and contracts; the DoD may require a Level 2 third-party certification in particular Phase 1 contracts at its discretion. Phase 2 (starting Nov 10, 2026) makes third-party Level 2 certification the norm wherever CUI is involved. Phase 3 (Nov 10, 2027) adds Level 3 requirements, and full enforcement across all applicable contracts arrives November 10, 2028.

The DoD estimates 338,000 contractors are affected — including roughly 230,000 small businesses. If you're a small shop that thought CMMC was a "big defense contractor" problem, the math says otherwise.

The three levels of CMMC 2.0

Level 1 — Foundational (Self-Assessed)

  • Audience: contractors handling Federal Contract Information (FCI) — basically, any info generated for or provided under a federal contract that isn't intended for public release.
  • Estimated affected contractors: ~210,000 (the vast majority).
  • Requirements: the 15 basic safeguarding requirements of FAR 52.204-21 (think: passwords, antivirus, limiting access to authorized users). Every one of them must be fully met; Level 1 allows no plan of action for open items.
  • Assessment: annual self-assessment entered in SPRS, with an annual affirmation by a senior company official.
  • Driver's license analogy: standard Class E. Anyone can get one, but you still have to take the test honestly.

Level 2 — Advanced (Self-Assessed or Third-Party Assessed)

  • Audience: contractors handling Controlled Unclassified Information (CUI) — sensitive but unclassified info like technical drawings, specifications, or personnel data.
  • Requirements: the 110 security requirements of NIST SP 800-171 Revision 2 (the same standard contractors have been contractually obligated to implement since the end of 2017 under DFARS 252.204-7012).
  • Assessment: triennial, with an annual affirmation in between. Most contracts involving CUI will require a C3PAO (Certified Third-Party Assessment Organization) assessment; contracts the DoD designates as Level 2 (Self) allow a self-assessment.
  • Driver's license analogy: commercial driver's license. Bigger vehicle, more responsibility, a real test administered by a real examiner.

Level 3 — Expert (Government-Assessed)

  • Audience: contractors working with high-value CUI on critical DoD programs.
  • Requirements: all of Level 2's 110 controls plus 24 selected requirements from NIST SP 800-172 (advanced protections against advanced persistent threats). A current Level 2 C3PAO certification is a prerequisite.
  • Assessment: triennial assessment conducted by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center). In other words, the government does it directly, not a third party.
  • Driver's license analogy: CDL with hazmat endorsement. Background-checked, retested, scrutinized.

Who actually needs CMMC?

Short version: if you're in the DoD supply chain — even three or four layers down — you need CMMC.

This trips up a lot of small businesses. You might not have a direct DoD contract, but if you're a subcontractor (or a sub-sub-contractor) supplying parts, services, software, IT support, or even printing for a company that does have a DoD contract, you may be obligated to meet the level your prime is required to meet.

The general rule:

  • Handle FCI? Level 1 minimum.
  • Handle CUI? Level 2 minimum.
  • Work on flagged high-priority defense programs? Level 3.

If you're not sure what category your data falls into, that's the first conversation to have — because the level you need dictates everything else about your IT environment.

Why CMMC matters even if you're not a defense contractor

A few reasons this matters beyond the DIB:

  • Federal frameworks tend to spread. NIST 800-171 was written for any nonfederal system handling CUI, but it was DoD contracts (via DFARS 252.204-7012) that first gave it teeth. It now shows up in non-DoD federal contracts, state government RFPs, cyber insurance applications, and large enterprise vendor questionnaires. CMMC will follow the same path.
  • Supply chain creep is real. If your largest customer is in defense, manufacturing, aerospace, or critical infrastructure, expect CMMC-style requirements to flow downhill to you eventually.
  • CMMC is built on NIST 800-171, which is built on the broader NIST library. If you're already trying to align with the NIST Cybersecurity Framework, most of the foundational work overlaps.

In other words: CMMC is the first federal cybersecurity regime with real teeth. It won't be the last.

What the assessment process actually looks like

For Level 2 (the level most contractors will land on), the process roughly goes:

  1. Scope your environment. Figure out exactly where CUI lives, who touches it, and what systems process it. This is where most contractors realize their environment is bigger and messier than they thought.
  2. Build or document your System Security Plan (SSP). A written description of how you meet each of the 110 controls.
  3. Run a gap assessment. Compare what you actually do to what NIST 800-171 requires. Document every gap.
  4. Remediate. Close the gaps — sometimes with new technology, often with new policies, procedures, and training.
  5. Self-assess or schedule a C3PAO assessment. Depending on the contract, you either submit a self-assessment score to SPRS (the DoD's Supplier Performance Risk System) or hire a Certified Third-Party Assessment Organization to assess you. At Level 2 you can pass conditionally with open items on a Plan of Action and Milestones (POA&M) only if your score is at least 88 out of 110 and the open items are limited to low-weight requirements; the POA&M must then be closed out within 180 days or the conditional status lapses.
  6. Maintain continuously. CMMC is not a one-and-done. You're attesting to ongoing compliance for the life of the contract, and you have to notify contracting officials when significant changes happen to your in-scope systems.

Most organizations need 6 to 12 months of prep before they're ready for a third-party assessment. Starting later than that is a common (and expensive) mistake.
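The scoring step is the one part of this process that is pure arithmetic, and it is worth seeing worked through. The block below is an added example written for this article; it is not code from the original post, from NerdSquad, or from any DoD tool. It applies the DoD Assessment Methodology as the editor understands it: start at 110, subtract each unmet requirement's weight (1, 3, or 5 points), give partial credit on 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption), then apply the 32 CFR 170.21 conditions for a conditional Level 2 result. The WEIGHTS table is an illustrative, hand-copied subset of the real 110-item table, and the sample statuses are constructed; verify every weight against the current methodology before relying on the numbers.

```python
"""SPRS-style score and POA&M eligibility for a NIST SP 800-171 Level 2 assessment.

Added example for this article (not DoD or NerdSquad code). Assumptions are
marked inline; the weight table is an illustrative subset only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TOTAL_POINTS = 110
CONDITIONAL_MINIMUM = 88       # 80% of 110, the floor for conditional status
POAM_CLOSEOUT_DAYS = 180       # conditional status lasts 180 days

# Illustrative subset of the DoD Assessment Methodology weights, hand-copied
# by the editor. NOT the full 110-item table; verify before use.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.3": 1, "3.5.3": 5, "3.5.7": 1, "3.5.8": 1,
    "3.10.3": 1, "3.13.11": 5, "3.14.2": 5,
}
# Two requirements allow partial credit: deduct 3 instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Requirements that 32 CFR 170.21 never allows on a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass
class Scorecard:
    score: int
    deductions: dict = field(default_factory=dict)
    poam_eligible: bool = False
    blockers: list = field(default_factory=list)


def score_assessment(statuses, weights=WEIGHTS):
    """statuses maps requirement id -> 'met' | 'partial' | 'not_met'.

    Requirements absent from statuses are treated as met. Returns the SPRS
    score plus whether the open items could legally sit on a POA&M.
    """
    deductions, blockers = {}, []
    for req, status in statuses.items():
        if req not in weights:
            raise KeyError(f"no weight on file for {req}; extend WEIGHTS")
        if status == "met":
            continue
        if status == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req} does not allow partial credit")
            deductions[req] = PARTIAL_DEDUCTION[req]
        elif status == "not_met":
            deductions[req] = weights[req]
        else:
            raise ValueError(f"unknown status {status!r} for {req}")

        # Per-item POA&M rules: some items may never be deferred, and only
        # 1-point items (plus 3.13.11 at partial credit) may be on the plan.
        if req in NEVER_ON_POAM:
            blockers.append(f"{req} may never be placed on a POA&M")
        elif weights[req] > 1 and not (req == "3.13.11" and status == "partial"):
            blockers.append(f"{req} is a {weights[req]}-point requirement and cannot be deferred")

    score = TOTAL_POINTS - sum(deductions.values())
    if score < CONDITIONAL_MINIMUM:
        blockers.append(f"score {score} is below the {CONDITIONAL_MINIMUM} minimum")
    return Scorecard(score, deductions, not blockers, blockers)


def poam_closeout_deadline(conditional_on: date) -> date:
    """Last day to close the POA&M after a conditional result on conditional_on."""
    return conditional_on + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed sample: encryption in place but not FIPS-validated, two
    # password-policy gaps, everything else met.
    card = score_assessment({"3.13.11": "partial", "3.5.7": "not_met", "3.3.3": "not_met"})
    print(card.score, card.poam_eligible, card.blockers)
    # Same shop, but MFA only partly rolled out: a high score is still blocked.
    card = score_assessment({"3.5.3": "partial", "3.5.7": "not_met"})
    print(card.score, card.poam_eligible, card.blockers)
    print(poam_closeout_deadline(date(2026, 1, 15)))
```

The second sample is the case that surprises people: a score of 106 still cannot be certified conditionally, because a partially implemented 5-point requirement like MFA is not something the rule lets you defer. The only way to use a POA&M is to have every open item be a 1-point requirement (or 3.13.11 at partial credit) and none of the five requirements the rule names as never deferrable.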

The cheat sheet

  • CMMC = the DoD's tiered cybersecurity certification program for contractors.
  • Three levels: Foundational (FCI), Advanced (CUI), Expert (high-value CUI).
  • Built on NIST 800-171 (and 800-172 at the top tier).
  • Effective November 10, 2025, with full enforcement by November 10, 2028.
  • Self-assessment is allowed at Level 1 permanently (annually, with an executive affirmation). At Level 2 it is the default during Phase 1, but once Phase 2 kicks in on November 10, 2026 most Level 2 contracts will require a third-party (C3PAO) assessment; self-assessment survives only where the DoD designates a contract as Level 2 (Self).
  • No certification, no contract. If you can't show the right level when a contract is awarded, you're ineligible.

How we approach this

NerdSquad isn't a C3PAO — we don't perform the formal assessment that issues your certification. What we do is the work that gets you ready for one (and keeps you compliant afterward).

That looks like: scoping your CUI environment, building and maintaining the System Security Plan, implementing the controls NIST 800-171 actually requires (access management, audit logging, FIPS-validated encryption, incident response, secure backup) with the tooling that makes them stick (endpoint detection and response, zero trust network design), training your team, and producing the documentation an assessor will actually want to see.

We've done this kind of work for financial services firms, medical practices, and other regulated environments across South Florida for years. The regulator changes — the discipline doesn't. If you're a small-to-mid-sized contractor staring down a CMMC deadline and not sure where to start, that's a conversation worth having before Phase 2 turns the screws.

Got questions?