CMMC (Cybersecurity Maturity Model Certification): What DoD Contractors Must Know in 2025
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. Department of Defense (DoD) to ensure that all contractors in the Defense Industrial Base (DIB) meet appropriate levels of cybersecurity when handling Controlled Unclassified Information (CUI) or participating in federal defense contracts.
As cyber threats against defense suppliers grow more sophisticated, CMMC ensures that DoD partners, from large defense contractors to small subcontractors, follow consistent, enforceable cybersecurity practices across the supply chain.
What This Guide Covers
- What CMMC is and why it matters
- Who needs to comply
- Role of penetration testing in CMMC
What Is CMMC?
CMMC is a tiered certification framework designed to assess and verify an organization’s ability to protect sensitive federal information. It combines existing security standards (such as NIST SP 800-171) with additional maturity requirements based on the criticality of the information handled.
CMMC 2.0, the most current version, simplifies the model to three certification levels and aligns more closely with federal cybersecurity policy.
CMMC 2.0 – Certification Levels
CMMC Level 1 – Foundational
Who It’s For
- Contractors handling Federal Contract Information (FCI)
- Applies to organizations that do not process or store Controlled Unclassified Information (CUI)
- Common among small to mid-sized DoD subcontractors and vendors
Requirements
- Implementation of 17 basic cybersecurity practices
- Based on FAR 52.204-21 (Safeguarding FCI clause)
- Covers areas like:
  - Access control
  - User identification and authentication
  - Physical system protection
  - Basic system configuration
Assessment Process
- Requires an annual self-assessment
- Must be attested by a senior company official
- Results submitted to the Supplier Performance Risk System (SPRS)
Purpose
- Establishes basic cyber hygiene across the defense supply chain
- Ensures even non-CUI handlers have minimum security protections
CMMC Level 2 – Advanced
Who It’s For
- Contractors and subcontractors handling Controlled Unclassified Information (CUI)
- Applies to most organizations supporting DoD programs with sensitive data requirements
Requirements
- Must fully implement the 110 security controls outlined in NIST SP 800-171
- Covers areas such as:
  - Access control
  - Incident response
  - System auditing
  - User authentication
  - Security monitoring
Assessment Process
- Most companies will need a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization)
- Self-assessments may be permitted in limited cases (non-prioritized acquisitions only)
Purpose
- Protects CUI from nation-state threats and insider risks
- Ensures contractors demonstrate a mature, documented, and repeatable cybersecurity program
CMMC Level 3 – Expert
Who It’s For
- Contractors and subcontractors supporting DoD’s most sensitive national security programs
- Organizations working with high-value assets or highly classified environments
Requirements
- Builds on Level 2, requiring full implementation of all NIST SP 800-171 controls (110 total)
- Adds enhanced cybersecurity protections from NIST SP 800-172, including:
  - Advanced persistent threat (APT) defenses
  - Enhanced threat hunting and anomaly detection
  - Insider threat monitoring and response
- Designed for a “high assurance” environment
Oversight and Certification
- Third-party assessments will be supplemented by DoD-led audits and continuous monitoring
- Certification framework is still being finalized by the DoD as of 2025
- Expected to apply to a narrow group of top-tier contractors
Key Requirements
Documented Practices and Procedures
Organizations must maintain clear, formal documentation describing how they implement each required security control. This includes:
- Written security policies
- Standard operating procedures (SOPs)
- Incident response and system maintenance workflows
This documentation is used as evidence during assessments and is a key maturity indicator at Levels 2 and 3.
Implementation of Technical and Administrative Controls
CMMC Level 2 requires full implementation of the 110 security controls outlined in NIST SP 800-171. These include:
- Access control (who can access systems and data)
- System and communications protection (e.g., encryption)
- Configuration management, audit logging, and incident response
Controls must be actively in use, not just planned or documented.
At Level 3 (forthcoming), additional advanced protections from NIST SP 800-172 will be required.
Third-Party Assessments (C3PAOs)
For most Level 2 and all Level 3 contracts, companies must undergo an official audit performed by a CMMC Third-Party Assessment Organization (C3PAO). These assessments verify:
- Control implementation
- Policy documentation
- Staff awareness and training
- Incident handling capability
Successful completion results in a formal CMMC certificate, valid for three years.
Annual Self-Assessments
Some Level 1 and select Level 2 contractors may be permitted to complete annual self-assessments, depending on contract type. These must:
- Follow a standardized DoD methodology
- Include a score submitted to the Supplier Performance Risk System (SPRS)
- Be signed off by a senior official
Even for self-assessments, proper documentation and demonstrated implementation are required.
Who Needs CMMC?
CMMC applies to all organizations within the Department of Defense (DoD) supply chain, regardless of size or role. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a DoD contract, you will need to meet the appropriate CMMC level.
Prime contractors and subcontractors
All tiers of contractors participating in DoD projects, including subcontractors and small businesses, must achieve CMMC certification. Compliance is required at the time of contract award.
Cloud service providers supporting DoD workloads
CSPs that store, process, or transmit DoD data must comply with CMMC, typically at Level 2 or higher. This includes providers offering IaaS, PaaS, or SaaS models for defense-related workloads.
MSPs and MSSPs handling CUI
Any MSP or MSSP with access to systems containing CUI, or supporting clients under DoD contracts, must also meet the applicable CMMC level. This ensures secure management of client environments.
Software vendors and integrators supplying to DoD programs
Companies delivering software or integrating solutions into DoD infrastructure must secure both their development environments and the software supply chain. CMMC ensures these vendors uphold federal cybersecurity standards.
Research institutions and academic partners receiving DoD funding
Universities, research labs, and academic institutions receiving DoD funding or grants (such as through DARPA, DTRA, or ONR) must also comply, especially when handling sensitive research classified as CUI.
Penetration Testing and CMMC
While CMMC is not a penetration-testing framework, regular testing plays a critical role in demonstrating control effectiveness and cyber maturity, especially for organizations aiming for Level 2 or Level 3 certification.
Why It Matters:
- Verifies NIST 800-171 Controls: confirms that required technical safeguards (e.g., access controls, logging, encryption) are properly implemented and effective.
- Demonstrates Ongoing Risk Management: shows assessors that you’re proactively identifying and remediating real-world threats, not just checking boxes.
- Supports Third-Party Assessment Readiness: helps build audit-ready documentation that validates your security posture ahead of C3PAO reviews.
- Reduces Risk of Findings: identifies and resolves vulnerabilities early, minimizing delays or corrective actions during certification.
How CMMC Maps to Other Frameworks
NIST SP 800-171
CMMC Level 2 directly maps to all 110 controls in NIST SP 800-171, making it the foundation for protecting Controlled Unclassified Information (CUI) in non-federal systems.
NIST SP 800-172
Level 3 of CMMC incorporates advanced protections from NIST SP 800-172, targeting sophisticated threats like advanced persistent threats (APTs).
FedRAMP
Cloud providers already FedRAMP-authorized can reuse much of their control documentation and technical safeguards when preparing for CMMC — especially when handling DoD data in cloud environments.
ISO/IEC 27001
While not DoD-specific, ISO 27001 shares common elements such as risk management, asset control, and access policies. Organizations certified under ISO can map many existing policies to CMMC requirements.
SOC 2
SOC 2’s trust criteria—particularly around security and availability—align with many CMMC practices. Companies with SOC 2 reports can use existing testing and documentation as a baseline.