What Is CMMC (the US Defense Security Certification)?
CMMC (Cybersecurity Maturity Model Certification) is the US Department of Defense program that requires a proven level of cybersecurity from anyone who wants to supply the US defense sector. It protects two classes of government information, FCI and CUI, and organizes the requirement into three levels, from the most basic to the most stringent. It is not only for US companies: any supplier in the defense chain, including subcontractors outside the US, must reach the level set in the contract. The final rule took effect in December 2024 and began applying to contracts from November 2025.
How CMMC works in practice
CMMC ties the right to win a defense contract to a proof of cybersecurity. The supplier does not pick the level: it comes from the type of information the contract involves. The cycle has four steps.
Find the level the contract requires
If the work involves only Federal Contract Information (FCI), Level 1 is enough; if it involves Controlled Unclassified Information (CUI), Level 2 or 3 comes into play.
Implement the level's controls
Level 2 rests on the 110 controls of NIST SP 800-171; Level 3 adds controls from NIST SP 800-172 for the most critical programs.
Get assessed at the right rigor
Level 1 allows self-assessment; Level 2 usually requires assessment by an accredited third party (C3PAO); Level 3 is assessed by the government itself.
Affirm and maintain
Compliance is reaffirmed periodically and recorded. Losing the level mid-contract puts the contract itself at risk.
Source: U.S. Department of Defense, the CMMC final rule (32 CFR Part 170) and NIST SP 800-171 / 800-172.
The three CMMC levels
- Level 1 (Foundational) Protects Federal Contract Information (FCI) with 15 basic safeguarding requirements. Allows annual self-assessment.
- Level 2 (Advanced) Protects Controlled Unclassified Information (CUI) with the 110 controls of NIST SP 800-171. Usually requires assessment by an accredited third party.
- Level 3 (Expert) For the most critical programs, adds controls from NIST SP 800-172 to the 110 of Level 2, with an assessment conducted by the government.
Why CMMC became a gate, not an optional item
CMMC turned cybersecurity into a business prerequisite: without the required level, the supplier simply cannot win the defense contract. The reach is large, the Department of Defense estimates between 220,000 and 300,000 companies in its supply chain, of which about 80,000 will need Level 2 certification through an independent assessment. And the chain is global: a technology, engineering or logistics company outside the US that serves a defense contractor faces the same requirement. Because the level propagates down the chain, the prime contractor demands CMMC from its subcontractors, which pushes the requirement onto companies that do not even deal with the government directly.
How a company prepares for CMMC
Preparing for CMMC is less about a last-minute certificate and more about running the base controls before the contract demands them. The most direct path:
- Know whether you touch FCI or CUIThat is what sets the level. Many suppliers underestimate and find out too late that they handle CUI, which requires Level 2.
- Implement the 110 NIST 800-171 controlsThey are the spine of Level 2: access control, incident response, media protection and other domains that also raise the company's overall security.
- Close the gaps with a recorded planWhat is not yet in place goes into a plan of action with a deadline. The assessor wants to see the gap being addressed, not hidden.
- Treat it as a continuous postureThe level has to hold throughout the contract, with evidence collected continuously, not assembled in a rush the night before the assessment.
In practice
The question that reveals the real risk: does the company know today whether any contract it serves involves CUI, or would it find out only when the prime contractor asks for the Level 2 certificate?
How Zamak handles CMMC compliance
Zamak Technologies supports the CMMC and NIST SP 800-171 journey as part of Governance and Compliance in the Zamak Method: mapping the 110 controls, continuous evidence collection and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.