Skip to Content
Governance and Compliance

What Is CMMC (the US Defense Security Certification)?

CMMC (Cybersecurity Maturity Model Certification) is the US Department of Defense program that requires a proven level of cybersecurity from anyone who wants to supply the US defense sector. It protects two classes of government information, FCI and CUI, and organizes the requirement into three levels, from the most basic to the most stringent. It is not only for US companies: any supplier in the defense chain, including subcontractors outside the US, must reach the level set in the contract. The final rule took effect in December 2024 and began applying to contracts from November 2025.

Zamak TechnologiesUpdated on July 10, 2026

How CMMC works in practice

CMMC ties the right to win a defense contract to a proof of cybersecurity. The supplier does not pick the level: it comes from the type of information the contract involves. The cycle has four steps.

1

Find the level the contract requires

If the work involves only Federal Contract Information (FCI), Level 1 is enough; if it involves Controlled Unclassified Information (CUI), Level 2 or 3 comes into play.

2

Implement the level's controls

Level 2 rests on the 110 controls of NIST SP 800-171; Level 3 adds controls from NIST SP 800-172 for the most critical programs.

3

Get assessed at the right rigor

Level 1 allows self-assessment; Level 2 usually requires assessment by an accredited third party (C3PAO); Level 3 is assessed by the government itself.

4

Affirm and maintain

Compliance is reaffirmed periodically and recorded. Losing the level mid-contract puts the contract itself at risk.

Source: U.S. Department of Defense, the CMMC final rule (32 CFR Part 170) and NIST SP 800-171 / 800-172.

The three CMMC levels

  • Level 1 (Foundational) Protects Federal Contract Information (FCI) with 15 basic safeguarding requirements. Allows annual self-assessment.
  • Level 2 (Advanced) Protects Controlled Unclassified Information (CUI) with the 110 controls of NIST SP 800-171. Usually requires assessment by an accredited third party.
  • Level 3 (Expert) For the most critical programs, adds controls from NIST SP 800-172 to the 110 of Level 2, with an assessment conducted by the government.

Why CMMC became a gate, not an optional item

220,000+
companies in the US defense industrial base fall within CMMC's reach (DoD estimate)
~80,000
of them will need Level 2 certification through an independent assessment (DoD initial estimate)
110
controls from NIST SP 800-171 form the base of CMMC Level 2 (DoD, 32 CFR 170)

CMMC turned cybersecurity into a business prerequisite: without the required level, the supplier simply cannot win the defense contract. The reach is large, the Department of Defense estimates between 220,000 and 300,000 companies in its supply chain, of which about 80,000 will need Level 2 certification through an independent assessment. And the chain is global: a technology, engineering or logistics company outside the US that serves a defense contractor faces the same requirement. Because the level propagates down the chain, the prime contractor demands CMMC from its subcontractors, which pushes the requirement onto companies that do not even deal with the government directly.

How a company prepares for CMMC

Preparing for CMMC is less about a last-minute certificate and more about running the base controls before the contract demands them. The most direct path:

  1. Know whether you touch FCI or CUIThat is what sets the level. Many suppliers underestimate and find out too late that they handle CUI, which requires Level 2.
  2. Implement the 110 NIST 800-171 controlsThey are the spine of Level 2: access control, incident response, media protection and other domains that also raise the company's overall security.
  3. Close the gaps with a recorded planWhat is not yet in place goes into a plan of action with a deadline. The assessor wants to see the gap being addressed, not hidden.
  4. Treat it as a continuous postureThe level has to hold throughout the contract, with evidence collected continuously, not assembled in a rush the night before the assessment.

In practice

The question that reveals the real risk: does the company know today whether any contract it serves involves CUI, or would it find out only when the prime contractor asks for the Level 2 certificate?

How Zamak handles CMMC compliance

Zamak Technologies supports the CMMC and NIST SP 800-171 journey as part of Governance and Compliance in the Zamak Method: mapping the 110 controls, continuous evidence collection and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.

Frequently asked questions about CMMC

Does CMMC only apply to US companies?
No. It applies to any company that wants to supply the US defense sector, including subcontractors outside the US. If the contract requires a CMMC level, the supplier must reach it, wherever it is.
What is the difference between FCI and CUI?
FCI (Federal Contract Information) is non-public contract information; CUI (Controlled Unclassified Information) is more sensitive controlled information, without being classified. Touching CUI requires a higher CMMC level.
What is the relationship between CMMC and NIST SP 800-171?
CMMC Level 2 is, in practice, the implementation of the 110 controls of NIST SP 800-171, with a formal assessment on top. A company already following 800-171 is well along the way.
Do I need a third-party assessment or can I self-assess?
It depends on the level. Level 1 allows self-assessment; Level 2 usually requires an accredited third-party assessor (C3PAO); Level 3 is assessed by the government.
Does a small company also need CMMC?
Yes, if it is in the defense chain. The required level depends on the information the company touches, not on its size. Small subcontractors that handle FCI need at least Level 1.
Is CMMC the same as the NIST CSF?
No. The NIST CSF is a voluntary cyber risk management guide; CMMC is a contractual requirement specific to US defense, with formal assessment and certification. They complement each other, but play different roles.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake