If your organization works with—or plans to work with—the U.S. Department of Defense (DoD), cybersecurity isn’t just a best practice. It’s a requirement. Enter CMMC: the Cybersecurity Maturity Model Certification.
CMMC was developed by the DoD to ensure that every contractor in its supply chain is doing their part to protect sensitive information. Whether you’re bidding on defense contracts, handling Controlled Unclassified Information (CUI), or supporting a prime as a subcontractor, CMMC sets the bar for what strong security looks like—and enforces it.
In this guide, we’ll unpack what CMMC is, how CMMC 2.0 has changed the game, and what your business needs to do to prepare for certification—especially if you’re a small or mid-sized business (SMB) aiming to win and retain government work.
What is CMMC?
The Cybersecurity Maturity Model Certification is a security framework developed by the U.S. Department of Defense to safeguard sensitive government data across its supply chain—also known as the Defense Industrial Base (DIB). This includes thousands of contractors and subcontractors who support DoD missions.
CMMC builds on existing requirements—especially NIST SP 800-171, a set of controls for protecting sensitive government information—but goes even further by introducing third-party assessments and tiered levels of compliance.
Why was it created? In short: to strengthen national security. Too many contractors were self-attesting their cybersecurity practices but falling short in reality. CMMC raises the bar by requiring verifiable cybersecurity maturity, especially for organizations handling:
- Federal Contract Information (FCI): information provided by or generated for the government under a contract that’s not intended for public release
- Controlled Unclassified Information (CUI): sensitive but unclassified data such as engineering drawings, R&D results, or financial details
Compared to earlier approaches that relied heavily on self-attestation and inconsistent implementation, CMMC brings three major shifts to the table:
- It’s standardized: every contractor is measured against the same cybersecurity criteria
- It’s tiered: you only need to implement controls that match the sensitivity of the information you handle
- It’s enforceable: instead of relying on self-attestation alone, organizations handling CUI will generally need to pass an assessment conducted by an accredited third-party assessor organization (a C3PAO), with the result recorded in DoD systems
Key objectives of CMMC
CMMC is a fundamental shift in how the Department of Defense approaches cybersecurity, raising the baseline across every layer of its supply chain. Whether you're a prime contractor or a small subcontractor, CMMC ensures that you’re equipped to protect sensitive information in your work with the DoD.
Here are the core goals behind the CMMC framework:
- Standardize cybersecurity requirements. CMMC replaces the old patchwork of self-assessments with a consistent set of expectations for all contractors. Everyone is measured against the same baseline—regardless of size or role.
- Verify implementation through audits. No more “trust but don’t verify.” For most organizations, CMMC requires third-party assessments by certified assessors, bringing transparency and accountability to cybersecurity claims.
- Strengthen supply chain resilience. Cybersecurity gaps at any point in the supply chain put national security at risk. CMMC addresses this by requiring compliance not just from prime contractors, but from subcontractors and vendors as well.
- Protect controlled information before it’s compromised. By focusing on proactive controls and maturity (rather than reactive fixes), CMMC aims to reduce risk before a breach occurs—especially when it comes to CUI.
Together, these goals turn cybersecurity into a shared responsibility across the supply chain, and into a competitive advantage for contractors who are prepared.
CMMC 2.0: A streamlined approach
Since its original release, the CMMC framework has undergone major updates. In 2021, the Department of Defense introduced CMMC 2.0—a simplified but strengthened version that’s now being phased into contracts in 2025.
CMMC 2.0 reduces the original five-tier model to just three clearer, more actionable levels:
Level 1: Foundational
For companies that handle only Federal Contract Information (FCI)—non-public data provided by or generated for the government.
- Requires the 15 basic safeguarding requirements of FAR 52.204-21 (the original CMMC 1.0 model counted these as 17 practices)
- Annual self-assessment required
- No third-party certification needed
Level 2: Advanced
For contractors that handle Controlled Unclassified Information (CUI)—sensitive government-related data that isn’t classified but still needs protection.
- Requires full implementation of the 110 security controls in NIST SP 800-171
- Third-party certification required for most contracts
- Some organizations may qualify for self-assessment, depending on the contract’s risk level
Level 3: Expert
For companies supporting the most sensitive and mission-critical DoD programs.
- Builds on Level 2 with a subset of the enhanced security requirements from NIST SP 800-172
- Assessed by DoD personnel (the Defense Contract Management Agency’s DIBCAC), not by a C3PAO
- Requires a Level 2 certification from a C3PAO before a Level 3 assessment can be scheduled
CMMC 2.0 gives contractors greater clarity, flexibility, and alignment with existing federal standards, but it also makes compliance more enforceable. If your business handles CUI, a third-party audit will likely be required to win or renew DoD contracts.
Already working with the DoD? You may already be partway down the path to CMMC Level 2. Many contractors are familiar with the Supplier Performance Risk System (SPRS), the government database where contractors submit self-assessed NIST SP 800-171 scores under DFARS 252.204-7019/7020. Those same 110 requirements form the foundation of CMMC Level 2, so an organization with a solid, evidence-backed SPRS score has a head start; a Level 2 certification, however, still requires that every requirement be implemented or carried on a time-limited plan of action.
The CMMC 2.0 rollout begins on November 10, 2025, and is expected to reach full implementation by November 10, 2028. The process will unfold in four phases over three years, starting with self-assessments and progressing to third-party certifications for higher-risk contracts. Preparing now gives your business a critical head start, and helps you stay competitive in the federal contracting space before CMMC compliance becomes a mandatory barrier to entry.
CMMC 2.0 compliance levels
Who needs to comply with CMMC?
CMMC compliance isn’t just for large defense primes. The framework applies to any organization that works with the U.S. Department of Defense—directly or indirectly—including:
- Prime contractors bidding on or executing DoD contracts
- Subcontractors supporting larger DoD projects, at the level that matches the FCI or CUI flowed down to them (a subcontractor that receives only FCI needs Level 1; one that receives CUI needs Level 2)
- Vendors and service providers who process, store, or transmit Federal Contract Information or Controlled Unclassified Information
Even if your company doesn’t currently handle CUI or bid on prime contracts, CMMC will soon be hard to avoid. Requirements are expected to appear in all applicable DoD solicitations and contracts by the end of the phased rollout, and questions about your cybersecurity posture are already part of many vendor onboarding and renewal processes. Understanding where you fit and which level applies is the first step toward staying competitive in the federal contracting space.
How to prepare for CMMC compliance
Getting ready for CMMC isn’t just about passing an audit; it’s about building a cybersecurity program you can stand behind. Whether you’re aiming to meet Level 1 requirements or preparing for a third-party assessment at Level 2 or 3, here’s how to lay the groundwork:
- Conduct a gap analysis: Compare your current cybersecurity posture to the requirements of your target CMMC level. Identify which practices are already in place and where you need to improve.
- Implement required controls: Use NIST SP 800-171 (for Level 2) or NIST SP 800-172 (for Level 3) as your guide. This may involve tools like multi-factor authentication, endpoint protection, access management, and encrypted communications, as well as supporting policies and procedures.
- Document everything: CMMC emphasizes documentation and repeatability. It’s not enough to say you’re secure—you need to prove it with consistent, auditable evidence.
- Train your team: Your staff plays a critical role in maintaining security. Provide ongoing training to help them handle sensitive data properly, recognize phishing attempts, and follow internal protocols.
- Engage a C3PAO (Level 2 certification, and as the prerequisite for Level 3): If a third-party certification is required, you’ll need to work with a Certified Third-Party Assessor Organization. Start building relationships early and learn what to expect from the assessment process.
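The gap analysis above is usually turned into a number for SPRS using the DoD Assessment Methodology, which starts at 110 and subtracts a weight of 1, 3 or 5 for each unimplemented NIST SP 800-171 requirement (a few requirements allow partial credit). The script below is an added example, not a tool from this page or from the DoD: it scores a constructed set of control statuses and lists the gaps in priority order. The six requirements, their weights and the partial-credit values are assumptions for illustration only; take the real weights from the official methodology.

```python
"""Gap analysis scored in the style of the DoD Assessment Methodology.

Added example: requirement IDs, titles, weights and partial-credit values below
are a constructed subset used for illustration, not the official table.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110          # every requirement implemented
MIN_CONDITIONAL = 88     # assumed floor for a conditional Level 2 result with a POA&M


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int                   # points deducted when not implemented (1, 3 or 5)
    partial: Optional[int] = None # smaller deduction if partial credit exists


# Constructed catalogue (weights/partials are assumptions for this example).
CATALOGUE: List[Requirement] = [
    Requirement("3.1.1", "Limit system access to authorized users", 5),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5),
    Requirement("3.1.20", "Verify and control connections to external systems", 1),
    Requirement("3.5.3", "Use MFA for local and network access", 5, partial=3),
    Requirement("3.13.11", "Use FIPS-validated cryptography to protect CUI", 5, partial=3),
    Requirement("3.14.1", "Identify, report and correct system flaws", 5),
]

# Constructed self-assessment input. A requirement missing from this map has
# no evidence behind it and is treated as not implemented on purpose.
SAMPLE_STATUS: Dict[str, str] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.20": "not_implemented",
    "3.5.3": "partial",          # MFA only on VPN and admin accounts
    "3.13.11": "not_implemented",
    # "3.14.1" intentionally absent
}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def score_assessment(catalogue: List[Requirement],
                     status: Dict[str, str]) -> Tuple[int, List[Tuple[str, str, int]]]:
    """Return (score, gaps). Gaps are (req_id, title, deduction), largest first."""
    known = {r.req_id for r in catalogue}
    unknown = set(status) - known
    if unknown:  # a typo in a requirement ID would silently hide a gap
        raise ValueError(f"unknown requirement IDs: {sorted(unknown)}")

    score = MAX_SCORE
    gaps: List[Tuple[str, str, int]] = []
    for req in catalogue:
        state = status.get(req.req_id, "not_implemented")
        if state not in VALID_STATUSES:
            raise ValueError(f"{req.req_id}: bad status {state!r}")
        if state == "implemented":
            continue
        # Partial implementation only earns credit where the methodology defines
        # it; otherwise a partial control is scored as not implemented.
        if state == "partial" and req.partial is not None:
            deduction = req.partial
        else:
            deduction = req.weight
        score -= deduction
        gaps.append((req.req_id, req.title, deduction))
    gaps.sort(key=lambda g: -g[2])  # stable: ties keep catalogue order
    return score, gaps


def meets_conditional_floor(score: int) -> bool:
    """Assumed check: is the score at or above the conditional-certification floor?"""
    return score >= MIN_CONDITIONAL


if __name__ == "__main__":
    total, open_gaps = score_assessment(CATALOGUE, SAMPLE_STATUS)
    print(f"score: {total}/{MAX_SCORE}  conditional floor met: {meets_conditional_floor(total)}")
    for req_id, title, points in open_gaps:
        print(f"  -{points:>2}  {req_id:<8} {title}")
```

Two design choices matter in practice: an unlisted requirement is scored as a gap rather than ignored, and a "partial" status is only discounted where the methodology actually grants partial credit. Both defaults keep the number honest, which is the point of submitting it to SPRS in the first place.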
Preparing for CMMC can feel daunting, but it’s also an opportunity to strengthen your security posture, reduce risk exposure, and position your business for long-term growth in the federal space.
Need help connecting the dots? Tools like the CIS-CMMC mapping guide can help you identify which of your current controls already align with CMMC 2.0—making it easier to prioritize gaps.
Final thoughts: Why CMMC compliance matters now
The cybersecurity landscape for DoD contractors is changing—and fast. CMMC marks a shift from suggested best practices to enforceable standards, and it’s reshaping how companies prove their security readiness.
Whether you’re a small subcontractor or a prime contractor managing sensitive data, demonstrating strong cybersecurity practices is no longer optional. And even outside of DoD work, CMMC-aligned practices—especially those grounded in NIST SP 800-171—can help your organization reduce risk, earn trust, and build a foundation for long-term resilience.
Exploring other frameworks? CMMC aligns closely with NIST SP 800-171, but it’s not the only standard worth knowing. The NIST Cybersecurity Framework offers a flexible foundation that many SMBs build on before pursuing certification. The CIS Controls provide a practical starting point for cyber hygiene, while HITRUST certification may apply if you also handle healthcare data. If your business processes payments, our PCI DSS compliance guide breaks down what’s required to protect cardholder data. And if you’re still getting your arms around the big picture, our cybersecurity guide for SMBs offers a helpful overview.
Not sure where to begin? Propulsion partners with SMBs to make CMMC compliance manageable—and meaningful. Let’s chart your path forward.


