The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program for verifying that contractors protect sensitive government information. The final CMMC rule (32 CFR Part 170) took effect in December 2024, and the program places specific, contract-driven requirements on contractors, suppliers, and manufacturers across the defense industrial base. If your organization supplies defense-related goods or services, here is what you should know.
In short, CMMC is a U.S. Department of Defense strategy that helps ensure contractors protect sensitive information. It streamlines requirements into three levels: Level 1 covers basic safeguarding of Federal Contract Information (FCI), Level 2 addresses Controlled Unclassified Information (CUI), and Level 3 adds advanced protections for the most sensitive CUI.
Understanding CMMC Compliance
The Cybersecurity Maturity Model Certification (CMMC) is a security standard created by the U.S. Department of Defense (DOD) to ensure that any business working in the defense supply chain is properly protecting sensitive government data. It’s specifically designed for the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The DOD introduced CMMC to unify and raise the bar for cybersecurity across the defense supply chain. Rather than relying on contractors' own claims of compliance, as the earlier DFARS self-attestation approach did, the framework requires contractors and subcontractors that handle FCI or CUI to demonstrate that they meet specific requirements.
CMMC 2.0, the latest version, simplifies the framework to three certification levels, each with increasing security expectations.
- Level 1 (Foundational): covers basic cyber hygiene for companies handling FCI and requires only an annual self-assessment.
- Level 2 (Advanced): for organizations handling CUI; mandates the 110 security requirements of NIST SP 800-171, with most organizations needing a third-party assessment every three years.
- Level 3 (Expert): reserved for those working with the most sensitive DOD information; adds controls drawn from NIST SP 800-172 and requires a government-led assessment.
This tiered approach ensures that every organization in the DOD’s supply chain is held to consistent, enforceable cybersecurity standards. It directly addresses gaps and weaknesses that could put national security at risk.
Which Industries Does CMMC Compliance Impact?
CMMC compliance isn't just for big defense contractors. It applies to any company or organization that handles FCI or CUI while working with the Department of Defense, whether as a prime contractor or as one of its subcontractors, suppliers, or vendors.
While many people may be under the impression that CMMC compliance is just for aerospace and defense companies, it actually impacts a much wider range of businesses.
For example, it can impact:
- Manufacturers who make parts or components for military equipment
- Engineering firms that design products for the DOD
- IT service providers who manage DOD and/or military computer systems
- Software developers who create programs used by defense contractors
All of these need to pay attention to CMMC compliance.
The same goes for logistics and communications companies that handle shipping or manage information, as well as universities or consultants working on DOD-funded projects. You could be required to meet CMMC standards even if your business just provides technical support or develops software for a DOD contractor.
There is one main exception: companies that only sell commercial, off-the-shelf (COTS) products are generally exempt from CMMC. However, if a COTS supplier also receives or handles FCI or CUI as part of the contract, it may still need to comply.
Because CMMC requirements “flow down” the supply chain, the responsibility doesn’t stop with the main contractor. Every business involved, no matter how small, may need to meet these standards. That’s why it’s expected that organizations across many industries will be affected by CMMC, making it a major shift for anyone connected to DOD contracts.
CMMC 2.0 Overview
CMMC 2.0 establishes three cybersecurity maturity levels, each designed to match the sensitivity of information an organization handles for the Department of Defense. The required level depends on the type of data involved and specific contract requirements.
Level 1 (Foundational)
Level 1 is foundational because it focuses on basic cybersecurity practices for organizations handling Federal Contract Information. It requires the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21 (the earlier CMMC 1.0 model counted these as 17 practices), such as:
- Limiting access to information
- Using antivirus software
- Installing physical security measures
Organizations at this level conduct an annual self-assessment, record the result in the DOD's Supplier Performance Risk System (SPRS), and affirm their compliance each year.
Level 2 (Advanced)
Level 2 is advanced because it applies to organizations that handle Controlled Unclassified Information. This level requires implementing all 110 security requirements of NIST SP 800-171 (Revision 2, the version the CMMC rule references), covering areas like:
- Access control
- Incident response
- Risk assessment
Most organizations at Level 2 must undergo a certification assessment by an authorized third-party assessment organization (C3PAO) every three years. For some contracts involving less sensitive CUI, the DOD allows a Level 2 self-assessment instead; that self-assessment is also performed every three years, and both paths require an annual affirmation of continued compliance.
Level 3 (Expert)
Level 3 applies to organizations working with the most sensitive DOD information and facing advanced persistent threats. It builds on Level 2 by adding 24 requirements selected from NIST SP 800-172, emphasizing proactive and adaptive security measures. An organization must first hold a Level 2 certification from a C3PAO; the Level 3 assessment itself is then led by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center) every three years.
Since CMMC requirements flow down the supply chain, subcontractors, vendors, and service providers, along with prime contractors, must meet the appropriate level if they handle FCI or CUI. Prime contractors are responsible for ensuring their partners have achieved the CMMC level the contract requires.
Organizations can streamline the path to CMMC compliance by building on NIST SP 800-171, which is the Level 2 requirement set itself, and by aligning with widely recognized frameworks such as the NIST Cybersecurity Framework (CSF) and ISO 27001, whose controls overlap substantially with CMMC's.
This tiered approach ensures robust and consistent cybersecurity across all organizations supporting DOD contracts.
Partner with TenHats for Cybersecurity and IT MSP Services
TenHats is East Tennessee’s leading provider of cybersecurity and managed IT services. We offer comprehensive, proactive protection against evolving digital threats, backed by real-time monitoring from a dedicated security operations center.
Our team customizes solutions for your business with expert-led:
- Risk assessments
- Policy development
- Ongoing security updates
This ensures that your organization stays resilient and compliant with industry regulations, including HIPAA and GDPR.
Our on-site support, disaster recovery planning, and integrated IT services allow you to focus on core business goals while minimizing risk and operational costs. With deep technical expertise and scalable solutions, TenHats delivers enterprise-grade security for organizations of any size.