Cybersecurity Maturity Model Certification

CMMC, explained simply

Mandatory cyber maturity for the US defence supply chain.

In a nutshell

CMMC is the US Department of Defense's framework that requires contractors to prove their cybersecurity maturity before winning DoD work. It builds on NIST SP 800-171.

The case for action

Why your organisation needs CMMC

No CMMC certification at the required level means you cannot bid on or keep DoD contracts. Misrepresenting compliance can trigger False Claims Act penalties.

The upside

What your organisation gains

Stay eligible for DoD contracts and flow-down work from primes.

Avoid False Claims Act exposure and contract termination.

Build a defensible, audit-ready security posture for CUI.

Open doors to higher-value federal opportunities.

Scope

Who it covers — and where

Who it applies to

Every company in the Defense Industrial Base — primes, subcontractors, and suppliers — even if you only sell screws or software to a DoD supplier.

Where it applies

United States — applies to any company in the DoD supply chain worldwide.

Timing

When you need to act

Phased rollout began in 2025 and ramps through 2028. Check your contract for the required level (1, 2 or 3) and the assessment deadline.

The path forward

Your roadmap to compliance

A practical journey — not a bureaucratic checklist. Tackle these stages in order and you'll move from "we should look into this" to ready.

  1. Determine your CMMC Level (1, 2 or 3) from your contract clauses (DFARS 252.204-7021).

  2. Define your scope — only the systems handling FCI or CUI need to be assessed.

  3. Run a self-assessment against the relevant NIST 800-171 controls.

  4. Close gaps: MFA, encryption, FIPS-validated crypto, incident response, training.

  5. Document a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

  6. Engage a C3PAO (for Level 2+) and book a formal assessment.

Reality check

Common struggles (and how to fix them)

The struggle

Confusion over what counts as CUI vs FCI.

The fix

Ask your prime for the marking guide and isolate CUI to a small, well-controlled enclave.

The struggle

Cloud tools aren't FedRAMP-aligned.

The fix

Move CUI workloads into GCC High or a FedRAMP Moderate-equivalent environment.
