
CMMC

Also known as: Cybersecurity Maturity Model Certification · CMMC 2.0

DoD certification model required of defense contractors handling FCI / CUI; three levels (Foundational, Advanced, Expert).

CMMC 2.0 is the US Department of Defense's tiered certification model for contractors in the Defense Industrial Base. Level 1 (Foundational) maps to FAR 52.204-21 (17 practices for FCI); Level 2 (Advanced) aligns to NIST SP 800-171 (110 practices for CUI); Level 3 (Expert) adds NIST SP 800-172 controls and is assessed by DIBCAC.

Why it matters
No CMMC level, no DoD contract. The 32 CFR Part 170 final rule took effect December 2024 — clauses are now appearing in solicitations.

Related terms

NIST SP 800-53
NIST catalogue of 1000+ security and privacy controls for federal information systems (Rev 5).
CUI (Controlled Unclassified Information)
Federal information requiring safeguarding or dissemination controls per Executive Order 13556; protected by NIST SP 800-171.
FCI (Federal Contract Information)
Non-public information provided by or generated for the federal government under a contract; protected by FAR 52.204-21.
FedRAMP
Standardised US government program for cloud-service authorisation, based on NIST 800-53.
