CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the United States Department of Defense (DoD) to assess and enhance the cybersecurity posture of organizations participating in DoD contracts. The CMMC framework consists of a set of cybersecurity standards and best practices that aim to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

CMMC compliance is required for contractors and all downstream contractors that create, consume, process or store CUI or FCI. The goal is to ensure that they meet the cybersecurity standards and practices appropriate for the sensitivity of the information they handle. The CMMC model is structured into three maturity levels, ranging from basic cyber hygiene practices at Level 1 to advanced, proactive cybersecurity measures at Level 3.

Organizations at Level 1 that work only with FCI are required to perform self-assessments every year. Organizations that handle CUI must achieve Level 2 or Level 3 compliance and must undergo assessments conducted by accredited third-party assessors (C3PAOs) to achieve certification at the appropriate CMMC level for their contracts. Compliance with CMMC is becoming mandatory to participate in DoD contracts. The final rule is expected to be released in late 2024.