ISpectra Technologies
Government · Defense

What is CMMC?

The US Department of Defense program that verifies contractors protect sensitive federal information — required to win many DoD contracts.

Definition

CMMC (Cybersecurity Maturity Model Certification) is a US Department of Defense program that verifies companies in the Defense Industrial Base adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It builds on NIST SP 800-171 and adds independent assessment.

The current model, CMMC 2.0, has three levels; the level a contractor needs depends on the sensitivity of the information they handle. Certification (or self-assessment at Level 1) is becoming a condition of DoD contract awards.

The CMMC 2.0 levels

1

Level 1 (Foundational)

Basic safeguarding of FCI; annual self-assessment.

2

Level 2 (Advanced)

Protection of CUI, aligned to NIST 800-171.

3

Level 3 (Expert)

Enhanced protection against advanced threats.

4

Assessment

Self-assessment or third-party (C3PAO) certification.

5

Affirmation

A senior official affirms ongoing compliance.

Who needs to comply?

Any contractor or subcontractor in the DoD supply chain that handles Federal Contract Information or Controlled Unclassified Information.

How ISpectra helps

ISpectra prepares defense contractors for CMMC — scoping FCI/CUI, implementing NIST 800-171 controls, remediating gaps and readying you for self-assessment or C3PAO certification at your required level.

Talk to an advisor