Cybersecurity Maturity Model Certification

CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not CUI. It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.

CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.

CMMC Level 3 is the highest CMMC certification tier, reserved for DoD programs involving CUI of the highest priority. It requires implementing NIST SP 800-171 plus 24 enhanced controls drawn from NIST SP 800-172, and triennial assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

32 CFR Part 170 is the Department of Defense final rule that established the CMMC program — defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.

DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025 as part of the 48 CFR final rule, and triggers the annual senior-official affirmation requirement under 32 CFR 170.22.