On September 10, 2025, the Department of Defense (DoD) implemented the acquisition rules for the Cybersecurity Maturity Model Certification (CMMC) program at DFARS subpart 204.75. (All the documents we address use the Department of Defense naming, so we will go by that to prevent confusion.) This follows the federal government’s institution of the CMMC program last year; we explored this a bit in a review of the proposed rules some time before that and noted that initial rules have been in place since 2020. These rules appear at 32 C.F.R. Part 170. Despite these rules having been in place for a little while now, the scope and complexity of the CMMC program can nonetheless be daunting for contractors. In this first in a series of posts, we explore the basics of the CMMC program and what it means for you.
A Refresher on FCI and CUI
As we noted in our preview of the program, the CMMC Program is about protecting two types of information that are otherwise unclassified: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is basically information provided by or for the government under a federal contract that is not otherwise intended for public release, per FAR 52.204-21. CUI is basically information that, while unclassified, agencies must or are allowed to control in terms of dissemination, per 32 C.F.R. § 2002.4. The CMMC Program seeks to make sure both types of information are properly protected by federal contractors.
The Basic CMMC Structure
Initially implemented via a phase-in program starting in 2020, the final form of the CMMC Program is a tiered structure with three separate levels. Each level has different security and assessment requirements that a contractor must meet to be certified under that level.
Level 1 is, naturally, the simplest level. Under Level 1, the contractor must meet 15 separate security requirements under FAR 52.204-21 to secure FCI. At this level, contractors self-assess their compliance with those requirements and self-certify with the Supplier Performance Risk System (SPRS). This must be done annually.
Level 2 is split into two parts. In either case, the contractor must meet 110 Level 2 security requirements derived from NIST SP 800-171 R2 (also required by DFARS 252.204-7012) for CUI, in addition to the 15 requirements of Level 1 for FCI. The contractor can then either self-assess and certify its compliance or have its compliance assessed and certified by a CMMC Third-Party Assessment Organization (C3PAO). The C3PAO path is viewed as a higher form of Level 2 (Level 2 (C3PAO)) than the self-assessed and certified form (Level 2 (Self)). 32 C.F.R. § 170.17. As such, having Level 2 (Self) will not qualify a contractor for a contract that requires Level 2 (C3PAO), but having Level 2 (C3PAO) will qualify a contractor for Level 2 (Self) contracts. Both forms of Level 2 certification last for 3 years, although the contractor must affirm its compliance every year.
Level 3 is the most rigorous level. Under Level 3, the contractor must meet a further 24 security requirements provided in NIST SP 800-171 R2 along with the requirements for Levels 2 and 1. There is no option for self-assessment and certification with Level 3. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct the assessment. The certification will last for 3 years with the contractor affirming compliance each year, much like Level 2.
Conditional Status
For Level 2 (Self), Level 2 (C3PAO), and Level 3, there is a “conditional” status that the contractor can achieve if it meets a certain percentage of, but not all of, the requirements for that level. 32 C.F.R. § 170.21. For Level 2 (Self) and Level 2 (C3PAO), the contractor will receive conditional Level 2 (Self) or (C3PAO) status, depending on which path it has taken, if
- it meets 80% or more of the Level 2 security requirements;
- none of the requirements it missed has a point value greater than 1 (or 3, for a certain encryption requirement) under the CMMC Scoring Methodology (32 C.F.R. § 120.24); and
- none of the requirements it missed is on the list of mandatory security requirements in 32 C.F.R. § 170.21(a)(2)(iii).
For Level 3, the contractor will receive conditional Level 3 status if
- it meets all Level 2 requirements;
- it meets 80% or more of the Level 3 security requirements; and
- none of the requirements it missed is on the list of mandatory security requirements in 32 C.F.R. § 170.21(a)(3)(ii).
Conditional status lasts for 180 days, during which the contractor must work through a plan of action and meet the remaining requirements. If it does, it achieves the full status. If it does not, it will not receive the full status and will lose the conditional status.
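The three conditional-status tests above can be checked mechanically against an assessment's results. The following is an added example, not code from the post or from DoD; the requirement ids, point values and the mandatory-requirement sets it uses are constructed placeholders, and `ENCRYPTION_REQ_ID` stands in for the one encryption requirement whose miss may score 3 rather than 1.

```python
# Added example: evaluates conditional Level 2 / Level 3 eligibility as the
# post describes it. Ids, points and mandatory sets are constructed placeholders.
from dataclasses import dataclass

CONDITIONAL_PERCENT = 80                 # 80% or more of the level's requirements
ENCRYPTION_REQ_ID = "ENC-PLACEHOLDER"    # assumed id of the encryption requirement


@dataclass
class Requirement:
    req_id: str
    points: int    # CMMC scoring value assigned to the requirement
    met: bool      # True if the assessment found the requirement implemented


def meets_threshold(reqs):
    """Integer comparison avoids float rounding at exactly 80%."""
    return 100 * sum(r.met for r in reqs) >= CONDITIONAL_PERCENT * len(reqs)


def level2_conditional(l2_reqs, mandatory_ids):
    """Return (eligible, reasons) for conditional Level 2 (Self or C3PAO)."""
    reasons = []
    if not meets_threshold(l2_reqs):
        reasons.append("fewer than 80% of Level 2 requirements met")
    for r in l2_reqs:
        if r.met:
            continue
        limit = 3 if r.req_id == ENCRYPTION_REQ_ID else 1
        if r.points > limit:
            reasons.append(f"{r.req_id} missed with point value {r.points} > {limit}")
        if r.req_id in mandatory_ids:
            reasons.append(f"{r.req_id} is a mandatory Level 2 requirement")
    return (not reasons, reasons)


def level3_conditional(l2_reqs, l3_reqs, mandatory_l3_ids):
    """Return (eligible, reasons) for conditional Level 3."""
    reasons = []
    if not all(r.met for r in l2_reqs):
        reasons.append("not all Level 2 requirements met")
    if not meets_threshold(l3_reqs):
        reasons.append("fewer than 80% of Level 3 requirements met")
    for r in l3_reqs:
        if not r.met and r.req_id in mandatory_l3_ids:
            reasons.append(f"{r.req_id} is a mandatory Level 3 requirement")
    return (not reasons, reasons)
```

The `reasons` list is the useful output in practice: it tells the contractor which of the three tests blocked conditional status, not just that one did.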
Who Does It Apply To?
The CMMC is a DoD-implemented system. It applies to DoD contracts, not civilian agency procurements. 32 C.F.R. § 170.3. Not every DoD contract requires CMMC certification. It is only required where the contractor and/or its subcontractors are processing, storing, or transmitting FCI or CUI. Prime contractors must flow down the CMMC requirements for the given contract to their subcontractors. 32 C.F.R. § 170.23. If only FCI is involved with a contract, then only Level 1 certification should be required. If CUI is involved, whether Level 2 (Self), Level 2 (C3PAO), or Level 3 status is required will depend on the agency’s determination. 32 C.F.R. § 170.5.
Summary
This is just a basic overview of the CMMC Program. In our next post in this series, we’ll dive into the acquisition policies in DFARS that were issued in September 2025 to get a further understanding of how the CMMC Program affects procurements, solicitations, and awards, along with looking at some changes made to the CMMC Program between the original proposed rule of December 2023 and the final rules from October 2024 and September 2025.