CMMC

Cybersecurity Maturity Model Certification. A U.S. Department of Defense framework that requires contractors handling Controlled Unclassified Information (CUI) to demonstrate cybersecurity maturity at one of three levels. CMMC Level 2 (equivalent to NIST SP 800-171) applies to most defense contractors and requires a third-party assessment every three years. MSPs serving defense industrial base (DIB) clients must achieve CMMC certification themselves and help clients achieve the appropriate level.

Levels

Level 1 (17 practices, self-assessment), Level 2 (110 practices, third-party assessment), Level 3 (130+ practices, government-led assessment).

Who it applies to

Any DoD contractor or subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Why it matters

MSPs serving manufacturing, aerospace, or government clients are increasingly required to demonstrate CMMC compliance as a condition of contract renewal.