
CMMC Overview: What It Is, Who Needs It, and What’s Required

The Cybersecurity Maturity Model Certification (CMMC) has moved from planning to enforcement, and if your company is in the Department of Defense (DoD) supply chain, it is going to apply to you. CMMC establishes baseline cybersecurity requirements for all contractors, from large primes to small subcontractors and everyone in between. The specific requirements vary depending on the type of information you handle, but whether that information is sensitive or not, some level of compliance will be expected.

The framework was first introduced by the DoD in 2020, but after concerns about cost and complexity—especially for small businesses—it was revised and streamlined into CMMC 2.0 in 2021. That version reduced the number of levels, aligned requirements with existing NIST standards, and introduced options for self-assessment at lower levels.

In late 2024, the DoD issued the Final Rule, formally putting CMMC 2.0 into motion. As of 2025, implementation is underway. Requirements are already starting to appear in DoD contracts, and enforcement will continue to roll out in phases. If you haven’t started preparing, now is the time to get ahead of it.

This article will help you understand the framework, determine whether it applies to your company, and introduce the three levels of compliance.

What Is CMMC?

CMMC is a federally mandated cybersecurity framework for companies that do business with the DoD. It defines a set of practices companies must follow based on the sensitivity of the information they handle, ranging from basic contract data to Controlled Unclassified Information (CUI) and other sensitive material.

The purpose of CMMC is to raise the cybersecurity baseline across the defense supply chain and reduce the risk of compromise. CMMC 2.0 streamlined the model, going from five levels to three and aligning it with existing federal standards such as NIST SP 800-171 and NIST SP 800-172. It also introduced annual affirmations and a conditional certification path for companies still closing gaps.


Who Needs to Be CMMC Compliant?

CMMC applies to all organizations that are part of the DoD supply chain. That includes prime contractors, subcontractors, and smaller companies that may only touch a limited portion of a project. Whether you’re a major defense integrator or a niche provider in construction, engineering, or manufacturing, CMMC is intended to apply across the board.

That doesn’t mean every company has to meet the same standard. The level of compliance you’ll need depends on the kind of information your contract involves. But regardless of company size or role, compliance is not optional.

The Three Levels of CMMC

[Figure: the three CMMC levels. Source: https://cyberab.org/CMMC-Ecosystem/What-is-CMMC]

CMMC 2.0 defines three levels of compliance. Each level corresponds to a different category of contract data and comes with a specific set of requirements.

Level 1 applies to companies that handle Federal Contract Information (FCI), which is data not intended for public release but not considered sensitive. This level includes 17 basic cybersecurity practices, such as keeping software up to date, managing user access, and using strong passwords. The process is a self-assessment, affirmed annually by a senior executive.

Level 2 is for companies working with Controlled Unclassified Information (CUI), which is more sensitive and requires stronger protections. This level includes roughly 110 security controls aligned with NIST SP 800-171, covering areas like encryption, multi-factor authentication, and employee security training.

Level 3 is reserved for contractors working with the most sensitive government data. Requirements are aligned with NIST SP 800-172 and include advanced security measures like continuous monitoring and threat detection. Assessments are led by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and most small and midsize businesses won’t need to meet this level.

How Do You Know What Level You Need?

Your contract will specify the required CMMC level. If your work involves only FCI, Level 1 will likely be enough. If your company handles CUI, you’ll probably need Level 2. But sometimes the requirements aren’t clearly defined, especially in early contract stages.

This is where coordination between departments matters. Whoever is responsible for submitting bids or managing compliance should work with IT to determine what type of data your company processes and what that means for certification.

It’s also important to understand that even companies operating at the same level may have very different compliance paths. While CMMC sets a common framework, the specific security practices you’ll need to implement—and how you implement them—depend on how your company operates. Your IT systems, internal processes, and the way you handle contract data all influence what compliance looks like for you.

Start Early to Stay Competitive

CMMC is already appearing in DoD contracts, and more enforcement is coming. Companies that delay compliance risk missing opportunities or scrambling under pressure when requirements show up in active bids.

Even for Level 1, preparing for a self-assessment and executive affirmation takes time. For Level 2 and above, the preparation required to support a third-party audit is even more involved. The earlier you start, the more strategic and less reactive your path to compliance will be.

XPERTECHS is a CMMC Registered Provider Organization

Not sure what level you need—or how to get started? As a CMMC Registered Provider Organization with Registered Practitioners on staff, we help companies attain and maintain CMMC standards so they can stand out as a trusted link in the DoD supply chain.

Learn more about how we work with companies to attain and maintain CMMC compliance.