CMMC

CMMC is the U.S. Department of Defense program for assessing cybersecurity practices across the Defense Industrial Base, focused on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Get a demo All frameworks

Governed by U.S. Department of Defense (DoD)

What it is

What CMMC is, in plain terms

CMMC (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense's program to verify that companies in the Defense Industrial Base protect sensitive government information. It anchors its requirements in FAR 52.204-21 (for Federal Contract Information) and NIST SP 800-171 (for Controlled Unclassified Information), and ties the ability to win and keep DoD contracts to demonstrated cybersecurity practices.

Typical effort & timeline

Effort depends on the required level: handling FCI maps to a smaller baseline, while handling CUI requires the full NIST SP 800-171 control set and, at higher levels, an assessment by an authorized C3PAO. Plan around closing gaps documented in your POA&M.

Who needs it

Is this framework for you?

Prime contractors and subcontractors anywhere in the DoD supply chain.
Companies that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Defense suppliers preparing for a self-assessment or an authorized third-party (C3PAO) assessment.

About the framework

Key facts about CMMC

Structured into maturity levels; higher levels apply to handling Controlled Unclassified Information (CUI).
Level requirements are based on FAR 52.204-21 and NIST SP 800-171 security requirements.
Assessments are performed by authorized third-party assessment organizations (C3PAOs) for the higher levels.
Applies to contractors and subcontractors in the DoD supply chain.

Public information about the framework itself. We don't claim certifications, assessment status, or authorizations for our own product.

With this platform

How we help with CMMC

Track the NIST SP 800-171 requirements that underpin CMMC levels.
Map practices to evidence and monitor them continuously.
Maintain a System Security Plan (SSP) and document gaps for a POA&M.
Keep evidence organized ahead of a third-party assessment.

Step by step

Get and stay compliant

How the platform supports your CMMC program — from first scope to ongoing monitoring.

Determine your level

Identify whether you handle FCI, CUI, or both, which sets the level and the applicable requirements.

Build your SSP

Maintain a System Security Plan describing how each NIST SP 800-171 requirement is implemented.

Track gaps in a POA&M

Document remaining gaps and remediation in a Plan of Action & Milestones, kept current as you close them.

Prepare for assessment

Map practices to evidence and keep it organized so a self-assessment or C3PAO review goes smoothly.

Representative areas

What CMMC covers

Public, high-level control or requirement areas — for orientation, not a complete control list.

Access control

Identification & authentication

Audit & accountability

Configuration management

Incident response

System & communications protection

Do it once

Reuse evidence across frameworks

CMMC shares controls with frameworks you may already run. A passing test can satisfy requirements in more than one place — so adding the next framework means reusing work, not repeating it.

FedRAMP

U.S. program for cloud services used by federal agencies

ISO/IEC 27001

International standard for information security management

SOC 2

Trust Services Criteria for service organizations

FAQ

Common questions about CMMC

Lower-level requirements are based on FAR 52.204-21; CUI-level requirements are based on NIST SP 800-171's security requirements.

Not always. Lower levels can rely on self-assessment, while higher levels require an assessment by an authorized C3PAO.

The System Security Plan documents how you meet each requirement; the Plan of Action & Milestones tracks open gaps and the plan to remediate them.

Get audit-ready for CMMC

Get a guided demo, or start by scanning any domain for free.

Get a demo Compliance automation