CMMC (Cybersecurity Maturity Model Certification)

Definition

CMMC (Cybersecurity Maturity Model Certification) is the DoD's third-party verification program for cybersecurity practices on defense contracts. CMMC Level 2 -- required on most DoD contracts handling Controlled Unclassified Information by 2026 -- mandates independent assessment of all 110 NIST SP 800-171 practices by a Certified Third-Party Assessment Organization (C3PAO).

CMMC ends the era of self-attested cybersecurity on DoD contracts. Previously, contractors self-assessed their NIST 800-171 compliance and submitted a score to the SPRS database. CMMC adds mandatory third-party verification -- a C3PAO conducts an independent assessment and certifies the level.

CMMC levels

  • Level 1 (Foundational) -- 17 basic cyber hygiene practices; annual self-assessment; applies to contracts with only FCI (Federal Contract Information), not CUI
  • Level 2 (Advanced) -- 110 practices aligned to NIST 800-171; C3PAO assessment every 3 years; required for most DoD CUI contracts
  • Level 3 (Expert) -- 134+ practices; government-led assessment; applies to the most critical defense programs

CMMC implementation timeline

CMMC requirements began appearing in DoD contracts in 2025. By 2026, most contracts handling CUI require Level 2 certification as a contract award condition -- not a future compliance checkbox. If you are pursuing DoD software work in 2026, your CMMC Level 2 assessment should be underway now.

Related terms

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies. A FedRAMP Moderate authorization covers 80% of federal civilian use cases, takes 12-24 months to achieve, and costs $500,000-$2,000,000 -- but unlocks a $100 billion+ federal cloud services market with a single reusable authorization.

ATO (Authority to Operate)

An Authority to Operate (ATO) is the formal approval granted by a federal Authorizing Official that allows a software system to operate within a government environment after completing the NIST Risk Management Framework assessment process. ATOs are required before any federal system goes live and must be continuously maintained -- typically reviewed annually and triggered by significant system changes.

Section 508

Section 508 of the Rehabilitation Act requires all software, websites, and electronic content procured, developed, or used by the U.S. federal government to meet accessibility standards equivalent to WCAG 2.0 Level AA. Non-compliance can disqualify a product from federal procurement and expose agencies to civil rights complaints under the Architectural Barriers Act.

NIST SP 800-171

NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Any company that handles CUI under a DoD contract must implement all 110 requirements and submit a self-assessment score to the Supplier Performance Risk System (SPRS).

Need help implementing this in your business?

Code and Trust translates AI concepts like CMMC (Cybersecurity Maturity Model Certification) into working implementations — starting with a workflow audit that shows exactly where it creates ROI.