
CMMC Compliance: a Guide for DoD Contractors

June 14, 2021


The Cybersecurity Maturity Model Certification (CMMC) became mandatory on December 16, 2024, allowing CMMC requirements to be formally incorporated into Department of Defense (DoD) solicitations and contracts. From that date, CMMC requirements are officially included in all DoD contracts, meaning compliance is no longer optional. For businesses that want to bid on or continue supporting defense work, CMMC is an indisputable contract requirement.

For many organizations, CMMC certification becomes challenging not because of a lack of security effort, but because of uncertainty. Companies struggle to determine which requirements apply to them, how far the CMMC scope extends, and what level of effort is actually expected.

Without clear direction, businesses risk over-scoping their environment, underestimating their obligations, or investing time and budget in controls that do not move them closer to compliance.

This guide helps remove CMMC uncertainty by clarifying who the requirements apply to, how to identify your required level, how scope works in practice, and what to expect during assessment and certification.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the security framework mandated by DoD to evaluate and enhance cybersecurity within the Defense Industrial Base (DIB). The framework is intended to become a verification mechanism ensuring that DIB organizations possess appropriate cybersecurity practices and processes to protect data within their environments. Any organization that holds DoD contracts or acts as a subcontractor should prepare to obtain CMMC certification.

CMMC incorporates several practices and standards, but its key pillar is NIST SP 800-171. The other important references of the framework are NIST SP 800-53, National Aerospace Standard (NAS) 9933, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM). Based on these references, the framework measures an organization’s cybersecurity maturity and controls to ensure that all necessary processes and practices are in place. The initial implementation of the CMMC for all DoD contractors is mandated through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021.

Before CMMC was developed, specific cybersecurity requirements within DoD were identified by DFARS 252.204-7008 and 252.204-7012. These regulations required DoD contractors to adopt NIST's cybersecurity processes and standards (especially NIST SP 800-171) while not providing specific audit or certification requirements. The vague requirements led to slow, unsatisfactory adoption of DFARS (252.204-7008 and 252.204-7012), as most DoD contractors achieved only a minimal level of cybersecurity hygiene.

Thus, to strengthen data security in the DoD, the CMMC security framework was introduced. This framework is expected to be more effective than the previous approach because it requires a strict audit process and third-party certification as the primary conditions for CMMC compliance. Furthermore, the CMMC framework offers greater assurance that appropriate levels of cybersecurity protections and processes are in place. 

What data does CMMC protect?

CMMC aims to protect sensitive unclassified information shared by the DoD with its contractors and subcontractors. It primarily focuses on safeguarding two main categories of data:

Federal Contract Information (FCI) refers to non-public information related to a U.S. government contract that is provided by or generated for the government during contract performance and is not intended for public release.

In practical terms, FCI represents routine government contract information that must be safeguarded using fundamental cybersecurity practices. From a business perspective, FCI typically includes everyday contractual data such as:

Controlled Unclassified Information (CUI) is non-public government or defense-related information that must be protected because its exposure could harm national security, contract integrity, or regulatory compliance. It requires safeguarding or dissemination controls consistent with laws, regulations, and government-wide policies. Common CUI examples include:

There are many specific categories and subcategories of CUI that the Executive branch protects. The CUI Registry provides a complete list of them. Here we show only some of the organizational index groupings, such as Critical Infrastructure, Defense, Export Control, Immigration, Intelligence, NATO, Nuclear, Statistical, and Tax.

Who Needs the CMMC Certification?

CMMC certification is required for any organization that supports the U.S. defense supply chain and handles non-public DoD contract data. This obligation goes far beyond prime defense contractors and affects a wide range of business models and cooperation scenarios.

The following cooperation scenarios typically make CMMC compliance mandatory:

Prime DoD contractors
Companies that contract directly with the DoD to deliver products or services. The required level of CMMC compliance depends on whether the company handles Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both. For such companies, CMMC compliance is the first condition for bidding and contract continuation.

Subcontractors
CMMC applies just as clearly to companies that do not contract with the DoD directly, but support a prime contractor. If a company receives specifications, schedules, technical documentation, or access to defense-related systems, it is likely handling FCI or CUI. Even limited or occasional access requires the appropriate level of CMMC certification.

Software development and IT service providers
Software vendors, SaaS providers, and MSPs often underestimate their CMMC compliance obligations. If developers, support engineers, or administrators can access, process, or store DoD project data (during development, testing, deployment, or support), CMMC requirements apply. This includes work performed in shared environments, such as cloud services, ticketing systems, or team collaboration platforms.

Engineering, manufacturing, and industrial companies
Companies involved in design, prototyping, testing, production, or quality assurance for defense-related products frequently handle data that qualifies as CUI. Technical drawings, test reports, and system architectures fall within the CMMC scope, even when the end product is commercialized for use beyond defense.

Professional and advisory services
Consulting, compliance, cybersecurity, logistics, and program management firms that review, process, or store DoD contract documentation or technical data as part of their services.

How to determine your CMMC Level?

CMMC is structured around compliance levels that reflect the type of data a business handles and its role in the defense supply chain. Determining the right level starts with understanding what information flows through your contracts, systems, and people.
To determine the CMMC level, start by identifying the type of information your organization handles:

CMMC Level 1 (Foundational) applies to DoD contractors and subcontractors that handle FCI (Federal Contract Information), such as non-public contract details or delivery schedules. Under Level 1, organizations must implement 15 basic cybersecurity controls specified in FAR Clause 52.204-21.

CMMC Level 2 (Advanced) applies to current and potential DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and ITAR- or export-controlled data, including engineering drawings, technical documentation, or system data. To achieve Level 2, organizations must implement all 110 security controls listed in NIST SP 800-171.

CMMC Level 3 (Expert) is reserved for cases where significant security threats, including advanced persistent threats (APTs), must be considered. The "Expert" level of CMMC compliance requires contractors to implement all 110 controls in NIST SP 800-171 and the specific controls in NIST SP 800-172, with triennial C3PAO assessments. The enhanced security controls outlined in NIST SP 800-172 add an additional layer of protection for CUI associated with critical government programs or high-value federal assets.

What is the CMMC assessment and certification process?

CMMC is the DoD’s way of verifying that its partners and contractors can properly protect sensitive data. The CMMC assessment and certification process is level-based: some companies self-assess, while others must undergo an independent third-party certification assessment.

Confirm the required CMMC level and scope

The starting point for CMMC certification is answering two questions: "What data do you touch (FCI vs. CUI)?" and "Where does it live (email, cloud, shared drives, etc.)?" Level 1 generally maps to safeguarding FCI; Level 2 applies when your environment processes, stores, or transmits CUI.

Choose the right assessment path

The type of data processed further defines the CMMC assessment and certification roadmap. As already mentioned above:

Engage a C3PAO and run the assessment

For a Level 2 certification assessment, organizations must engage a C3PAO, align on the assessment plan and team, and go through a structured process defined in the CMMC Assessment Process (CAP), including conflict-of-interest handling and formal assessment execution steps. The output is a set of findings that must be addressed to reach a “pass” outcome.

Record and constantly update your status

Certification is a long-term process rather than a one-and-done activity. The CMMC ecosystem is designed around ongoing accountability, and CMMC compliance status is used as a condition for DoD contract awards. Certifications must therefore be maintained and renewed on the required cycle (Level 2 certification is tied to a three-year cadence in program guidance).

Achieve CMMC compliance with Planet 9

As CMMC 2.0 raises security expectations across the defense supply chain, many DoD contractors and subcontractors need expert assistance to prepare. Planet 9 provides CMMC certification readiness services, helping companies understand what applies to them and prepare for assessments without unnecessary complexity.

We support organizations by:

Whether you are new to CMMC or preparing for an upcoming assessment, Planet 9 helps maintain compliance and move forward with confidence.

Book a free consultation to discuss your CMMC readiness, or contact the Planet 9 team to get practical support with your security and compliance efforts.

Website: https://planet9security.com

Email:  info@planet9security.com

Phone: 888-437-3646

