What Is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification, the Department of Defense program that verifies whether contractors meet the cybersecurity standards required to handle sensitive government information. It applies to companies across the Defense Industrial Base that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC replaced a system of self-attestation, where contractors claimed compliance without independent verification, with a model that requires demonstrated and, at higher levels, third-party-verified cybersecurity.
The Three Levels
CMMC 2.0 defines three levels, reduced from five under the original model, and the level you need depends on the sensitivity of the information you handle. Level 1, Foundational, applies to contractors that handle FCI and requires a set of basic safeguarding practices drawn from FAR clause 52.204-21, verified by annual self-assessment. Level 2, Advanced, applies to contractors that handle CUI and aligns with the 110 security controls in NIST SP 800-171, verified by self-assessment or by a certified third-party assessor depending on the contract. Level 3, Expert, applies to the most sensitive programs, adds controls from NIST SP 800-172, and is assessed by the government.
The Rollout
CMMC became an enforceable contract requirement through two rules. The 32 CFR Part 170 program rule took effect December 16, 2024, and the DFARS acquisition rule took effect November 10, 2025, beginning a phased rollout. Phase 1, starting November 2025, introduced self-assessment requirements in new solicitations. Phase 2, beginning November 10, 2026, expands third-party Level 2 certification requirements for contractors handling CUI. Phase 3 in 2027 introduces Level 3, and full implementation follows in 2028. Contractors post their status in the Supplier Performance Risk System (SPRS), and contracting officers verify it before award. Requirements flow down to subcontractors, so a prime's obligations extend through its supply chain. Because assessor capacity is limited and preparation commonly takes 6 to 12 months, teams that wait for CMMC to appear in a solicitation often cannot achieve it before the bid is due.
Why It Matters
CMMC is a condition of award. A contractor that cannot demonstrate the required level at award time is ineligible for the work, and that eligibility now extends to option periods on existing contracts. For most companies in the defense supply chain, CMMC is no longer a future concern but a present requirement tied to the contracts they are pursuing today.
Tips for Approaching CMMC
- Identify whether your contracts involve FCI or CUI, since that drives your required level.
- Scope your environment early. A defined CUI enclave can reduce compliance cost and effort.
- Assess your posture against NIST SP 800-171 and build your SSP and POA&M before you need them.
- Book a C3PAO assessment well in advance, since assessor availability is constrained.
- Track flow-down obligations to subcontractors so the whole team stays eligible.
CMMC raises the cybersecurity bar for the entire defense supply chain, and eligibility now depends on it. GovDash is not CMMC certified. GovDash holds FedRAMP Moderate Equivalency, audited by a C3PAO, which satisfies the supply chain and procurement requirements CMMC customers ask about. For specific compliance questions, contractors should consult a CMMC Registered Practitioner or qualified advisor.
This overview is educational and is not legal or compliance advice. CMMC requirements vary by contract, scope, and the data you handle.
What Is GovDash?
GovDash is the AI-powered platform built for government contractors. It connects capture, pricing, proposal writing, and contract management in one system, so teams can find better opportunities, price them accurately, write stronger proposals, and manage performance without switching tools. Book a demo to see how GovDash works for your team.