The Department of War administers the Cybersecurity Maturity Model Certification, or CMMC, 2.0 program to strengthen cybersecurity across the defense industrial base, or DIB, and reduce supply chain risk from persistent cyber threats.
The Potomac Officers Club’s 2026 Cyber Summit, scheduled for May 21, will convene government and industry leaders to explore the Department of War’s zero trust compliance and other cybersecurity efforts. Register now!
What Is the CMMC 2.0 Program?
CMMC 2.0 is a streamlined framework used to evaluate the effectiveness of defense contractors in implementing required cybersecurity controls and safeguarding unclassified data throughout the defense supply chain. It is designed to strengthen the protection of federal contract information, or FCI, and controlled unclassified information, or CUI, across the DIB.
Under the final CMMC 2.0 rule, compliance is mandatory for companies seeking to bid on defense contracts. These requirements may be incorporated into solicitations and contracts, mandating independent third-party assessments in place of the long-standing reliance on contractor self-certification under the Defense Federal Acquisition Regulation Supplement requirements aligned with National Institute of Standards and Technology Special Publication 800-171.
What Are the CMMC 2.0 Certification Levels?
To align cybersecurity expectations with risk, CMMC 2.0 uses a structured, tiered certification model that scales requirements to the sensitivity of the data a contractor handles. The framework comprises three certification levels, verified through recurring self-assessments or independent third-party reviews.
Level 1 applies to contractors handling FCI and requires annual self-assessments against 15 basic Federal Acquisition Regulation-aligned safeguards. Level 2 covers CUI and requires implementation of all 110 NIST SP 800-171 controls, validated through either self-assessments for select programs or independent third-party certification for prioritized acquisitions. Level 3, the most stringent tier, adds NIST SP 800-172 measures to safeguard the highest-risk programs against advanced cyber threats.
Why Is CMMC Compliance Critical for Defense Contractors?
According to GovCon expert Payam Pourkhomami, president and CEO of OSIbeyond, contractors should meet CMMC compliance standards to remain eligible for DOW contracts. The program reflects the heightened accountability required when handling taxpayer-funded defense work, where participation is voluntary but standards are mandatory.
In addition to preserving eligibility, CMMC provides an advantage by restricting contract awards to certified firms and enabling small businesses to compete on equal security footing with large primes. It also protects contractors’ intellectual property from cyber-enabled theft, while strengthening national security by reducing exploitable weaknesses across the defense supply chain targeted by nation-state adversaries.
What Happens If a Contractor Fails to Comply?
Failure to meet the compliance requirements can result in significant financial consequences, contract cancellations and reputational damage. Knowingly misrepresenting compliance may trigger liability under the False Claims Act, including civil penalties of approximately $10,000 per violation, as adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act of 1990, plus treble damages based on the losses the government incurred. For example, a contractor falsely attesting to compliance while lacking implementation of just 20 controls could face baseline penalties exceeding $200,000.
What Can Companies Outsource to a Third Party?
Although defense contractors cannot fully outsource CMMC compliance, they may delegate particular tasks of the technical implementation and day-to-day security operations to qualified managed service providers or managed security service providers. Commonly outsourced tasks include:
- Firewall and network security management
- Endpoint detection and response
- Vulnerability scanning and patch management
- Government cloud architecture and security
- Audit logging and monitoring configuration
- 24/7 security operations center and managed detection and response, or MDR services
- Security event correlation and analysis
However, ultimate accountability remains with the contractor, meaning governance, access decisions, physical security, system security plan ownership, incident reporting and supply chain oversight must remain internal. The most effective approach is a shared responsibility model, documented through a shared responsibility matrix, that clearly defines which party owns each control. This allows organizations to reduce technical burden while retaining the legal and managerial responsibilities required for successful CMMC certification.