What Is CMMC? A Plain-English Guide for Defense Contractors

If you work with the Department of Defense (redesignated the Department of War by executive order, September 2025) and someone just dropped "CMMC" into a conversation or contract requirement and you are not sure what it means, this is the article for you.

CMMC is not optional for defense contractors handling sensitive government data. As of November 2025, it is a legal requirement. What follows is a plain-English explanation of what it is, why it exists, and what it means for your organization.

CMMC Stands for Cybersecurity Maturity Model Certification

CMMC is the Department of Defense's program for verifying that defense contractors have implemented the cybersecurity controls required to protect sensitive government information.

The key word in that sentence is "verifying." Before CMMC, contractors were required to implement security controls, but verification was largely self-reported. A contractor signed a contract clause saying they would protect sensitive data, submitted a score into a government database, and the government mostly had to take their word for it.

CMMC changes that model. For contracts involving the most sensitive data, contractors must now be assessed by an independent third party, not just self-certify.

Why the DoD Built CMMC

The defense supply chain is massive. Over 300,000 companies hold DoD contracts. These range from the large prime contractors you see in the news to small machine shops, software developers, IT service providers, and specialty manufacturers that make up the broader Defense Industrial Base (DIB).

Many of these companies were handling sensitive government data on systems with minimal security controls. Nation-state adversaries, particularly China and Russia, identified the defense supply chain as a softer target than the DoD's own classified networks. By penetrating small and mid-sized contractors, they could gain access to technical designs, acquisition data, and operational information without ever touching a classified system.

The F-35 program is the canonical example. Intelligence reporting indicated that adversaries obtained technical data about the aircraft through defense contractor networks. The data that moves through the supply chain is sensitive enough to cause real damage if compromised, even if it is not classified.

The DoD needed a way to verify that contractors were actually protecting this data, not just checking a box. CMMC is that verification mechanism.

The Data CMMC Is Designed to Protect

CMMC is built around two categories of sensitive government data.

  • Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service. If you receive technical specifications, statement of work details, or government-generated deliverable data under a contract, that is likely FCI. The definition comes from FAR Clause 52.204-21.
  • Controlled Unclassified Information (CUI) is a broader category established by Executive Order 13556. It covers information that requires safeguarding under law, regulation, or government-wide policy but does not rise to the level of classified information. DoD examples of CUI include export-controlled technical data, acquisition-sensitive information, personally identifiable information, and critical program information.

The type of data you handle determines which CMMC level applies to your organization.

CMMC Has Three Levels

CMMC 2.0 organizes requirements into three levels:

  • Level 1 applies to organizations that handle FCI but not CUI. It requires 15 security practices derived directly from FAR Clause 52.204-21. Compliance is verified through an annual self-assessment. This is the entry-level tier covering basic cyber hygiene.
  • Level 2 applies to organizations that handle CUI. It requires full implementation of NIST Special Publication 800-171 Revision 2, which contains 110 security requirements. Depending on the sensitivity of the contract, Level 2 compliance is verified through either a self-assessment or an independent third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
  • Level 3 applies to the most sensitive contracts. It requires everything in Level 2 plus 24 additional requirements from NIST SP 800-172, for a total of 134. Level 3 assessments are conducted by DIBCAC, the DoD's own assessment team.

CMMC Is Now Law

The CMMC program was established through a process that started with the National Defense Authorization Act (NDAA) for Fiscal Year 2020. After years of development and revision (CMMC 1.0 in 2020, CMMC 2.0 announced in 2021), the final rule was published in 32 CFR Part 170 and DFARS 252.204-7021 took effect on November 10, 2025.

From that date forward, CMMC requirements can appear in DoD solicitations and contracts. The program rolls out in four phases through November 2028. Phase 1 (November 2025 through November 2026) relies primarily on self-assessments; the later phases progressively make C3PAO third-party assessments mandatory.

If your contract includes DFARS 252.204-7021, you are in scope for CMMC.

What "Certification" Actually Means

CMMC certification is an official determination that your organization meets the requirements for a specific CMMC level. Here is what that looks like in practice:

  • For Level 1: You conduct an annual self-assessment of your organization against the 15 required practices, calculate a score, submit it to the Supplier Performance Risk System (SPRS), and have a senior official affirm its accuracy.
  • For Level 2 (C3PAO): A Cyber AB-accredited C3PAO conducts an on-site assessment of your environment. Their assessment goes into the DoD's eMASS system. You receive either a Final certification (all requirements met) or a Conditional certification (open items on a Plan of Action and Milestones with 180 days to close them out). C3PAO certifications are valid for three years.
  • For Level 3: After achieving Level 2 C3PAO certification, DIBCAC conducts an additional assessment against the 24 additional requirements. Level 3 certifications are also valid for three years.

Who Has to Comply

If you hold a DoD contract that includes DFARS 252.204-7012 (the clause requiring NIST 800-171 compliance for CUI), you are already subject to CMMC requirements or will be shortly. CMMC applies to both prime contractors and subcontractors throughout the defense supply chain.

Prime contractors are responsible for flowing CMMC requirements down to subcontractors. If you are a prime handling CUI and you pass that CUI to a subcontractor, that subcontractor needs at minimum Level 2 certification. Before sharing CUI with any subcontractor, you are required to verify their SPRS submission.

CMMC applies to all companies performing under applicable DoD contracts, both domestic and international. Company size is not an exemption factor.

CMMC does not apply to contracts outside the DoD, classified systems, or contracts where the only government data involved is hardcopy CUI that is never placed on an IT system.

The False Claims Act Exposure

CMMC has legal teeth beyond the risk of losing a contract. Under the False Claims Act (31 U.S.C. § 3729), any contractor who misrepresents their CMMC compliance status can face treble damages and civil penalties. The Act allows private individuals (often former employees) to file qui tam lawsuits on behalf of the government.

The Aerojet Rocketdyne case settled for $9 million after an employee alleged the company misrepresented its cybersecurity posture on DoD and NASA contracts. That settlement established that cybersecurity compliance is a material contract requirement, meaning misrepresentation creates actionable False Claims Act liability.

Every senior official who affirms a CMMC self-assessment is personally attesting to its accuracy. The affirmation is not a formality.

What to Do If You Are Just Starting

If you just learned about CMMC and you are not sure where your organization stands, start with three things:

  1. Check your contract clauses. If DFARS 252.204-7012 or 252.204-7021 is in your contract, you are in scope. Identify what data you handle under the contract (FCI, CUI, or both) and what level applies.
  2. Check your SPRS score. Log into sprs.army.mil and verify whether your organization has an active self-assessment submission. If you have never submitted, you are not compliant with existing requirements, regardless of CMMC phase.
  3. Get a gap assessment. A professional CMMC gap assessment evaluates your current security posture against the applicable requirements, produces a scored SPRS estimate, and gives you a prioritized roadmap to close the gaps. The typical timeline from a gap assessment to C3PAO readiness is 12 to 24 months.

Starting now, before a C3PAO requirement appears in your solicitations, is the only way to avoid being squeezed out of contract awards during the Phase 2 and Phase 3 rollout.

Key Takeaways

  • CMMC is the DoD's program for verifying that defense contractors protect sensitive government data
  • Three levels: Level 1 (15 practices, FCI), Level 2 (110 requirements, CUI), Level 3 (134 requirements, highest sensitivity)
  • Legally effective November 10, 2025 under DFARS 252.204-7021
  • Rolling four-phase implementation through November 2028
  • Annual self-assessment required at Level 1; C3PAO third-party assessment required for most Level 2 CUI contracts
  • False Claims Act liability attaches to misrepresentation of compliance status

Learn More

This article is part of the NR Labs CMMC 101 content series. For a complete, end-to-end resource on the CMMC program, read our CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.

Related articles in this series:

  • CMMC Level 1 vs Level 2 vs Level 3: Which One Do You Need?
  • The CMMC Timeline: What's Happening and When (2025-2028)
  • FCI vs CUI: How to Know Which Type of Data You Handle

Ready to understand where your organization stands? NR Labs provides CMMC gap assessments, SSP development, and SPRS submission support for defense contractors at every level of the supply chain. Contact us to schedule a readiness conversation.