Governance · 6 min read · Credibility 91/100

DoD releases CMMC Version 1.0 for defense contractors

The DoD just released CMMC 1.0—five certification levels ranging from basic cyber hygiene to advanced practices. If you want to work on defense contracts, you'll eventually need a certified third-party assessment. This is the starting gun for the defense industrial base.

Fact-checked and reviewed — Kodi C.


On , the U.S. Department of Defense (DoD) released Cybersecurity Maturity Model Certification (CMMC) Version 1.0, establishing a five-level certification scheme for every company in the defense industrial base. The model blends NIST SP 800-171 requirements with additional controls, elevates process maturity expectations, and requires independent third-party assessments before contractors can receive awards that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Program managers and compliance leads need to inventory contract portfolios, map security practices to CMMC levels, and plan for a staged rollout that begins appearing in selected requests for information (RFIs) and requests for proposals (RFPs) in fiscal year 2021. Early preparation reduces bid risk, prevents supply-chain bottlenecks, and positions primes to mentor or sponsor sub-tier vendors that must also obtain certification.

What changed in CMMC 1.0

CMMC 1.0 introduced five maturity tiers (Levels 1–5) that progress from basic safeguarding of FCI to advanced/progressive protection of CUI against advanced persistent threats. Each level specifies a combination of practices and processes; for example, Level 1 follows the 17 safeguarding requirements in FAR 52.204-21, while Level 3 requires implementation of the full NIST SP 800-171 Rev. 1 control set plus 20 additional practices defined by DoD. Levels 4 and 5 add detection/response and improvement practices that focus on threat hunting, anomaly detection, and proactive incident management.

The framework integrates process maturity expectations—performed, documented, managed, reviewed, and optimizing—creating a progressive model similar to CMMI. Contractors must show not only control deployment but also institutionalization via policies, plans, resourcing, and performance measurement. Unlike self-attestation under DFARS 252.204-7012, CMMC mandates third-party assessments performed by Certified Third-Party Assessment Organizations (C3PAOs) accredited by the CMMC Accreditation Body (now the Cyber AB). Assessment results are posted to the Supplier Performance Risk System (SPRS) and become eligibility gates for solicitations.

DoD signaled a phased adoption. Initial pathfinder contracts in FY2021 included CMMC clauses for select programs (for example, Navy, Air Force, Missile Defense Agency) with requirements flowed down to subcontractors. DFARS Case 2019-D041 later codified 252.204-7019, -7020, and -7021, requiring interim self-assessments against NIST SP 800-171 and formal CMMC certification at the level specified in the solicitation. This linkage means contract opportunities can specify different levels by information type—Level 1 for FCI-only work packages and Level 3 or higher for CUI-handling tasks.

Who is affected

Prime contractors must align their enterprise security programs to the level(s) required by target contracts and verify that teaming partners and critical subcontractors reach the same or higher level for any work that touches the protected information. Capture teams need to budget for assessments, remediation, and documentation updates during bid/no-bid decisions.

Small and medium suppliers in the defense industrial base face new costs and schedule impacts because C3PAO availability is limited and remediation often requires formalizing processes (for example, configuration management plans, incident response playbooks, continuous monitoring). Managed service providers supporting these suppliers must clarify shared responsibility models and evidence requirements.

Information system owners handling CUI must prove segregation of duties, multifactor authentication, audit logging, and incident response procedures that meet NIST SP 800-171 baseline expectations. Organizations that use cloud services must ensure those environments meet FedRAMP Moderate equivalency and that contractual flow-down captures CMMC obligations.

Immediate action plan

1) Establish target levels by contract. For each active and forecasted DoD opportunity, identify whether the statement of work includes FCI, CUI, or critical technology. Map those information types to required CMMC levels and document the rationale. Use this inventory to prioritize and sequence remediation.

2) Perform a gap assessment. Compare current controls to the CMMC practice tables, including the 20 DoD-added practices at Level 3. Validate that policies exist, procedures are repeatable, and records show institutionalization. Capture findings in a remediation plan with owners and due dates.

3) Implement and evidence remediation. Close technical gaps (for example, implement MFA on privileged accounts, enable centralized logging, enforce secure configuration baselines) and procedural gaps (for example, configuration management plans, incident playbooks, training records). Preserve evidence such as tickets, screenshots, and system configurations that show control operation.

4) Prepare for assessment logistics. Select a prospective C3PAO, confirm scope boundaries, and stage documentation—system security plans, network diagrams, asset inventories, vulnerability management records, and continuous monitoring artifacts. Align internal teams to support interviews and evidence walkthroughs.

5) Align subcontractors. Flow down CMMC requirements in subcontracts where CUI/FCI is shared. Provide templates and readiness checklists to critical suppliers. Consider sponsoring assessments for high-risk vendors to protect program schedules.

6) Monitor policy evolution. Track DFARS updates, DoD guidance on reciprocity (for example, FedRAMP Moderate equivalency for cloud services), and the transition path toward CMMC 2.0 to adjust control baselines and contract language.

Operational readiness checklist

  • Map contracts and information types to required CMMC levels; record justifications.
  • Inventory systems that store or process CUI/FCI; verify FedRAMP alignment for cloud environments.
  • Enable MFA, least privilege, secure configurations, audit logging, and vulnerability management aligned to NIST SP 800-171.
  • Publish and enforce policies for configuration management, change control, incident response, and personnel security; collect training acknowledgments.
  • Stage evidence packages (plans, tickets, logs) and designate points of contact for assessments.
  • Flow down CMMC clauses to subcontractors and assess high-risk vendors for readiness.
  • Set a cadence to review DFARS rulemaking and CMMC Accreditation Body updates.

Timeline and contract implications

Near-term pilots. DoD planned approximately 10 pathfinder solicitations in FY2021 across the Army, Navy, Air Force, and Missile Defense Agency to validate assessment workflows and supply-chain coverage. These pilots informed training for C3PAOs and clarified evidence expectations for future procurements.

Five-year phase-in. Department statements described a multi-year ramp to full adoption by FY2026, with an increasing percentage of solicitations requiring CMMC certification each year. Contractors should treat certification lead time as part of capture strategy and avoid assuming waivers for late-stage bids.

SPRS score alignment. The DFARS interim rule requires NIST SP 800-171 self-assessment scores to be posted to the Supplier Performance Risk System before contract award. Even when a solicitation specifies a future CMMC assessment, contracting officers can use SPRS scores to gauge interim readiness, so you should maintain evidence to support both self-assessments and formal certifications.
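To make the gap assessment in step 2 and the SPRS self-assessment score above concrete, the following is an added example; it is not code from the briefing, DoD, or NIST. It follows the structure of the NIST SP 800-171 DoD Assessment Methodology: a maximum of 110 points, each unimplemented requirement subtracts its weight of 1, 3, or 5 points, a requirement that is only planned in a POA&M still counts as unimplemented, and two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) receive a reduced 3-point deduction when partially implemented. The requirement subset, weights, owners, and due dates in the sample are constructed for illustration; take the authoritative weights from the methodology's own tables.

```python
"""Score a NIST SP 800-171 self-assessment the way SPRS expects and turn the
unimplemented requirements into a prioritized remediation list.

Added illustration for this briefing (not DoD, NIST or the author's code).
Sample requirements, weights, owners and dates are CONSTRUCTED; real weights
come from the NIST SP 800-171 DoD Assessment Methodology.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110          # one point per requirement, 110 requirements total
VALID_WEIGHTS = (1, 3, 5)

# The methodology allows a reduced deduction for exactly two requirements
# when they are partially in place (e.g. MFA on privileged but not general
# accounts; encryption in use but not FIPS-validated).
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # only 3.5.3 and 3.13.11 earn credit for this
    NOT_IMPLEMENTED = "not_implemented"
    POAM = "poam"                        # planned in a POA&M: still deducted in full


@dataclass
class Requirement:
    rid: str          # e.g. "3.5.3"
    title: str
    weight: int       # 1, 3 or 5
    status: Status
    owner: str = ""
    due: str = ""

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.rid}: weight must be one of {VALID_WEIGHTS}")


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for this requirement."""
    if req.status is Status.IMPLEMENTED:
        return 0
    if req.status is Status.PARTIAL and req.rid in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[req.rid]
    # Everything else (not implemented, POA&M, or "partial" on a requirement
    # with no partial-credit rule) loses the full weight.
    return req.weight


def sprs_score(reqs) -> int:
    """Assumes any of the 110 requirements not listed is fully implemented."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def _rid_key(rid: str):
    return tuple(int(part) for part in rid.split("."))


def gap_report(reqs):
    """Remediation plan: biggest score impact first, then by requirement id."""
    gaps = [r for r in reqs if deduction(r) > 0]
    gaps.sort(key=lambda r: (-deduction(r), _rid_key(r.rid)))
    return [
        {"id": r.rid, "title": r.title, "points": deduction(r),
         "status": r.status.value, "owner": r.owner, "due": r.due}
        for r in gaps
    ]


# Constructed sample: a handful of requirements from one fictitious supplier.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, Status.IMPLEMENTED),
    Requirement("3.1.5", "Employ least privilege", 3, Status.POAM, "IAM team", "2021-03-31"),
    Requirement("3.2.1", "Security awareness training", 1, Status.NOT_IMPLEMENTED, "HR", "2021-02-15"),
    Requirement("3.3.1", "Create and retain audit logs", 5, Status.NOT_IMPLEMENTED, "SecOps", "2021-01-31"),
    Requirement("3.4.1", "Establish baseline configurations", 5, Status.IMPLEMENTED),
    Requirement("3.5.3", "Multifactor authentication", 5, Status.PARTIAL, "IAM team", "2021-02-28"),
    Requirement("3.6.1", "Incident handling capability", 5, Status.IMPLEMENTED),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, Status.PARTIAL, "Platform", "2021-04-30"),
]

if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(SAMPLE)} / {MAX_SCORE}")
    for gap in gap_report(SAMPLE):
        print(f"  -{gap['points']:>2}  {gap['id']:<8} {gap['title']:<40} "
              f"{gap['status']:<16} {gap['owner']:<10} {gap['due']}")
```

The report doubles as the remediation plan the gap assessment asks for: each entry carries an owner and due date, and ordering by point impact shows which closures move the posted score most. Keep the evidence for every row marked implemented, since the same records support the later C3PAO assessment.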

Maturity Model Framework

CMMC 1.0 established five maturity levels with increasing cybersecurity requirements. Level 1 addresses basic cyber hygiene while Level 5 encompasses advanced practices for protecting controlled unclassified information. Third-party assessment requirements ensure independent verification of contractor security posture.

Defense Supply Chain Impact

All DoD contractors handling CUI must achieve appropriate CMMC certification. Prime contractors flow down requirements to subcontractors processing defense information. Assessment costs and preparation timelines require early planning and resource allocation.

Evolution to CMMC 2.0

CMMC 2.0 streamlined the model to three levels, reducing assessment burden while maintaining security objectives. Organizations should align implementation efforts with current program requirements and timeline updates.

Source material

  1. DoD CMMC 1.0 — osd.mil
  2. NIST SP 800-171 — nist.gov
  3. DFARS 252.204-7012 — acquisition.gov