Reference · Cybersecurity & CMMC
CMMC
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's program for verifying that defense contractors protect federal contract information and controlled unclassified information. It sets tiered assessment levels and, once phased into contracts, makes certification a condition of award.
What it is
CMMC has three levels. Level 1 (Foundational) covers basic safeguarding of Federal Contract Information — the 15 requirements of FAR 52.204-21. Level 2 (Advanced) aligns to the 110 controls of NIST SP 800-171. Level 3 (Expert) adds a subset of NIST SP 800-172. Depending on level, an assessment is a self-assessment, a third-party assessment by a C3PAO, or government-led.
Why it exists
DoD found that self-attestation alone did not reliably protect CUI across the defense industrial base. CMMC adds independent verification for the contracts that carry the most sensitive information.
Who it applies to
Contractors and subcontractors that handle Federal Contract Information or CUI, once the CMMC clause (DFARS 252.204-7021) appears in their contract. The required level is set by the contract.
Regulatory dates and requirements in this area change. Confirm the current guidance against the official sources below before you rely on it.
Frequently asked
What are the CMMC levels?
CMMC has three levels: Level 1 (Foundational) for basic safeguarding of Federal Contract Information, Level 2 (Advanced) aligned to NIST SP 800-171's 110 controls, and Level 3 (Expert) adding enhanced controls from NIST SP 800-172. The required level is set by the contract.
Does CMMC replace NIST 800-171?
No — CMMC builds on NIST SP 800-171 rather than replacing it. CMMC Level 2 is an assessment against the same 110 controls; CMMC adds the verification — self, third-party, or government — that a contractor actually meets them.
This is the kind of compliance signal Longlead reads to infer which upcoming defense projects will need cleared or compliance-ready scope — delivered as a cited evidence dossier with your confidence and lead time, 12–24 months before it surfaces as a named solicitation. You make the call, from your own channels; nothing leaves the system.
Or just see what Longlead finds for your scope.
Tell us what you sell and what you don't — and see the demand Longlead is inferring for you right now.