CMMC — Cybersecurity Maturity Model Certification
Accuracy commitment
Every regulatory reference on this page links to the official source document. REAEGIS does not make claims that cannot be verified against published guidance. If you find an error or outdated reference, email [email protected].
What is CMMC?
CMMC 2.0 is a DoD framework requiring defense contractors to implement and demonstrate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It supersedes CMMC 1.0 and aligns Level 2 requirements directly with NIST SP 800-171 Rev 2.
Rulemaking
32 CFR Part 170 (the CMMC rule) was published as a final rule on October 15, 2024, and became effective November 14, 2024. It establishes the legal authority for CMMC requirements in DoD contracts.
The Three Levels
Level 1 — Foundational
- Practices: 17 practices (Federal Acquisition Regulation Part 52.204-21)
- Applicability: Contractors handling Federal Contract Information (FCI) only
- Assessment: Annual self-attestation by a senior company official
- SPRS: Not required
Level 2 — Advanced
- Practices: 110 practices from NIST SP 800-171 Rev 2
- Applicability: Contractors handling Controlled Unclassified Information (CUI)
- Assessment: C3PAO third-party assessment (for critical programs) or annual self-attestation (for non-critical programs)
- SPRS: Required — self-assessment score entered within 30 days of assessment
Level 3 — Expert
- Practices: 110 Level 2 practices plus 24 additional practices from NIST SP 800-172
- Applicability: Contractors on DoD's highest priority programs with CUI
- Assessment: Government-led assessment only; no self-attestation permitted
Enforcement Timeline
| Phase | Date | Requirement |
|---|---|---|
| Phase 1 | November 14, 2024 | CMMC rule effective; self-attestations for Level 1 and some Level 2 |
| Phase 2 | November 10, 2025 | Level 2 C3PAO assessments required for critical CUI programs |
SPRS Requirement
Contractors who conduct NIST SP 800-171 self-assessments must enter their score into the Supplier Performance Risk System (SPRS) within 30 days of the assessment.
Source: DFARS 252.204-7021(c)
SPRS portal: sprs.csd.disa.mil
The SPRS score ranges from -203 to +110 based on the DoD NIST SP 800-171 Assessment Methodology. A score of +110 means all 110 practices are implemented. Most prime contractor solicitations require a minimum score of 88.
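A scoring routine in the shape of the methodology cited above, as an added example (not REAEGIS code and not the official weight table): it starts at 110, deducts the weight of each practice that is not implemented, allows the 3-point partial deduction the methodology defines for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and orders remediation by weight toward the 88 floor mentioned above. The per-practice weights and the highest-weight-first ordering are constructed assumptions for illustration.

```python
"""SPRS-style score illustration (added example; not REAEGIS code).

The DoD Assessment Methodology starts at 110 and deducts each unimplemented
requirement's weight (1, 3 or 5); 3.5.3 and 3.13.11 allow a 3-point partial
deduction.  SAMPLE_WEIGHTS is a CONSTRUCTED subset, not the official table.
"""

# Constructed sample weights for a handful of requirements (assumption).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.7.5": 5, "3.11.2": 5, "3.13.8": 3, "3.13.11": 5,
    "3.14.1": 5, "3.14.2": 5,
}
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # the two practices with a 3-point partial deduction
MAX_SCORE = 110
COMMON_MINIMUM = 88  # floor this page says most prime solicitations require


def deduction(practice, status, weights):
    """Points deducted for one practice. status: 'implemented', 'partial' or 'not'."""
    if status == "implemented":
        return 0
    if status == "partial":
        if practice not in PARTIAL_CREDIT:
            raise ValueError(f"{practice}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return 3
    if status == "not":
        return weights[practice]
    raise ValueError(f"unknown status {status!r}")


def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """Start at 110 and subtract every unimplemented practice's weight.
    A practice missing from `statuses` counts as not implemented, so an
    incomplete record cannot inflate the score (the FCA risk discussed below)."""
    return MAX_SCORE - sum(deduction(p, statuses.get(p, "not"), weights) for p in weights)


def gap_to_target(statuses, weights=SAMPLE_WEIGHTS, target=COMMON_MINIMUM):
    """Illustrative remediation path: close the highest-weight open practices
    first until the score reaches `target`. Returns the ordered practice list."""
    open_items = sorted(
        (p for p in weights if statuses.get(p, "not") != "implemented"),
        key=lambda p: -deduction(p, statuses.get(p, "not"), weights))
    path, score = [], sprs_score(statuses, weights)
    for p in open_items:
        if score >= target:
            break
        score += deduction(p, statuses.get(p, "not"), weights)
        path.append(p)
    return path
```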
Subcontractor Flow-Down
Prime contractors must flow down CMMC requirements to subcontractors who handle FCI or CUI.
This means prime contractors are responsible for verifying that their CUI-handling subcontractors meet the applicable CMMC level before awarding subcontracts.
Contractor Obligation Under DFARS 252.204-7012
DFARS 252.204-7012 requires contractors to provide adequate security for all covered defense information on their systems. Contractors must implement security requirements in NIST SP 800-171 and report cyber incidents within 72 hours.
The 14 CMMC Practice Domains
CMMC Level 2 practices span 14 domains aligned with the NIST 800-171 Rev 2 practice families. The domain names differ slightly from the NIST family names; the mapping is one-to-one.
| Domain | NIST Family | Practices (L2) |
|---|---|---|
| Access Control (AC) | AC | 22 |
| Awareness and Training (AT) | AT | 3 |
| Audit and Accountability (AU) | AU | 9 |
| Configuration Management (CM) | CM | 9 |
| Identification and Authentication (IA) | IA | 11 |
| Incident Response (IR) | IR | 3 |
| Maintenance (MA) | MA | 6 |
| Media Protection (MP) | MP | 9 |
| Personnel Security (PS) | PS | 2 |
| Physical Protection (PE) | PE | 6 |
| Risk Assessment (RA) | RA | 3 |
| Security Assessment (CA) | CA | 4 |
| System and Communications Protection (SC) | SC | 16 |
| System and Information Integrity (SI) | SI | 7 |
| Total | | 110 |
Scoping: what systems are in scope
CUI scope determines which systems require CMMC certification. A system is in scope if it:
- Processes, stores, or transmits CUI
- Provides security protection for systems that process, store, or transmit CUI
- Connects to systems that process, store, or transmit CUI without adequate isolation
The CUI Registry defines which information categories constitute CUI.
Source: CUI Registry — National Archives
FCI scope is broader: any contractor who receives Federal Contract Information in the performance of a contract is subject to CMMC Level 1, regardless of whether CUI is present.
The REAEGIS scoping wizard at reaegis.com/cmmc walks through a 7-step questionnaire, with no account required, to determine your organization's CMMC level requirement and system boundary.
False Claims Act exposure
The Department of Justice has brought False Claims Act (31 U.S.C. § 3729) enforcement actions against contractors who submitted inaccurate SPRS self-assessments. A self-assessment that overstates implementation — even if not intentional — creates FCA exposure for the contractor and any individual officers who certify it.
The risk is structural: self-assessments are submitted to SPRS based on a contractor's own interpretation of "implemented." But the DoD Assessment Methodology is specific about what "implemented" means for each of the 110 practices. Claiming a practice is implemented when it only partially meets the methodology's criteria can constitute a false claim.
REAEGIS mitigates this risk by:
- Evidence-backed status. Each of the 110 practices can be linked to scanner evidence, configuration records, or penetration test findings that independently support the implementation claim.
- FCA exposure dashboard. REAEGIS flags AI tools, AI-assisted development environments, and practices with AI dependencies that create additional FCA exposure under the DoD's emerging AI governance requirements.
- Signed evidence packages. All evidence is Cosign-signed and anchored to Rekor, providing a verifiable record of what was claimed and when.
Preparing for a C3PAO assessment
CMMC Level 2 critical CUI programs require a third-party assessment by a C3PAO (CMMC Third Party Assessment Organization). A C3PAO assessment follows the DoD Assessment Methodology and results in a CMMC certificate valid for three years.
What assessors examine:
C3PAOs use the CMMC Assessment Process (CAP) to examine each of the 110 practices. For each practice, they will request:
- Documented policy or procedure
- Technical evidence that the policy is implemented (configuration screenshots, scan results, logs)
- Interview responses from personnel responsible for the control
Common assessment findings:
The following practice domains generate the highest frequency of C3PAO findings based on assessment reports:
| Domain | Common finding |
|---|---|
| AC | Excessive privileged access; shared accounts; missing MFA |
| AU | Audit log retention under 90 days; gaps in audit coverage |
| CM | Baseline configurations not documented; unauthorized software installed |
| IA | Password policies not enforced; weak authenticator management |
| SC | Unencrypted CUI in transit; insufficient network segmentation |
| SI | Vulnerability patches more than 30 days old; no malware scanning |
REAEGIS maps each of the 9 RAMPART gates to the domains above. A failure of the VULNERABILITY gate maps directly to an SI finding, the domain most frequently cited in C3PAO reports.
CMMC Level 3 — Expert
Level 3 requires implementation of all 110 Level 2 practices plus 24 additional practices from NIST SP 800-172 (Protecting CUI in Nonfederal Critical Information Systems and Organizations). The additional practices focus on advanced persistent threat (APT) resilience.
The 24 additional practices span:
- Enhanced configuration management and change control
- Penetration testing requirements
- Deception technologies
- Advanced threat hunting
- Critical program protection
Level 3 assessments are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — not C3PAOs.
NIST 800-171 Rev 3 transition
NIST published SP 800-171 Rev 3 in May 2024. It replaces the 110 requirements of Rev 2 with 98 active requirements (some were removed, some were reorganized). CMMC Level 2 is currently anchored to Rev 2; the DoD has not yet published a CMMC rulemaking that mandates Rev 3.
Contractors should:
- Complete Rev 2 compliance first (required now)
- Conduct a gap analysis between Rev 2 and Rev 3 (REAEGIS generates this automatically)
- Plan Rev 3 transition for when DoD updates CMMC requirements
See the NIST 800-171 Rev 3 transition guide for the delta analysis and REAEGIS transition tooling.
How REAEGIS Supports CMMC
| Capability | How it works |
|---|---|
| SPRS Score Calculator | Computes your score live from 110 control implementation records; shows gap-to-88 remediation path |
| Free CMMC Scoping Wizard | 7-step guided assessment with no account required — reaegis.com/cmmc |
| Subcontractor Portal | DFARS 252.204-7021-compliant portal for CUI-handling subcontractors to attest 110 practices |
| CMMC UID Management | Tracks CMMC unique identifiers per system across assessment cycles |
| 110 Control Tracking | Full NIST 800-171 Rev 2 control catalog with implementation status, narratives, and evidence |
| NIST 800-171 Rev 3 Transition | Delta engine with readiness score; 88 ODP definitions for DoD-defined values |
| FCA Risk Dashboard | Flags AI tools and practices that create False Claims Act exposure |
| C3PAO Assessment Prep | Evidence packages, control narratives, and practice attestation per CAP methodology |
| Penetration Test Integration | ACAS/Nessus and manual pentest PDF import; findings mapped to CA-8 |
| OSCAL Output | SSP, POA&M, and assessment results in NIST OSCAL format |
Related guides
- NIST SP 800-171 Rev 2 — Full 110-practice breakdown and SPRS scoring
- NIST SP 800-171 Rev 3 — Rev 3 requirements and transition from Rev 2
- RAMPART Engine — How RAMPART gates map to CMMC domains
- ARE Engine — Autonomous remediation for open CMMC findings