Understanding Cybersecurity Maturity Model Certification: The New Standard for Doing Business with the Department of Defense

PKWARE
Blog
April 20, 2026

For anyone working with or hoping to work with the Department of Defense (DoD), cybersecurity compliance is no longer optional. It’s now a condition of doing business. The DoD created the Cybersecurity Maturity Model Certification (CMMC) to solve a growing problem within the defense supply chain: inconsistent protection of sensitive information and unreliable self-reporting of compliance.

CMMC changes that equation. It replaces self-attestation with formal certification, holding every defense contractor to clearly defined technical and legal standards. For thousands of organizations across the Defense Industrial Base (DIB), those standards are both explicit and non-negotiable.

Why Cybersecurity Maturity Model Certification Exists

The DoD depends on a vast network of suppliers, subcontractors, and service providers. These organizations handle two main types of information:

  • Federal Contract Information (FCI): Data generated under government contracts not meant for public release
  • Controlled Unclassified Information (CUI): Sensitive but unclassified material such as technical drawings, specifications, or export-controlled data

Before CMMC, the government relied on contractors to self-report compliance with the NIST SP 800-171 cybersecurity framework. However, assessments revealed large gaps—particularly around encryption and data protection.

The result was predictable: inconsistent safeguards across the supply chain and, with them, increased risk to national security.

CMMC aims to correct that, ensuring accountability through verified audits and standardized certification.

The Three Levels of Compliance

CMMC 2.0 organizes requirements into three tiers:

Foundational: Level 1

  • Defines the basic safeguards for contractors that handle FCI only.
  • Maps to the basic safeguarding requirements of FAR 52.204-21 (15 requirements in the final CMMC rule; earlier CMMC 2.0 material counted them as 17 practices). Organizations self-assess every year and record the result, with a senior official's affirmation, in SPRS.

Advanced: Level 2

  • Applies to contractors that process, store, or transmit CUI.
  • Requires full implementation of the 110 security requirements of NIST SP 800-171 across 14 domains, covering everything from access control to system and information integrity.
  • Most contracts require a triennial assessment by an authorized C3PAO; a smaller set of contracts allow a Level 2 self-assessment instead.

Expert: Level 3

  • Pertains to companies working on the DoD’s most sensitive programs.
  • Adds 24 enhanced requirements drawn from NIST SP 800-172 on top of the Level 2 baseline, assessed by the government (DCMA’s DIBCAC) rather than by a C3PAO.

CMMC clauses began appearing in contracts in late 2025, when the DFARS rule took effect and the phased rollout opened with self-assessments. From November 2026, most Level 2 solicitations will require a C3PAO certification rather than a self-assessment, and the DoD expects the requirement to reach all applicable contracts, the final phase of the rollout, by late 2028.

The Technical Backbone: NIST SP 800-171

At the heart of CMMC Level 2 is NIST SP 800-171 (Revision 2, the version the CMMC rule references), a set of 110 detailed security requirements grouped into 14 domains. These domains address how organizations manage access, secure data, respond to incidents, and ensure system and information integrity.

Compliance requires technology, policy, and people working in tandem. It’s not enough to install software. You must document, implement, and prove that every control works as intended.

Encryption and CMMC Compliance

One of the most critical (and challenging) requirements involves encryption. NIST SP 800-171 requires organizations to protect the confidentiality of CUI at rest (3.13.16) and during transmission (3.13.8), and wherever cryptography is used for that purpose it must be FIPS-validated (3.13.11). Many encryption tools fall short of this standard: they cover only one of the two states, or they rely on cryptographic modules that have never been through CMVP validation.

Full-disk encryption such as BitLocker protects data only while the volume is locked, that is, when the machine is off or the disk has been removed. Once the system boots and the volume is unlocked, every process reads plaintext, and any copy made to email, removable media, a cloud share, or a partner’s system leaves the disk unprotected. A compromised running system therefore exposes the files exactly as if they had never been encrypted. Legacy encryption tools also tend to disrupt workflows, break applications, and lock users out of the files they need to do their jobs.

Data-Centric Security to Eliminate Exposure

Organizations should not have to choose between productivity and compliance. Encryption must work in the background, giving authorized users and applications seamless access without interrupting day-to-day work. Persistent, file-level protection keeps CUI encrypted throughout its lifecycle: on endpoints, as it traverses a network, and when it is exchanged with partners and the DoD. Because the protection travels with the file rather than with the disk, the same control addresses both the at-rest and the in-transit requirements, and a file copied off an unlocked volume is still ciphertext.
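As an added illustration of the file-level approach described above (example code written for this article, not PKWARE’s product or any specific tool), the following Go program wraps a file in a self-describing container: a header carrying the CUI marking and a per-file key identifier, authenticated together with the body under AES-256-GCM, so the marking cannot be stripped and the bytes stay opaque wherever they are copied. The container layout, the in-memory key-encrypting key, and the HMAC-based key derivation are assumptions of the example; a deployment would hold the KEK in a KMS or HSM. Go’s standard crypto package is used for clarity and is not by itself a CMVP-validated module, so the code demonstrates the data-centric pattern, not satisfaction of the FIPS-validated cryptography requirement.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Container layout (an assumption of this example, not a published format):
//   "CUI1" | fileID[16] | markLen uint16 BE | marking | nonce[12] | AES-256-GCM(body || tag)
// Everything before the nonce is GCM additional authenticated data, so the
// marking cannot be stripped or downgraded without decryption failing.
var magic = []byte("CUI1")
const fileIDLen, nonceLen = 16, 12
var ErrNotContainer = errors.New("not a CUI1 container")

// aeadFor derives a per-file AES-256 key from the key-encrypting key (KEK) with
// HMAC-SHA256 as a one-block KDF (simplified SP 800-108) and returns AES-GCM over it.
// The KEK is an in-memory slice here; a deployment keeps it in a KMS or HSM.
func aeadFor(kek, fileID []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, kek)
	mac.Write(append(append([]byte{0x01}, "CUI-file-key"...), fileID...))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps plaintext in a container bound to the given CUI marking.
func Seal(kek []byte, marking string, plaintext []byte) ([]byte, error) {
	if len(marking) == 0 || len(marking) > 0xFFFF {
		return nil, errors.New("marking must be 1..65535 bytes")
	}
	rnd := make([]byte, fileIDLen+nonceLen) // fresh file ID and nonce per container
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return nil, err
	}
	fileID, nonce := rnd[:fileIDLen], rnd[fileIDLen:]
	hdr := append([]byte{}, magic...)
	hdr = append(hdr, fileID...)
	hdr = append(hdr, byte(len(marking)>>8), byte(len(marking)))
	hdr = append(hdr, marking...)
	aead, err := aeadFor(kek, fileID)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(out, nonce, plaintext, hdr), nil // header is the AAD
}

// Open parses a container, re-derives the file key, verifies header and body together.
func Open(kek, container []byte) (string, []byte, error) {
	if !IsProtected(container) || len(container) < len(magic)+fileIDLen+2 {
		return "", nil, ErrNotContainer
	}
	pos := len(magic) + fileIDLen
	fileID := container[len(magic):pos]
	markLen := int(binary.BigEndian.Uint16(container[pos:]))
	pos += 2
	if len(container) < pos+markLen+nonceLen {
		return "", nil, ErrNotContainer
	}
	marking := string(container[pos : pos+markLen])
	pos += markLen
	hdr, nonce := container[:pos], container[pos:pos+nonceLen]
	aead, err := aeadFor(kek, fileID)
	if err != nil {
		return "", nil, err
	}
	plaintext, err := aead.Open(nil, nonce, container[pos+nonceLen:], hdr)
	if err != nil {
		return "", nil, fmt.Errorf("authentication failed (tampered header or body, or wrong key): %w", err)
	}
	return marking, plaintext, nil
}

// IsProtected is the at-rest check a share scanner or an assessor's control test runs.
func IsProtected(b []byte) bool {
	return len(b) >= len(magic) && bytes.Equal(b[:len(magic)], magic)
}

func main() {
	kek := make([]byte, 32) // demo KEK; a deployment fetches it from a KMS/HSM
	io.ReadFull(rand.Reader, kek)
	box, _ := Seal(kek, "CUI//SP-EXPT", []byte("constructed sample: drawing DWG-0001 tolerances")) // constructed stand-in for CUI
	fmt.Println("plaintext visible:", bytes.Contains(box, []byte("DWG-0001"))) // false: a copy anywhere stays ciphertext
	box[len(magic)+fileIDLen+2] ^= 0xFF // downgrade attempt: alter one byte of the marking
	_, _, err := Open(kek, box)
	fmt.Println("tampered marking rejected:", err != nil) // true
}
```

IsProtected is the kind of check an assessor’s control test or a share-scanning job would run: any file marked CUI that sits on a share without the container header is a finding. The tampering step in main shows why the header is authenticated rather than merely prepended: editing the marking, the body, or using the wrong KEK all fail the GCM tag check instead of silently yielding a file with a weaker label.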

What a Cybersecurity Maturity Model Certification Assessment Looks Like

Most contractors seeking Level 2 certification will work with a CMMC Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB, the program’s accreditation body. The assessment team evaluates three kinds of evidence:

  • The organization’s documentation (policies, procedures, security plans)
  • Interviews with personnel responsible for implementation
  • Testing of actual controls in the environment

Assessors verify, not assume. Organizations must demonstrate compliance in practice, and the assessment is scored against all 110 requirements; a limited set of lower-weighted requirements may be left open on a Plan of Action and Milestones (POA&M), but they must be closed within 180 days or the conditional certification lapses. The C3PAO records the results in the CMMC instance of the DoD’s Enterprise Mission Assurance Support Service (eMASS), and the organization then attests to continued compliance through an annual affirmation in SPRS. A final certification is valid for three years.

What It Means for the Defense Industry

For companies that have treated CMMC as a future issue, time is running short. With compliance language now embedded in contracts, preparation must begin immediately. Implementing all 110 NIST controls can take 12–18 months of focused work.

But there’s good news: CMMC brings clarity. By defining exact requirements and requiring proof, contractors have a roadmap for secure operations and long-term eligibility to work with the DoD.

CMMC isn’t just another cybersecurity checklist. It’s an enforceable standard written into acquisition regulations and contract clauses, where an inaccurate affirmation of compliance carries legal liability. Companies that understand and embrace that standard are better positioned to protect national interests, and more likely to keep doing business in one of the most demanding, high-stakes environments in the world.

Want to learn more about achieving CMMC compliance with PKWARE? Explore how we support it with data-centric encryption.

