If you work as a contractor for the United States Government, you must comply with stricter security rules than ordinary companies. One such framework is CMMC (Cybersecurity Maturity Model Certification), which applies to the handling of sensitive unclassified information.
What is CMMC?
- CMMC (Cybersecurity Maturity Model Certification) is a unified cybersecurity standard developed by the U.S. Department of Defense (DoD) to protect Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB).
It builds on frameworks like NIST SP 800-171, adding certification levels and third-party assessments to ensure consistent cybersecurity practices among contractors and subcontractors.
What is CUI?
- Controlled Unclassified Information (CUI) is sensitive but unclassified information that the U.S. federal government creates or possesses, or that is created by a non-federal entity (like a contractor) on behalf of the government, and which requires safeguarding or dissemination controls in accordance with laws, regulations, or government-wide policies.
It’s not secret or top secret, but it’s still sensitive enough that unauthorized access could cause harm to national interests, law enforcement, or individual privacy.
Some examples of CUI are:
- PII (personally identifiable information) and PHI (protected health info)
- Military specs, logistics plans, mission data
- ITAR/EAR-regulated technical drawings
- Taxpayer data, procurement records
- Details about energy grids, water systems
- Grand jury subpoenas, attorney-client privilege docs
Federal agencies must mark documents and systems containing CUI using standard labels, such as “Controlled // CUI.”
- If you handle CUI in any form—whether it’s stored in a WordPress admin panel, transferred via email, or used in project documentation—then CMMC Level 2 compliance is required. Your security controls, incident response, and access policies must align with NIST SP 800-171.
What is DIB?
- The Defense Industrial Base (DIB) is the network of private sector companies and organizations that provide products, services, and research to support U.S. national defense and military operations.
This includes everything from weapons systems and military hardware to software, cybersecurity, logistics, and IT services. If a company supports the Department of Defense (DoD)—even indirectly—it is considered part of the DIB.
The DIB is considered critical infrastructure by the U.S. government because it directly impacts national security. It enables the readiness, modernization, and mission effectiveness of U.S. forces. Furthermore, it often handles Controlled Unclassified Information (CUI) and classified data.
What to do for CMMC compliance
The key steps to CMMC compliance are:
- Determine whether your organization processes, stores, or transmits Controlled Unclassified Information.
- Compare your current practices against NIST SP 800-171 (for Level 2), identifying control gaps.
- Document how each control is implemented, including diagrams, configurations, and policies.
- Detail plans to remediate gaps with deadlines, responsible parties, and resource estimates.
- Go through the assessment process: a yearly self-assessment for Level 1 compliance, third-party assessments (by a C3PAO) for prioritized programs for Level 2 compliance, and assessments conducted by DoD assessors for Level 3 compliance.
- Show ongoing cybersecurity improvements, audit logging, and incident response capabilities.
Overall, CMMC compliance covers all the key areas of strong cybersecurity practices: access controls, incident response, system integrity and configuration, risk assessment, identification and authentication, security awareness and training, physical protection, media protection, maintenance and personnel security.