Understanding Cybersecurity Maturity Model Certification: The New Standard for Doing Business with the Department of Defense

PKWARE
Blog
April 20, 2026
For anyone working with or hoping to work with the Department of Defense (DoD), cybersecurity compliance is no longer optional. It’s now a condition of doing business. The DoD created the Cybersecurity Maturity Model Certification (CMMC) to solve a growing problem within the defense supply chain: inconsistent protection of sensitive information and unreliable self-reporting of compliance.

CMMC changes that equation. It replaces self-attestation with formal certification, holding every defense contractor to clearly defined technical and legal standards. For thousands of organizations across the Defense Industrial Base (DIB), those standards are both explicit and non-negotiable.

Why Cybersecurity Maturity Model Certification Exists

The DoD depends on a vast network of suppliers, subcontractors, and service providers. These organizations handle two main types of information:

  • Federal Contract Information (FCI): Data generated under government contracts not meant for public release
  • Controlled Unclassified Information (CUI): Sensitive but unclassified material such as technical drawings, specifications, or export-controlled data

Before CMMC, the government relied on contractors to self-report compliance with the NIST SP 800-171 cybersecurity framework. However, assessments revealed large gaps—particularly around encryption and data protection.

The result was predictable: inconsistent safeguards across the supply chain, and with them increased risk to national security.

CMMC aims to correct that, ensuring accountability through verified audits and standardized certification.

The Three Levels of Compliance

CMMC 2.0 organizes requirements into three tiers:

Foundational: Level 1

  • Defines the basic safeguards for contractors handling FCI only.
  • Directs organizations to self-assess their compliance with 17 core practices.

Advanced: Level 2

  • Applies to contractors handling CUI.
  • Requires full implementation of 110 cybersecurity controls across 14 domains, covering everything from access control to system integrity.
  • Usually involves a third-party assessment.

Expert: Level 3

  • Pertains to companies working on the DoD’s most sensitive programs.
  • Includes additional enhanced protections and a government-led evaluation.

CMMC requirements began appearing in contracts in late 2025. By the end of 2026, most Level 2 contractors will need third-party certification. The DoD expects to establish full enforcement by 2028.

The Technical Backbone: NIST SP 800-171

At the heart of CMMC Level 2 is NIST SP 800-171, a set of 110 detailed cybersecurity requirements grouped into 14 domains. These domains address how organizations manage access, secure data, respond to incidents, and ensure system integrity.

Compliance requires technology, policy, and people working in tandem. It’s not enough to install software. You must document, implement, and prove that every control works as intended.

Encryption and the Law: FIPS Validation Matters

One of the most critical (and commonly misunderstood) requirements involves encryption. When protecting CUI, organizations must use FIPS-validated cryptography—not just “FIPS-compliant” tools.

FIPS-Validated Cryptography vs. FIPS-Compliant Tools

That distinction matters under federal rules. “Validated” means the specific cryptographic module has been tested and certified by an accredited lab under the Cryptographic Module Validation Program (CMVP). Vendors must be able to provide a valid CMVP certificate number; if they can’t, the encryption doesn’t meet the standard, however “compliant” the marketing claims.

In practice, this requirement covers data at rest and in transit. It applies to any environment: servers, VPN transmissions, emails, and the cloud.

With the transition to FIPS 140-3 underway in 2026, organizations should prioritize solutions already validated to the newer standard to avoid compliance gaps.

What Cybersecurity Maturity Model Certification Looks Like

Most contractors seeking Level 2 certification will work with a Certified Third-Party Assessor Organization (C3PAO), accredited by the Cyber AB. These assessors evaluate three things:

  • The organization’s documentation (policies, procedures, security plans)
  • Interviews with personnel responsible for implementation
  • Testing of actual controls in the environment

Assessors verify, not assume: organizations must demonstrate compliance in practice. Assessment results are submitted to the DoD’s Enterprise Mission Assurance Support Service (eMASS) system, and once approved, certification is valid for three years.

What It Means for the Defense Industry

For companies that have treated CMMC as a future issue, time is running short. With compliance language now embedded in contracts, preparation must begin immediately. Implementing all 110 NIST controls can take 12–18 months of focused work.

But there’s good news: CMMC brings clarity. By defining exact requirements and requiring proof, contractors have a roadmap for secure operations and long-term eligibility to work with the DoD.

CMMC isn’t just another cybersecurity checklist. It’s an enforceable standard that ties directly to the rule of law in federal contracting. Companies that understand and embrace that standard could be in a better position to protect national interests. They are also more likely to continue doing business in one of the most demanding, high-stakes environments in the world.

Want to learn more about achieving CMMC compliance with PKWARE? Explore how we support it with data-centric encryption.
