CMMC: The Guide to Cybersecurity Maturity Model Certification
CMMC is mandatory for organizations in the defense industrial base. This guide covers the three certification levels, how to prepare for assessment, and how verifiable evidence infrastructure strengthens CUI protection.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to ensure that organizations in the defense industrial base (DIB) adequately protect sensitive unclassified information. CMMC 2.0, the current version, streamlines the original five-level model into three levels aligned with existing NIST standards.
CMMC applies to any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts. This includes prime contractors, subcontractors, and suppliers at any tier of the defense supply chain. If your organization stores, processes, or transmits FCI or CUI for a DoD contract, CMMC is on your roadmap.
The framework was created because the DoD found that the existing self-attestation model for NIST SP 800-171 compliance (required under DFARS 252.204-7012) was insufficient. Too many contractors were self-certifying compliance without actually implementing the required controls. For most organizations handling CUI, CMMC replaces self-attestation with third-party assessment, creating accountability that was previously absent.
As CMMC requirements flow down through contracts, organizations that achieve certification early gain a competitive advantage in DoD contracting. Those that delay risk being excluded from contract opportunities as prime contractors increasingly require CMMC certification from their supply chain partners.
The three CMMC levels
Level 1 (Foundational) covers the basic safeguarding requirements of FAR clause 52.204-21, enumerated as 17 practices in the CMMC model (the final CMMC program rule counts them as 15 requirements). These are fundamental cybersecurity hygiene practices spanning six families: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Level 1 applies to organizations handling only FCI and requires an annual self-assessment with an affirmation by a senior official.
Level 2 (Advanced) requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. This level applies to organizations handling CUI and requires either a self-assessment or a third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO); which one applies is specified in the solicitation or contract based on the sensitivity of the CUI involved. Most defense contractors handling CUI should expect Level 2 with a C3PAO assessment, renewed every three years with an annual affirmation in between.
Level 3 (Expert) requires all NIST SP 800-171 requirements plus 24 enhanced security requirements selected from NIST SP 800-172. This level applies to organizations handling the most sensitive CUI and requires a government-led assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A Level 3 assessment presupposes a current Level 2 certification from a C3PAO. Level 3 is reserved for organizations supporting the most critical programs.
The practical reality for most defense contractors is Level 2. The 110 NIST 800-171 requirements span access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
Key insight. CMMC Level 2 requires implementation of all 110 NIST SP 800-171 requirements, not just their documentation. C3PAOs assess each requirement against the assessment objectives in NIST SP 800-171A using the examine, interview, and test methods, so a control must be shown operating, not merely designed. The gap between documented controls and provably operating controls is where most assessment failures occur.
Preparing for CMMC assessment
Preparation begins with scoping. Identify all systems that process, store, or transmit CUI. Map CUI flows across your organization, including subcontractors and cloud services. The scope of your CMMC assessment is determined by your CUI boundary — minimizing that boundary through network segmentation and data flow restriction reduces both assessment scope and implementation cost.
Conduct a gap assessment against the applicable NIST SP 800-171 requirements. For each requirement, determine whether your current controls are fully implemented, partially implemented, or not implemented. Document findings in a System Security Plan (SSP) and create a Plan of Action and Milestones (POA&M) for any gaps. Do not treat the POA&M as a substitute for remediation: CMMC permits a POA&M at assessment time only for a limited set of lower-weighted requirements, only above a minimum score, and only if the open items are closed out within 180 days, after which a conditional certification lapses.
Remediate identified gaps. This typically involves implementing missing technical controls, establishing documented procedures, conducting workforce training, and deploying monitoring and logging infrastructure. Pay particular attention to the audit and accountability family of controls (3.3.x), which require organizations to create, protect, and retain information system audit records to enable monitoring, analysis, investigation, and reporting.
The audit and accountability controls are where many organizations struggle. NIST SP 800-171 requires that audit records contain sufficient information to establish what occurred, when it occurred, where it occurred, the source of the event, and its outcome, and that each action be traceable to an individual user. Audit records and the logging tools themselves must be protected from unauthorized access, modification, and deletion, and a failure of the logging process (including exhausted storage) must raise an alert rather than silently dropping records. For organizations processing CUI through automated systems, these requirements demand robust, tamper-evident logging that goes beyond standard application logs.
Engage a Registered Practitioner (RP) or Registered Provider Organization (RPO) for pre-assessment readiness review. They can identify issues that a C3PAO would flag and help you address them before the formal assessment. This step is not mandatory but significantly improves assessment outcomes.
CMMC audit and accountability requirements
The audit and accountability controls in NIST 800-171 (family 3.3) are among the most technically demanding and most scrutinized during CMMC assessments.
Requirement 3.3.1 mandates creating and retaining system audit logs and records sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Requirement 3.3.2 requires ensuring that individual users' actions can be uniquely traced to those users for accountability.
Requirement 3.3.3 requires reviewing and updating the set of logged events. Requirement 3.3.4 requires alerting in the event of an audit logging process failure. Requirement 3.3.5 requires correlating audit record review, analysis, and reporting processes to support investigation of and response to unlawful, unauthorized, suspicious, or unusual activity. Requirement 3.3.6 requires audit record reduction and report generation to support on-demand analysis, and requirement 3.3.7 requires system clocks synchronized to an authoritative time source so that timestamps across records can be compared.
Most critically, requirement 3.3.8 requires protecting audit information and audit logging tools from unauthorized access, modification, and deletion, and requirement 3.3.9 requires limiting management of audit logging functionality to a subset of privileged users. This is where standard application logging falls short: if the same administrators who operate the systems can modify or delete the audit logs, and nothing would reveal that they had done so, the logs do not satisfy the protection requirement.
Cryptographic proof infrastructure supports 3.3.8 by creating audit records that are hashed, chained to their predecessors, signed, and stored in an append-only ledger, so that any modification, reordering, or truncation after the fact is detectable. Each record receives an independent verification URL that assessors can check without accessing the organization's systems. Two caveats apply. Tamper evidence is not tamper prevention: the signing key and the published ledger head must be held outside the control of the administrators whose actions are being logged, or a privileged insider could simply re-sign a rewritten history. And hashing does nothing for the "unauthorized access" half of 3.3.8, so access control on the logs and on the logging tools (3.3.9) is still required. Used alongside those controls, cryptographic integrity gives assessors a verifiable basis for trusting the records rather than taking the organization's word for it.
Building a CMMC-ready evidence infrastructure
CMMC assessments are evidence-intensive. Assessors will request documentation, observe processes, interview personnel, and test controls across all applicable requirements. The organizations that navigate assessment efficiently are those with systematic evidence collection and readily accessible records.
Build your evidence infrastructure around three principles. First, automate evidence collection wherever possible. Manual evidence gathering is slow, inconsistent, and prone to errors that assessors will identify. Use compliance automation tools that continuously monitor control implementation and aggregate evidence.
Second, ensure evidence integrity. Assessors must trust that the evidence you present accurately reflects your operations. Evidence stored in modifiable formats — editable documents, database records accessible to administrators, application logs without integrity protection — is inherently weaker than evidence with cryptographic integrity guarantees.
Third, maintain continuous readiness. Assessment dates are driven by contract timelines and C3PAO availability, not by when your evidence happens to be in order. Organizations that collect evidence continuously, rather than scrambling to compile it before an assessment, demonstrate operational maturity and typically receive cleaner assessment results.
For organizations processing CUI through AI systems, automated decision engines, or complex data pipelines, proof infrastructure creates a parallel evidence trail that supports both the audit and accountability requirements and the system and information integrity requirements. Each CUI processing event receives a cryptographic attestation recording what was processed, when, and with what outcome, which assessors can verify independently of the system that produced it.