🛡️ STATUS BADGE: 🟢 ELIGIBLE (Self-Hosted)
Executive Summary: What is it?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a US Department of Defense (DoD) program that requires all contractors, subcontractors, and suppliers in the Defense Industrial Base (DIB) to achieve a verified cybersecurity posture before handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC is not a product certification — it is an organizational certification that validates a contractor's security practices against a tiered model built on NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3). Phase 1 implementation began November 2025; full enforcement across all DoD contracts is mandatory by October 2026.
CFO / Business Impact: What does it cost/risk?
- Defense Contract Access: CMMC certification is a contractual prerequisite for participating in DoD procurements involving FCI or CUI. Non-certified contractors are excluded from bids regardless of technical capability.
- Supply Chain Flow-Down: Prime contractors must flow CMMC requirements down to all subcontractors and suppliers that touch covered information. A single non-certified vendor in the supply chain creates contract risk for the prime.
- Assessment Cost: Level 2 assessments by a C3PAO (CMMC Third-Party Assessment Organization) typically run $50,000–$250,000 depending on organizational scope and the number of systems in the assessment boundary.
Technical Reality: How does it work?
- Three Levels: Level 1 (17 basic practices, annual self-assessment) covers FCI. Level 2 (110 practices mapped to NIST SP 800-171, triennial third-party assessment) covers CUI. Level 3 (advanced practices from NIST SP 800-172, government-led assessment) covers the most sensitive DoD programs.
- Assessment Boundary: Only systems that process, store, or transmit FCI/CUI fall within scope. Isolating CUI to a defined enclave (e.g., a self-hosted, air-gapped system) limits assessment scope and cost.
- Self-Hosted Advantage: Software deployed on contractor-controlled infrastructure — with no vendor cloud callbacks — keeps CUI inside the contractor's own security boundary, which keeps the CMMC assessment boundary small and clearly defined. Vendor SaaS platforms that commingle data with other tenants or require vendor access to CUI environments pull the vendor into the boundary and complicate the assessment.
- SPRS Score: Level 2 self-assessments require contractors to upload a score to the DoD Supplier Performance Risk System (SPRS). A score below 110 is permitted but must be accompanied by a Plan of Action & Milestones (POA&M).