Chapter 1 of 14
# Module 1: CMMC 2.0 in Context – Why It Exists and Who It Affects
Introduce the CMMC 2.0 program, its purpose in protecting the Defense Industrial Base, and the regulatory framework that now makes CMMC mandatory in DoD contracts.
## Step 1 – Why CMMC Exists: The Cyber Threat to the Defense Industrial Base
### Big Picture: Why Did DoD Create CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program exists because the U.S. Department of Defense (DoD) concluded that voluntary and self-attested cybersecurity in the Defense Industrial Base (DIB) was not sufficient.
Over the last 10–15 years, the DIB has been a prime target for:
- Nation‑state espionage (e.g., theft of weapons system designs, logistics data)
- Intellectual property theft from defense contractors and their suppliers
- Supply chain attacks via small subcontractors and managed service providers (MSPs)
Historically, DoD relied heavily on DFARS 252.204‑7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which incorporated NIST SP 800‑171 requirements but allowed contractors to self‑attest that they were compliant. Repeated incident data and audits showed:
- Many firms claimed compliance but had large gaps.
- Prime contractors often had limited visibility into subcontractor cybersecurity.
- Adversaries deliberately targeted smaller, less mature suppliers as entry points.
CMMC was created to make cybersecurity maturity visible and enforceable across the entire defense supply chain, not just at the prime contractor level.
Key idea: CMMC is not just about checking boxes; it is a risk management mechanism to raise the baseline security of the entire Defense Industrial Base.
## Step 2 – From CMMC 1.0 to CMMC 2.0: Evolution and Simplification
### Timeline and Evolution
CMMC 1.0 (announced 2020):
- Introduced 5 maturity levels (1–5) with a mix of NIST controls and additional CMMC‑unique practices.
- Required third‑party certification for many contracts.
- Criticized as too complex, too fast, and too expensive, especially for small businesses.
CMMC 2.0 (announced November 2021, finalized rule published in 2025):
- Reduced to 3 levels:
  - Level 1 – Foundational: Basic safeguarding of Federal Contract Information (FCI).
  - Level 2 – Advanced: Protection of Controlled Unclassified Information (CUI), aligned closely with NIST SP 800‑171 Rev. 2.
  - Level 3 – Expert: For highest‑priority programs, aligned with NIST SP 800‑172-type enhanced protections.
- Removed most CMMC‑unique practices; re‑centered on NIST.
- Introduced more flexible assessment mechanisms:
  - Some Level 2 programs require third‑party assessments.
  - Others allow annual self‑assessments with senior official affirmation.
As of November 10, 2025, CMMC 2.0 has moved from policy concept to enforceable regulation and contract requirement via:
- 32 CFR Part 170 – the core DoD CMMC rule.
- 48 CFR / DFARS clauses – the mechanism that makes CMMC binding in contracts.
Key idea: CMMC 2.0 is leaner and more NIST‑aligned than 1.0 but more enforceable because it is now embedded in the Code of Federal Regulations and the DFARS.
## Step 3 – Regulatory Pillar 1: 32 CFR Part 170 (The CMMC Rule)
### What Is 32 CFR Part 170?
32 CFR Part 170 is the DoD’s formal regulation governing the CMMC program. It is codified in Title 32 of the Code of Federal Regulations (National Defense).
Conceptually, 32 CFR Part 170 does four big things:
1. Establishes the CMMC Program
   - Defines the scope and objectives of CMMC.
   - States that CMMC is intended to protect FCI and CUI in the DIB.
2. Defines Levels and Assessment Types
   - Codifies CMMC Levels 1, 2, and 3.
   - Distinguishes between self‑assessment, third‑party assessment (C3PAO), and government assessment.
3. Creates the Governance Structure
   - Identifies the roles of the DoD Chief Information Officer (CIO), the CMMC Program Management Office (PMO), and other stakeholders.
   - Provides the legal basis for CMMC Assessment Organizations, certification bodies, and training.
4. Links CMMC to Contracting Policy
   - States that DoD contracting activities must use CMMC requirements in solicitations and contracts.
   - Directs how CMMC requirements are to be integrated into acquisition processes.
### Why 32 CFR Part 170 Matters
- Without 32 CFR Part 170, CMMC would be policy guidance, not a binding rule.
- It gives DoD the authority to require specific cybersecurity maturity levels as a condition of contract award and performance.
Key idea: 32 CFR Part 170 is the legal backbone of CMMC; it defines the program and gives DoD the authority to demand compliance.
## Step 4 – Regulatory Pillar 2: 48 CFR / DFARS – Making CMMC Contractual
### From Regulation to Contract: 48 CFR and DFARS
While 32 CFR Part 170 establishes the CMMC program, DoD still needs a way to bind contractors to these requirements. That happens through Title 48 of the CFR, which contains the Federal Acquisition Regulation (FAR) and agency supplements, including the Defense Federal Acquisition Regulation Supplement (DFARS).
Key DFARS clauses for CMMC 2.0 include (as of November 10, 2025):
- DFARS 252.204‑7021 – Cybersecurity Maturity Model Certification Requirements
  - This is the primary CMMC clause.
  - It requires the contractor to:
    - Have the required CMMC level at time of award (and sometimes at specified milestones).
    - Maintain that level throughout contract performance.
    - Flow down appropriate CMMC requirements to subcontractors handling FCI or CUI.
- DFARS 252.204‑7025 – CMMC Program Requirements (the exact title varies slightly by rule version, but functionally this clause supports the program)
  - Clarifies program‑level obligations, such as:
    - Use of CMMC‑accredited assessors.
    - Handling of CMMC assessment data.
    - Conditions under which DoD can verify or challenge a contractor’s CMMC status.
- Continuing relevance of DFARS 252.204‑7012, 7019, 7020
  - 7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.
  - 7019: Notice of NIST SP 800‑171 DoD Assessment Requirements.
  - 7020: NIST SP 800‑171 DoD Assessment Requirements.
  - These clauses coexist with CMMC and often appear in the same contract. CMMC does not eliminate 7012/7019/7020; instead, it adds a maturity certification layer.
Key idea: 32 CFR Part 170 creates CMMC; DFARS 252.204‑7021 and 252.204‑7025 (plus related clauses) are how CMMC becomes legally enforceable in your contract.
## Step 5 – Interactive: Trace the Legal Chain
### Activity: Follow the Authority Chain
Work through this chain step by step and write a one‑sentence explanation for each link. Treat this like a short legal reasoning exercise.
1. Congress → DoD
   - Identify at least one way in which Congress influences or authorizes DoD cybersecurity requirements for contractors (e.g., via NDAA provisions).
   - Your task: Write a one‑sentence explanation: How does Congressional authority ultimately justify DoD imposing cybersecurity requirements on private contractors?
2. DoD → 32 CFR Part 170
   - DoD uses its statutory authority to issue 32 CFR Part 170.
   - Your task: Write one sentence explaining how 32 CFR Part 170 turns high‑level statutory authority into a formal regulatory program.
3. 32 CFR Part 170 → DFARS 252.204‑7021 / 7025
   - DoD acquisition policy offices implement the regulation through DFARS clauses.
   - Your task: Explain in one sentence why the existence of 32 CFR Part 170 is not enough by itself to bind contractors, and why DFARS clauses are necessary.
4. DFARS clauses → Individual Contract
   - Contracting officers insert clauses like 252.204‑7021 into solicitations and contracts.
   - Your task: Explain in one sentence how the presence of 252.204‑7021 in a contract creates a legally enforceable obligation on the contractor.
5. Contract → Subcontractors / MSPs
   - The prime contractor must flow down relevant clauses to subcontractors and service providers.
   - Your task: Identify one risk if a prime fails to properly flow down CMMC requirements to a subcontractor handling CUI.
When you are done, you should have a 5‑sentence narrative that explains, in your own words, how CMMC requirements become binding on a small subcontractor in the DIB.
## Step 6 – Who Must Comply? Primes, Subs, MSPs, and Edge Cases
### Core Rule: CMMC Follows the Data (FCI/CUI), Not Just the Prime
In practice, CMMC applies to any organization that processes, stores, or transmits FCI or CUI in performance of a DoD contract that includes the relevant DFARS clauses.
#### 1. Prime Contractors
- Always in scope when their contracts include CMMC clauses.
- Must achieve the CMMC level specified in the solicitation (often Level 1 or Level 2; Level 3 for select programs).
- Responsible for flow‑down to subcontractors and for verifying that subs meet the required level.
Example: A major defense integrator building a radar system holds detailed CUI on system performance. The contract specifies CMMC Level 2 third‑party assessment. The prime must:
- Obtain and maintain a CMMC Level 2 certification from a C3PAO.
- Ensure all subs handling radar design CUI also meet Level 2 (via self‑ or third‑party assessment, as specified).
#### 2. Subcontractors (Tier‑1, Tier‑2, etc.)
- In scope if they touch FCI or CUI.
- Required level may differ from the prime’s level depending on what data they handle.
Example:
- Tier‑1 sub: Manufactures a sensitive component using CUI drawings → CMMC Level 2 required.
- Tier‑2 sub: Provides generic fasteners using only public specs, no FCI/CUI → Might only need Level 1 or no CMMC clause at all, depending on contract structure.
#### 3. Managed Service Providers (MSPs) / Cloud / IT Providers
- If an MSP hosts, processes, or can access CUI/FCI as part of supporting a DIB client, it is typically considered in scope.
- The prime or higher‑tier contractor must ensure that the MSP’s environment meets the required CMMC level, or that the MSP is covered under an acceptable enclave / boundary strategy.
Example:
- A small defense contractor uses an MSP for:
  - File storage
  - Endpoint management
- The contractor stores CUI in the MSP‑managed cloud. The MSP therefore participates in handling CUI and must either:
  - Be CMMC Level 2‑equivalent in its controls and assessments, or
  - Operate within a CMMC‑compliant enclave controlled by the contractor.
#### Edge Case: Commercial‑Off‑The‑Shelf (COTS) Vendors
- Vendors providing pure COTS products (e.g., standard office supplies) with no access to FCI/CUI may be out of scope for CMMC, even if they indirectly support defense work.
- Distinguishing COTS vs. non‑COTS and verifying data flows is a critical analysis task for primes.
Key idea: To determine if an organization must comply, ask: Does it handle FCI or CUI under a DoD contract with CMMC clauses, or support systems that do? If yes, CMMC almost certainly applies.
## Step 7 – Quiz: Who Is in Scope?
Answer this question to test your understanding of who CMMC 2.0 applies to.
A small company provides IT helpdesk services and manages Microsoft 365 for a mid‑size defense contractor. The contractor stores CUI in SharePoint and email, and the contract includes DFARS 252.204‑7021. The IT company does not have a direct contract with DoD. Which statement is MOST accurate?
- A) The IT company is out of scope for CMMC because it has no direct contract with DoD.
- B) The IT company is in scope for CMMC because it can access systems that store or process CUI.
- C) The IT company only needs to worry about CMMC if it voluntarily chooses to get certified for marketing purposes.
- D) The IT company is covered automatically by the prime’s CMMC certification and therefore has no independent obligations.
Answer: B) The IT company is in scope for CMMC because it can access systems that store or process CUI.
CMMC obligations flow down through the supply chain. Even without a direct DoD contract, the IT company manages systems containing CUI under a contract that includes DFARS 252.204‑7021. That makes it part of the in‑scope environment. It must either meet the relevant CMMC requirements directly or be included in a compliant enclave/boundary. The other options misunderstand how flow‑down and data‑centric scoping work.
## Step 8 – Flashcards: Core Terms and Acronyms
Flip these cards (mentally or with your study tool) to reinforce key vocabulary for CMMC 2.0 and its regulatory context.
- CMMC 2.0
  - The current version of the Cybersecurity Maturity Model Certification program, with 3 levels (1–3), aligned primarily with NIST SP 800‑171 and 800‑172, and made enforceable through 32 CFR Part 170 and DFARS clauses.
- Defense Industrial Base (DIB)
  - The worldwide industrial complex of businesses and organizations that provide products and services to meet U.S. defense requirements, including primes, subcontractors, and many service providers.
- FCI (Federal Contract Information)
  - Information provided by or generated for the government under a contract to develop or deliver a product or service to the government, not intended for public release. CMMC Level 1 focuses on protecting FCI.
- CUI (Controlled Unclassified Information)
  - Information that requires safeguarding or dissemination controls under U.S. law, regulation, or government‑wide policy, but is not classified. CMMC Level 2 focuses on protecting CUI.
- 32 CFR Part 170
  - The DoD regulation that formally establishes the CMMC program, defines its levels and governance, and directs its integration into the acquisition system.
- DFARS 252.204‑7021
  - The DFARS contract clause titled Cybersecurity Maturity Model Certification Requirements that obligates contractors to achieve and maintain a specified CMMC level and to flow down requirements to applicable subcontractors.
- DFARS 252.204‑7025
  - A DFARS clause supporting the CMMC program, addressing program‑level requirements such as the use of accredited assessors and handling of CMMC assessment information.
- C3PAO
  - CMMC Third‑Party Assessment Organization – an accredited body authorized to perform official CMMC assessments for certain levels and contract types.
- NIST SP 800‑171
  - A NIST Special Publication that specifies security requirements for protecting CUI in non‑federal systems and organizations; it is the technical baseline for CMMC Level 2.
- Flow‑down
  - The contractual mechanism by which a prime contractor passes specific clauses and requirements (such as CMMC obligations) to its subcontractors and service providers.
## Step 9 – Mapping CMMC Levels to Data Types and Organizations
### Activity: Classify Three Hypothetical Organizations
For each scenario below, identify:
- Whether CMMC is likely required (yes/no).
- Which CMMC level is most plausible (1, 2, or 3), based on the data type and mission criticality.
- Whether you expect self‑assessment or third‑party/government assessment to be more likely (justify your reasoning).
Write your answers in a 3×3 table or short bullet list.
---
#### Scenario A – Precision Parts Manufacturer
- Manufactures custom metal parts for a DoD weapons platform.
- Receives technical drawings clearly marked as CUI.
- Has ~50 employees and no direct contact with classified information.
Questions:
- Is CMMC required?
- Likely level?
- Likely assessment type and why?
---
#### Scenario B – Software Analytics Startup
- Provides a web‑based analytics dashboard for DoD logistics, hosted in a commercial cloud.
- Processes shipment schedules and maintenance forecasts labeled CUI.
- The system is considered mission critical for operational planning.
Questions:
- Is CMMC required?
- Likely level?
- Would DoD be more comfortable with self‑assessment, third‑party assessment, or direct government assessment? Why?
---
#### Scenario C – Office Supplies Vendor
- Sells standard office furniture and paper products to multiple DoD bases.
- Receives only purchase orders and shipping instructions; no CUI, no sensitive design data.
Questions:
- Is CMMC required? If yes, which level? If no, why not?
- What evidence would you look for in the solicitation to confirm your conclusion?
After you answer, compare your reasoning to these guiding heuristics:
- CUI → Level 2 is the default baseline.
- Mission‑critical CUI with high risk → consider Level 3 or more rigorous assessment.
- FCI only → typically Level 1.
- No FCI/CUI → CMMC may not be required, but check the actual clauses.
## Step 10 – Quiz: Contract Enforceability and Timing
Test your understanding of how and when CMMC becomes binding in DoD contracts.
A contractor submits a proposal for a new DoD contract. The solicitation includes DFARS 252.204‑7021 specifying CMMC Level 2. When must the contractor have the required CMMC Level 2 status to be eligible for award, under the current CMMC 2.0 framework?
- A) Any time within 12 months after contract award, as long as they plan to comply.
- B) Before submitting the proposal, or the proposal will automatically be rejected.
- C) At or before the time of contract award, as specified in the solicitation and clause.
- D) Only by the end of the first option year of the contract.
Answer: C) At or before the time of contract award, as specified in the solicitation and clause.
Under CMMC 2.0 as implemented via DFARS 252.204‑7021, the contractor generally must have the required CMMC level **at or before the time of contract award**, according to the solicitation and clause language. CMMC is treated as a condition of eligibility, not a post‑award aspiration. Options A and D delay compliance beyond what the clause contemplates, and option B is too strict because some solicitations allow obtaining certification between proposal and award.
## Key Terms
- C3PAO
  - CMMC Third‑Party Assessment Organization, an accredited entity authorized to conduct official CMMC assessments for contractors.
- CMMC 2.0
  - The current version of the Cybersecurity Maturity Model Certification program, with three maturity levels and closer alignment to NIST SP 800‑171/172, made enforceable through 32 CFR Part 170 and DFARS clauses.
- Flow‑down
  - The process by which a prime contractor passes specific contract clauses and obligations, such as CMMC requirements, to its subcontractors and service providers.
- Subcontractor
  - An entity that has a contract with a prime contractor or another subcontractor to provide supplies or services for performance of a prime contract.
- 32 CFR Part 170
  - The DoD regulation that formally establishes the CMMC program, defines its scope, levels, and governance, and directs its integration into defense acquisition.
- Prime contractor
  - The organization that has a direct contractual relationship with the government and is responsible for overall contract performance, including flow‑down of clauses.
- NIST SP 800‑171
  - A NIST Special Publication that specifies security requirements for protecting Controlled Unclassified Information in non‑federal systems and organizations; it is the technical basis for CMMC Level 2.
- NIST SP 800‑172
  - A NIST Special Publication that provides enhanced security requirements for protecting CUI in critical programs and high‑value assets; it informs CMMC Level 3.
- DFARS 252.204‑7021
  - The DFARS clause Cybersecurity Maturity Model Certification Requirements that obligates contractors to achieve and maintain a specified CMMC level as a condition of contract award and performance.
- DFARS 252.204‑7025
  - A DFARS clause that supports the CMMC program by defining program‑level requirements such as the use of accredited assessors and handling of CMMC assessment data.
- Defense Industrial Base (DIB)
  - The global network of private sector and public sector organizations that provide goods and services to meet U.S. defense requirements, including primes, subcontractors, and service providers.
- Managed Service Provider (MSP)
  - A third‑party organization that manages a customer’s IT infrastructure or end‑user systems and may be in scope for CMMC if it can access FCI or CUI.
- FCI (Federal Contract Information)
  - Information provided by or generated for the government under a contract to develop or deliver a product or service to the government, not intended for public release.
- CUI (Controlled Unclassified Information)
  - Unclassified information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government‑wide policies.
- DFARS (Defense Federal Acquisition Regulation Supplement)
  - The supplement to the Federal Acquisition Regulation (FAR) that contains DoD‑specific acquisition regulations, including cybersecurity and CMMC clauses.