Understanding CMMC and NIST 800-171

news & updates May 29, 2024

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the Department of Defense (DoD) to verify that defense contractors protect the sensitive, unclassified information they handle on the DoD's behalf. Expected to start appearing in defense contracts by late 2024 or early 2025 and to be phased in over several years, CMMC is pivotal for safeguarding that information and for winning and keeping defense contracts. It aims to ensure that contractors actually implement the security requirements they already attest to, thereby reducing the risk of data breaches and cyberattacks. CMMC requirements flow down the supply chain, so they will affect subcontractors as well as prime contractors.

Why Was CMMC Created?

CMMC was established to protect Controlled Unclassified Information (CUI) from cyber threats and adversaries. Under the current system, contractors that handle CUI are already required (through DFARS clause 252.204-7012) to implement the 110 security requirements of NIST SP 800-171. However, compliance has been inconsistent because that requirement is enforced largely through self-attestation and self-assessment. CMMC adds independent, third-party or government-led assessments so that a contractor's adherence to those requirements is verified rather than merely claimed, providing a more secure environment for sensitive information.

Levels of CMMC

CMMC (in its current form, often called CMMC 2.0) is structured into three levels, each representing a tier of cybersecurity maturity and protection. The level a contractor needs depends on the type of information it handles under a given contract.

Level 1: Basic Cyber Hygiene (Foundational)
Focuses on safeguarding Federal Contract Information (FCI), which is information provided by or created for the government under a contract and not intended for public release. This level consists of the basic safeguarding requirements already found in FAR 52.204-21, is verified by an annual self-assessment and affirmation, and is designed to be straightforward to implement.

Level 2: Intermediate Cyber Hygiene (Advanced)
Provides more comprehensive protection for CUI and maps to the 110 security requirements of NIST SP 800-171. This level applies to most companies handling CUI. For most Level 2 contracts, a triennial assessment by an accredited third-party assessment organization (C3PAO) is required; a subset of contracts involving less sensitive CUI may allow a self-assessment instead, with an annual affirmation in both cases.

Level 3: Advanced/Progressive (Expert)
The highest level of protection for CUI, aimed at defending against advanced persistent threats. Companies at this level must meet all Level 2 requirements plus a selected set of enhanced requirements drawn from NIST SP 800-172, and are assessed by the government (DCMA's DIBCAC) rather than by a C3PAO.

Preparing for CMMC

Understanding Information Types

Federal Contract Information (FCI):

This is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government makes public and simple transactional data such as payment processing details. Protecting FCI is the baseline obligation for any contractor and corresponds to CMMC Level 1.

Controlled Unclassified Information (CUI):

CUI refers to unclassified information that a law, regulation, or government-wide policy requires or permits to be handled with safeguarding or dissemination controls. It encompasses a broad range of data types (for example, export-controlled technical data and controlled technical information) that, if compromised, could harm national security or government operations. Handling CUI is what triggers CMMC Level 2 or Level 3, so knowing exactly where CUI enters, is stored, and is transmitted within your environment is the first step in scoping an assessment.
The introduction of CMMC marks a significant advancement in the cybersecurity landscape for defense contractors. By ensuring strict adherence to security practices through independent assessments, CMMC aims to fortify the defense industrial base against cyber threats. As CMMC becomes a standard requirement in defense contracts, companies must proactively prepare to meet these new standards, ensuring both the protection of sensitive information and the opportunity to secure valuable defense contracts.
