What is CMMC (Cybersecurity Maturity Model Certification)?
Also known as: Cybersecurity Maturity Model Certification
CMMC is the Department of Defense's framework for verifying that contractors meet required cybersecurity standards before handling sensitive defense information. Depending on the data involved, contractors must demonstrate a specific CMMC level — sometimes verified by a third-party assessment.
Why CMMC exists
CMMC builds on DFARS cybersecurity clauses and NIST SP 800-171 to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense supply chain.
As CMMC requirements roll into DoD solicitations, achieving the required level becomes a precondition for award — so defense contractors must plan compliance well in advance.
Frequently asked questions
Do all DoD contractors need CMMC certification?
The required level depends on the type of information you handle. Firms handling only FCI face lower requirements than those handling CUI, which may require a third-party CMMC assessment. The level is specified in the solicitation.