The Cybersecurity Maturity Model Certification, or CMMC, has become an increasingly hot topic in the government contracting industry. What is CMMC, does it apply to your company, and what do you need to know about the certification? The high-level overview below will help get you up to speed on CMMC.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) establishes and verifies that companies within the Defense Industrial Base (DIB) are implementing cybersecurity measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
The Cyber AB authorizes and accredits CMMC Third Party Assessment Organizations (C3PAOs). Which kind of assessment a contractor needs depends on the CMMC level specified in the contract: Level 1 (FCI only) is an annual self-assessment, Level 2 (CUI) is either a self-assessment or a C3PAO certification assessment depending on the solicitation, and Level 3 assessments are performed by the Department of Defense itself (DIBCAC) rather than by a C3PAO. A contractor that needs a C3PAO assessment selects a C3PAO to conduct it, and if the assessment does not reveal any deficiencies, the contractor receives the appropriate CMMC certification.
It is important to emphasize that CMMC certification assessments can only be conducted by C3PAOs that are authorized and accredited by The Cyber AB and listed on The Cyber AB Marketplace. Before engaging any firm that offers to "certify" you, confirm that it appears on the Marketplace; knowing this will help prevent contractors from falling victim to the CMMC-related scams that have been reported in the past.
Who Does CMMC Impact and When?
CMMC impacts companies that do business with the Department of Defense (DOD), including subcontractors at every tier that handle FCI or CUI. However, contracts solely for Commercial-Off-The-Shelf (COTS) products are exempt from CMMC requirements.
As of August 2025, CMMC is not yet mandatory in DOD contracts, but it will be soon. The CMMC program rule (32 CFR Part 170) is already in effect; what remains is the acquisition rule (48 CFR, the DFARS clause) that actually places CMMC requirements into solicitations and contracts. That final acquisition rule was submitted to the Office of Information and Regulatory Affairs (OIRA) on July 22nd. OIRA is currently reviewing it, and CMMC requirements could begin appearing in contracts as early as October 1st, according to the rule text available on the Electronic Code of Federal Regulations (eCFR). Once approved, CMMC requirements will be phased in over a three-year rollout, and by the end of that rollout nearly all DOD contracts will be affected.
CMMC and GSA
At this time, the intent is for CMMC to be implemented within DOD contracts only. However, GSA has included CMMC language in two of its Governmentwide Acquisition Contracts (GWACs), STARS III and Polaris.
It is important to note that CMMC requirements under STARS III and Polaris would apply at the task order level, and that GWACs, including STARS and Polaris, are not part of the GSA Multiple Award Schedule (MAS) Contract.
Full FAQ
Above, we provided a highly simplified overview of the Cybersecurity Maturity Model Certification. For more information and to review the full FAQ, visit the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC page.
Additional Reading
- DOD CIO | CMMC 101 Brief
- Federal News Network | DoD addresses two big challenges to make CMMC a reality
- Federal News Network | Grand odyssey of CMMC nearing implementation
- Forbes | Cybersecurity No Longer Optional
- The Cyber AB | The CMMC Assessment Process (CAP)
