Compliance · Defense

The CMMC Compliance Checklist for Defense Contractors

CMMC is the Pentagon’s verification that you actually protect the controlled information it hands you. As of November 10, 2025, the certification clause is being written into DoD contracts. No certificate at the level your contract demands, and you can’t win the award, can’t keep the work, can’t be flowed the work as a sub. This is the checklist that gets a small defense contractor from exposed to certified, before that clause lands on a bid you need to win.

Foundations

What CMMC actually verifies.

CMMC (Cybersecurity Maturity Model Certification) is how the Department of Defense checks that contractors in the Defense Industrial Base protect the government information on their systems. The program rule was codified at 32 CFR Part 170, published October 15, 2024, and became effective December 16, 2024. It set the three-level CMMC 2.0 structure that every contract now points to.

NIST is the what. CMMC is the proof. NIST SP 800-171 defines the requirements for protecting Controlled Unclassified Information on nonfederal systems. CMMC is the assessment-and-certification wrapper on top of it: self-assessment, third-party assessment, or government-led, depending on the level. You’ve likely been contractually obligated to NIST 800-171 for years under DFARS 252.204-7012. CMMC is the day someone checks.

FCI vs CUI drives everything. The data you handle dictates the level you need. Federal Contract Information (FCI) is information provided by or generated for the government under a contract and not intended for public release; handling only FCI puts you in Level 1 territory. Controlled Unclassified Information (CUI) is more sensitive and pulls you to Level 2, or Level 3 for the high-priority CUI that must be defended against advanced persistent threats. Scope the data first. The level follows from it.

Who must comply. Anyone bidding on or holding DoD work that touches FCI or CUI, primes and subcontractors alike. The requirement flows down. A prime can’t certify on your behalf, and a clean prime won’t carry an uncertified sub onto a contract that requires CMMC.

The framework

The three levels.

Three levels, three data sensitivities, three ways you get checked. Level 2 is where most of the Defense Industrial Base lives, because most defense work touches CUI.

Level 1
Foundational
Self-assessment

Protects FCI. The 15 basic safeguarding requirements from FAR 52.204-21, mapping to 59 NIST SP 800-171A assessment objectives. Met by an annual self-assessment plus an annual affirmation from a senior official. No POA&Ms: every requirement must be fully met.

Level 2
Advanced
Self or C3PAO

Protects CUI. All 110 security requirements of NIST SP 800-171 Rev 2 across 14 families, 320 assessment objectives. Assessed by self-assessment or by a third-party C3PAO depending on the contract; higher-priority CUI requires a C3PAO. Certification valid up to three years.

Level 3
Expert
DIBCAC

Defends high-priority CUI against advanced persistent threats. The 110 requirements plus a 24-requirement subset of NIST SP 800-172, 134 controls. Assessed exclusively by the government’s DIBCAC, not a C3PAO. Requires a Final Level 2 (C3PAO) status first.

The controls

Your audit-ready checklist.

Level 2 is the 110 requirements of NIST SP 800-171 Rev 2, organized into 14 control families. Below are the families assessors fail contractors on most often (Access Control, Audit & Accountability, Configuration Management, and Incident Response), plus the program gates that decide whether your assessment even gets a score.

Access Control, 22 requirements, the largest family

  • Limit system access to authorized users, processes, and devices
  • Enforce least privilege and separation of duties
  • Control the external connections your system permits, AC.L2-3.1.20, which can never be placed on a POA&M
  • Control CUI posted or processed on publicly accessible systems, AC.L2-3.1.22, also never POA&M-able
  • Encrypt CUI on mobile devices and limit remote access

Audit & Accountability

  • Create and retain system audit logs sufficient to trace user actions
  • Ensure individual users can be uniquely traced to their actions
  • Alert on audit logging process failures
  • Protect audit information and tooling from unauthorized access or modification
  • Review and correlate audit records for indications of inappropriate activity

Configuration Management & System and Information Integrity

  • Establish and enforce baseline configurations for all in-scope systems
  • Track, review, and approve changes through a documented change process
  • Identify, report, and correct flaws, patch on a defined timeline
  • Provide protection from malicious code and keep it updated
  • Monitor system security alerts and advisories and act on them

Identification, Authentication & Incident Response

  • Identify users and devices and authenticate them before access
  • Enforce multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, IA.L2-3.5.3
  • Establish an operational incident-handling capability: prepare, detect, analyze, contain, recover
  • Track, document, and report incidents to designated officials
  • Test the incident response capability; a plan you never exercise is a finding

Program gates, the documents and scores that decide the assessment

  • System Security Plan (SSP) describing how all 110 controls are implemented, without it, the assessment can’t be completed and you get no score
  • SPRS self-score on the DoD Assessment Methodology: 1, 3, or 5 points deducted per unmet requirement, so the score ranges from −203 (nothing met) to 110 (everything met). Two requirements get partial credit: MFA (IA.L2-3.5.3) and CUI encryption (SC.L2-3.13.11) cost 3 points instead of 5 when partially implemented
  • A POA&M (Plan of Action & Milestones) is allowed only at a score of 88 or above (80% of 110), and it may hold only 1-point requirements, with one exception: SC.L2-3.13.11 may be deferred when it scores as a 3-point partial (encryption in place but not FIPS-validated)
  • Six requirements can never be on a POA&M, whatever their point value: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5
  • Any POA&M must be closed out within 180 days or the Conditional status expires; an annual affirmation in SPRS by a senior official is required on top of that

Timeline

The dates that are already moving.

Two rules, not one. The program rule (32 CFR Part 170) took effect December 16, 2024 and built the framework. The acquisition rule amending the DFARS, finalizing the CMMC contract clause (DFARS 252.204-7021) and adding the level-requirement notice clause (252.204-7025), was published September 10, 2025 and took effect November 10, 2025. That second rule is the one that made CMMC a binding contract requirement and started the clock.

The four-phase rollout. Phase 1 began November 10, 2025, inserting Level 1 and Level 2 self-assessment requirements into new solicitations. Each phase begins roughly twelve months after the last. Phase 2 (around November 2026) introduces mandatory Level 2 C3PAO assessments. Phase 3 (around November 2027) adds Level 3. Phase 4, full implementation, including option periods on earlier awards, begins around November 2028.

Build the runway. For a small contractor, Level 2 readiness commonly runs 12-18 months. Certifications last three years, with an annual affirmation in between. The phase that makes C3PAO certification non-negotiable arrives in late 2026, which means the work to be ready for it starts now, not when the clause shows up on a bid you can’t afford to lose.

The math that surprises people: a 12-18 month runway against a Phase 2 deadline in late 2026 means the contractor who waits for the clause to appear on a solicitation has already missed it. Certification is a project you start before you need it.

Where MARFI fits

How MARFI Launchpad DIB gets you certified.

Shrink the scope before you spend a dollar on assessment. The fastest path to Level 2 is a segmented enclave, a logically separated environment that contains CUI and becomes its own assessment boundary. Fewer in-scope assets means a shorter, cheaper C3PAO assessment. Launchpad DIB builds and runs that enclave on FedRAMP-Moderate-equivalent cloud, so your CUI lives somewhere that already meets the bar DFARS demands.

The SSP and the controls, handled. Launchpad DIB stands up the System Security Plan that gates your entire assessment, implements the 110 controls across the 14 families, and concentrates on the ones assessors fail most, access control, audit and accountability, configuration and patching, incident response. DoD estimates a small contractor spends north of $100,000 to reach Level 2 the hard way. Launchpad DIB is built to compress that.

Accountability stays yours, so we make it survivable. Under CMMC shared responsibility, the contractor remains accountable for all 110 requirements; that can’t be outsourced. Launchpad DIB operates the controls and produces the evidence under shared responsibility, then keeps you continuously affirmation-ready year over year, not scrambling 180 days before a closeout. See how Launchpad DIB works.

Defense-grade compliance

Get certified. Stay on the bid list.

MARFI Launchpad DIB builds the enclave, stands up the SSP, implements the 110 controls, and keeps you affirmation-ready, so CMMC stops being the thing between you and the award.