The Cybersecurity Maturity Model Certification (CMMC) replaces the current DFARS 252.204-7012 clause that defense contractors currently have to when entering into a contract with the Department of Defense. Based on the NIST SP 800-171 framework, albeit with the addition of various other processes and practices, CMMC compliance spans five levels, with the third one being the minimum requirement ...

Most organizations wanting to contract or subcontract with the Department of Defense should aim for CMMC level 3. This is the minimum required level for handling controlled unclassified information (CUI), and compliance will be fully enforced from October 2025.