The Cybersecurity Maturity Model Certification (CMMC) Framework

The U.S. Department of Defense (DoD) has issued its final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS), effective November 10, 2025. As a result of these amendments, the Cybersecurity Maturity Model Certification (CMMC) will be incorporated into most DoD contracts. Below is more information about the history of the framework and its potential implications under the False Claims Act.

Introduction
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s comprehensive framework to ensure that contractors in the Defense Industrial Base (DIB) protect sensitive information, particularly Controlled Unclassified Information (CUI). It represents the evolution of cybersecurity compliance from the earlier self-attestation model under NIST SP 800-171 to a more rigorous, audited system enforced through formal rulemaking. Understanding its history and progression sheds light on why CMMC is now a cornerstone of defense contracting.

Early Foundations: NIST SP 800-171 and Self-Attestation
In 2015, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171, which outlined 110 security control requirements for non-federal organizations that handle CUI. A year later, the DFARS clause 252.204-7012 formally required DoD contractors to comply with these controls.
At that time, compliance was based on self-attestation. Contractors were expected to assess their own security practices and affirm compliance without external verification. While efficient in theory, this system quickly showed flaws: organizations often overstated their compliance, enforcement was inconsistent, and adversaries continued to exploit gaps in contractor cybersecurity. There was a clear need for a stronger system of verification.

CMMC 1.0
In 2019, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). Officially released in early 2020, CMMC version 1.0 established a five-level model that combined cybersecurity practices with process maturity. Levels ranged from basic cyber hygiene at Level 1 to highly advanced capabilities at Level 5.
CMMC 1.0 also required contractors to submit self-assessment scores into the Supplier Performance Risk System (SPRS). More importantly, it mandated that verification be conducted through third-party assessments or government audits. For the first time, contractors could not rely solely on their word; they had to demonstrate compliance to win contracts.
Despite its ambitious goals, CMMC 1.0 faced significant pushback from industry stakeholders. Small and mid-sized businesses in particular raised concerns about the costs, administrative burdens, and unclear timelines. Many contractors argued that the five-level structure went beyond the scope of NIST SP 800-171 and risked excluding companies from DoD supply chains.
The DoD listened, and by late 2021 it had paused the CMMC rollout and announced a streamlined update known as CMMC 2.0.

CMMC 2.0: A Simplified Model
CMMC 2.0, unveiled in November 2021, simplified the framework by reducing the five levels to three tiers:
Level 1 (Foundational): Requires basic cyber hygiene for contractors handling only Federal Contract Information (FCI). Compliance can be met through annual self-assessments.
Level 2 (Advanced): Aligns directly with NIST SP 800-171’s 110 requirements. It applies to contractors handling CUI. Some contracts allow self-assessments, but most require third-party certification by accredited assessors.
Level 3 (Expert): Applies to the most sensitive DoD programs and incorporates additional controls from NIST SP 800-172. These assessments are conducted by the government itself.
CMMC 2.0 also reintroduced the use of Plans of Action & Milestones (POA&Ms) under limited circumstances, giving contractors some flexibility to remediate gaps without losing eligibility.

Rulemaking and Legal Authority
The first phase of CMMC rulemaking was the publication of the Program Rule on October 15, 2024, codified in 32 CFR Part 170. This rule established the core framework of the CMMC program itself, defining the certification levels, aligning them to NIST SP 800-171 and SP 800-172 requirements, and setting out how assessments, audits, and oversight would function. In short, it created the regulatory foundation for CMMC but stopped short of requiring contractors to meet these standards in order to receive DoD contracts.
The second phase of rulemaking is the Acquisition, or CMMC Clause Rule, under Title 48 of the Code of Federal Regulations (DFARS). This phase integrates CMMC into the contracting process by introducing or updating DFARS clauses, such as 252.204-7021, that mandate specific CMMC certification levels as conditions of eligibility for contract award. Expected to take effect in late 2025, this rule operationalizes the framework created in the first phase by making CMMC an enforceable contractual requirement across the DIB.
In parallel, updates to DFARS clauses (such as 252.204-7021) are embedding CMMC certification requirements directly into contracts. Once fully phased in, contractors will need to hold the required CMMC level to be eligible for award—making certification a contractual obligation.

From Self-Attestation to Audits
The shift from self-attestation under NIST SP 800-171 to mandatory audits under CMMC reflects lessons learned from persistent cyber vulnerabilities. Self-attestation proved unreliable, leaving sensitive defense data exposed to adversaries. By requiring third-party certification or government-led audits, the DoD ensures accountability and consistency across its supply chain.
This transition also reflects a broader policy emphasis: cybersecurity is no longer an optional best practice but a non-negotiable condition for participation in defense contracting. Contractors must show proof of compliance.

Current Status and Contractor Implications
As of 2025, CMMC 2.0 is in effect through the Program Rule, and DFARS updates are progressively including certification requirements in solicitations. Contractors must now:
Determine the CMMC level required for their contracts (based on what type of information they handle).
Implement the appropriate CMMC level (NIST SP 800-171 for Level 2, or NIST SP 800-172 for Level 3).
Prepare for either self-assessments, third-party audits, or government evaluations depending on their tier.
Maintain documentation, evidence, and POA&Ms to remain compliant.
For many organizations, this has meant significant investments in cybersecurity tools, workforce training, and governance structures.
Cybersecurity and the False Claims Act
The Department of Justice’s Civil Cyber Fraud Initiative (CCFI) was announced in fall 2021, just as CMMC 1.0 was sent back to the drawing board, to provide an enforcement mechanism for self-attested scores. With the launch of that initiative, insiders who were aware that a company had knowingly misstated the state of its cybersecurity could blow the whistle on noncompliance as an FCA relator. Prior to this initiative, it was generally believed that only in exceptional cases, where the gravamen of the contract itself was for cybersecurity, would cybersecurity assurances be considered sufficiently material to support an FCA action. The CCFI created a fertile new area of cybersecurity FCA cases, with twelve having settled so far, bringing in approximately fifty million dollars, with dozens more still under seal.
This raises the question of whether CMMC’s third-party assessment model will bring an end to cybersecurity-based FCA cases. While the new model may shift the focus of inquiry, it seems unlikely that such cases will disappear. Instead, we can expect cases in which a third-party assessor will be a named defendant in a suit alleging collusion for providing false scores.

Conclusion
The evolution of CMMC reflects the DoD’s recognition that self-attestation under NIST SP 800-171 was insufficient for securing sensitive information across the defense supply chain. What began as voluntary self-reporting has now matured into a regulated, audited framework with real contractual teeth. CMMC 2.0 strikes a balance between rigor and feasibility, aligning closely with established NIST standards while introducing verification mechanisms to ensure compliance.
For contractors, CMMC is more than a certification—it is a gateway to doing business with the Department of Defense. As rulemaking embeds these requirements into federal contracting, CMMC will remain central to safeguarding national security in an era of increasingly sophisticated cyber threats.
And for whistleblowers who are willing to report these schemes to protect national security, it seems likely that there will continue to be opportunities to do so.

This piece was written by Julie Bracker of Bracker and Marcus LLC.