
QED ENTERPRISES, INC. is CURRENTLY

CMMC Level 2 - C3PAO Certified

WHAT IS CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's unified framework for verifying that contractors have implemented adequate cybersecurity protections for sensitive government information. It serves as a single cybersecurity standard for DoD acquisitions, aimed at securing the Defense Industrial Base (DIB) supply chain.

The program covers two categories of sensitive data: Federal Contract Information (FCI), information generated under a government contract not intended for public release, and Controlled Unclassified Information (CUI), which is unclassified but sensitive defense-related data requiring specific protection.

THE THREE LEVELS OF CMMC 2.0

  • Level 1 (Foundational): 17 basic cybersecurity practices protecting FCI. Annual self-assessment only.

  • Level 2 (Advanced): 110 practices aligned with NIST SP 800-171, protecting CUI. Requires third-party assessment by a C3PAO for most contracts.

  • Level 3 (Expert): All Level 2 requirements plus 24 additional controls from NIST SP 800-172, assessed by the Defense Contract Management Agency (DCMA).

WHAT DOES CMMC CERTIFICATION MEAN FOR CONTRACTORS?

The scale of the mandate is enormous. DoD estimates that approximately 80,000 contractors in the Defense Industrial Base will need Level 2 certification through a C3PAO assessment. 

The phased rollout is already underway: Phase 1 began November 10, 2025, when CMMC Level 1 and Level 2 self-assessments became conditions of award for new contracts. Phase 2 begins November 10, 2026, when DoD will start adding Level 2 C3PAO certification requirements to applicable contracts. Full mandatory enforcement across all applicable contracts arrives by November 10, 2028.

There is a serious capacity crunch. Approximately 80 authorized C3PAOs serve 80,000 contractors requiring Level 2 certification. Many C3PAOs are booked throughout 2026 already. Wait times will exceed 18 months for new clients by Q3 2026, and assessment fees are expected to climb significantly as demand outstrips supply. 

The legal stakes are high. The Department of Justice, through its Civil Cyber-Fraud Initiative, increasingly uses the False Claims Act (FCA) to investigate and prosecute contractors that knowingly misrepresent their cybersecurity compliance. Third-party C3PAO assessments may provide a crucial layer of defense against an allegation that a contractor had knowledge of noncompliance. 

Non-compliance means losing contracts. Contractors cannot bid on new contracts requiring CMMC compliance without certification. Prime contractors are identifying CMMC-ready suppliers to avoid supply chain risks, and companies achieving certification first become preferred partners for major defense contractors who are eliminating non-compliant suppliers from consideration. 

WHAT IS C3PAO CERTIFICATION?

A Certified Third-Party Assessment Organization (C3PAO) is an entity authorized by the Cyber AB (the CMMC Accreditation Body) to conduct CMMC assessments and submit the results to the DoD. Think of a C3PAO as the "CPA of Cybersecurity" for the defense world. 

Critically, a C3PAO cannot assess an organization for which they provided significant implementation consulting. Their sole mission is to verify that QED Enterprises, Inc. has met all 110 practices of NIST SP 800-171 as required by CMMC Level 2. They evaluated our "objective evidence," interviewed our staff, and observed our processes in . 

C3PAOs use Certified CMMC Assessors (CCAs) to conduct the actual assessments, supported by Certified CMMC Professionals (CCPs).
