Defense Contractor

Who needs CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is required for all Department of Defense (DoD) contractors and subcontractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). This includes all types and sizes of companies, from prime contractors to small businesses and suppliers.


CUI is any information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies, and FCI is any information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

The CMMC framework is designed to ensure that DoD contractors have appropriate cybersecurity measures in place to protect sensitive information from cyber threats. It includes five levels of cybersecurity maturity, with level 1 being the least mature and level 5 being the most mature.

The specific level of CMMC certification required will depend on the type of information being handled by the contractor or subcontractor. For example, those handling CUI will need to achieve a higher level of certification than those handling FCI.

It is important for companies that handle CUI or FCI to understand and comply with the CMMC requirements if they want to continue doing business with the DoD. Failure to comply can result in the loss of contracts and other significant penalties.

Interested in learning more about the benefits of CMMC compliance for your business?  Read our other post about it here:  What are the benefits of CMMC?