What is CMMC compliance?

CMMC compliance helps ensure your systems and teams meet the cybersecurity standards required by the U.S. Department of Defense. It protects sensitive data, strengthens your eligibility for contracts, and gives you a powerful competitive edge.

What is CMMC compliance?

CMMC meaning
Who needs CMMC certification?
Risk of non-compliance
CMMC 2.0 vs. CMMC 1.0 vs. DFARS
CMMC-compliant software
FAQs
Glossary

For any company that expects to win – or even bid on – contracts with the U.S. Department of Defense (DoD), CMMC compliance is a must-have. It stands for Cybersecurity Maturity Model Certification and is the measurement standard the government uses to put structure around what’s expected from its contractors. The newly-released CMMC 2.0 standards have amended and streamlined some of these requirements but they remain based on the type of information your company deals with and has access to. Some organizations need only the basics. Others must pass rigorous audits and maintain strict control measures over sensitive data. And it affects more than IT. It touches procurement, operations, cloud infrastructure, staffing, and even vendor relationships. The better your systems and processes align, the easier it becomes to meet the requirements – and prove you’re ready to go.

CMMC meaning

Cybersecurity Maturity Model Certification is a U.S. Department of Defense framework that mandates cybersecurity standards for contractors and suppliers in the defense industrial base. It verifies an organization’s ability to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) through a tiered certification process.

Who needs CMMC certification?

If your company handles DoD-related government information or supports the Defense Industrial Base (DIB), you must meet cybersecurity requirements. This includes prime contractors, subcontractors, vendors, and service providers.

Direct DoD contractors and subcontractors

Any business bidding on or subcontracting DoD work must meet the CMMC level specified in the contract. Flow-down rules apply, meaning compliance is required across the full defense supply chain, not just for prime contractors.

Companies handling FCI, CUI, or HVA

If you access Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or High Value Assets (HVA) – or if you manage DoD documents, technical specs, or sensitive designs – you must certify to the right CMMC level.

Cloud providers, IT services, and support vendors

Third parties offering infrastructure, storage, or services to DoD contractors must have a minimum FedRAMP Moderate Equivalency – including SaaS, PaaS, and IaaS providers , managed service providers (MSPs), logistics firms, cybersecurity vendors, and others supporting defense-related work.

What’s at risk if you don’t meet CMMC compliance requirements?

If your company isn’t certified at the appropriate level, you run the risk of losing out on future opportunities. You can also put existing contracts at risk, be removed from competitive bids, or even be the weak link that causes your prime contractor to fail. To clarify, here is a look at non-compliance risks from three perspectives:

Eligibility

DoD contracts require proof of CMMC certification as a gating factor. Without it, you can’t even bid. Subcontractors should be aware that primes vet their suppliers 12 to 18 months in advance to ensure full compliance by award time.

Pipeline impact

It can take months to prepare for the certification process, and to audit and remediate gaps. Only certified companies will show up in the Supplier Performance Risk System (SPRS). A delay in compliance can lead to lost time and money.

Work and reputation

If you’re not CMMC-certified when a client’s contract comes up for renewal, you may be replaced. And a failure to meet minimum cybersecurity standards could expose you to liability or removal from the approved DoD vendor list altogether.

CMMC 2.0 vs. CMMC 1.0 vs. DFARS: What’s new and what still applies

DFARS stands for Defense Federal Acquisition Regulation Supplement and NIST is National Institute of Standards and Technology. They are the standards for guiding cybersecurity framework. CMMC 2.0 isn’t a replacement for DFARS or NIST 800-171. It’s a formalization of them. It has clearer enforcement, tiered certification, and far less ambiguity. To understand how they relate, it’s important to know what’s changed, what hasn’t, and what’s now required for compliance. Here is a summary of the new set-up:

What’s new in CMMC 2.0 (vs. CMMC 1.0)

Fewer levels, sharper focus: CMMC 2.0 reduces five levels to three. This eliminates vague middle ground and aligns more closely with real-world contract needs.
Stronger ties to existing standards: Drops custom maturity processes in favor of 1:1 alignment with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3).
More flexibility in certification: Allows self-assessments at Level 1 and for some Level 2 non-prioritized acquisitions. This lowers the cost and timeline for small and mid-sized contractors.
Use of POA&Ms: Permits Plan of Action and Milestones (POA&M) for some unmet controls, with conditions. This is something CMMC 1.0 did not allow.
Faster rulemaking: Introduced via DFARS Case 2019-D041, CMMC 2.0 is being fast-tracked for full implementation by 2026.

What hasn’t changed

DFARS is still law: Contractors must still comply with DFARS 252.204-7012, including rapid reporting of cyber incidents and implementation of NIST 800-171 for systems handling CUI.
SPRS remains key: Companies must register self-assessment scores in the Supplier Performance Risk System (SPRS) which primes now routinely use to evaluate subcontractor eligibility.
CUI is still the dividing line: If you handle Controlled Unclassified Information, you still need to meet the full 110 controls in NIST 800-171 – now validated via CMMC.

Why this matters

CMMC 2.0 clarifies what contractors have technically been required to do for years, and now enforces it through tiered certification. For DoD contractors, this means your systems must do more than support policies – they must help to enforce the technical controls that will be audited, including access and encryption to workflows, audit trails, and supply chain traceability, and much more.

Loading component...

What makes a cloud platform CMMC-ready?

An assessment of CMMC compliance will depend on your organization’s overall posture regarding cybersecurity. That said, the tools and solutions you use play an absolutely essential role. A CMMC-ready platform isn’t just one that supports your compliance journey, it must also be part of the certified environment itself.

For software that handles CUI or FCI, this infrastructure is crucial. You’ll want to look for solution providers that offer cloud services meeting security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP). The most effective solutions – whether ERP, document management, or other operational platforms – include safeguards such as role-based access, encryption at rest and in transit, audit trails, and workflow-level controls that align with the major CMMC control families.

But CMMC compliance requires more than the purchase of secure tools. The way they are configured, monitored, and used is also very important. Let’s put it this way: software alone won’t guarantee certification, but software that’s designed and leveraged with compliance in mind, can significantly reduce risk and effort. That’s why it’s important to evaluate not just whether a platform is “secure,” but whether it helps maintain traceability, enforce access restrictions, log activity, and support the kind of shared responsibility that’s crucial for FedRAMP and CMMC-aligned environments.

In short, compliant software doesn’t replace your cybersecurity program, but it can make that program more consistent, defensible, and efficient to run.

Loading component...

Conclusion

Today’s business leaders are living through unprecedented changes, challenges, and competition. And while CMMC can seem daunting and complicated, it’s actually pretty straightforward once you have the right tools and structure in place. It takes planning, teamwork, and systems that hold up under scrutiny and evolve as requirements change. But once you get there, you’ll be freed up to focus on the innovation and strategy you need to thrive and lean into the future.

Loading component...

Learn how Infor is supporting DoD contractors with industry-specific solutions and fully CMMC-compliant software solutions.

Explore Infor A&D software

CMMC FAQs

Loading component...

CMMC acronym glossary

Acronym	Full Term	Definition
AC	Access Control	CMMC domain focused on restricting access to systems and data
AU	Audit and Accountability	CMMC domain that requires audit logging and traceability
AWS	Amazon Web Services	Cloud platform used by many vendors to host secure environments for defense contracts
C3PAO	CMMC Third-Party Assessor Organization	Authorized company that conducts official CMMC assessments
CMMC	Cybersecurity Maturity Model Certification	U.S. Department of Defense framework for assessing cybersecurity practices of defense contractors
CUI	Controlled Unclassified Information	Sensitive information requiring safeguarding but not classified by law
DCAA	Defense Contract Audit Agency	Performs audits of government contracts to ensure compliance and cost control
DCMA	Defense Contract Management Agency	DoD agency that monitors contractor performance
DFARS	Defense Federal Acquisition Regulation Supplement	DoD-specific rules for acquisition that include cybersecurity mandates
DIB	Defense Industrial Base	Network of organizations, facilities, and resources that provides the government with materials, products, and services
DIBCAC	Defense Industrial Base Cybersecurity Assessment Center	Conduct cybersecurity assessments for the DoD, especially for CMMC Level 3
DoD	Department of Defense	Federal agency overseeing U.S. military operations and defense contracts
EAR	Export Administration Regulations	Rules governing the export of dual-use items not covered by ITAR
FCI	Federal Contract Information	Information provided by or for the government not intended for public release
FIPS	Federal Information Processing Standards	U.S. government computer security standards
FedRAMP	Federal Risk and Authorization Management Program	U.S. government program that standardizes security for cloud services
IAM	Identity and Access Management	Technologies and policies that control user access to systems
IR	Incident Response	CMMC domain covering processes for detecting and responding to security incidents
ITAR	International Traffic in Arms Regulations	U.S. regulations controlling the export of defense-related materials
MP	Media Protection	CMMC domain about securing physical and digital media
NIST	National Institute of Standards and Technology	U.S. agency that develops cybersecurity frameworks and technical standards
NIST SP 800-171	NIST Special Publication 800-171	NIST guideline outlining how to protect CUI in non-federal systems
OSC	Organization Seeking Certification	Company or entity undergoing CMMC assessment
POA&M	Plan of Action and Milestones	Document describing how an organization plans to correct security deficiencies
RMF	Risk Management Framework	Structured process used to identify and manage cybersecurity risks
SIEM	Security Information and Event Management	System that aggregates and analyzes security data
SPRS	Supplier Performance Risk System	DoD system that tracks contractor compliance and risk scores
SSP	System Security Plan	Document that outlines how an organization implements cybersecurity requirements
TLS	Transport Layer Security	Protocol for encrypting data in transit

Loading component...

What is CMMC compliance?