

Cybersecurity Maturity Model Certification (CMMC) is a robust security framework designed to safeguard the Department of Defense (DoD) by ensuring the security of all contractors and subcontractors in the Defense Industrial Base (DIB) supply chain that process, store, and transmit sensitive government information like Controlled Unclassified Information (CUI).
Due to the diversity and criticality of government data, the CMMC consists of various control areas, which differ according to the certification level. Each area encompasses critical cybersecurity practices you must implement if you plan on forming or maintaining a relationship with the DoD.
These practices are informally referred to as controls, so we’ll use this term in this guide as a synonym for the program’s practices. The guide will break down the key CMMC practices for ongoing compliance.
CMMC control areas at a glance
CMMC encompasses 14 control domains derived from NIST SP 800-171:
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Such comprehensive coverage enhances security for organizations in the DoD supply chain, as each domain can encompass many specific practices that vary by the chosen certification level.
CMMC certification levels and corresponding practices
CMMC offers three certification levels, as outlined in the following table:
Each certification level encompasses different security practices that correspond to an organization’s role in the DoD supply chain and the criticality of shared information. Below, we’ll clarify the practices corresponding to each level.
CMMC Level 1 controls
CMMC Level 1 is the base-level certification program designed to establish basic cybersecurity practices for DoD contractors and subcontractors. As such, it only includes six out of the 14 CMMC control domains and has 15 specific practices in total.
The following table outlines the Level 1 domains with example practices:
To obtain a Level 1 certificate, you need to self-assess your IT infrastructure against these practices. The self-assessment encompasses various activities, such as:
- Access reviews
- Authentication policy reviews
- Staff interviews
During the assessment, you’ll need to collect and review various documents that demonstrate CMMC compliance, such as:
- Policy, procedure, and process documents
- Security plans and planning documents
- Training materials
- Network, system, and data flow diagrams
After completing the self-assessment, you should enter the results into the Supplier Performance Risk System (SPRS). You must meet all of the applicable CMMC practices and affirm the implementation of the in-scope practices to get certified.
Your certificate will be valid for one year, after which you’ll need to repeat the entire self-assessment process. Alongside the results, you’ll have to provide annual compliance affirmations to maintain the certificate.
CMMC Level 2 controls
CMMC Level 2 addresses the security of sensitive CUI, so it encompasses a much broader range of practices and processes than Level 1. It’s built around 110 practices derived from NIST SP 800-171 R2, which are split across all 14 domains.
The following table outlines some of the key domains not included in Level 1 certification alongside example practices:
Depending on the specific information your organization can access, process, and share, you can choose between two Level 2 assessment types:
- A self-assessment for organizations that do not handle highly sensitive CUI
- A Certified Third-Party Assessor Organization (C3PAO) assessment for organizations handling prioritized CUI
Whichever option you choose, your certificate will be valid for three years, but you still need annual compliance affirmations. This doesn’t mean both assessments are equally valuable, though—a C3PAO assessment is typically considered a superior option due to the increased security assurance it provides.
Unlike Level 1 certification, Level 2 doesn’t require immediate adherence to all the in-scope practices. If you meet at least 80 percent (88/110 practices) but still have gaps, you can apply for a Conditional Certificate.
To do so, you must accompany your assessment results with a Plan of Action & Milestones (POA&M)—a document that outlines how the gaps will be remediated. You have 180 days to remediate all gaps, after which you’ll receive the Final Certificate.
From this point on, track the remediation of each gap against the timelines committed to in the POA&M. This helps you prioritize gap remediation activities and keeps owners accountable for closing them.
CMMC Level 3 controls
CMMC Level 3 certification builds on Level 2, which means you must first implement all 110 NIST SP 800-171 R2 practices before upgrading to Level 3.
This level focuses on securing sensitive, high-value information—specifically CUI—and helps protect against advanced cybersecurity threats. Achieving Level 3 demonstrates your organization's maturity in cybersecurity practices, which builds trust and helps position your company as a reliable partner.
In addition to the 110 NIST SP 800-171 practices, Level 3 requires 24 more practices from NIST SP 800-172 (Feb 2021), which focuses on advanced threat protection. These additional practices strengthen your organization's defenses against sophisticated attacks and further improve your cybersecurity maturity.
The following table outlines some of the Level 3 control areas and their corresponding practices:
The Level 3 assessment is government-led and conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which is responsible for overseeing the certification process for contractors in the defense sector. It encompasses various practices related to automation and extensive risk assessments, which makes it potentially resource-intensive.
The good news is that the Conditional Certificate is available for Level 3 under the same conditions as for Level 2. If your initial assessment reveals at least 80 percent compliance, you can submit a POA&M to receive an additional 180 days to implement the remaining practices.
As per the DoD’s official resources, your Level 3 (and Level 2) certification will lapse if you fail to affirm compliance annually. This means that even though the certificate lasts for three years, you’ll need to self-assess your security practices, policies, and procedures at least once a year to ensure ongoing adherence to CMMC practices.
Common challenges of CMMC certification
Pursuing CMMC certification can be laborious and time-consuming, especially if you're looking to obtain a Level 2 or Level 3 certificate. The related assessments are extensive and examine nearly every aspect of your security infrastructure, presenting notable challenges such as:
- Scoping: Outlining a precise CMMC scope can be challenging, especially for organizations with complex IT infrastructures. You must identify where you store, process, and transmit FCI or CUI—including systems, applications, users, and data flows. Focusing resources on securing these critical areas is essential for reducing risk exposure and ensuring compliance efficiency.
- Extensive documentation: You’ll need to gather comprehensive documentation to provide evidence of implementation of CMMC practices and affirm compliance confidently. You must outline precisely how you’ve met each practice and keep records updated as your organization evolves.
- Resource constraints: SMBs may face greater challenges in implementing CMMC compared to larger organizations, mainly due to limited internal resources and inefficient workflows. Some practices require dedicated teams, which many SMBs lack, making it difficult to allocate the necessary time and expertise.
- Disruption of daily activities: Self-assessments and third-party assessments necessary for CMMC certification can place significant pressure on IT and compliance teams. The same goes for other departments involved in the certification process, which might struggle to balance everyday tasks with compliance practices. You’ll also need to conduct targeted training on FCI and CUI handling to ensure organization-wide CMMC implementation, which adds to the time and effort you’ll spend on compliance.
The easiest and most cost-effective way to avoid these challenges is to adopt a compliance automation solution. The right platform should automate tedious tasks like evidence collection and provide clear guidance on implementation to remove guesswork.
Implement CMMC controls with Vanta
Vanta is a comprehensive trust management platform that offers clear, prescriptive guidance and resources to help you implement the in-scope CMMC controls. It offers a dedicated CMMC solution equipped with numerous useful features, such as:
- Out-of-the-box support for all certification levels
- Automated evidence collection supported by 375+ integrations
- Centralized tracking of CMMC practices
- Continuous monitoring of CMMC practices using automated tests
Vanta also automatically cross-references your controls to avoid duplicative workflows.
While you can’t choose your Level 3 auditor, you can pick a reputable and helpful C3PAO for a Level 2 assessment as the prerequisite for Level 3 certification. To find the best option, you can tap into Vanta’s extensive partner network.
Schedule a custom demo to see Vanta in action.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
CMMC controls explained: A complete guide for DoD contractors