CMMC.
A calm explainer for the CMMC program.
This resource explains what CMMC (Cybersecurity Maturity Model Certification) actually requires, what the words mean, and how the machinery works — cited to primary sources throughout.
01What this is
Is
A plain-language reference and learning desk for the CMMC program — what it requires, what the words mean, how the machinery works, what to expect, in reading order or as look-up. Broad, source-traceable, no jargon.
Is for
Defense-subcontractor owners/GMs who sign affirmations; IT leads at subs; MSPs/ESPs serving DIB clients; prime-contractor supply-chain readers who need to understand what they are asking of subs.
Is not
Certification preparation, assessment consulting, legal advice, a framework, a checklist product, or a substitute for the primary sources it cites.
02Where the rollout stands
The program is in Phase 1 — self-assessments in new solicitations. Phase 2, C3PAO certification where applicable, begins 2026-11-10. The System covers all four phases and what changes at each. 32 CFR 170.3(e)
03Start by role
Start Here opens with the signals that tell you whether any of this applies before you pick a route. Four routes live there — here’s the question each one answers.
04The desk map
| Page | What it covers |
|---|---|
| The System | Who runs CMMC, which rule answers which question, and how the four-phase rollout works. |
| The Levels | What Level 1, 2, and 3 actually require, and who assesses each one. |
| The Data | FCI and CUI, defined precisely, and where each tends to hide in ordinary business systems. |
| Scope & Boundary | The five asset categories, enclave trade-offs, and what an MSP or cloud provider is actually responsible for. |
| Evidence, SSP & POA&M | What proof looks like, the System Security Plan, POA&M mechanics in full, and how an assessor examines, interviews, and tests. |
| The Assessment | What actually happens during an assessment, Conditional vs. Final status, and what Level 3 adds. |
| Myths vs Rules | Eight common misconceptions, checked against what the rule actually says. |
| FAQ | Twelve questions, answered in the order a reader actually asks them. |
| Glossary | Twenty-four terms defined the way they’re actually used — not an acronym dump. |
| Source Library | A bibliography and reading guide: which document to open for which question. |
See also Domains — the 14 security-requirement families, one page each.
Practical guides
Six task-shaped pages that compress the reference body into working order — for when you have the specific job in hand rather than a reading afternoon.
| Guide | What it covers |
|---|---|
| Level 1, in practice | The 15 requirements, the annual self-assessment, SPRS entries, and the affirmation — the FCI level end to end. |
| The contract clauses | Provisions vs clauses, how 7012 / 7019 / 7020 / 7021 / 7025 relate, the 2026 renumbering, and a plain decision path. |
| SPRS, explained | Who posts what through which path, CMMC UIDs, and what a contracting officer actually sees. |
| Gap analysis | Checking yourself against the NIST SP 800-171A objectives before anyone official does. |
| The implementation path | The order the work tends to happen in, with a plain reader checklist. |
| By role | Compact summaries for executives, technical leads, and compliance owners. |
05Independence note
This desk is independent educational material. It is not affiliated with, endorsed by, or representing the U.S. Department of Defense, the Cyber AB, or any C3PAO. CMMC is a DoD program — act on the primary sources this desk cites, and on your own advisors.