Post updated on November 10, 2025.
Effective November 10, 2025, the Cybersecurity Maturity Model Certification (CMMC) is a new security requirement for U.S. Department of Defense (DoD) contractors in the defense industrial base (DIB) to combat cyber threats aimed at the supply chain. CMMC sets cybersecurity and data protection standards, certifications and assessment requirements as a condition of a DoD contract award to safeguard government intellectual property and sensitive information. DoD first announced in November 2021 that it was abandoning and revamping the original CMMC requirements. On December 26, 2023, the much anticipated CMMC Proposed Rule for CMMC 2.0 was released, replacing the original five-level model with a simplified three-level model.
The new CMMC model aims to measure and certify the cybersecurity practices of Defense Industrial Base (DIB) contractors and subcontractors to ensure they follow best practices for protecting sensitive information on their networks, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC 2.0 revisions aim to make it easier for small and medium-sized enterprises (SMEs) to comply with the mandates.
WHAT ARE FCI AND CUI?
The primary purpose of CMMC is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with and handled by contractors and subcontractors of the DoD on non-federal contractor information systems.
The DoD defines FCI and CUI as follows:
Federal Contract Information (FCI) – “FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
Controlled Unclassified Information (CUI) – “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
If you are a government contractor or subcontractor that processes, stores or transmits FCI or CUI, you will need to adhere to the new CMMC 2.0 guidelines to compete for DoD contracts and solicitations.
CMMC 2.0 LEVELS
The Proposed Rule outlines three independent levels and requirements for contractors and subcontractors. In addition to certification, a new affirmation requirement obliges a senior official from the prime contractor and any subcontractor to affirm continuing compliance with the security requirements annually:
- CMMC Level 1 – Basic Safeguarding of FCI (Self):
  - 15 basic safeguarding requirements required by FAR clause 52.204-21
  - Annual self-assessment and affirmation that the organization has implemented all applicable basic safeguarding requirements
  - Results entered into the Supplier Performance Risk System (SPRS)
- CMMC Level 2 – Broad Protection of CUI (Self):
  - 110 requirements aligned with NIST SP 800-171 R2 required by DFARS clause 252.204-7012
  - Triennial (every 3 years) self-assessment and annual affirmation for select programs
  - Results entered into the Supplier Performance Risk System (SPRS)
- CMMC Level 2 – Broad Protection of CUI (C3PAO):
  - 110 requirements aligned with NIST SP 800-171 R2 required by DFARS clause 252.204-7012
  - Triennial third-party assessments conducted by a Certified Third-Party Assessor Organization (C3PAO)
  - Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS)
  - CMMC Status valid for three years from the CMMC Status Date as defined in 32 CFR § 170.4
- CMMC Level 3 – Higher-Level Protection of CUI Against Advanced Persistent Threats (DIBCAC):
  - 110+ requirements based on NIST SP 800-171 R2 required by DFARS clause 252.204-7012
  - 24 additional requirements selected from NIST SP 800-172 (Feb 2021), as detailed in Table 1 to 32 CFR § 170.14(c)(4)
  - Prerequisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment
  - Conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years
  - Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS)
  - CMMC Status valid for three years from the CMMC Status Date as defined in 32 CFR § 170.4
FOUR-PHASE ROLLOUT OF CMMC 2.0
The CMMC Final Rule went into effect on November 10, 2025 and applies to all DoD contractors and subcontractors. Implementation includes a four-phase rollout for solicitations and contracts over three years. This phased approach provides time for training assessors and for companies to comprehend and implement the CMMC assessment requirements.
- Phase One (begins November 10, 2025): Must conform to CMMC Level 1 self-assessment or Level 2 self-assessment requirements for contracts involving FCI and CUI.
- Phase Two (begins November 10, 2026): Level 2 Certification Assessments commence and will be added to applicable solicitations and contracts. CMMC Level 3 certification assessment requirements could be required for applicable solicitations and contracts.
- Phase Three (begins November 10, 2027): CMMC Level 3 Certification Assessment requirements for applicable contracts will begin. Contractors will have to report their assessment results.
- Phase Four (begins November 10, 2028): Applicable CMMC program requirements will be included in all solicitations and contracts as a condition of the contract award.
It is important to note that the DoD may apply CMMC Level 2 (C3PAO) requirements in certain Phase 1 procurements or Level 3 requirements in select Phase 2 procurements, which could restrict competitors or increase costs.
The journey to achieve CMMC certification is projected to take around two years, but the time to act is now. If you haven’t begun this critical process yet, don’t wait any longer!
PROTECTING DEFENSE AND SUPPLY CHAIN DATA FROM INSIDER THREATS
The key focus of CMMC is to prevent the loss of intellectual property and sensitive information that could threaten national security or military advantage. Insider threats are a big part of the problem CMMC aims to address. However, solving the problems posed by insider threats to protect DoD-sensitive data, including CUI and FCI, requires a different information security approach. Insider threats range from simple human negligence, such as sharing CUI with an unauthorized party, to malicious employee actions, such as nation-state espionage or data theft for personal gain.
Traditional information security is designed to focus predominantly on outside threats like hackers or unauthorized user access, and is no longer enough. SIEMs, SOARs and other solutions are reactive and don’t do anything to prevent the initial loss of data—they are focused on the attacker’s actions and not on the data.
Simply repurposing tools designed to detect external threats is not enough to provide the necessary level of proactive data security required to combat internal threats, which are more challenging to detect and can take longer to identify, even with these tools in place. They also do not address the data tagging and protection required to safeguard sensitive data.
There is also a fundamental flaw with most existing security software solutions and with many security policies making data more vulnerable: the login process is not robust enough to guarantee that the logged-in user is who they say they are, with no attribution at the user level. If someone logs in with stolen credentials, they can use the access and privileges of the compromised account to navigate systems and data, stealing as they go. In this case, the security lies within the permissions of the logged-in user only, not a combination of user and content privileges.
Extending Zero Trust to information security provides a solution.
ZERO TRUST 101
Systems designed using Zero Trust principles are better positioned to address threats and comply with the NIST SP 800-171 requirements underpinning CMMC. Simply put, the Zero Trust model has one basic principle: trust nothing – validate everything.
Transitioning to this new security architecture will require careful planning to avoid weakening the security posture along the way and will continually evolve. Providers migrating to this Zero Trust environment must understand that it will require continuous verification of the operational picture via real-time information. In addition, Zero Trust architectures generally focus on user-to-network, user-to-device, or user-to-application access and are not necessarily focused on the data.
A DATA-CENTRIC ZERO TRUST MODEL
This new Zero Trust security model enforces least-privileged access for each and every access request. An “allow” or “deny” model alone is insufficient to meet Zero Trust data security needs. Access must also be restricted using different levels of control (e.g., access control, read-only rights, encryption). Unfortunately, many Zero Trust solutions do not focus on the data; they focus on the network and the application – not the data behind them.
A data-centric ‘Zero Trust’ approach is a far more effective methodology to ensure data, which is the main target, remains secure. A data-centric Zero Trust approach does not automatically trust any user inside or outside your perimeters or applications. Instead, you must verify anyone trying to access an individual data file before granting them access to it – each and every time.
Attribute-based access control (ABAC) is a methodology that evaluates attributes (or characteristics of data and users) rather than roles to determine access and usage rights. It uses a data-centric security approach that assesses each file’s attributes, including security classification and permissions, and user attributes such as security clearance, time of day, location, and device to determine who can access, edit and download files.
ABAC makes a data-centric Zero Trust possible by providing granular, real-time control over access to information, adjusting security in real time to determine whether the user should be granted access to the requested information – based on all of these parameters – at that point in time. If the user scenario does not match or appears suspicious, access is denied, or a restricted view of the data is provided.
For example, suppose an authenticated user is trying to access a sensitive file they own. It is outside of business hours, and they are using a BYOD device in another country. In that case, file access will be denied – effectively thwarting a hacker using stolen credentials.
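The following is an added illustration of the ABAC evaluation described above; it is not NC Protect's engine or any code from the original post. It assumes a small attribute model (three sensitivity levels, a home country of "US", business hours of 08:00–18:00, and a "managed" versus "byod" device attribute) and a constructed rule that one environmental risk signal on a CUI file yields a restricted view while two or more yield a denial, so that the "owner, after hours, BYOD, abroad" scenario above is denied even though the user authenticated successfully.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Illustrative example only: the attribute names, thresholds and policy
rules below are assumptions chosen to mirror the scenario in the text,
not the behaviour of any specific product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full access
    RESTRICTED = "restricted"  # e.g. secure read-only view, no download
    DENY = "deny"


# Data sensitivity ordered so that a subject's clearance must dominate
# the file's classification before any other attribute is considered.
SENSITIVITY = {"public": 0, "fci": 1, "cui": 2}

HOME_COUNTRY = "US"                       # assumed home jurisdiction
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working window


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str       # highest data level this user may handle
    authenticated: bool


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str  # "public", "fci" or "cui"
    owner: str


@dataclass(frozen=True)
class Context:
    local_time: time
    country: str
    device: str          # "managed" or "byod"


def in_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t < end


def evaluate(subject: Subject, resource: Resource, ctx: Context) -> tuple[Decision, list[str]]:
    """Evaluate one access request against user, data and environment attributes.

    Returns the decision plus the reasons behind it, which is what an
    audit trail would record for each request.
    """
    level = SENSITIVITY[resource.classification]

    # 1. Unauthenticated sessions never see non-public data.
    if not subject.authenticated and level > 0:
        return Decision.DENY, ["not authenticated"]

    # 2. Clearance must dominate the classification; ownership grants nothing extra.
    if SENSITIVITY[subject.clearance] < level:
        return Decision.DENY, [f"clearance {subject.clearance} below {resource.classification}"]

    if level == 0:
        return Decision.ALLOW, ["public data"]

    # 3. Collect environmental risk signals instead of short-circuiting on the first one.
    reasons: list[str] = []
    if not in_business_hours(ctx.local_time):
        reasons.append("outside business hours")
    if ctx.country != HOME_COUNTRY:
        reasons.append(f"foreign location {ctx.country}")
    if ctx.device == "byod":
        reasons.append("unmanaged device")

    # 4. CUI: two or more signals resemble a stolen-credential session -> deny;
    #    one signal -> restricted view; none -> full access.
    if level == SENSITIVITY["cui"]:
        if len(reasons) >= 2:
            return Decision.DENY, reasons
        if reasons:
            return Decision.RESTRICTED, reasons
        return Decision.ALLOW, ["all attributes nominal"]

    # FCI: less sensitive, so any risk signal downgrades to a restricted view but never denies.
    if reasons:
        return Decision.RESTRICTED, reasons
    return Decision.ALLOW, ["all attributes nominal"]


if __name__ == "__main__":
    # Constructed scenario from the text: the file's owner, authenticated,
    # after hours, on a BYOD device in another country.
    alice = Subject("alice", "cui", authenticated=True)
    plan = Resource("program_plan.docx", "cui", owner="alice")
    print(evaluate(alice, plan, Context(time(23, 30), "DE", "byod")))
```

Because the decision is re-evaluated on every request with the reasons returned alongside it, the same function serves both enforcement and the per-access audit record; changing the thresholds or adding attributes (sensitivity label, group membership, network zone) is a policy change, not a code change to the callers.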
ENFORCE KEY CMMC 2.0 REQUIREMENTS IN MICROSOFT APPLICATIONS USING ABAC
NC Protect from archTIS provides capabilities for easily adding ABAC to Microsoft 365, GCC and GCC High, SharePoint on-premises, and File Shares. It’s a complementary product that Microsoft Security has recognized as a Privacy & Compliance Trailblazer Finalist. It allows enterprises to enhance their existing Microsoft environment with ABAC policies to dynamically control data access, usage, and sharing with fine-grained precision to comply with CMMC, NIST, and ITAR requirements and more.
NC Protect policies offer more than just access control. They can also provide file-level protection, such as encryption, secure-read-only access, user-based watermarks, and more. Policies can also control with whom information can be shared – all in real time – using dynamic attribute-based access and data protection policies. These policies automatically adapt to changes in user context and content changes, meaning that a user’s access and usage rights can alter depending on their location at any given time. The product also includes a scanning and classification tool to aid in classification and attribute management.
Using a solution like NC Protect that utilizes dynamic ABAC policies has many benefits and affords granular data security to ensure compliance with CMMC and other information security requirements. It also ensures operational security by delivering a seamless solution to deliver and share information securely with multinational coalition partners.
Some of the capabilities NC Protect offers for CMMC compliance include:
- Scans to find FCI, CUI and other sensitive content in your repositories.
- Adds metadata tagging based on the contents of the document scan.
- Attribute-based access control (ABAC) policies evaluate data, environmental, and user attributes combined with defined policies to determine appropriate access, usage, and sharing rights.
- Leverages Microsoft sensitivity labels and classifications from other tools (Janusseal, Titus, etc.) in access and protection policies.
- Limits overprivileged admin access that is the default in Microsoft applications.
- CUI and FCI can be automatically encrypted at rest or in transit.
- Conditional policies can limit access and usage rights on mobile devices.
- Applies CUI visual markings to documents, CAD files, PDFs, images and more.
- A complete audit trail of all document access and usage is logged and can be ported to Microsoft Sentinel or Splunk for upstream actions and analysis.
This level of granular ABAC-enabled, real-time control is the key to extending the Zero Trust methodology to the data layer. Each time a user tries to access information, all of these attributes are checked against policies to determine whether the user can access a file and what they can do with it at that moment in time, based on all of the parameters.
NC Protect’s zero trust ABAC-enabled policies help address and dynamically enforce the Access Control (AC), System and Information Integrity (SI), System and Communications Protection (SC), and Audit and Accountability (AU) requirements in NIST SP 800-171 that form the backbone of CMMC Levels 2 and 3, and those included in Level 1.
Read this white paper to understand the challenges of implementing mandated FCI and CUI requirements to meet CMMC, SP 800-171, and the Zero Trust mandate. Ready to talk? Contact us to discuss how NC Protect can help you more easily meet your Microsoft application data access, protection, and auditing requirements for CMMC compliance.
Learn More in this new white paper
CMMC 2.0: Jump-start FCI & CUI Protection with Data-centric Zero Trust