CMMC, or Cybersecurity Maturity Model Certification, is a U.S. Department of Defense cybersecurity framework for organizations in the Defense Industrial Base. It helps verify that contractors and subcontractors have the right security controls in place to protect sensitive, unclassified government information.
CMMC focuses on protecting two categories of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It applies to DoD contractors, subcontractors, and suppliers that process, store, or transmit this information on their systems. The DoD's CMMC Program final rule (32 CFR Part 170) establishes CMMC as the mechanism for verifying that contractors have implemented the required safeguards for FCI and CUI before and during contract performance.
Defense contractors often handle sensitive information that is not classified but still needs protection. Exposure, theft, or misuse of this information can affect national security, supply chains, and defense operations.
CMMC matters because it moves cybersecurity from a simple self-declaration model toward a more structured assessment model. It helps ensure that organizations can prove they are protecting sensitive defense information properly.
CMMC 2.0 is organized into three levels:
| Level | Focus | Assessment type |
|---|---|---|
| Level 1: Foundational | Basic safeguarding of Federal Contract Information | Annual self-assessment |
| Level 2: Advanced | Protection of Controlled Unclassified Information | Self-assessment or third-party assessment by a certified assessor organization (C3PAO), depending on the contract |
| Level 3: Expert | Enhanced protection of CUI against advanced persistent threats | Government-led assessment by the DoD (DIBCAC) |
Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21. Level 2 is based on the 110 requirements of NIST SP 800-171 Rev. 2, and Level 3 adds 24 selected requirements from NIST SP 800-172 on top of a completed Level 2 certification assessment.
CMMC assessments look at whether an organization has implemented cybersecurity practices across areas such as:
The exact requirements depend on the CMMC level required by the DoD contract.
Organizations preparing for CMMC need strong controls around the devices, users, and access paths that may interact with sensitive contract data. Hexnode UEM helps IT teams manage endpoints, enforce security policies, monitor device compliance, and control access from trusted devices.
For identity-aware access, Hexnode IdP supports SSO, MFA, RBAC, and device posture checks. Hexnode XDR adds endpoint threat detection, investigation, and response, helping teams identify and address risks on devices before they affect sensitive environments.
Hexnode supports the endpoint and access security layer that can strengthen broader CMMC readiness efforts.
1. Who needs CMMC?
Organizations that work with the DoD and handle Federal Contract Information or Controlled Unclassified Information may need CMMC based on contract requirements.
2. Is CMMC a one-time requirement?
No. CMMC status must be maintained for the life of the contract. Level 1 self-assessments are repeated annually; Level 2 and Level 3 assessments are valid for three years; and every level requires an annual affirmation of continued compliance by a senior company official.