CMMC Compliance Guide: Protecting FCI and CUI With Verified Controls
Seth Knox
If your organization supports U.S. Department of Defense (DoD) missions, whether you are a defense contractor, subcontractor, or a university conducting DoD-funded research, you may need to comply with the Cybersecurity Maturity Model Certification (CMMC).
CMMC is a DoD cybersecurity standard that establishes required practices and processes for organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
While CMMC is most often associated with the Defense Industrial Base (DIB), the same requirements and expectations apply across related industries that support DoD programs, including universities and research institutions that handle CUI in labs, departmental file shares, collaboration tools, and research platforms.
This guide explains what the Cybersecurity Maturity Model Certification (CMMC) is, how it is structured, what organizations must do to prepare, and how Lightbeam helps teams operationalize the data security and governance foundations required for CMMC compliance.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s framework for assessing and validating that organizations implement required cybersecurity practices to protect FCI and CUI. CMMC requirements are defined in the CMMC Program rule (32 CFR Part 170) and are enforced in DoD contracting through DFARS clauses.
Who needs to care about CMMC?
If your organization processes, stores, or transmits FCI or CUI in support of a DoD contract, CMMC can impact your eligibility for awards, options, and extensions when CMMC requirements are included in a solicitation or contract clause. This includes prime contractors, subcontractors receiving flowed-down requirements, and universities and research partners where CUI appears in research data and collaboration systems.
FCI vs. CUI: the data types that drive CMMC scope
Most CMMC preparation challenges start with scope. CMMC scope is not only “which systems are used on DoD work,” but “which systems handle FCI or CUI.” If you cannot confidently answer “where does our FCI/CUI live?” you will struggle to prepare for assessments and to sustain ongoing affirmations.
FCI (Federal Contract Information)
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government has itself made public (for example, on public websites) and simple transactional information such as payment processing data. In practice, CMMC Level 1 maps to the 15 foundational safeguarding requirements in FAR 52.204-21.
CUI (Controlled Unclassified Information)
CUI is unclassified information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. The authoritative reference for CUI categories and handling is the National Archives CUI program and the CUI Registry.
CMMC levels (CMMC 2.0) at a glance
CMMC defines three levels of cybersecurity maturity. Each level maps to established federal requirements and NIST guidance.
Level 1: Basic safeguarding of FCI
Level 1 focuses on foundational safeguards and requires annual self-assessment and annual affirmation against 15 security requirements aligned to FAR 52.204-21.
Level 2: Protection of CUI
Level 2 aligns to NIST SP 800-171 Rev. 2 and includes its 110 requirements. Depending on contract and program requirements, Level 2 may require either a self-assessment (allowed only for select programs) or a third-party certification assessment. In both cases the assessment result is valid for three years and must be backed by an annual affirmation in between.
Level 3: Expert-level protection for high-risk programs
Level 3 builds on Level 2 and adds 24 enhanced requirements selected from NIST SP 800-172 for the highest priority DoD programs. An organization must hold a Final Level 2 (C3PAO) status before it can be assessed at Level 3.
Assessments, verification, and where status is recorded
CMMC is not only a set of controls. It is a verification and evidence program that expects recurring affirmations and, for some programs, independent assessments.
Assessment types and who performs them
- Level 1: annual self-assessment and annual affirmation, both entered in SPRS.
- Level 2: either a self-assessment (Level 2 Self, permitted only where the solicitation allows it) or a certification assessment by an authorized C3PAO (Level 2 C3PAO). Either result is valid for three years, with an affirmation each year in between.
- Level 3: a government-led assessment performed by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), also valid for three years with annual affirmations.
Where affirmations and status live: SPRS
The Supplier Performance Risk System (SPRS) is where self-assessment results and annual affirmations are entered; C3PAO and DIBCAC assessment results are recorded in CMMC eMASS and transmitted to SPRS, where contracting officers check status before award. Because affirmations recur, most organizations benefit from a continuous compliance evidence program rather than a one-time audit scramble.
POA&Ms and conditional status
The CMMC program allows limited use of Plans of Action and Milestones (POA&Ms) at Levels 2 and 3: an organization that meets a minimum assessment score can receive a Conditional status with open POA&M items, but only for specific requirements, and the POA&M must be closed within 180 days (with a closeout assessment) or the Conditional status expires. Level 1 does not permit POA&Ms at all. If your organization relies on a POA&M, you still need a time-boxed plan to close gaps and achieve a Final status.
When does CMMC show up in contracts?
DoD implementation is phased. CMMC assessment requirements began appearing in applicable solicitations and contracts on November 10, 2025, the effective date of the DFARS final rule that revised clause 252.204-7021. Phase 1 covers Level 1 and Level 2 self-assessments; later phases, roughly one year apart, add Level 2 C3PAO certification, Level 3, and finally full implementation across all applicable contracts. Organizations should plan for variability by program office and solicitation, and should assume that scoping, evidence, and access governance will be scrutinized.
A practical CMMC compliance roadmap
CMMC readiness tends to break down on three things: scope, evidence, and operational follow-through. A practical roadmap starts with the data and ends with repeatable proof.
Step 1: define scope by finding where FCI and CUI actually live
Most organizations underestimate how widely FCI/CUI spreads across collaboration tools, email attachments, shared drives, research workspaces, ticketing tools, and cloud storage. Start by inventorying the repositories and applications used in DoD-related work, then validate where FCI/CUI appears in real content.
Step 2: classify and minimize exposure
After you identify likely FCI/CUI locations, reduce exposure by removing unnecessary copies, aligning retention and handling rules, and consolidating sensitive data into governed locations. Universities and research institutions often benefit from this step because decentralized storage and collaboration patterns can rapidly multiply risk.
Step 3: validate access controls and least privilege
Many CMMC gaps are access-related: broad group permissions, stale access, external sharing, inherited permissions drift, and public links. Standardize least-privilege access patterns and ensure you can prove who has access to in-scope systems and data.
Run recurring user access reviews for in-scope systems so access decisions are documented, actions are traceable, and evidence stays current instead of being rebuilt during audit season.
Step 4: build an evidence program (not just a control list)
Assessments and affirmations depend on your ability to show what is true now: which systems are in scope, where FCI/CUI resides, who can access it, what remediation occurred, and how reviews operate over time. Treat evidence as an ongoing operational output, not a once-a-year project.
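As an added example that is not part of the original guide or of Lightbeam's product, the following Python script models the four roadmap steps end to end on constructed data: it scans document text for CUI banner markings (step 1), uses the result to decide what is in scope (step 2), tags each permission grant on an in-scope document with the exposure patterns named above (public links, external sharing, broad groups, stale access; step 3), and emits one access-review record per grant carrying reviewer, scope, decision and timestamp (step 4). Assumptions: the banner-marking regex is a simplification of the CUI Registry format with an abbreviated dissemination-control list; the contract-number pattern is only a triage heuristic for FCI, since FCI carries no mandated marking; the domains, paths, principals, 90-day staleness threshold and proposed decisions are all made up.

```python
"""Added example (not Lightbeam's code): an offline model of roadmap steps 1-4
run over constructed sample data. All paths, principals, domains and the
contract number below are made up for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Step 1: CUI banner markings (NARA CUI Registry format) are "CUI" or
# "CONTROLLED", then an optional "//" category segment (e.g. SP-CTI/SP-EXPT)
# and an optional "//" limited-dissemination segment (e.g. NOFORN). Only a
# marking that occupies a whole line counts, since banners sit on their own
# line; this keeps the word "CUI" inside body text from triggering a hit.
BANNER_RE = re.compile(
    r"(?P<marker>CUI|CONTROLLED)"
    r"(?://(?P<seg1>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"(?://(?P<seg2>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
)
# A single "//" segment is ambiguous (CUI//NOFORN is basic CUI with a control);
# assumption: treat it as controls only when every token is a known control.
KNOWN_LDC = {"NOFORN", "FEDCON", "NOCON"}  # abbreviated list
# FCI has no mandated marking, so a DoD-style contract number (PIID: 6-char
# DoDAAC, 2-digit FY, instrument-type letter, 4-digit serial) is used here only
# as a triage heuristic, to be confirmed against the contract inventory.
PIID_RE = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")


def find_cui_markings(text):
    """Return (marker, categories, controls) for each banner line in text."""
    found = []
    for raw in text.splitlines():
        m = BANNER_RE.fullmatch(raw.strip())
        if not m:
            continue
        seg1, seg2 = m.group("seg1"), m.group("seg2")
        cats, ldc = [], []
        if seg2 is not None:
            cats, ldc = seg1.split("/"), seg2.split("/")
        elif seg1 is not None:
            toks = seg1.split("/")
            cats, ldc = ([], toks) if set(toks) <= KNOWN_LDC else (toks, [])
        found.append((m.group("marker"), cats, ldc))
    return found


def scope_of(text):
    """'CUI' if marked, 'FCI-candidate' if a contract number appears, else None."""
    if find_cui_markings(text):
        return "CUI"
    if PIID_RE.search(text):
        return "FCI-candidate"
    return None


# Step 3: exposure checks over a permission inventory (all values assumed).
ORG_DOMAINS = {"example-university.edu"}
BROAD_GROUPS = {"Everyone", "All Users", "Domain Users"}
STALE_DAYS = 90


def grant_issues(grant, now):
    """Tag one (principal -> path) grant with the exposure patterns it shows."""
    issues = []
    p = grant["principal"]
    if p == "anyone-with-link":
        issues.append("public-link")
    elif p in BROAD_GROUPS:
        issues.append("broad-group")
    elif "@" in p and p.rsplit("@", 1)[1] not in ORG_DOMAINS:
        issues.append("external-share")
    last = grant.get("last_access")
    if last is not None and now - last > timedelta(days=STALE_DAYS):
        issues.append("stale-access")
    return issues


# Step 4: evidence. One record per in-scope grant, carrying reviewer, scope,
# decision and timestamp, so the review can be exported rather than rebuilt.
def access_review(documents, grants, reviewer, now):
    scope = {d["path"]: scope_of(d["text"]) for d in documents}
    records = []
    for g in grants:
        s = scope.get(g["path"])
        if s is None:
            continue  # out of CMMC scope: not part of this review
        issues = grant_issues(g, now)
        # Proposed decision; a human reviewer confirms or overrides it.
        if {"public-link", "broad-group", "stale-access"} & set(issues):
            decision = "revoke"
        elif "external-share" in issues:
            decision = "revoke" if s == "CUI" else "confirm-need"
        else:
            decision = "certify"
        records.append({"reviewer": reviewer, "scope": s, "path": g["path"],
                        "principal": g["principal"], "issues": issues,
                        "decision": decision, "timestamp": now.isoformat()})
    return records


def run_sample():
    """Constructed sample data; returns the review records it produces."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)

    def days_ago(n):
        return now - timedelta(days=n)

    documents = [
        {"path": "/research/lab-a/test-plan.docx",
         "text": "CUI//SP-CTI//NOFORN\nTest plan body...\nCUI//SP-CTI//NOFORN"},
        {"path": "/shared/proposal-draft.docx",
         "text": "Draft deliverable under contract W912ZZ-24-C-9999 (made-up)."},
        {"path": "/shared/menu.pdf", "text": "Monday: soup. CUI is not on the menu."},
    ]
    grants = [
        {"path": "/research/lab-a/test-plan.docx", "principal": "anyone-with-link"},
        {"path": "/research/lab-a/test-plan.docx", "principal": "pi@example-university.edu",
         "last_access": days_ago(3)},
        {"path": "/research/lab-a/test-plan.docx", "principal": "vendor@partner.example",
         "last_access": days_ago(10)},
        {"path": "/research/lab-a/test-plan.docx", "principal": "alum@example-university.edu",
         "last_access": days_ago(200)},
        {"path": "/shared/proposal-draft.docx", "principal": "Everyone"},
        {"path": "/shared/menu.pdf", "principal": "anyone-with-link"},
    ]
    return access_review(documents, grants, "ciso@example-university.edu", now)


if __name__ == "__main__":
    for r in run_sample():
        print(r["decision"].upper(), r["scope"], r["path"], r["principal"], r["issues"])
```

On the sample data the menu document is skipped even though it contains the word "CUI" and has a public link, because the marking is not a whole-line banner; the four grants on the marked test plan yield three proposed revocations (public link, external share on CUI, stale access) and one certification, and the "Everyone" grant on the FCI candidate is proposed for revocation. The proposed decision is deliberately separate from the record so that the human reviewer's actual decision, not the heuristic, is what gets exported as evidence.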
How Lightbeam helps organizations meet CMMC expectations
CMMC is not a “buy one product and you are compliant” standard. Organizations typically need coordinated people, process, and technology. Lightbeam helps by delivering data visibility, identity context, and governance workflows that improve scoping, reduce exposure, and generate defensible evidence.
1) CMMC scoping: discover where FCI/CUI exists across your environment
Lightbeam helps teams scope CMMC by connecting to the repositories where FCI and CUI typically spread, including cloud object stores, collaboration platforms, enterprise file systems, and common SaaS applications. That coverage helps reduce blind spots across departmental drives, research workspaces, and shared collaboration sites.
Outputs you can reuse in SSP and audit preparation include in-scope repository inventories, coverage reporting, and sensitive data location summaries.
2) CMMC-aligned protection: classify, prioritize, and reduce exposure
Lightbeam helps teams identify likely CUI and other sensitive data types at scale, then prioritize and automate remediation based on risk and identity context. Teams can reduce exposure by tightening access, addressing risky external sharing, and removing unnecessary sensitive copies so controls target the right data in the right places.
3) RoPA and PIA workflows: document CUI/FCI systems faster with pre-populated evidence
CMMC preparation depends on fast, accurate documentation of which systems process, store, or transmit FCI and CUI, and how those systems control access, retention, and sharing. Lightbeam’s RoPA (Record of Processing Activities) and PIA (Privacy Impact Assessment) workflows streamline this step by letting teams run structured questionnaires tied to real systems and data sources.
Lightbeam pre-populates key fields directly from connected repositories and applications (such as system details, owners, data categories, and data locations), reducing manual effort and improving consistency. The result is clearer, audit-ready documentation of in-scope systems handling FCI/CUI, plus a repeatable workflow you can reuse as programs evolve. Note that a Level 2 assessor works from the System Security Plan (SSP) that NIST SP 800-171 requires (requirement 3.12.4); RoPA and PIA outputs are inputs to the SSP and its supporting evidence, not a substitute for it.
4) User Access Reviews: operationalize least privilege and produce audit-ready evidence
CMMC programs require you to prove that only the right users can access systems and data that handle FCI and CUI, and that you can repeat that proof over time. Lightbeam’s User Access Review workflows replace spreadsheet-based access certifications with a structured, repeatable review process across supported repositories.
Reviewers can certify, revoke, or right-size access. Each review captures reviewer, scope, decision, timestamp, and outcome, creating a repeatable certification record. Lightbeam retains the outcome, ownership, review state, and action history so teams can export audit-ready evidence on demand.
5) Continuous compliance support: keep evidence current for affirmations
Because CMMC includes recurring affirmations and ongoing accountability, Lightbeam helps teams maintain an always-current evidence posture. Teams can generate exports such as access certification reports, exposure posture snapshots, and remediation logs without rebuilding evidence from scratch for every audit cycle.
Evidence artifacts Lightbeam can help produce
- In-scope repository, sensitive data, and system inventories for FCI/CUI programs.
- Sensitive data classification and location summaries that support scoping and ongoing governance.
- Access certification reports (who reviewed what, outcomes, timestamps, and action history) for in-scope systems.
- Continuous access posture exports showing open access, external sharing, and excessive permissions tied to remediation status.
- Remediation activity logs and outcomes reporting to demonstrate risk reduction over time.
- RoPA/PIA outputs documenting in-scope systems, owners, data categories, and safeguards for FCI/CUI supported by pre-populated system evidence.
FAQs
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD framework that defines and verifies cybersecurity requirements for organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Does CMMC apply to universities?
It can. Universities and research institutions that support DoD programs and handle CUI should expect CMMC requirements to apply through contract terms and flowed-down requirements.
What is the difference between CMMC Level 1 and Level 2?
Level 1 focuses on basic safeguarding of FCI and aligns to FAR 52.204-21. Level 2 focuses on protecting CUI and aligns to NIST SP 800-171, with assessment type depending on the program.
When will CMMC be required in DoD contracts?
CMMC assessment requirements began appearing in applicable procurements on November 10, 2025, the effective date of the DFARS final rule that revised clause 252.204-7021. Rollout is phased over roughly three years, starting with Level 1 and Level 2 self-assessments and adding Level 2 C3PAO certification and Level 3 in later phases.
What is SPRS and why does it matter for CMMC?
SPRS supports the submission of assessments and annual affirmations. It matters because CMMC expects ongoing affirmations and defensible evidence, not a one-time audit event.
Conclusion: treat CMMC as a data security and governance program
CMMC compliance requires more than policies and checklists. It requires clarity on where FCI/CUI lives, who can access it, and how quickly you can prove safeguards remain effective over time. That is hard for any organization and especially hard for complex, decentralized environments such as universities and research institutions.
Lightbeam helps teams operationalize CMMC readiness by continuously scanning to keep an always-current view of where FCI, CUI, and other sensitive data lives, how it is classified, and who can access it as systems, projects, and permissions change. Lightbeam maps exposure to identity context so teams can prioritize risk based on real access and real data, not assumptions. It streamlines RoPA/PIA documentation with pre-populated evidence from connected data sources, and it runs repeatable User Access Reviews that document decisions and drive remediation. The result is a control layer that keeps access governance aligned to policy over time, so you can demonstrate compliance as an ongoing operating posture rather than a point-in-time assessment.
If you are preparing for the Cybersecurity Maturity Model Certification (CMMC), Lightbeam can help you scope faster, reduce exposure, and stay audit-ready as contracts and affirmation requirements evolve.
References
- DoD CIO: CMMC main page
- DoD CIO: CMMC Resources & Documentation
- 32 CFR Part 170 (CMMC Program) via Cornell LII
- 32 CFR Part 170 Subpart D (model sources) via eCFR
- FAR 52.204-21 Basic Safeguarding
- NIST SP 800-171 Rev. 2 (landing page)
- NIST SP 800-171 Rev. 2 (PDF)
- NIST SP 800-172 (PDF)
- NARA CUI program
- NARA CUI Registry category list
- DFARS 252.204-7021 (Acquisition.gov)
- DFARS 252.204-7025 (Acquisition.gov)
- Federal Register: DFARS final rule (effective Nov 10, 2025)
- SPRS official site
- DoD CIO: SPRS and CMMC (PDF)
- DoD CIO: CMMC-101 overview (PDF)
- DoD CIO: CMMC FAQs (PDF)
- Lightbeam: Winter Release 2026 blog (User Access Reviews)
FAQ Section
What is CMMC compliance?
CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity framework developed by the U.S. Department of Defense to ensure contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What is the difference between FCI and CUI?
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract, while Controlled Unclassified Information (CUI) is unclassified information that laws, regulations, or government-wide policies require to be safeguarded or have its dissemination controlled.
Who must comply with CMMC?
Organizations in the defense industrial base (DIB), including subcontractors and research institutions, must meet CMMC requirements when a DoD solicitation or contract includes the CMMC clause and they process, store, or transmit FCI or CUI in performing that work.