
CMMC – Cybersecurity Maturity Model Certification

CMMC is a certification program created by the Department of Defense (DoD) to ensure that businesses that want to work with it adhere to proper cybersecurity practices. The certification protects Controlled Unclassified Information (CUI) handled by these businesses.

The certification levels include Level 1 (basic cyber hygiene, self-attestation), Level 2 (alignment with NIST 800-171), and Level 3 (alignment with NIST 800-171 & 800-172).

Since NIST is not a regulatory body, it does not have the authority to enforce guidelines. CMMC, on the other hand, is a model that will be enforced through DoD contract awards. Level 2 and 3 certification can be attained via third-party and government-led assessments, respectively.

CMMC is a soon-to-be mandatory framework that draws from NIST 800-171 and 800-172.