What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is a Department of Defense (DoD) requirement designed to protect sensitive defense information across the contractor supply chain. It establishes a standardized approach for implementing and verifying cybersecurity practices.
CMMC 2.0 defines three levels based on the type of information being handled. Level 1 applies to Federal Contract Information (FCI), while Level 2 focuses on Controlled Unclassified Information (CUI) and aligns directly with the 110 security controls outlined in NIST SP 800-171. Level 3 builds on these requirements for the most critical national security programs, incorporating 24 controls from NIST SP 800-172.
Depending on the level required, organizations may complete a self-assessment or undergo an external assessment. Level 2 requires a third-party certification assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). Level 3 requires an assessment by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Who Does the CMMC Program Apply To?
CMMC certification is required for direct (‘prime’) contractors and subcontractors based on the level specified in their DoD contract. Each such entity must be certified at a CMMC level equal to or greater than the level associated with the contract.
CMMC Certification Requirements
CMMC 2.0 covers 14 domains, derived from FAR clause 52.204-21, NIST SP 800-171, and NIST SP 800-172:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
FileCloud Supports CMMC
Achieving CMMC compliance requires more than implementing individual security tools. Organizations must demonstrate consistent enforcement of policies, visibility into user activity, and protection of sensitive data across all workflows.
FileCloud centralizes file storage, sharing, and governance into a single platform, helping organizations reduce complexity while supporting CMMC-aligned security practices. Whether deployed on-premises or in a secure cloud environment, FileCloud enables teams to collaborate efficiently without compromising control over sensitive information.
Two Deployment Paths
Organizations can support CMMC requirements using FileCloud through either a self-hosted deployment or a FedRAMP-authorized cloud environment, depending on their security, infrastructure, and compliance needs.
FileCloud Server provides full control over data, infrastructure, and security configurations, enabling organizations to implement CMMC-aligned controls within their own environment.
- Maintain complete ownership of CUI data and storage infrastructure
- Deploy in isolated or air-gapped environments for sensitive workloads
- Configure security controls to align with NIST SP 800-171 requirements
Best suited for organizations requiring full control over enclave boundaries and security implementation.
FileCloud FedRAMP is delivered within a FedRAMP High authorized environment, enabling alignment with federal security requirements. This deployment model reduces the operational burden of implementing and maintaining CMMC-aligned controls. Organizations remain ultimately responsible for implementing and maintaining the controls required for their specific CMMC level.
- Built on a FedRAMP-authorized infrastructure baseline
- Inherits a high level of security controls aligned with federal requirements
- Accelerates readiness for CMMC Level 2 environments
Best suited for organizations looking to reduce infrastructure complexity and accelerate compliance readiness.