If your organization works with the Department of Defense—or wants to—Cybersecurity Maturity Model Certification (CMMC) compliance is no longer optional. The DoD has finalized CMMC 2.0, and it is now appearing in contract requirements. Contractors that cannot demonstrate the appropriate certification level will lose their eligibility to bid on and perform DoD work.
This guide explains what CMMC 2.0 requires, who it applies to, how it maps to existing frameworks, and what steps you need to take to achieve and maintain compliance.
What Is CMMC?
The Cybersecurity Maturity Model Certification is a unified cybersecurity standard for the Defense Industrial Base (DIB). It was created by the DoD to verify that contractors and subcontractors handling federal data meet specific cybersecurity practices and processes.
Before CMMC, defense contractors were required to self-attest their compliance with NIST SP 800-171 through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. However, self-attestation proved unreliable—audits revealed widespread gaps between claimed compliance and actual security posture.
CMMC addresses this gap by introducing third-party verification at higher certification levels, ensuring that contractors actually implement the security controls they claim to have in place.
CMMC 2.0: What Changed
CMMC 2.0, finalized through the federal rulemaking process, significantly streamlined the original CMMC 1.0 framework:
- Reduced from 5 levels to 3 levels — Eliminated redundant intermediate levels
- Aligned directly with NIST standards — Removed CMMC-unique practices, mapping entirely to NIST SP 800-171 and NIST SP 800-172
- Introduced self-assessment at Level 1 — Reduced burden for contractors handling only Federal Contract Information (FCI)
- Allowed Plans of Action and Milestones (POA&Ms) — Contractors can achieve conditional certification while actively remediating specific gaps
- Established the CMMC Accreditation Body (Cyber AB) — Manages the ecosystem of assessors and training
These changes made CMMC more practical and achievable while maintaining the core objective: verifiable cybersecurity across the defense supply chain.
The Three CMMC 2.0 Maturity Levels
Level 1: Foundational
- Applies to: Contractors handling Federal Contract Information (FCI) only
- Requirements: 17 security practices from FAR 52.204-21
- Assessment: Annual self-assessment submitted to the Supplier Performance Risk System (SPRS)
- Focus: Basic cyber hygiene—access control, identification/authentication, media protection, physical protection, system/communications protection, and system/information integrity
What FCI means: FCI is information provided by or generated for the government under contract that is not intended for public release. It does not include information that is publicly available or simple transactional data.
Level 1 is the minimum bar. It covers fundamental practices that every organization should already have in place: using antivirus software, limiting system access to authorized users, and sanitizing media before disposal.
Level 2: Advanced
- Applies to: Contractors handling Controlled Unclassified Information (CUI)
- Requirements: All 110 security requirements from NIST SP 800-171 Rev 2
- Assessment: Either self-assessment or third-party assessment (C3PAO) depending on the sensitivity of the CUI, conducted every three years
- Focus: Comprehensive cybersecurity practices across 14 control families
What CUI means: CUI is information that the government creates or possesses that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. Examples include technical drawings, test results, engineering data, and personnel records related to defense programs.
Level 2 is where most defense contractors will need to certify. The 110 NIST 800-171 requirements span access control, audit and accountability, configuration management, incident response, risk assessment, and more. This level requires substantial investment in security infrastructure, policies, and documentation.
Level 3: Expert
- Applies to: Contractors handling CUI associated with the highest-priority programs
- Requirements: A subset of enhanced security requirements from NIST SP 800-172
- Assessment: Government-led assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
- Focus: Protection against Advanced Persistent Threats (APTs) with enhanced detection, response, and resilience capabilities
Level 3 applies to a small subset of contractors working on the most sensitive programs. It requires capabilities such as threat hunting, advanced incident response, and security operations center (SOC) operations.
CMMC and NIST 800-171: The Relationship
CMMC Level 2 directly maps to NIST SP 800-171, which contains 110 security requirements organized into 14 families:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
If your organization has already implemented NIST 800-171, you have a significant head start on CMMC Level 2 certification. The primary addition CMMC brings is the verification mechanism—you must now prove your implementation through assessment rather than simply asserting it.
Who Needs CMMC Compliance?
CMMC applies to any organization in the Defense Industrial Base that:
- Holds or bids on DoD contracts that involve FCI or CUI
- Is a subcontractor to a prime contractor on a DoD contract involving FCI or CUI
- Provides products or services that involve processing, storing, or transmitting DoD information
The requirement flows down through the supply chain. If you are a subcontractor three tiers removed from the prime contractor, you still need the appropriate CMMC level for the type of information you handle.
Important: CMMC requirements will be phased into new contracts over a multi-year rollout. However, organizations should not wait for a specific contract to require it—the certification process takes 12-18 months for most organizations, and assessment capacity is limited.
Steps to Achieve CMMC Compliance
Step 1: Determine Your Required Level
Review your current and anticipated DoD contracts. Identify whether you handle FCI only (Level 1) or CUI (Level 2). If uncertain, consult your contracting officer or the contract’s DFARS clauses.
Step 2: Define Your CUI Scope
Identify where CUI enters your environment, how it flows through your systems, where it is stored, and who has access. This CUI data flow mapping defines the boundary of your assessment scope. Minimizing the systems that touch CUI reduces both your compliance burden and your attack surface.
Step 3: Conduct a Gap Assessment
Perform a thorough gap assessment against NIST 800-171 requirements. For each of the 110 requirements, document:
- Whether the requirement is fully implemented, partially implemented, or not implemented
- The specific systems, policies, and procedures that satisfy each requirement
- Evidence that demonstrates implementation (configurations, logs, policy documents)
This gap assessment produces your System Security Plan (SSP) and identifies items for your Plan of Action and Milestones (POA&M).
Step 4: Remediate Gaps
Address identified gaps systematically. Common remediation areas include:
- Access control — Implementing role-based access, MFA, and least privilege
- Audit logging — Deploying centralized log collection and retention
- Configuration management — Establishing baselines and change management processes
- Incident response — Creating and testing an IR plan
- Encryption — Implementing encryption for CUI at rest and in transit
- Security awareness training — Establishing regular training programs for all personnel
Work with your IT team or managed IT services provider to prioritize remediation based on risk and assessment timeline.
Step 5: Document Everything
CMMC assessments are evidence-based. Every security requirement must be supported by documentation:
- System Security Plan (SSP) describing your information systems and security controls
- Policies and procedures for each control family
- Configuration standards and system hardening guides
- Training records for security awareness
- Incident response plan with evidence of testing
- Risk assessments conducted regularly
Documentation is often the largest gap for organizations with strong technical controls but weak governance.
Step 6: Self-Assessment or Third-Party Assessment
For Level 1: Conduct your annual self-assessment using the DoD Assessment Methodology. Submit your score to SPRS. An executive must affirm the accuracy of the assessment.
For Level 2: Depending on the contract, you will either conduct a self-assessment or engage a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB. C3PAO assessments involve on-site evaluation, evidence review, interviews with personnel, and technical testing.
Step 7: Maintain Compliance
CMMC certification is not a one-time event. You must:
- Continuously monitor and maintain security controls
- Update documentation as your environment changes
- Conduct annual self-assessments (Level 1) or triennial third-party assessments (Level 2)
- Address POA&M items within the specified timeframes
- Report cyber incidents to the DoD within 72 hours per DFARS requirements
Self-Assessment vs Third-Party Assessment
| Aspect | Self-Assessment | Third-Party (C3PAO) |
|---|---|---|
| Applicable Level | Level 1 (all), Level 2 (select contracts) | Level 2 (contracts involving prioritized CUI) |
| Conducted By | Internal team | Accredited C3PAO |
| Cost | Internal labor costs only | $50,000 - $200,000+ depending on scope |
| Frequency | Annual | Every 3 years |
| Rigor | Self-reported, executive affirmation | Independent evidence review and verification |
| SPRS Submission | Required | Results submitted by C3PAO |
CUI Handling Best Practices
Proper handling of Controlled Unclassified Information is central to CMMC compliance:
- Mark CUI appropriately using the CUI Registry marking requirements
- Encrypt CUI at rest using FIPS 140-2 validated cryptographic modules
- Encrypt CUI in transit using TLS 1.2 or higher
- Limit access to personnel with a legitimate need to know
- Use dedicated systems or clearly defined enclaves for CUI processing
- Control removable media — Prohibit or strictly control USB drives, external hard drives, and portable storage
- Implement Data Loss Prevention (DLP) to monitor and prevent unauthorized CUI exfiltration
- Destroy CUI securely when no longer needed, using methods consistent with NIST SP 800-88
CMMC Compliance Costs
Compliance costs vary significantly based on organization size, current security posture, and required certification level.
Level 1 estimated costs:
- Gap assessment: $5,000 - $15,000
- Remediation: $10,000 - $50,000
- Annual self-assessment labor: Internal costs
- Total first-year: $15,000 - $65,000
Level 2 estimated costs:
- Gap assessment: $15,000 - $50,000
- Remediation: $50,000 - $500,000+ (varies widely based on existing maturity)
- C3PAO assessment: $50,000 - $200,000+
- Ongoing compliance management: $25,000 - $100,000 annually
- Total first-year: $140,000 - $750,000+
Organizations with mature security programs and existing NIST 800-171 compliance will fall toward the lower end. Organizations starting from scratch will face significantly higher costs.
How an MSP Supports CMMC Compliance
Managed service providers with CMMC expertise can accelerate your compliance journey by:
- Conducting readiness assessments that identify gaps against NIST 800-171
- Designing compliant architectures including CUI enclaves and network segmentation
- Implementing technical controls — encryption, MFA, SIEM, EDR, and DLP
- Managing security infrastructure with 24/7 monitoring and incident response
- Preparing documentation — SSPs, policies, procedures, and evidence packages
- Supporting assessments by coordinating with C3PAOs and providing evidence
- Maintaining compliance through continuous monitoring and regular reviews
For small and mid-sized contractors without dedicated security teams, an MSP with CMMC experience is often the most cost-effective path to certification. The alternative—building an internal security program from scratch—requires specialized hiring, tool procurement, and expertise that many smaller organizations cannot sustain.
FAQ
When will CMMC be required in contracts?
The DoD began including CMMC requirements in select contracts in 2025, with a phased rollout continuing through 2026 and beyond. The full implementation across all applicable contracts is expected by 2028. However, organizations should begin preparation now—the certification process takes 12-18 months, and C3PAO assessment capacity is limited.
Can I get a waiver for CMMC requirements?
CMMC waivers are extremely rare and only granted by the DoD in exceptional circumstances for mission-critical contracts where no compliant alternative exists. Organizations should not plan on obtaining a waiver.
What happens if I fail a C3PAO assessment?
If you do not meet all requirements, the C3PAO will identify the gaps. You may be eligible for conditional certification if your gaps are limited and you submit a POA&M with specific remediation timelines. Significant failures require full remediation and reassessment.
Does CMMC apply to commercial off-the-shelf (COTS) products?
Contractors that exclusively provide COTS products are generally exempt from CMMC requirements beyond Level 1. However, if you provide modified COTS products or services that involve CUI, higher levels may apply. Review your specific contract language.
Can I use cloud services for CUI?
Yes, but cloud services used to process, store, or transmit CUI must meet FedRAMP Moderate (or equivalent) requirements. Major cloud providers (Azure Government, AWS GovCloud) offer FedRAMP-authorized environments suitable for CUI workloads.
How does CMMC relate to other compliance frameworks like HIPAA or ISO 27001?
CMMC shares significant overlap with other security frameworks. Organizations compliant with ISO 27001 or HIPAA will find many CMMC requirements already addressed. However, CMMC has specific requirements—particularly around CUI handling, FIPS encryption, and DoD-specific incident reporting—that go beyond these frameworks. A crosswalk analysis can identify which existing controls satisfy CMMC requirements and where gaps remain.
What is the SPRS score and why does it matter?
The Supplier Performance Risk System (SPRS) score reflects your self-assessed compliance with NIST 800-171. Scores range from -203 to 110, with 110 representing full compliance. The DoD reviews SPRS scores during contract evaluation, and a low score can disqualify your bid. Maintaining an accurate, current SPRS score is essential even before formal CMMC assessment.
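As an added example (not part of the original guide), the following scorer turns Step 3 gap-assessment findings (implemented / partially implemented / not implemented per requirement) into the SPRS score described above and a POA&M candidate list, applying the DoD Assessment Methodology's weighting rule. The sample findings and their weights are constructed for illustration; the real per-requirement weights come from the methodology's Annex A.

```python
"""SPRS score from NIST SP 800-171 gap-assessment findings (DoD Assessment
Methodology rule): start at 110, subtract each unimplemented requirement's
weight (5, 3 or 1). Partial credit (3 off instead of 5) exists only for
3.5.3 (MFA for privileged/remote but not yet general users) and 3.13.11
(encryption in use but not FIPS-validated); other partial implementations
score as not implemented. 3.12.4 (the SSP) is unscored, and without an SSP
the assessment cannot be completed at all."""
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"
MAX_SCORE = 110
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # reduced deduction when partial
SSP_REQUIREMENT = "3.12.4"                    # carries no weight

@dataclass
class Finding:
    req_id: str
    weight: int      # 5, 3 or 1 from the methodology's Annex A
    status: Status

def deduction(f: Finding) -> int:
    if f.req_id == SSP_REQUIREMENT or f.status is Status.IMPLEMENTED:
        return 0
    if f.status is Status.PARTIAL and f.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.req_id]
    return f.weight  # partial without special credit scores as missing

def sprs_score(findings: list[Finding]) -> int:
    """Score to report to SPRS; refuses to score if the SSP is missing."""
    for f in findings:
        if f.req_id == SSP_REQUIREMENT and f.status is not Status.IMPLEMENTED:
            raise ValueError("no SSP: assessment cannot be completed")
    return MAX_SCORE - sum(deduction(f) for f in findings)

def poam_items(findings: list[Finding]) -> list[str]:
    """Requirements still needing remediation, i.e. POA&M candidates."""
    return [f.req_id for f in findings if deduction(f) > 0]

# Constructed sample findings; the weights are illustrative placeholders.
SAMPLE = [
    Finding("3.1.1", 5, Status.IMPLEMENTED),
    Finding("3.1.3", 1, Status.NOT_IMPLEMENTED),  # CUI flow control gap
    Finding("3.3.1", 5, Status.NOT_IMPLEMENTED),  # no central audit logging
    Finding("3.5.3", 5, Status.PARTIAL),          # MFA not yet for all users
    Finding("3.13.11", 5, Status.PARTIAL),        # encryption not FIPS-validated
    Finding(SSP_REQUIREMENT, 0, Status.IMPLEMENTED),
]
```

Running `sprs_score(SAMPLE)` on the constructed findings yields 98, and `poam_items(SAMPLE)` lists the four requirements that still need remediation.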