The Cybersecurity Maturity Model Certification (CMMC) 2.0 represents the Department of Defense’s effort to verify that defense contractors actually implement the cybersecurity controls they claim to have in place. For years, contractors self-attested to compliance with NIST 800-171 through the Supplier Performance Risk System (SPRS). CMMC changes that equation by introducing third-party and government-led assessments tied directly to contract eligibility. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of defense contracts, CMMC compliance is not optional — it is a condition of doing business with the DoD.

The CMMC 2.0 Three-Level Model

CMMC 2.0 simplified its predecessor’s five-level model into three levels, each with distinct requirements and assessment mechanisms.

Level 1: Foundational

Level 1 applies to organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under contract that is not intended for public release.

Requirements: 17 security practices drawn from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These are fundamental cybersecurity hygiene practices that most organizations should already have in place:

  • Limit system access to authorized users and transactions
  • Verify and control connections to external systems
  • Control information posted on publicly accessible systems
  • Identify and authenticate users before granting access
  • Sanitize or destroy media containing FCI before disposal or reuse
  • Limit physical access to systems and equipment
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access
  • Control and manage physical access devices (keys, badges)
  • Monitor, control, and protect organizational communications at external and key internal boundaries
  • Implement subnetworks for publicly accessible systems that are physically or logically separated
  • Identify, report, and correct information system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans and real-time scans of files from external sources
  • Establish and maintain baseline configurations and inventories of organizational information systems
  • Control and monitor user-installed software

Assessment: Annual self-assessment with results submitted to SPRS. No third-party assessment is required. An authorized senior official must affirm the assessment results, creating personal accountability for accuracy.

Level 2: Advanced

Level 2 is where the majority of defense contractors will land. It applies to organizations that handle CUI and aligns directly with the 110 security requirements of NIST SP 800-171 Revision 2.

Requirements: All 110 security requirements from NIST 800-171, organized across 14 control families:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (7 requirements)

Assessment: CMMC 2.0 defines two assessment paths for Level 2:

  • Third-party assessment (C3PAO): For contracts involving CUI that is prioritized as critical to national security, assessment must be conducted by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB (formerly the CMMC Accreditation Body). Assessments are valid for three years.
  • Self-assessment: For contracts involving CUI that is not prioritized as critical, the DoD may allow self-assessment with senior official affirmation. The specific determination of which contracts require third-party versus self-assessment will be made at the contract level.

Level 3: Expert

Level 3 applies to organizations handling CUI associated with the highest-priority programs. It builds on Level 2 by adding a subset of requirements from NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI).

Requirements: All 110 NIST 800-171 requirements plus selected NIST 800-172 enhanced requirements. The specific 800-172 requirements included in Level 3 have been defined by the DoD and focus on advanced threat protection, including:

  • Threat-driven security architecture
  • Penetration testing
  • Advanced monitoring and detection capabilities
  • Enhanced incident response
  • Supply chain risk management

Assessment: Government-led assessment conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessments are the most rigorous and are reserved for the most sensitive programs.

The Relationship to DFARS and Existing Requirements

CMMC does not exist in a vacuum. It builds on the existing DFARS clause 252.204-7012, which has required defense contractors to implement NIST 800-171 since December 2017. Most contractors are already contractually obligated to comply with 800-171. What CMMC adds is verification.

Under the current regime, contractors self-report their SPRS score based on their assessment against NIST 800-171. There is no independent validation, which has led to widespread concerns about the accuracy of self-reported scores. CMMC closes this accountability gap by requiring, for many contracts, independent assessment of actual implementation.

Organizations that have been diligent about NIST 800-171 compliance are well positioned for CMMC Level 2. Those that have been reporting optimistic SPRS scores without corresponding implementation face a reckoning.

Enforcement Timeline

CMMC 2.0 requirements are being phased into DoD contracts through a rulemaking process. The CMMC final rule (32 CFR Part 170) was published in October 2024, with CMMC requirements beginning to appear in new solicitations and contracts starting in 2025.

The phased implementation plan rolls out in four phases over several years:

  • Phase 1: Level 1 and Level 2 self-assessment requirements begin appearing in contracts.
  • Phase 2: Third-party assessment requirements for Level 2 (C3PAO) begin appearing in contracts, roughly 12 months after Phase 1.
  • Phase 3: Level 3 assessment requirements begin appearing, and CMMC requirements start appearing in option periods of existing contracts.
  • Phase 4: Full implementation across all applicable contracts.

The key takeaway is that waiting until CMMC appears in your specific contracts is a poor strategy. Assessment preparation takes months, C3PAO availability may be constrained as demand surges, and your competitive position depends on being ready when prime contractors and the DoD start requiring certification.

Supply Chain Implications

CMMC’s impact extends beyond direct DoD contractors. Prime contractors are responsible for ensuring their subcontractors meet applicable CMMC levels. This means CMMC requirements will flow down through the supply chain, and subcontractors that cannot demonstrate the required certification level will be excluded from contract teams.

For small and mid-size manufacturers, IT service providers, and other subcontractors in the defense industrial base, CMMC certification is increasingly a prerequisite for maintaining existing business relationships, not just winning new contracts.

Organizations should evaluate their supply chain exposure early. If your customers include defense primes, they will eventually require evidence of your CMMC status. Getting ahead of that conversation demonstrates reliability and protects your position in the supply chain. For a deeper look at managing supply chain risk, see our third-party risk management guide.

Practical Preparation Steps

1. Determine Your Required CMMC Level

Review your current and anticipated contracts to identify whether you handle FCI only (Level 1) or CUI (Level 2 or 3). If you are unsure whether the information you handle qualifies as CUI, consult the CUI Registry maintained by the National Archives and work with your contracting officers to clarify.

2. Scope Your CUI Environment

Identify all systems, networks, and processes that store, process, or transmit CUI. Minimizing your CUI boundary reduces the scope of your CMMC assessment and the number of controls you need to implement. Consider network segmentation, dedicated CUI enclaves, and limiting access to personnel with a legitimate need.

3. Conduct an Honest Gap Assessment

Assess your current implementation against all applicable NIST 800-171 requirements. Be honest — the purpose of the gap assessment is to identify what needs to be fixed, not to generate a favorable score. Document each requirement as fully implemented, partially implemented, or not implemented.

4. Build and Execute a Remediation Plan

For each gap, develop a Plan of Action and Milestones (POA&M) with specific remediation steps, responsible parties, and target dates. CMMC Level 2 allows limited use of POA&Ms, but certain requirements cannot be on a POA&M at the time of assessment. Prioritize accordingly.

5. Prepare Your Evidence Package

CMMC assessors will require evidence of implementation for every requirement. This includes written policies and procedures, system configurations, access control lists, training records, audit logs, incident response plans, and other artifacts. Organize evidence by control family before assessment. Our audit readiness checklist provides a timeline-based approach to evidence preparation.

6. Engage a C3PAO Early

If your contracts will require third-party assessment, engage with a C3PAO well in advance. Assessment timelines, availability, and scheduling can vary. A pre-assessment readiness review from a C3PAO can identify issues before the formal assessment, giving you time to remediate.

How SCF Connect Accelerates CMMC Compliance

SCF Connect is built to help defense contractors manage the intersection of CMMC, NIST 800-171, and related requirements efficiently:

  • CMMC-to-NIST 800-171 mapping: SCF Connect maps CMMC Level 2 requirements directly to NIST 800-171 controls and the broader SCF control set, providing clear implementation guidance for each requirement.
  • Cross-framework efficiency: Many defense contractors also face ISO 27001 requirements from international partners (see our ISO 27001 controls guide for details), SOC 2 demands from commercial customers, or FedRAMP requirements for cloud services. SCF Connect manages all of these from a unified control framework, so a single control implementation satisfies multiple mandates.
  • Gap analysis and scoring: Visualize your readiness against CMMC and NIST 800-171 requirements, identify gaps ranked by severity, and project the impact of planned remediation on your overall score.
  • POA&M management: Track remediation plans with target dates, responsible parties, and progress metrics directly within the platform.
  • Assessment readiness: Generate organized evidence packages aligned to CMMC assessment requirements, reducing the preparation burden when your C3PAO engagement begins.

Defense contractors that start preparing now — rather than waiting for CMMC to appear in their specific contracts — will be in the strongest competitive position as enforcement ramps up. SCF Connect provides the infrastructure to make that preparation systematic and efficient.

Start your free trial to see how SCF Connect maps your current controls to CMMC 2.0 requirements and identifies exactly where you need to focus.

Frequently Asked Questions

Is CMMC 2.0 required now?

Yes. The CMMC 2.0 final rule took effect in December 2024, and CMMC requirements are being phased into DoD contracts starting in 2025. During the phased rollout, self-assessment is accepted for Level 1 and some Level 2 contracts, but third-party certification (C3PAO assessment) will be required for most Level 2 contracts handling CUI.

What is the difference between CMMC Level 1 and Level 2?

Level 1 (Foundational) requires implementation of 17 basic cybersecurity practices from FAR 52.204-21, protecting Federal Contract Information (FCI). Level 2 (Advanced) requires all 110 security controls from NIST SP 800-171, protecting Controlled Unclassified Information (CUI). Level 2 is significantly more rigorous and typically requires third-party assessment.

How long does a C3PAO assessment take?

A typical C3PAO (CMMC Third-Party Assessment Organization) assessment takes 1-3 weeks of on-site and remote evaluation, depending on the organization’s size and scope. However, preparation typically takes 6-18 months. Organizations already aligned with NIST 800-171 can significantly shorten the preparation timeline.

Can small businesses achieve CMMC Level 2?

Yes, but it requires dedicated resources. Small defense contractors often find it helpful to use a common control framework approach, which allows them to implement controls once and map them across CMMC, NIST 800-171, and other requirements simultaneously, reducing the overall compliance burden.
