What Is CMMC 2.0? The Complete Guide for Defense Contractors

CMMC 2.0 requires defense contractors to prove cybersecurity compliance to keep DoD contracts. Learn the three levels, enforcement timeline, assessment costs, and how to prepare for certification.

Deep Fathom

If you hold a Department of Defense contract, or plan to compete for one, CMMC determines whether you stay eligible. The Cybersecurity Maturity Model Certification is the DoD’s framework for verifying that defense contractors protect sensitive information. Not through self-reported claims. Through assessments that carry contractual weight.

More than 250,000 companies operate in the U.S. defense industrial base. Every one of them needs to understand what CMMC compliance requires, whether they’re a 20-person machine shop or a multi-division prime. This guide covers what CMMC 2.0 is, who it applies to, how the three certification levels work, what the enforcement timeline looks like, and what you need to do to prepare.

Why CMMC Exists

The Defense Industrial Base handles some of the most sensitive unclassified information in the federal supply chain. Controlled Unclassified Information, or CUI, flows through contractors who design weapons systems, manufacture components, develop software, and provide logistics for the U.S. military. For years, protecting that information was governed by DFARS clause 252.204-7012, which required contractors to self-attest their compliance with NIST SP 800-171 cybersecurity controls.

The problem: self-attestation didn’t work. A 2019 DoD Inspector General report found widespread non-compliance across the defense industrial base. Contractors submitted scores to the Supplier Performance Risk System (SPRS) that didn’t reflect reality. Evidence was thin or missing. Controls existed on paper but not in practice. Industry studies have consistently found that self-reported compliance scores overstate actual readiness, with the vast majority of contractors unprepared for independent third-party assessment.

In gap assessments we’ve conducted across the defense industrial base, gaps of 25 points or more are routine, and deltas north of 40 aren’t unusual. The gap isn’t a rounding error. It’s structural.

CMMC was the DoD’s response. Instead of trusting contractors to report their own cybersecurity compliance, the program introduces independent verification through third-party assessments. If you handle CUI, you prove your security posture meets the standard. If you don’t prove it, you don’t win contracts. The requirement is federal law, not a suggestion.

What CMMC 2.0 Changed from Version 1.0

The original CMMC framework, released in January 2020, had five maturity levels and hundreds of practices layered on top of NIST 800-171. Industry pushed back hard. The requirements were dense, the cost burden fell disproportionately on small businesses that make up roughly 73% of the defense industrial base, and the certification ecosystem wasn’t ready to handle the volume.

CMMC 2.0 streamlined the model. The DoD finalized the program through two rulemaking actions: 32 CFR Part 170 (the program rule, effective December 16, 2024) and 48 CFR (the DFARS contract clause implementing CMMC in solicitations, effective mid-2025). The result is a simpler, more enforceable framework that aligns directly to existing federal cybersecurity standards.

Key changes from CMMC 1.0 to CMMC 2.0:

  • Five levels compressed to three. The original five-tier model created confusion. CMMC 2.0 simplifies to Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
  • Custom practices removed. CMMC 1.0 layered proprietary practices on top of NIST standards. Version 2.0 aligns directly to NIST 800-171 for Level 2 and adds NIST 800-172 requirements for Level 3. No more CMMC-specific requirements to track separately.
  • Plans of Action and Milestones (POA&Ms) are allowed. With limitations. Contractors can have some controls in a remediation plan at assessment time, but they must close all POA&M items within 180 days and certain critical controls are excluded from POA&M eligibility.
  • Self-assessment permitted for some Level 2 contracts. The DoD distinguishes between prioritized and non-prioritized acquisitions. Non-prioritized CUI contracts may allow Level 2 self-assessment. Most CUI contracts, especially those handling sensitive technical data, will require C3PAO certification.
  • Annual affirmation required. Certification isn’t a one-time event. A senior official must affirm annually that the organization still meets the certified level. Triennial reassessment validates ongoing compliance every three years.

The Three CMMC Levels Explained

CMMC Level 1, Foundational

Who it applies to: Contractors who handle Federal Contract Information (FCI) only, not CUI. FCI is general contract information that isn’t publicly available but doesn’t carry the sensitivity designation of Controlled Unclassified Information.

What it requires: 15 basic safeguarding security requirements drawn from FAR 52.204-21. These cover fundamentals: limiting system access to authorized users, identifying and authenticating users before granting access, sanitizing media before disposal, protecting systems from malicious code, updating security protections, and performing periodic scans. Basic requirements, but they require real implementation.

How it’s assessed: Annual self-assessment conducted by the organization. No third-party audit. Results submitted to SPRS and affirmed annually by a senior company official. The assessment covers 59 assessment objectives across the 15 security requirements.

What it means in practice: Level 1 is the minimum bar for doing business with the DoD. Don’t dismiss it as trivial. Prime contractors increasingly ask subcontractors to demonstrate Level 1 readiness with actual documentation, not just a verbal assurance during a proposal call. If your contracts involve only FCI and no CUI touches your systems, Level 1 is your requirement. But verify carefully. Many contractors underestimate the sensitivity of the information flowing through their environment.

CMMC Level 2, Advanced

Scoring: CMMC Level 2 uses a 110-point weighted scoring model. Security requirements are weighted at 1, 3, or 5 points each, based on their classification as Basic or Derived Security Requirements. Two requirements, multi-factor authentication (MFA) and FIPS-validated encryption, allow partial credit for partial implementation. Conditional status requires achieving at least 80% of the maximum score, with only permissible NOT MET requirements placed on a POA&M. All POA&M items must be closed within 180 days of the Conditional CMMC Status date. Some requirements are excluded from POA&M eligibility entirely, meaning they must be fully implemented at the time of assessment. If you don’t close the POA&M within the 180-day window, your certification status lapses.

That 180-day clock does not pause.
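The scoring rules in the paragraph above, worked through as an added example (not Deep Fathom's code or any DoD tool): the per-requirement weights, POA&M-eligibility flags and the size of the partial-credit deduction are constructed assumptions for illustration, and the 88-point threshold is 80% of 110.

```python
"""Level 2 score, Conditional-status gate and POA&M deadline, as described above.
Weights, eligibility flags and PARTIAL_DEDUCTION are constructed assumptions;
take real values from 32 CFR Part 170 and the DoD Assessment Methodology."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Iterable

MAX_SCORE = 110                     # 110 requirements, weighted to a 110-point maximum
CONDITIONAL_MIN = 88                # 80% of 110: the Conditional threshold on the page
POAM_WINDOW = timedelta(days=180)   # every POA&M item must close within 180 days
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}  # MFA and FIPS-validated encryption
PARTIAL_DEDUCTION = 3               # assumed: partial implementation forfeits 3 of 5 points


@dataclass(frozen=True)
class Requirement:
    rid: str             # NIST SP 800-171 requirement identifier
    weight: int          # 1, 3 or 5 points (sample values below are constructed)
    status: str          # "MET", "NOT_MET" or "PARTIAL"
    poam_eligible: bool  # may an open finding sit on a POA&M? (constructed)


def points_lost(req: Requirement) -> int:
    """Points deducted for one requirement; requirements not listed count as MET."""
    if req.status == "MET":
        return 0
    if req.status == "PARTIAL":
        if req.rid not in PARTIAL_CREDIT_IDS:
            raise ValueError(f"{req.rid}: partial credit applies only to MFA and FIPS encryption")
        return PARTIAL_DEDUCTION
    if req.status == "NOT_MET":
        return req.weight
    raise ValueError(f"{req.rid}: unknown status {req.status!r}")


def score(reqs: Iterable[Requirement]) -> int:
    return MAX_SCORE - sum(points_lost(r) for r in reqs)


def level2_outcome(reqs: Iterable[Requirement]) -> str:
    """FINAL: everything MET. CONDITIONAL: score >= 88 and every open item is
    POA&M-eligible. NOT_ACHIEVED: below threshold, or an ineligible item is open."""
    reqs = list(reqs)
    open_items = [r for r in reqs if r.status != "MET"]
    if not open_items:
        return "FINAL"
    if score(reqs) >= CONDITIONAL_MIN and all(r.poam_eligible for r in open_items):
        return "CONDITIONAL"
    return "NOT_ACHIEVED"


def poam_deadline(conditional_iso: str) -> str:
    """Last day to close every POA&M item; Conditional status lapses after it."""
    return (date.fromisoformat(conditional_iso) + POAM_WINDOW).isoformat()


def remediate(reqs: Iterable[Requirement], rid: str) -> list:
    """Copy of the list with one requirement marked MET (shows the eligibility gate)."""
    return [replace(r, status="MET") if r.rid == rid else r for r in reqs]


# Constructed sample: a handful of findings from a hypothetical assessment.
SAMPLE = [
    Requirement("3.1.1", 5, "MET", False),
    Requirement("3.1.4", 1, "NOT_MET", True),    # separation of duties
    Requirement("3.8.4", 1, "NOT_MET", True),    # media marking
    Requirement("3.5.3", 5, "PARTIAL", True),    # MFA only partly rolled out
    Requirement("3.13.11", 5, "PARTIAL", True),  # encryption in use, not FIPS-validated
    Requirement("3.3.1", 5, "NOT_MET", False),   # audit logging: assumed non-POA&M-eligible
]

if __name__ == "__main__":
    print(score(SAMPLE), level2_outcome(SAMPLE))          # 97 NOT_ACHIEVED (gate blocks)
    fixed = remediate(SAMPLE, "3.3.1")
    print(score(fixed), level2_outcome(fixed))            # 102 CONDITIONAL
    print(poam_deadline("2026-03-02"))                    # 2026-08-29
```

Note that a score above 88 is not enough on its own: one open item that cannot go on a POA&M blocks Conditional status regardless of the total.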

Who it applies to: Contractors who store, process, or transmit Controlled Unclassified Information. This is the level that affects the majority of the defense industrial base.

What it requires: All 110 security controls from NIST SP 800-171 Revision 2, organized across 14 control families. Access Control alone has 22 requirements. System and Communications Protection has 16. The controls span technical measures (encryption, multi-factor authentication, audit logging), operational practices (incident response procedures, maintenance protocols), and management requirements (risk assessments, security awareness training, personnel screening).

Each of the 110 controls maps to detailed assessment objectives defined in NIST SP 800-171A. There are 320 assessment objectives total. A C3PAO assessor evaluates compliance at this granular level, not at the control level. A single control might have three or four objectives, and each one must be satisfied for the control to score as MET.

Organizations that track evidence continuously close gaps in a fraction of the time compared to those that assemble evidence retrospectively before an assessment. The difference isn’t marginal. Retrospective evidence collection is where most timelines break down.

How it’s assessed: Two paths exist. Some non-prioritized contracts may allow Level 2 self-assessment, where the organization evaluates itself and submits results to SPRS. Most CUI contracts, particularly those the DoD designates as prioritized acquisitions involving sensitive technical data, require a certification assessment conducted by an authorized C3PAO (Certified Third-Party Assessment Organization). The C3PAO is accredited by the Cyber AB, the accreditation body for the CMMC ecosystem.

What it means in practice: Level 2 is where the real work lives. The 110 controls cover everything from how you configure your firewalls to how you train your employees to how you respond to a security incident. Achieving Level 2 certification requires organizational commitment beyond the IT department. It touches HR (personnel security, training), facilities (physical protection), management (risk assessment, policy governance), and operations (incident response, maintenance). Most organizations need 6 to 18 months of sustained effort to reach assessment-ready status.

CMMC Level 3, Expert

Level 3 applies to a smaller subset of contractors handling the most sensitive CUI — typically supporting critical weapons programs, intelligence community-adjacent work, or advanced capabilities where adversary targeting is a known risk. It requires all 110 NIST 800-171 security requirements plus 24 selected enhanced security requirements from NIST SP 800-172, with DoD-approved parameters where applicable. These enhanced requirements address advanced persistent threats with measures like penetration testing, threat hunting, and security operations capabilities that go beyond what most commercial organizations maintain.

Assessment is government-led, conducted by DCMA DIBCAC (Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center) rather than by a commercial C3PAO. You must first hold a Final Level 2 (C3PAO) certification before requesting a Level 3 assessment. Unless your contracting officer specifically requires Level 3, your contract involves classified program adjacency, or you’re supporting advanced weapons systems with known adversary targeting, Level 2 is your target. Don’t prepare for Level 3 unless it’s explicitly required; if you’re uncertain, check your contract requirements and talk to your contracting officer.

CMMC Enforcement Timeline

The DoD is implementing CMMC through a four-phase rollout plan attached to the 48 CFR final rule. Each phase expands the scope of contracts that require certification.

Phase 1 begins on the effective date of the 48 CFR CMMC Acquisition rule. (Formally, Phase 1 starts when the later of the two rules takes effect; since the 32 CFR Part 170 program rule was already effective December 16, 2024, that is the 48 CFR rule.) The DoD extended the Phase 1 period to one year. During Phase 1, contracting officers include Level 1 and Level 2 self-assessment requirements in new solicitations and contracts as a condition of award. Contracting officers and program managers may also require C3PAO certification during Phase 1 for high-priority programs at their discretion.

Phase 2 begins one calendar year after Phase 1. Level 2 C3PAO certification becomes mandatory for prioritized CUI contracts. This is the phase that changes the game for most contractors. If you handle CUI on contracts the DoD designates as requiring third-party certification, you must hold the certification at time of award. No certification, no contract.

That’s not a negotiable timeline. It’s a gate.

Phase 3 begins one calendar year after Phase 2. Level 3 requirements activate for applicable solicitations and contracts.

Phase 4 begins one calendar year after Phase 3. Full implementation across all applicable DoD contracts, including option periods on existing contracts. By this phase, CMMC compliance is embedded in the entire acquisition lifecycle.

The timeline matters because preparation takes months, not weeks. Organizations typically need 6 to 18 months to implement controls, produce documentation, build an evidence package, and pass a C3PAO assessment. Assessor availability can become a scheduling constraint, especially as more contractors seek certification. Assessment costs are projected to increase as demand outpaces supply. Early movers face less competition for assessor time and lower costs.

What CMMC Requires You to Produce

Passing a CMMC assessment is not about installing security tools and checking boxes. Assessors verify implementation, not intention. They test whether controls work in practice, not just whether policies describe them on paper. Here’s what you need to have ready.

System Security Plan (SSP)

The SSP is the cornerstone document of your CMMC compliance program. It describes your information system boundaries, network architecture, CUI data flows, implemented security controls, and how each control is applied in your specific environment. A generic SSP copied from a template will not survive a C3PAO assessment. Assessors compare your SSP against your actual environment, and inconsistencies become findings immediately.

Your SSP should describe, at minimum: system boundaries and interconnections, CUI categorization and handling procedures, roles and responsibilities for security management, implementation details for each of the 110 controls mapped to your specific systems, and authorization boundaries that define what’s in scope for the assessment.

Plan of Action and Milestones (POA&M)

The POA&M documents any controls not yet fully implemented: what the gap is, what actions are needed to close it, who owns each action, and when it will be completed. Under CMMC 2.0, POA&Ms are allowed at assessment time for most controls, but they have constraints. Certain controls designated by the DoD as non-POA&M-eligible must be fully implemented before assessment. All open POA&M items must be closed within 180 days of the Conditional CMMC Status date, or certification lapses.

Evidence Artifacts

For each control, you need traceable evidence that it’s implemented and working as described in your SSP. This means configuration screenshots, policy documents, access control lists, training records, audit logs, network diagrams, vulnerability scan results, and incident response records. The evidence must be current, meaning it reflects your environment as it exists today, not six months ago. It must be consistent with your SSP. And it must tie to specific assessment objectives, not just to the control at a high level.

Assessors follow a structured methodology. For each assessment objective, they use one or more of three methods: examining documentation, interviewing personnel, and testing technical controls. Stale evidence, contradictory documentation, or employees who can’t explain the security procedures described in your policies all produce findings.

Personnel Readiness

C3PAO assessors interview your staff as part of the assessment process. They ask employees about CUI handling procedures, incident response protocols, security awareness training, acceptable use policies, and physical security practices. These aren’t scripted conversations. Assessors probe to understand whether the organization actually operates the way its documentation claims. If your people don’t know the policies that exist on paper, that’s a finding, and findings accumulate fast.

Not sure where you stand? Run a free gap assessment to see how your current security posture maps against the 110 controls.

Who Does CMMC Apply To?

The short answer: every organization in the DoD supply chain that handles Federal Contract Information or Controlled Unclassified Information.

Prime contractors must meet the CMMC level specified in their contracts and ensure their subcontractors meet the applicable level as well. CMMC compliance is a condition of award, and primes bear responsibility for their supply chain.

Subcontractors at every tier who receive CUI must meet the applicable CMMC level. DFARS flow-down requirements make this explicit. A prime contractor who awards work to a non-compliant subcontractor puts their own contract at risk. This supply chain accountability is one of the most significant changes CMMC introduces.

Managed Service Providers (MSPs) and other External Service Providers (ESPs) who process, store, or transmit CUI or Security Protection Data (SPD) on behalf of a contractor fall within scope. An MSP that manages only security tools (SIEM, firewall, endpoint protection) may handle SPD without touching CUI directly and would still qualify as an ESP. If your IT provider operates within your assessment boundary, their environment and practices become part of your assessment. This has significant implications for how contractors select and manage their technology partners.

Foreign companies working with the DoD or its contractors may need to comply with CMMC if they handle CUI or FCI related to defense contracts.

The DoD estimates that roughly 80,000 organizations will need Level 2 certification. Small and mid-size businesses make up approximately 73% of the defense industrial base. CMMC applies to all of them. The size of your company doesn’t change the requirement.

How Much Does CMMC Certification Cost?

Costs vary significantly based on your organization’s size, current cybersecurity maturity, and the scope of your CUI environment. Here’s what to expect.

Assessment fees: C3PAO assessment costs for Level 2 typically range from $31,000 to over $150,000, depending on the size and complexity of your environment. Smaller organizations with limited CUI scope land at the lower end. Organizations with distributed environments, multiple locations, or complex network architectures land higher. Assessment costs are expected to increase as demand outstrips C3PAO availability in late 2026 and beyond.

Preparation and remediation: The total cost of reaching assessment-ready status, including security tool implementation, gap remediation, documentation development, and consulting support, typically falls between $50,000 and $300,000. Organizations starting from a low SPRS score or those with significant control gaps will face higher costs. Organizations that have maintained an active NIST 800-171 program will spend less.

Among contractors we’ve supported through assessment preparation, organizations that started with an SPRS score above 70 spent dramatically less on remediation — often cutting the cost in half or more compared to those starting below 40. Starting position is the single largest predictor of total cost.

Ongoing costs: CMMC certification requires annual affirmation and triennial reassessment. Maintaining compliance continuously is less expensive than rebuilding it every three years, but it requires sustained investment in monitoring, evidence management, and documentation currency.

For small businesses, the cost of CMMC compliance is a legitimate concern. The DoD has acknowledged this and the rule allows some flexibility through self-assessment paths for lower-risk contracts. But for CUI contracts requiring C3PAO certification, the cost is a hard requirement of doing business with the DoD.

Common Questions About CMMC 2.0

How long does it take to get CMMC certified?

Most organizations need 6 to 12 months of active preparation before they’re ready for a C3PAO assessment. The assessment itself takes approximately one week on-site. Add scheduling lead time for C3PAO availability, which is tightening as enforcement phases approach. Plan 9 to 18 months from start to certification for a realistic timeline.

Do I need CMMC if I only handle FCI?

If your contracts involve only FCI and no CUI, Level 1 self-assessment applies. But verify carefully. Many contractors underestimate the sensitivity of the information they handle. If CUI is present in your environment, even if your contract doesn’t explicitly call it out, Level 2 may apply. Review the CUI Registry and consult your contracting officer when the boundary is unclear.

What’s the difference between CMMC and NIST 800-171?

NIST 800-171 defines the 110 security controls. CMMC is the certification program that verifies those controls are implemented. The standard tells you what to do. The certification proves you did it. For a detailed comparison, read our guide: CMMC vs NIST 800-171: Key Differences Defense Contractors Must Understand.

What happens if I’m not certified by the deadline?

You become ineligible for contract award on solicitations that require CMMC. Contracting officers will not award to an offeror who hasn’t met the specified CMMC level. For existing contracts, option periods may require compliance verification. Non-compliance means lost revenue and lost competitive positioning.

Can I use my existing NIST 800-171 compliance work?

Yes. If you’ve been implementing NIST 800-171 properly, with real controls, documented evidence, and a current SSP, that work forms the foundation of your CMMC Level 2 program. The controls are the same. CMMC adds the verification layer. The gap is usually in evidence quality and documentation currency, not in the controls themselves.

What’s a C3PAO and how do I find one?

A C3PAO is a Certified Third-Party Assessment Organization accredited by the Cyber AB to conduct official CMMC Level 2 assessments. You can find Authorized C3PAOs through The Cyber AB Marketplace. Start identifying and engaging a C3PAO early, because scheduling lead times are increasing.

Is CMMC expanding beyond the DoD?

Signs point to yes. GSA has begun exploring CMMC-like cybersecurity requirements for civilian federal contracts. State, local, and education sectors are increasingly referencing CMMC and NIST 800-171 frameworks in their own procurement requirements. The addressable market for CMMC-aligned compliance is growing beyond the defense industrial base.

What to Do Next

The contractors who come through this well are the ones who start early, scope accurately, and build a repeatable process instead of a one-time fix.

Three steps to take now:

1. Determine your CMMC level. Review your current contracts and active solicitations. Look for DFARS clauses that reference CUI handling. If CUI is present, plan for Level 2. If you’re uncertain about CUI presence, scope your data flows before making assumptions.

2. Establish your baseline. If you skip the baseline, everything after it is guesswork. Before you spend money on tools or consultants, understand where you actually stand against the 110 NIST 800-171 controls. An honest gap assessment tells you what’s already in place, what’s missing, and how much work lies ahead. The gap between where you think you are and where you actually are is almost always larger than expected.

3. Build your compliance system. Spreadsheets and shared drives don’t survive continuous compliance. You need a system that manages your SSP, tracks evidence, monitors control status, and keeps documentation synchronized as your environment changes. That system becomes your operational backbone through assessment, certification, and every annual affirmation that follows.

Deep Fathom was built for this problem. Our AI-native compliance platform guides defense contractors through gap assessment, remediation planning, evidence collection, and assessment preparation, producing documentation and evidence that holds up under C3PAO review. If you’re starting your CMMC journey or stuck in one that isn’t working, check your readiness or talk to our team.
