
CMMC 2.0 Compliance: A Step-by-Step Guide for Defense Contractors

Nadia Patel

June 1, 2026 · 9 min read


If you’re a defense contractor — or a subcontractor in the defense industrial base (DIB) — CMMC 2.0 compliance isn’t optional. It’s the price of admission for doing business with the Department of Defense.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has been rolling out since late 2024, and by 2026, it’s showing up in contracts. If you haven’t started your compliance journey yet, the clock is ticking. But here’s the good news: with the right plan and the right IT partner, CMMC compliance is absolutely achievable — even for small and mid-sized contractors.

This guide breaks down exactly what CMMC 2.0 requires, what level you need, and how to get there step by step.

What Is CMMC 2.0?

CMMC 2.0 — the Cybersecurity Maturity Model Certification, version 2.0 — is the DoD’s framework for ensuring that every company handling federal contract information (FCI) or controlled unclassified information (CUI) meets a baseline standard of cybersecurity.

The original CMMC 1.0 had five maturity levels and was widely criticized as overly complex and expensive for small businesses. CMMC 2.0 streamlined things down to three levels, aligned more closely with existing NIST standards, and introduced self-assessment options for lower-risk contracts.

The Three CMMC 2.0 Levels

  • Level 1 — Foundational: 15 practices taken directly from FAR 52.204-21 (CMMC 1.0 counted them as 17; the final rule consolidates them to 15). Covers basic cyber hygiene like access control, media protection, and physical security. Required for contractors handling FCI. Assessed by an annual self-assessment, with the result and a senior official's affirmation entered in SPRS. No POA&M is permitted at Level 1: every practice must be fully met.

  • Level 2 — Advanced: 110 practices identical to the requirements of NIST SP 800-171 Rev 2 (the revision the CMMC rule cites). Required for contractors handling CUI. Most Level 2 contracts require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). Some lower-risk CUI contracts allow a self-assessment, which also goes into SPRS with an annual affirmation.

  • Level 3 — Expert: 24 selected requirements from NIST SP 800-172, layered on top of a final Level 2 certification, which is a prerequisite. Required for contractors working on the DoD's highest-priority programs. Assessed by the government (DCMA's DIBCAC).

Most small and mid-sized defense contractors fall into Level 1 or Level 2. If you handle CUI — and most subcontractors do — Level 2 is your target.

Why CMMC 2.0 Compliance Matters Now

Here’s what’s changed in 2025-2026:

  • CMMC requirements are appearing in new contracts. The DoD's phased rollout means the CMMC clause (DFARS 252.204-7021) is being added to solicitations in stages, starting with self-assessment requirements and moving to C3PAO certification requirements.
  • Self-assessments carry legal weight. Under the new rules a senior company official must affirm compliance in SPRS, annually and after each assessment. A false affirmation can trigger False Claims Act liability.
  • Competitors are getting certified. If your competitors are CMMC-compliant and you’re not, you’re losing bids. Period.
  • Supply chain pressure is real. Prime contractors are requiring subs to demonstrate compliance before awarding work.

The bottom line: if you want to keep your defense contracts — or win new ones — you need a CMMC compliance plan today.

Step 1: Determine Your Required CMMC Level

Start by answering two questions:

  1. Do you handle CUI? If yes, you likely need Level 2. If you only handle FCI, Level 1 may suffice.
  2. What do your contracts say? Review your existing contracts and any upcoming solicitations for CMMC requirements. The specific level will be stated in the contract.

If you’re unsure whether your data qualifies as CUI, check the CUI Registry or talk to your contracting officer. Many contractors underestimate their CUI exposure — things like technical drawings, test results, and even certain emails can qualify.

Pro tip: When in doubt, plan for Level 2. It’s better to be over-prepared than to lose a contract because you scoped too low.

Step 2: Scope Your CUI Environment

This is where most contractors stumble. CMMC compliance applies to your CUI environment: every system, network, and person that stores, processes, or transmits CUI, plus the security tooling that protects those assets (identity provider, EDR console, log collector, firewalls), which the CMMC scoping guidance treats as Security Protection Assets and assesses as well. The bigger your CUI environment, the more expensive and complex compliance becomes.

How to Reduce Your Scope

  • Segment your network. Isolate CUI-handling systems from your general business network. This limits the number of systems in scope. A properly configured managed network is essential here.
  • Limit CUI access. Only give CUI access to employees who genuinely need it for their work.
  • Use an enclave. Some contractors create a dedicated CUI enclave — a separate environment specifically for CUI work — to minimize their compliance footprint.
  • Consider cloud solutions. Microsoft 365 GCC High and similar environments are built for CUI and can simplify compliance significantly. Any cloud service that stores or processes CUI must meet FedRAMP Moderate (or equivalent) under DFARS 252.204-7012, so verify that before you migrate.

Step 3: Conduct a Gap Assessment

Before you can close gaps, you need to find them. A gap assessment compares your current cybersecurity posture against the CMMC requirements for your target level.

For Level 2, that means evaluating your environment against all 110 NIST SP 800-171 controls across 14 families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

For each control, document whether you're fully implemented, partially implemented, or not implemented, and what evidence proves it. This becomes the foundation of your Plan of Action and Milestones (POA&M) and of your SPRS score: the DoD Assessment Methodology starts at 110 and subtracts 1, 3 or 5 points for each requirement not met, so a few missing 5-point controls (MFA, audit logging, baseline configurations) can sink a score fast.

A qualified managed IT provider can conduct this assessment and give you an honest picture of where you stand. Don’t try to grade your own homework — an outside perspective catches blind spots.

Step 4: Build Your System Security Plan (SSP)

Your System Security Plan is the single most important CMMC compliance document. It describes:

  • Your CUI environment boundaries
  • How each NIST 800-171 control is implemented
  • The people, processes, and technologies that support each control
  • Roles and responsibilities for security

Think of the SSP as the “blueprint” of your compliance posture. Assessors will review it line by line. It needs to be detailed, accurate, and current.

Common SSP mistakes to avoid:

  • Vague descriptions (“We use antivirus” instead of specifying the product, configuration, and update policy)
  • Missing inherited controls (if your cloud provider covers a control, document how)
  • Stale information (your SSP should be a living document, updated whenever your environment changes)

Step 5: Remediate the Gaps

Now comes the work. Based on your gap assessment, prioritize remediation by:

  1. Quick wins first. Some controls are policy-based and just need documentation — acceptable use policies, incident response plans, security awareness training requirements.
  2. High-impact technical controls next. Multi-factor authentication (MFA), endpoint detection and response (EDR), encrypted communications, and audit logging are foundational. A solid managed cybersecurity program covers most of these.
  3. Complex infrastructure changes last. Network segmentation, CUI enclave buildout, and GCC High migration take time and planning.

Key Technical Controls You’ll Need

  • MFA everywhere. Every account that can access CUI needs multi-factor authentication. No exceptions.
  • Endpoint protection. Advanced EDR (not just traditional antivirus) on every endpoint in scope.
  • Audit logging. Centralized log collection and retention for all in-scope systems. You need to prove who accessed what and when.
  • Encryption. Wherever cryptography is used to protect the confidentiality of CUI (in transit over untrusted networks, on portable media, in backups, at rest), the cryptographic modules must be FIPS 140-validated (NIST 800-171 3.13.11). Encryption that is in place but not FIPS-validated earns only partial credit in the DoD assessment scoring.
  • Vulnerability management. Regular scanning and patching on a defined schedule.
  • Backup and recovery. Tested, documented backup and disaster recovery procedures for all CUI systems.

Step 6: Create Your POA&M

A Plan of Action and Milestones documents any controls that aren’t fully implemented yet, along with your timeline and plan for closing each gap.

Under CMMC 2.0, a Level 2 assessment can end in a conditional certificate with open POA&M items, but there are limits:

  • Your score must be at least 88 of 110 (80%) under the DoD Assessment Methodology
  • POA&M items must be closed within 180 days of the assessment and verified by a closeout assessment, or the conditional status lapses
  • Only requirements worth 1 point can be deferred, with a few specific exceptions; 5-point controls such as MFA cannot be on a POA&M, and 3.13.11 (FIPS-validated encryption) can only be deferred if you already encrypt CUI with non-validated cryptography
  • Level 1 permits no POA&M at all
  • Each POA&M item needs a realistic milestone, responsible party, and completion date

A well-structured POA&M shows assessors that you take compliance seriously and have a concrete plan. A sloppy POA&M raises red flags.
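The gap-assessment statuses from Step 3 and the POA&M limits above are easy to get wrong by hand, so here is an added example, written for this page rather than taken from the post or from any DoD tool, that turns a status list into a DoD Assessment Methodology score and flags which open items can legally sit on a POA&M. The control weights are as I recall them from the methodology and the findings are constructed for illustration; verify both against the current methodology and 32 CFR 170 before relying on the output. Controls not listed are assumed implemented, and the handful of 1-point requirements the rule also bars from a POA&M are not modelled.

```python
"""Added example: SPRS-style scoring of a NIST SP 800-171 gap assessment
and a check of the CMMC Level 2 conditional-certification rules.

Assumptions (verify against the current DoD Assessment Methodology):
  - each requirement is worth 1, 3 or 5 points; the score starts at 110
    and each requirement not met subtracts its weight;
  - 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) allow partial credit,
    a 3-point deduction instead of 5;
  - a conditional certificate needs a score of at least 88 and may defer
    only 1-point requirements, plus 3.13.11 when encryption is in place
    but not FIPS-validated. (A few specific 1-point requirements are also
    barred by the rule; they are not modelled here.)
"""
from dataclasses import dataclass

TOTAL = 110
CONDITIONAL_MIN = 88            # 80% of 110, the conditional-cert floor
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}   # partial = 3-point deduction


@dataclass
class Finding:
    control: str    # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    weight: int     # 1, 3 or 5 points (assumed methodology weights)
    status: str     # "implemented", "partial" or "not_implemented"


def deduction(f: Finding) -> int:
    """Points subtracted for one finding."""
    if f.status == "implemented":
        return 0
    if f.status == "partial" and f.control in PARTIAL_CREDIT:
        return 3
    # Every other partial implementation counts as not met.
    return f.weight


def sprs_score(findings) -> int:
    """110 minus the weighted deductions (can go negative, down to -203)."""
    return TOTAL - sum(deduction(f) for f in findings)


def poam_eligible(f: Finding) -> bool:
    """May this open item be deferred to a POA&M at assessment time?"""
    if f.status == "implemented":
        return True     # nothing to defer
    if f.control == "3.13.11" and f.status == "partial":
        return True     # encryption present, just not FIPS-validated
    return f.weight == 1


def assess(findings) -> dict:
    """Score the assessment and separate POA&M-able gaps from blockers."""
    score = sprs_score(findings)
    open_items = [f for f in findings if f.status != "implemented"]
    blockers = [f.control for f in open_items if not poam_eligible(f)]
    return {
        "score": score,
        "meets_threshold": score >= CONDITIONAL_MIN,
        "conditional_ok": score >= CONDITIONAL_MIN and not blockers,
        "poam": [f.control for f in open_items if poam_eligible(f)],
        "blockers": blockers,
    }


# Constructed sample gap assessment (not a real contractor's results).
SAMPLE = [
    Finding("3.1.1", 5, "implemented"),       # limit access to authorized users
    Finding("3.1.3", 1, "not_implemented"),   # control the flow of CUI
    Finding("3.3.1", 5, "implemented"),       # audit logs created and retained
    Finding("3.4.1", 5, "not_implemented"),   # baseline configurations
    Finding("3.5.3", 5, "partial"),           # MFA only on admin accounts
    Finding("3.13.11", 5, "partial"),         # encrypted, but not FIPS-validated
    Finding("3.13.16", 1, "not_implemented"), # CUI at rest
    Finding("3.14.1", 5, "implemented"),      # flaw remediation
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(f"SPRS score: {result['score']}/{TOTAL}")
    print("Eligible for POA&M:", ", ".join(result["poam"]) or "none")
    print("Must be fixed before assessment:",
          ", ".join(result["blockers"]) or "none")
    print("Conditional certificate possible:", result["conditional_ok"])
```

Run against the sample, the score is 97 (above the 88 floor), but the unfinished MFA rollout and missing baseline configurations are 5-point items that cannot be deferred, so the tool reports them as blockers: the contractor would need to close those two before booking the C3PAO, while the flow-control, at-rest and FIPS gaps could ride on a 180-day POA&M.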

Step 7: Prepare for Assessment

For Level 1, you'll conduct an annual self-assessment against all 15 practices and enter the result (each practice is simply MET or NOT MET; there is no numeric score) together with your senior official's affirmation in SPRS. Level 2 self-assessments are entered in SPRS the same way; C3PAO certification results are recorded by the assessor in the DoD's CMMC eMASS system and reflected in SPRS.

For Level 2 (most CUI-handling contractors), you’ll need a C3PAO assessment:

  1. Choose your C3PAO. The CMMC Accreditation Body (Cyber AB) maintains a marketplace of certified assessors. Book early — demand is high and slots fill up fast.
  2. Conduct a readiness review. Before the official assessment, do an internal dry run. Walk through every control with your SSP in hand.
  3. Gather your evidence. Assessors will want to see screenshots, configurations, policies, training records, and logs. Organize everything in advance.
  4. Brief your team. Assessors will interview personnel. Make sure your team understands their roles and can speak to the controls they’re responsible for.

Step 8: Maintain Continuous Compliance

Passing your assessment isn’t the finish line — it’s the starting line. CMMC compliance is ongoing:

  • Monitor continuously. Security monitoring, log review, and vulnerability scanning should be continuous, not periodic.
  • Update documentation. When your environment changes, update your SSP and related documents immediately.
  • Train regularly. Security awareness training should happen at least annually, with phishing simulations throughout the year.
  • Reassess periodically. A CMMC certificate is valid for three years, but you must submit an affirmation of continued compliance in SPRS every year, and any significant change to your CUI environment can require reassessment sooner. Plan for the next assessment well in advance.

This is where having a managed IT partner really pays off. Continuous compliance requires continuous attention — and most defense contractors don’t have the internal staff to sustain it alone.

Common CMMC Compliance Mistakes

After helping defense contractors navigate this process, we’ve seen the same mistakes come up again and again:

  1. Underestimating scope. If CUI touches it, it’s in scope. Laptops, phones, personal email, USB drives — all of it.
  2. Ignoring physical security. NIST 800-171 includes physical protection controls. Locked server rooms, visitor logs, and badge access matter.
  3. Relying on self-assessment when you shouldn’t. If your contract requires a C3PAO assessment, a self-assessment won’t cut it.
  4. Waiting too long. Remediation takes months. C3PAO scheduling takes months. Start now.
  5. Going it alone. CMMC compliance is a team sport. Your IT provider, your legal counsel, and your leadership all need to be involved.

How BrightWorks IT Helps Defense Contractors

At BrightWorks IT, we work with defense contractors and government subcontractors across the supply chain to achieve and maintain CMMC compliance. Our approach includes:

  • Gap assessments mapped to NIST 800-171 and CMMC 2.0 requirements
  • SSP and POA&M development with the level of detail assessors expect
  • Technical remediation — MFA, EDR, network segmentation, GCC High migration, and more
  • Continuous monitoring and compliance maintenance so you stay certified
  • Assessment preparation including readiness reviews and evidence organization

Whether you’re starting from scratch or need help closing the last few gaps, we’ve got you covered.

Take the First Step Today

CMMC compliance can feel overwhelming, but it doesn’t have to be. The key is starting early, scoping correctly, and working with an IT partner who knows the framework inside and out.

Ready to find out where you stand? Schedule your free IT assessment and we’ll evaluate your current environment against CMMC 2.0 requirements — no obligation, no pressure. Just a clear picture of what you need to do and how to get there.


BrightWorks IT is a managed IT and cybersecurity provider serving defense contractors and businesses across the U.S. Learn more about our services.

Need Help With Your IT?

Schedule a free, no-obligation IT assessment with our team. We'll show you exactly where your technology stands.

Written by

Nadia Patel

Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.
