CMMC 2.0 Explained: What Defense Contractors Need to Do Now
Nadia Patel
February 23, 2026 · 8 min read
What Is CMMC and Why Does It Exist?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s answer to a persistent problem: defense contractors were required to protect sensitive government data under DFARS clause 252.204-7012 and NIST SP 800-171, but compliance was self-attested and poorly enforced. Breaches kept happening. Sensitive data kept leaking.
CMMC changes the game by requiring independent verification of cybersecurity practices before a contractor can win or maintain DoD contracts. If you do business with the Department of Defense—or you’re a subcontractor to someone who does—CMMC applies to you.
CMMC 2.0: The Streamlined Model
The original CMMC framework (1.0) had five maturity levels and was widely criticized as too complex, too expensive, and too slow to implement. CMMC 2.0 simplified the model to three levels and aligned them directly with existing NIST standards.
Level 1: Foundational
Level 1 covers basic cyber hygiene: the 15 basic safeguarding requirements of FAR 52.204-21 (earlier CMMC drafts counted them as 17 practices, a figure that still appears in older guidance). Think of it as the minimum: protect against malicious code, limit access to authorized users, authenticate user identities, and protect systems with basic access controls.
Level 1 applies to contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Assessment is annual self-assessment with affirmation by a senior company official.
Key points:
- 15 basic safeguarding requirements from FAR 52.204-21 (formerly counted as 17 practices)
- Annual self-assessment
- Senior official affirmation submitted to SPRS
- No third-party assessment required
Level 2: Advanced
Level 2 is where most defense contractors will land. It requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. This is the same standard that DFARS 7012 has required since 2017—but now with teeth.
Depending on the sensitivity of the CUI involved, Level 2 requires either:
- Self-assessment (for select programs) — triennial self-assessment with annual affirmation, or
- Third-party assessment (for critical programs) — triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO), with annual affirmation in between.
The DoD will specify in the solicitation which assessment type is required. For contracts involving CUI related to critical national security programs, expect the third-party requirement.
Level 3: Expert
Level 3 adds 24 enhanced requirements drawn from NIST SP 800-172 on top of Level 2, and a Level 3 assessment requires a final Level 2 C3PAO certification first. It’s designed for contractors handling the most sensitive CUI and targeted by advanced persistent threats (APTs). Assessment is conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.
Level 3 will apply to a relatively small number of contractors. If you’re not already aware that you need Level 3, you probably don’t—at least not yet.
The CMMC Timeline
CMMC 2.0’s program rule (32 CFR Part 170) was published in October 2024 and took effect December 16, 2024. The companion DFARS rule (48 CFR) that puts CMMC requirements into actual contracts was published in September 2025 and took effect November 10, 2025, which started the phase-in clock.
The DoD is rolling CMMC out in four phases, each measured from the DFARS rule’s effective date:
- Phase 1 (November 10, 2025): Level 1 and Level 2 self-assessments may appear in solicitations as a condition of award. The DoD may also require a Level 2 C3PAO assessment at its discretion for selected procurements.
- Phase 2 (one year later): Level 2 C3PAO assessments may be required as a condition of award.
- Phase 3 (two years later): Level 3 DIBCAC assessments may be required as a condition of award, and Level 2 C3PAO requirements extend to option periods.
- Phase 4 (three years later): Full implementation. CMMC requirements included in all applicable solicitations and contracts, including option periods.
Don’t wait for your contract to require it. If you handle CUI today, you should already be implementing NIST 800-171. CMMC just formalizes the verification.
CUI: The Heart of the Matter
Controlled Unclassified Information (CUI) is the information that triggers Level 2 requirements. CUI includes controlled technical information, export-controlled data, certain proprietary business information the government receives, privacy data such as personnel records, and many other categories defined in the National Archives CUI Registry.
Understanding what CUI you handle—and where it lives in your environment—is step one. If you’re not sure:
- Review your contracts and subcontracts for DFARS 7012 clauses
- Look for CUI markings on documents you receive from DoD or prime contractors
- Ask your contracting officer or prime contractor directly
- Review the CUI Registry (archives.gov/cui) for applicable categories
Many contractors discover they have CUI flowing through systems they hadn’t considered—email, file shares, collaboration tools, personal devices. Scoping your CUI environment accurately is critical to a successful CMMC assessment.
NIST 800-171: The 110 Requirements
CMMC Level 2 maps directly to NIST SP 800-171 Revision 2. The 110 requirements fall into 14 families:
- Access Control (AC) — 22 requirements covering who can access what, and how
- Awareness and Training (AT) — 3 requirements for security training and role-based awareness
- Audit and Accountability (AU) — 9 requirements for logging, monitoring, and audit trail protection
- Configuration Management (CM) — 9 requirements for baseline configurations and change control
- Identification and Authentication (IA) — 11 requirements for user identification and MFA
- Incident Response (IR) — 3 requirements for incident handling capabilities
- Maintenance (MA) — 6 requirements for system maintenance controls
- Media Protection (MP) — 9 requirements for digital and physical media handling
- Personnel Security (PS) — 2 requirements for screening and access termination
- Physical Protection (PE) — 6 requirements for physical access controls
- Risk Assessment (RA) — 3 requirements for vulnerability scanning and risk assessment
- Security Assessment (CA) — 4 requirements for security control assessment and monitoring
- System and Communications Protection (SC) — 16 requirements for boundary defense and encryption
- System and Information Integrity (SI) — 7 requirements for flaw remediation and malware protection
If you’ve already been working toward NIST 800-171 compliance, you’re working toward CMMC Level 2. The gap is often in documentation, consistency, and evidence—not in technical controls alone.
Self-Assessment vs. Third-Party Assessment
Self-Assessment
For Level 1 and some Level 2 contracts, you’ll conduct your own assessment. For Level 2 that means the NIST SP 800-171 DoD Assessment Methodology: you start at 110 and subtract a weighted value (1, 3, or 5 points, with limited partial credit for MFA and CUI encryption) for each requirement that is not fully implemented. You post the resulting score, the assessment date, and the date by which you expect to reach 110 in the Supplier Performance Risk System (SPRS), and a senior company official affirms the accuracy of the assessment.
This is not a rubber stamp. A knowingly false score or affirmation can expose the company to liability under the False Claims Act, which carries serious penalties. Your self-assessment needs to be honest, documented, and defensible.
Third-Party Assessment (C3PAO)
For Level 2 contracts requiring certification, a C3PAO will assess your organization. The C3PAO is authorized by the CMMC Accreditation Body (the Cyber AB) and uses trained CMMC assessors.
The assessment process:
- You prepare your System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
- You select and contract with a C3PAO
- The C3PAO conducts the assessment (typically 1-2 weeks on-site for Level 2)
- The C3PAO uploads the results to the DoD’s CMMC instance of eMASS, which reports your certification status to SPRS
- If you pass, your certification is valid for three years (with annual affirmation)
POA&Ms are allowed under CMMC 2.0, but they’re tightly limited. To receive a conditional Level 2 status you must score at least 88 of 110 (80%), and only 1-point requirements may be left open; 3- and 5-point requirements must be implemented before the assessment, with one exception (CUI encryption, 3.13.11, may be deferred if encryption is in place but not FIPS-validated), and a few 1-point requirements are excluded from POA&Ms entirely. Every open item must be closed within 180 days and verified in a POA&M closeout assessment, or the conditional status lapses.
What Defense Contractors Should Do Now
Regardless of exactly when CMMC requirements hit your contracts, the time to prepare is now. Here’s a practical action plan:
1. Determine Your Required Level
Review your contracts for DFARS 7012, identify what CUI you handle, and determine whether you’ll need Level 1, Level 2 self-assessment, or Level 2 C3PAO assessment.
2. Scope Your CUI Environment
Map every system, application, and network segment where CUI is stored, processed, or transmitted. Include cloud services, email, collaboration tools, and endpoints. The CMMC Level 2 Scoping Guide defines the asset categories an assessor will expect to see (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), and your SSP should document which category each asset falls into. The smaller you can make this environment (through segmentation and architecture), the less you need to protect and assess.
3. Conduct a Gap Assessment
Measure your current state against NIST 800-171’s 110 requirements. Be honest. Identify what’s fully implemented, partially implemented, and not implemented. Score yourself using the DoD Assessment Methodology.
4. Build Your System Security Plan
Your SSP documents your CUI environment, the security controls in place, and how each NIST 800-171 requirement is met. This is a living document that assessors will review closely. If you don’t have an SSP, start one today.
5. Create and Execute a POA&M
For every gap identified, create a Plan of Action and Milestones with specific remediation steps, responsible parties, and deadlines. Then execute it. A POA&M that never gets worked is worse than having no plan at all.
6. Implement the Technical Controls
This is where many organizations need help. Multi-factor authentication, encryption, SIEM/log management, endpoint detection, network segmentation, vulnerability scanning—these require expertise and infrastructure.
7. Train Your Workforce
Security awareness training is a NIST 800-171 requirement and a practical necessity. Your people need to understand CUI handling, phishing risks, incident reporting, and their specific security responsibilities.
8. Prepare Evidence
Assessors don’t take your word for it. They want evidence: screenshots, configuration files, policy documents, training records, access logs, scan reports. Start collecting and organizing evidence now.
Common Pitfalls
- Underscoping. Missing systems that handle CUI—especially email and cloud storage—leads to incomplete assessments and potential findings.
- Paper compliance. Writing policies without implementing controls. Assessors check both.
- Waiting for the requirement. By the time CMMC appears in your solicitation, you won’t have time to implement 110 controls and pass an assessment. The preparation timeline is 12-18 months for most organizations.
- Ignoring the supply chain. CMMC flows down: a subcontractor needs the CMMC level that matches the information you pass to it (Level 1 for FCI only, Level 2 for CUI), and a prime cannot award work that involves CUI to a subcontractor without it. Build this into your subcontract requirements now.
- Treating it as an IT project. CMMC covers access controls, personnel security, physical security, and executive accountability. It’s an organizational effort, not just a technology effort.
How BrightWorks IT Helps
We work with defense contractors to prepare for and achieve CMMC certification. That includes gap assessments against NIST 800-171, SSP development, technical remediation, evidence preparation, and readiness reviews before your C3PAO assessment.
We don’t conduct C3PAO assessments ourselves—that would be a conflict of interest. We prepare you so that when the assessor arrives, you’re ready.
Don’t Wait
CMMC is coming. The rulemaking is done. The phase-in is underway. If you handle CUI and haven’t started preparing, you’re already behind. Contact BrightWorks IT to discuss your CMMC readiness and build a plan that gets you to certification on time.
Written by
Nadia Patel
Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.