CMMC 2.0 (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense's framework for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the Defense Industrial Base (DIB). With over 300,000 contractors in the DoD supply chain, CMMC 2.0 represents the most significant shift in federal cybersecurity contracting requirements in a generation.
The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the companion DFARS acquisition rule phases CMMC requirements into DoD solicitations in stages beginning in late 2025 over a three-year period. Once a solicitation carries a CMMC level, contractors who cannot demonstrate the required status will be ineligible for award on that contract. This guide covers CMMC 2.0 levels, requirements, common gaps, and the path to certification.
The CMMC 2.0 framework streamlined the original five-level model down to three levels, each aligned to specific contract types and data sensitivity requirements. Understanding which level applies to your organization is the first step in any compliance program.
Covers basic cyber hygiene practices mapped to FAR 52.204-21. Annual self-assessment required. Applies to contracts involving only Federal Contract Information (FCI).
Fully aligned to NIST SP 800-171 Rev 2. A triennial third-party assessment by a C3PAO is required for most CUI-handling contracts; a subset of programs is designated for Level 2 self-assessment instead. Most DoD contractors will need Level 2.
Exceeds NIST SP 800-171, drawing from NIST SP 800-172. Government-led triennial assessment by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Reserved for the most critical national security programs.
Level 1 maps to the 15 basic safeguarding requirements in FAR clause 52.204-21(b)(1), which focus on protecting FCI. These requirements include limiting system access to authorized users, sanitizing or destroying media before disposal, limiting physical access to systems, identifying and correcting system flaws in a timely manner, and protecting against malicious code. Level 1 requires an annual self-assessment, with the result and a senior official's affirmation entered in the Supplier Performance Risk System (SPRS). No third-party assessor is required, though accurate self-reporting is mandatory and misrepresentation carries False Claims Act liability.
Level 2 is where the vast majority of DoD contractors will face the most significant compliance challenge. It maps directly to all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
For contracts that involve CUI flowing through prime contractors, Level 2 certification from an accredited C3PAO (CMMC Third Party Assessment Organization) is mandatory on a triennial cycle. Prime contractors must also ensure their subcontractors handling CUI meet the same requirements — making supply chain compliance a significant program management challenge.
Level 3 builds on the full 110 requirements of Level 2 and adds 24 selected requirements from NIST SP 800-172, which addresses advanced persistent threats (APTs). An organization must already hold a Final Level 2 certification from a C3PAO before a Level 3 assessment, which is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This level is reserved for contractors supporting the most sensitive national security programs, typically weapons-system and other programs whose CUI is a priority target for APTs. CMMC itself covers only CUI and FCI; classified information is governed by separate programs.
CMMC requirements apply broadly across the DoD contracting ecosystem, including prime contractors, subcontractors, and suppliers at any tier who handle or process FCI or CUI. The specific level required will be stated in solicitations and contracts through DFARS clauses.
| Organization Type | Data Handled | CMMC Level | Assessment Type |
|---|---|---|---|
| Commercial item suppliers (non-CUI) | FCI only | Level 1 | Annual self-assessment |
| Most DoD prime and sub contractors | CUI | Level 2 | Triennial C3PAO assessment |
| Some Level 2 programs (lower risk) | CUI (limited) | Level 2 | Triennial self-assessment |
| Critical national security programs | CUI + sensitive | Level 3 | Triennial DCMA/DIBCAC assessment |
It is important to note that CMMC applies to the entire supply chain. A prime contractor certified at Level 2 must ensure that any subcontractor who receives, processes, stores, or transmits CUI is also certified at the appropriate level. Flow-down requirements must be included in subcontract agreements, and primes can be held responsible for subcontractor non-compliance.
Key Insight: Government estimates suggest that over 80% of CMMC Level 2 contractors will require third-party assessment by a C3PAO rather than self-assessment, based on the sensitivity of the programs they support. If your organization handles technical data packages, export-controlled information, or acquisition-sensitive information, plan for C3PAO assessment.
Industry surveys and early C3PAO assessment data consistently identify the same control domains as the primary sources of non-compliance. More than 60% of DoD contractors are estimated to be not yet Level 2 ready, with average SPRS scores significantly below the required 110-point benchmark. Understanding where organizations most commonly fall short allows for focused remediation investment.
The Access Control domain contains 22 requirements at Level 2, more than any other domain. Common failures include insufficient enforcement of least-privilege principles, inadequate management of privileged accounts, lack of session lock controls after periods of inactivity, and insufficient control over remote access sessions. Many organizations also fail AC.L2-3.1.3, which requires controlling the flow of CUI in accordance with approved authorizations — a control that requires detailed data flow mapping.
Configuration management gaps are pervasive, particularly around CM.L2-3.4.1 (establishing and maintaining baseline configurations and system inventories) and CM.L2-3.4.2 (establishing and enforcing security configuration settings). Contractors often lack formal change control processes, approved and documented baselines, and automated tooling that compares the live system against the approved baseline so that unauthorized changes are detected rather than discovered by an assessor.
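The following is an added example, not code from the original article, showing the smallest useful form of "automated tooling that detects unauthorized changes": hash every file under an approved configuration root, store that as the baseline, and report what was added, removed or modified. The directory contents and the drift it detects are constructed inline so the script runs offline; file names such as `sshd_config` and `audit.rules` are illustrative only.

```python
"""Configuration baseline drift check (added example for CM.L2-3.4.1 / 3.4.3).

Not part of the original article. Hashes every file under a configuration
root, stores the approved baseline as JSON, and reports files that were
added, removed or modified since the baseline was approved. The directory
contents below are constructed inline so the script runs offline.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(approved: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the approved baseline and the current snapshot."""
    before, after = set(approved), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if approved[p] != current[p]),
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Persist the approved baseline. In production, store it off-host and sign it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Create a constructed config tree, approve it, then simulate unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "audit.rules").write_text("-w /etc/passwd -p wa -k identity\n")

        baseline_file = Path(tmp) / "approved-baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed drift: a weakened sshd setting, a deleted audit rule, an unapproved cron job.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "audit.rules").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly-sync").write_text("0 2 * * * root /opt/sync.sh\n")

        return diff_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the real configuration root and route the three lists into the change-control record: every entry should match an approved change request, and anything that does not is the unauthorized change the control exists to catch. Keep the baseline file outside the monitored system and protect its integrity, since an attacker who can rewrite the baseline can hide the drift.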
Many organizations have informal incident response processes that do not meet the specificity required by NIST SP 800-171. IR.L2-3.6.1 requires establishing an operational incident-handling capability, while IR.L2-3.6.2 requires tracking, documenting, and reporting incidents. Organizations frequently lack tested response plans, defined reporting timelines (particularly for the 72-hour DoD reporting requirement), and documented tabletop exercise records.
IA.L2-3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts; IA.L2-3.5.4 separately requires replay-resistant authentication mechanisms for network access to both privileged and non-privileged accounts, which a password-only login does not satisfy. Despite MFA being a well-understood control, many smaller contractors still rely on single-factor authentication for at least some in-scope access, creating direct assessment findings.
The SC domain includes 16 requirements at Level 2. Common gaps include SC.L2-3.13.3 (separating user functionality from system management functionality), SC.L2-3.13.8 (implementing cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards), and SC.L2-3.13.11 (employing FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI). Many organizations transmit CUI over unencrypted channels, leave legacy protocol versions and non-approved algorithms enabled, or rely on cryptographic modules that have no CMVP validation certificate.
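As an added example that is not part of the original article, the script below audits the TLS settings in an nginx configuration for the kind of 3.13.8 and 3.13.11 findings described above: plaintext listeners, legacy protocol versions, cipher suites built on algorithms that are not FIPS 140 approved (RC4, 3DES, ChaCha20, MD5 and similar), and cipher aliases such as `HIGH` that expand to suites the operator never enumerated. The nginx configuration is constructed for the example; host names under `example.test` are placeholders. One caveat the lead-in owes the reader: algorithm selection is only half of 3.13.11. Whether the TLS library behind nginx is a CMVP-validated module, running in its validated mode, must be verified separately against the module's certificate.

```python
"""Audit nginx TLS settings for SC.L2-3.13.8 / 3.13.11 evidence (added example).

Not part of the original article. Parses server blocks from a constructed nginx
configuration and flags plaintext listeners, legacy protocol versions, cipher
suites that rely on non-FIPS-approved algorithms, and unspecific cipher aliases.
Directives inherited from the enclosing http context are not modelled.
"""
from __future__ import annotations

import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Token prefixes that only occur in suites using algorithms outside FIPS 140 approval.
NON_FIPS_PREFIXES = ("RC4", "RC2", "DES", "3DES", "IDEA", "SEED", "CAMELLIA",
                     "CHACHA20", "MD5", "NULL", "EXP", "ADH", "AECDH")
UNSPECIFIC_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_NGINX_CONF = """
server {
    listen 80;
    server_name portal.example.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name portal.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    location / { proxy_pass http://app; }
}

server {
    listen 8443 ssl;
    server_name legacy.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
    ssl_ciphers 'HIGH:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:!aNULL';
}
"""

DIRECTIVE = re.compile(r"^(listen|server_name|ssl_protocols|ssl_ciphers)\s+(.+?);$")


def non_fips_suite(name: str) -> bool:
    """True when any algorithm token in an OpenSSL-style suite name is non-FIPS."""
    tokens = re.split(r"[-_]", name.upper())
    return any(tok.startswith(NON_FIPS_PREFIXES) for tok in tokens)


def parse_server_blocks(conf: str) -> list[dict]:
    """Collect the four directives of interest from each server block."""
    blocks: list[dict] = []
    current: dict | None = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if re.match(r"^server\s*\{", line):
            current = {"listen": [], "server_name": "(unnamed)", "ssl_protocols": None, "ssl_ciphers": None}
            blocks.append(current)
            continue
        match = DIRECTIVE.match(line) if current is not None else None
        if not match:
            continue
        key, value = match.groups()
        if key == "listen":
            current["listen"].append(value)
        elif key == "server_name":
            current["server_name"] = value.split()[0]
        elif key == "ssl_protocols":
            current["ssl_protocols"] = value.split()
        else:
            current["ssl_ciphers"] = value.strip("'\"")
    return blocks


def audit_block(block: dict) -> list[str]:
    findings: list[str] = []
    tls_listeners = [lst for lst in block["listen"] if "ssl" in lst.split()]
    if len(tls_listeners) != len(block["listen"]):
        findings.append("plaintext listener: confirm it only redirects and serves no CUI (3.13.8)")
    if not tls_listeners:
        return findings
    if block["ssl_protocols"] is None:
        findings.append("ssl_protocols not set in this server block; inherits a default")
    else:
        legacy = sorted(LEGACY_PROTOCOLS & set(block["ssl_protocols"]))
        if legacy:
            findings.append(f"legacy protocol versions enabled: {' '.join(legacy)}")
    if block["ssl_ciphers"] is None:
        findings.append("ssl_ciphers not set in this server block; inherits a default")
    else:
        for entry in block["ssl_ciphers"].split(":"):
            name = entry.split("@")[0]          # strip @STRENGTH / @SECLEVEL modifiers
            if not name or name[0] in "!-+":    # exclusions and reorderings add nothing
                continue
            if name.upper() in UNSPECIFIC_ALIASES:
                findings.append(f"cipher alias {name} expands to suites not enumerated here")
            elif non_fips_suite(name):
                findings.append(f"non-FIPS cipher suite: {name}")
    return findings


def audit_nginx(conf: str) -> list[dict]:
    """One record per server block: server_name, listen directives, findings."""
    return [{"server_name": b["server_name"], "listen": b["listen"], "findings": audit_block(b)}
            for b in parse_server_blocks(conf)]


if __name__ == "__main__":
    for record in audit_nginx(SAMPLE_NGINX_CONF):
        print(record["server_name"], record["listen"], record["findings"] or "OK")
```

Against the sample, the port-80 redirect draws a confirmation prompt rather than a failure, the hardened `portal` block passes, and the `legacy` block produces four findings. Keep the output with the SSP as evidence for the two requirements, alongside the CMVP certificate number of the TLS module the server actually loads.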
Media protection requirements address the physical and logical controls over devices that store CUI. MP.L2-3.8.3 (sanitizing or destroying system media before disposal) and MP.L2-3.8.5 (controlling access to media containing CUI) are frequently deficient. Removable media policies are often absent or unenforced, and many organizations lack documented media sanitization procedures that follow NIST SP 800-88 guidelines.
Not sure where your organization stands? Take our free 5-minute CMMC 2.0 readiness assessment and get an instant gap report across all 14 NIST SP 800-171 control domains.
Use this 10-point checklist as an initial readiness self-assessment. Each item represents a foundational requirement that assessors will evaluate. Organizations should be able to produce written evidence for each item before scheduling a C3PAO assessment.
Understanding the CMMC ecosystem and assessment mechanics is critical for planning your compliance program. The path from current state to certified organization involves multiple actors and a structured assessment workflow.
The Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) accredits the organizations that perform assessments. C3PAOs (CMMC Third Party Assessment Organizations) are the accredited firms that conduct formal Level 2 certification assessments of Organizations Seeking Certification (OSCs). Individual assessors on a C3PAO team must hold the CCA (Certified CMMC Assessor) credential. CCPs (Certified CMMC Professionals) hold the entry-level credential in the same ecosystem; they commonly help organizations prepare and may serve on an assessment team, but cannot lead a formal assessment.
Complete your NIST SP 800-171 self-assessment, develop your SSP, identify and remediate critical gaps, and develop a POA&M for remaining items. Engage a C3PAO early — booking windows can be 3-6 months out given current demand.
Many C3PAOs offer pre-assessment readiness reviews (not an official CMMC assessment) to identify remaining gaps before the formal assessment. This can prevent costly findings and rescheduling delays.
The C3PAO conducts the assessment using CMMC assessment guides and objective evidence review. Assessment methods include examination (documentation review), interviews, and testing. Assessments typically span 1-4 weeks depending on scope complexity.
The C3PAO records the assessment results in the CMMC instance of eMASS, which feeds SPRS, and the OSC's senior official then affirms continued compliance in SPRS; certification is not a separate adjudication by the DoD CIO. A Conditional Level 2 status may be granted when the assessment score is at least 88 of 110 and only eligible requirements (those weighted one point, with narrow exceptions) remain open on the POA&M. Those items must be closed within 180 days and verified by a POA&M closeout assessment, or the conditional status lapses.
Certification is valid for three years. Organizations must maintain compliance between assessments and reassess when the certified environment changes materially. An annual affirmation of continuing compliance by a senior official is required in SPRS.
Timeline Reality: Organizations beginning their CMMC 2.0 journey today should plan for 6–18 months from initial gap assessment to formal C3PAO certification, depending on current maturity, the complexity of the CUI environment, and remediation resource availability. Highly mature organizations with existing ISO 27001 or FedRAMP implementations may achieve readiness in 6-9 months; organizations starting from scratch should plan for 12-18 months.
CMMC 2.0 compliance costs vary significantly based on organization size and current maturity. Independent studies estimate average remediation costs for a small-to-medium contractor at $100,000–$300,000 for initial compliance, plus $50,000–$150,000 per year in ongoing maintenance. C3PAO assessments typically cost $30,000–$100,000+ depending on scope. While significant, these costs must be weighed against the revenue risk of losing DoD contract eligibility.
IR.L2-3.6.1 and IR.L2-3.6.2 together require not just having an incident response plan, but demonstrating that it works. Assessors specifically look for documented evidence of incident response testing, including tabletop exercises. Organizations that can show a structured exercise program aligned to DoD-relevant threat scenarios — ransomware targeting CUI systems, supply chain compromises, insider threats — are in a significantly stronger position during assessment.
Skyhigh Cybersecurity's tabletop exercise platform includes DoD contractor-specific scenarios across CMMC-relevant threat categories, with built-in After Action Report templates that generate audit-ready documentation — evidence directly usable during C3PAO assessments.
Get a free, instant gap analysis across all 14 NIST SP 800-171 control domains. Understand your current SPRS score estimate and identify your highest-priority remediation actions before engaging a C3PAO.