
CMMC 2.0: The Defense Contractor Compliance Roadmap That Actually Works

Standarity Editorial Team · CMMC Practitioners & DoD Contract Compliance Specialists · 9 min read

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has reached final rule status, and the Department of Defense is beginning to place the requirement into solicitations and contract clauses. For defense contractors and their supply chains, CMMC compliance has shifted from a future concern to an immediate procurement reality. The companies that started preparing two years ago are positioned to bid. The companies still treating CMMC as something to address later will find themselves losing contract opportunities to better-prepared competitors.

The Three Levels and Who They Apply To

CMMC 2.0 has three levels. Level 1 (Foundational) applies to companies handling Federal Contract Information (FCI) and requires the basic safeguarding controls from FAR clause 52.204-21: fifteen practices in total. Level 2 (Advanced) applies to companies handling Controlled Unclassified Information (CUI) and aligns with the 110 security requirements of NIST SP 800-171 (Revision 2, the version the final rule references). Level 3 (Expert) applies to a narrow set of programmes handling the highest-priority CUI; it presupposes a Level 2 certification and adds 24 selected requirements drawn from NIST SP 800-172. Most defense contractors fall into Level 1 or Level 2, and the level a company needs is set by the contract, not chosen by the company.

Self-Assessment vs Third-Party Assessment

Level 1 requires an annual self-assessment, with the result entered in the Supplier Performance Risk System (SPRS) and an annual affirmation of continued compliance by a senior company official. Level 2 generally requires a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO), with an annual affirmation in the intervening years; a narrow subset of contracts allows a Level 2 self-assessment instead. Level 3 requires a government-led assessment by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on top of a current Level 2 certification. The C3PAO ecosystem is established but capacity is constrained; companies that wait to schedule an assessment until they need a certificate often find lead times of several months. Plan the assessment timing around contract requirements, not the other way around.

NIST 800-171 Is the Real Baseline

For Level 2, the substantive content is NIST SP 800-171: 110 security requirements organised into 14 control families. Companies that have been working under DFARS clause 252.204-7012 for years already have a contractual obligation to implement 800-171; what CMMC 2.0 adds is independent verification that the implementation is real. Companies new to defense contracting are sometimes surprised by the specificity of 800-171 and the volume of evidence required to demonstrate implementation. The standard is achievable but not lightweight.

A pattern in mock assessments: the company has a System Security Plan (SSP) that describes its implementation of 800-171, and the SSP looks reasonable. The assessor then works through the assessment objectives of NIST SP 800-171A, asks for evidence on specific practices, and finds gaps: controls described as implemented but without supporting artefacts, security policies that reference processes nobody runs in practice, audit logs that do not actually exist for the systems they are supposed to cover. The assessment is evidence-driven; a description of a control with no underlying artefact, interview, or observed test to back it does not pass.

The Plan of Action and Milestones (POA&M)

CMMC 2.0 allows a limited set of Level 2 practices to be left open in a POA&M at the time of assessment, producing a conditional certification that becomes final only when the POA&M is closed out within 180 days; Level 1 permits no POA&M at all. The POA&M is not a permanent excuse. It is a time-bounded remediation commitment, and the rule constrains it in two ways: the company must still meet a minimum assessment score (the higher-weighted practices cannot be deferred, and the assessment must score at least 80 percent overall), and failure to close every open item within the 180-day window causes the conditional status to lapse. Relying on the POA&M for practices that are not eligible, or for more remediation than 180 days can realistically absorb, is one of the easier ways to fail. Treat the POA&M as a real implementation plan with realistic remediation timelines, not as compliance theatre.

Where Programmes Most Often Have Gaps

  • CUI scoping: a clear definition of what CUI the company holds, which systems store or process it, and where it flows is often missing or incomplete
  • System Security Plan quality: descriptions too generic to map to individual assessment objectives or to the evidence that would satisfy them
  • Logging coverage: audit logging is required across every system that handles CUI; in practice it is often enabled on some servers and absent on endpoints, cloud services, or network devices
  • Multi-factor authentication coverage: 800-171 requires MFA for all network access and for local access to privileged accounts, yet many programmes stop at the VPN and leave other CUI access paths single-factor
  • Incident response capability: documented but not exercised in conditions resembling real incidents, so nobody can show that reporting timelines and containment steps actually work
  • Configuration management: change control and baseline configurations on systems handling CUI are frequently looser than the standard expects, with no record of what changed, when, or who approved it

How to Sequence the Work

Start with CUI scoping: until you know what data is in scope and where it flows, the controls cannot be properly applied and the assessment boundary cannot be drawn. Build or refresh the System Security Plan against the implementation that actually exists, not the one you intend to have. Conduct a gap assessment against the relevant level's practices and their assessment objectives. Remediate the highest-weighted gaps first and collect the evidence as you go. Schedule a mock assessment with someone who knows the C3PAO process before booking the real one. Then, and only then, schedule the certified assessment with realistic lead time. Companies that do this in sequence emerge with both the certification and a meaningfully improved security programme.
