The Cybersecurity Maturity Model Certification programme, CMMC 2.0 in its current form, is the Department of Defense's mechanism for verifying that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) actually meet cybersecurity requirements that have been contractually required for years. The programme rule (32 CFR Part 170) is in effect, and the contractual clause (DFARS 252.204-7021) phases into DoD solicitations over a three-year rollout. The substantive controls are not new: Level 1 covers the 15 basic safeguards of FAR 52.204-21, and Level 2 implements the 110 requirements of NIST SP 800-171. What is new is the verification mechanism: for most Level 2 contracts, self-attestation is replaced by third-party assessment.
The Three Levels and What Triggers Them
Level 1 applies to contractors handling only FCI and requires an annual self-assessment against the 15 basic safeguards, with an annual affirmation posted in SPRS. Level 2 applies to contractors handling CUI and requires, every three years, either a self-assessment (with annual affirmation) or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); the solicitation specifies which, depending on the criticality of the CUI involved, and DoD has indicated that the great majority of Level 2 requirements will be C3PAO assessments. Level 3 applies to CUI associated with the highest-priority programmes: it requires a Level 2 C3PAO certification as a prerequisite and adds 24 requirements selected from NIST SP 800-172, assessed by the government (DCMA DIBCAC). Most of the Defense Industrial Base will land at Level 2 with third-party assessment, and C3PAO capacity against that demand is the constraint that shapes any contractor's realistic timeline.
NIST SP 800-171 Is Not Optional Now
NIST SP 800-171 has been contractually required for DoD contractors handling CUI since DFARS 252.204-7012 set an implementation deadline of 31 December 2017. Many contractors documented partial implementation in their System Security Plan (SSP) and Plan of Action and Milestones (POA&M), posted a self-assessed score to the Supplier Performance Risk System (SPRS) once DFARS 252.204-7019/7020 required it in 2020, and operated for years without independent verification. CMMC 2.0 closes that gap by requiring third-party verification that the controls are implemented as documented, not merely described. Contractors that genuinely implemented 800-171 in 2017 are in good shape; contractors that documented implementation without implementing it face a substantial remediation programme before they can pass an assessment.
The Realistic Timeline
A contractor starting from a partial 800-171 implementation typically needs nine to eighteen months of dedicated effort to reach assessment readiness — closing control gaps, producing the evidence library, building the operational practices that will be observable on assessment day, and conducting a mock assessment. The C3PAO scheduling itself adds months. Contractors that wait until CMMC appears in a target solicitation will discover that the assessment cannot be completed within the proposal timeline. The contracts will go to competitors that started earlier.
A pattern that recurs in CMMC readiness work: the contractor has an SSP and a self-assessed SPRS score of 110 out of 110, and on a real walkthrough cannot demonstrate the controls in operation. Multi-factor authentication is documented but not enforced for every account, or is bypassed by exceptions. Configuration baselines are documented but drift is uncontrolled and nobody detects it. Logging is documented but the logs are never reviewed, so the review requirement is unmet however much is collected. The remediation is the gap between documented and operational, and closing that gap is the substantive readiness work. Start from the operational reality, not from the SSP.
Enclaves and CUI Scope Reduction
The single largest lever for reducing CMMC implementation cost is reducing the scope of the environment that handles CUI. A CUI enclave, a logically and technically separated environment that handles CUI while the rest of the enterprise stays out of scope, is the dominant architectural pattern for contractors that do not need CUI across their general-purpose IT. The enclave reduces the assessment surface, the control implementation cost, and the risk that a finding outside the CUI environment derails the assessment. Two caveats: the boundary only holds if CUI genuinely never leaves the enclave (email, file shares and endpoints outside it are the usual leaks the assessor will probe), and the CMMC scoping rules still pull in assets that provide security to the enclave (identity, logging, backup, management tooling), so those systems are assessed even though they hold no CUI. The enclave decision is consequential and should be made before the implementation work begins.
A Realistic Readiness Programme
- Determine the likely CMMC level for your contract portfolio and confirm the CUI you handle
- Decide on the architectural approach — enterprise-wide implementation or CUI enclave
- Conduct a genuine SPRS self-assessment against operational reality, not against intended state
- Close the gaps with a defensible Plan of Action and Milestones tied to executive sponsorship, remembering that a CMMC assessment only tolerates open POA&M items under narrow conditions: a score of at least 88 of 110, only lower-weighted requirements deferred, and closure within 180 days for the conditional status to become a final certification
- Build the evidence library — the artefacts a C3PAO will sample on assessment
- Conduct a mock assessment with a Registered Practitioner Organization before scheduling the C3PAO
- Schedule the C3PAO assessment well in advance of when the contractual requirement will hit
Why the Investment Is Defensible
CMMC 2.0 will appear as a contractual requirement across most DoD acquisitions over the rollout window. Contractors without certification will be ineligible for those contracts. The implementation cost is meaningful — particularly for small and mid-sized contractors that have not historically invested in formal cybersecurity programmes — and the investment is defensible against the alternative of losing access to the DoD market. The contractors that approach CMMC strategically rather than reactively retain that access; the ones that approach it reactively learn that the assessor capacity, the implementation timeline, and the contractual deadlines do not align with a last-minute response.