What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a Department of Defense framework that establishes mandatory cybersecurity requirements for contractors in the Defense Industrial Base (DIB). It replaced the original CMMC 1.0 in November 2021 with a streamlined three-level model and became legally enforceable with the publication of the 32 CFR Part 170 final rule in December 2024.
If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of the DoD, CMMC requirements apply to you. With approximately 220,000 contractors in the DIB supply chain, CMMC is one of the broadest cybersecurity mandates in U.S. federal contracting history.
CMMC 2.0 is no longer a future requirement. It is being incorporated into DoD solicitations now, with full rollout through the DFARS rulemaking process.
The Three Levels
Level 1 — Foundational
Applies to: Contractors handling Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
Requirements: 15 basic cybersecurity practices from FAR 52.204-21, covering fundamental cyber hygiene — access control, identification and authentication, incident response, and system and communications protection basics.
Assessment: Annual self-assessment. No third-party assessor required. Results submitted to the Supplier Performance Risk System (SPRS).
Scope: Most small contractors who work on DoD programs will fall at Level 1 if they don't handle CUI.
Level 2 — Advanced
Applies to: Contractors who handle, process, or store Controlled Unclassified Information (CUI) under DoD contracts.
Requirements: 110 security requirements from NIST SP 800-171 Rev 2, organized across the 14 control families listed below:
- Access Control (AC) — 22 requirements
- Audit and Accountability (AU) — 9 requirements
- Awareness and Training (AT) — 3 requirements
- Configuration Management (CM) — 9 requirements
- Identification and Authentication (IA) — 11 requirements
- Incident Response (IR) — 3 requirements
- Maintenance (MA) — 6 requirements
- Media Protection (MP) — 9 requirements
- Personnel Security (PS) — 2 requirements
- Physical Protection (PE) — 6 requirements
- Risk Assessment (RA) — 3 requirements
- Security Assessment (CA) — 4 requirements
- System and Communications Protection (SC) — 16 requirements
- System and Information Integrity (SI) — 7 requirements
Assessment: Mandatory third-party assessment by an authorized C3PAO (Certified Third-Party Assessor Organization) for "prioritized" acquisitions. Triennial reassessment cycle.
Who falls here: The vast majority of defense contractors who touch CUI will require Level 2. This includes subcontractors who receive CUI from prime contractors.
Level 3 — Expert
Applies to: Contractors supporting DoD's highest-priority programs, typically involving advanced persistent threat (APT) risks.
Requirements: Level 2 requirements plus a subset of NIST SP 800-172 controls, focused on enhanced protections against sophisticated adversaries.
Assessment: Government-led assessments conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Who falls here: A relatively small number of contractors, primarily working on classified or highly sensitive programs.
The Assessment Process
Selecting a C3PAO
For Level 2, you must work with an organization certified by the Cyber AB (CMMC Accreditation Body) as a Certified Third-Party Assessor Organization. Key considerations:
Verify certification. Check the Cyber AB Marketplace at cyberab.org to confirm a C3PAO's current authorization status. Certifications expire and can be revoked.
Assess industry experience. Look for C3PAOs with experience in your sector — defense manufacturing, software development, national security IT — and your specific CUI handling context.
Understand scheduling. C3PAO capacity is constrained. Assessment slots often require 6-12 months of lead time. Factor this into your compliance timeline.
Clarify scope. Understand exactly what systems and environments the C3PAO will assess before engaging. Surprises during assessment preparation are expensive.
The Assessment Itself
A CMMC Level 2 assessment typically involves:
- Document review — Assessment of your System Security Plan (SSP), policies, and procedures
- Technical interviews — Discussions with system administrators, security personnel, and end users
- Configuration verification — Direct examination of systems, including cloud environments
- Evidence review — Examination of evidence for each of the 110 controls
Assessments typically run 1-4 weeks depending on scope. Results are submitted to SPRS.
Scoring
The CMMC Level 2 scoring methodology assigns point values to each practice. A score of 110 represents full compliance. The DoD has defined minimum acceptable scores for contract award, though the threshold can vary by program.
Findings that receive a "NOT MET" status generate POA&M items that must be remediated within defined timeframes.
Scoping: The Highest-Leverage Activity
Your CUI boundary determines your assessment scope. Every system, application, and environment in scope must meet all 110 requirements. This makes scoping decisions among the most consequential in your CMMC program.
What Defines Scope
The CMMC scoping guidance defines several categories of assets:
In-Scope Assets:
- Systems that process, store, or transmit CUI
- Security systems that protect in-scope assets (firewalls, IDS/IPS, identity providers)
- Systems that provide services to in-scope assets (DNS, logging, patch management)
Out-of-Scope (with documentation):
- Systems with no CUI flow and no connectivity to in-scope systems
- Contractor-owned facilities used for incidental contractor personnel work
Segmentation Strategies
Organizations typically reduce scope through one of several approaches:
Network segmentation: A dedicated CUI network segment isolated from the general corporate network. Dramatically reduces the scope of systems subject to CMMC controls.
Dedicated workstations: Issue CUI-specific endpoints (laptops, workstations) that only connect to the CUI environment. Other business activities use separate devices.
External service provider (ESP) leverage: If CUI processing is handled by a cloud service provider (CSP) or managed service provider (MSP) that is itself CMMC certified, this can reduce your assessment burden.
Cloud environment isolation: Dedicated cloud accounts, subscriptions, or projects for CUI workloads. This is the cloud analog of network segmentation.
Proper scoping can reduce the number of systems in assessment scope by 70-80% in many organizations. The ROI on scoping analysis is enormous compared to the cost of certifying systems that don't need to be in scope.
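As an added illustration (not code from the original article or from PolicyCortex), the following toy scoping calculator applies the asset categories above to a constructed inventory. A system is placed in scope if it handles CUI, if it is a security or service system supporting an in-scope system, or if it has network connectivity to an in-scope system; everything else can be documented as out of scope. Running it before and after a segmentation change shows how one cross-segment link drags the general corporate network into the boundary. All asset names, roles and links are constructed sample data, and the transitive connectivity rule is a simplification of the page's categories rather than the official scoping guidance.

```python
"""Added example, not code from the original article: a toy scoping
calculator that applies the asset categories above to a constructed
inventory. A system is in scope if it handles CUI, if it is a security or
service system supporting an in-scope system, or if it has network
connectivity to one; everything else can be documented as out of scope.
Asset names and links are constructed sample data."""
from collections import deque


def compute_scope(assets: dict, links: set) -> set:
    """assets: name -> {"cui": bool, "role": "security"|"service"|"general",
                         "supports": [names it protects or serves]}
    links: set of (a, b) pairs meaning a and b can talk on the network.
    Returns the set of in-scope asset names (transitive closure)."""
    neighbors = {name: set() for name in assets}
    for a, b in links:
        neighbors[a].add(b)
        neighbors[b].add(a)
    in_scope = {name for name, v in assets.items() if v["cui"]}
    queue = deque(in_scope)
    while queue:
        cur = queue.popleft()
        pulled = set(neighbors[cur])                      # connectivity rule
        pulled |= {name for name, v in assets.items()     # supporting-system rule
                   if v["role"] in ("security", "service")
                   and cur in v.get("supports", [])}
        for name in pulled - in_scope:
            in_scope.add(name)
            queue.append(name)
    return in_scope


# Constructed inventory: two CUI systems, their firewall and DNS, an HR
# system, and ten general corporate endpoints chained on the flat LAN.
ASSETS = {
    "cui-fileserver": {"cui": True, "role": "general"},
    "cui-laptop-1":   {"cui": True, "role": "general"},
    "fw-cui":         {"cui": False, "role": "security", "supports": ["cui-fileserver"]},
    "dns-corp":       {"cui": False, "role": "service",
                       "supports": ["cui-fileserver", "cui-laptop-1"]},
    "hr-system":      {"cui": False, "role": "general"},
}
ASSETS.update({f"corp-{i:02d}": {"cui": False, "role": "general"} for i in range(1, 11)})

FLAT_NETWORK = {
    ("cui-fileserver", "cui-laptop-1"),
    ("fw-cui", "cui-fileserver"),
    ("cui-fileserver", "hr-system"),          # the one link that blows up scope
    ("hr-system", "corp-01"),
} | {(f"corp-{i:02d}", f"corp-{i + 1:02d}") for i in range(1, 10)}

# After segmentation: the CUI enclave no longer routes to hr-system.
SEGMENTED_NETWORK = FLAT_NETWORK - {("cui-fileserver", "hr-system")}


def scope_reduction(assets: dict, before: set, after: set) -> float:
    """Fraction of in-scope assets removed by the segmentation change."""
    n_before = len(compute_scope(assets, before))
    n_after = len(compute_scope(assets, after))
    return (n_before - n_after) / n_before


if __name__ == "__main__":
    print("flat network in scope:", sorted(compute_scope(ASSETS, FLAT_NETWORK)))
    print("segmented in scope:   ", sorted(compute_scope(ASSETS, SEGMENTED_NETWORK)))
    print(f"scope reduced by {scope_reduction(ASSETS, FLAT_NETWORK, SEGMENTED_NETWORK):.0%}")
```

On the flat network all 15 assets land in scope because the file server can reach the HR system, which reaches the corporate endpoints; removing that single link leaves only the two CUI systems plus the firewall and DNS that support them. The point is that scope is driven by connectivity and dependencies, so a scoping review has to map both, not just which systems hold CUI.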
Cloud Environments and CMMC
Cloud infrastructure is frequently the highest-risk area in CMMC Level 2 assessments. The combination of rapid change velocity, complex configuration surfaces, and shared responsibility models creates a compliance environment where misconfigurations are common and often invisible.
Common Cloud Assessment Findings
Access control misconfigurations:
- Excessive IAM permissions (not least privilege)
- Service accounts with unnecessary cross-service access
- No MFA enforcement for console access
- Unused privileged accounts not disabled
Audit logging gaps:
- CloudTrail not enabled in all regions
- S3 access logging disabled
- VPC flow logs not enabled
- Log retention not meeting 3-year requirement (for CUI)
Network protection failures:
- Security groups with 0.0.0.0/0 ingress on sensitive ports
- Lack of network segmentation between CUI and non-CUI workloads
- No WAF deployed for externally accessible applications
Encryption deficiencies:
- Unencrypted storage volumes
- S3 buckets without server-side encryption
- Data in transit without TLS enforcement
Configuration drift:
- Compliant resources that drift out of compliance after the initial configuration
- Resources created outside approved IaC pipelines without required controls
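The findings above are the kind that compliance-as-code checks catch before an assessor does. The following script is an added example, not code from the original article or from PolicyCortex: it evaluates a constructed cloud resource inventory against several of the listed findings and tags each with the NIST SP 800-171 family it maps to. The dictionaries use field names in the style of AWS describe-* responses so that real inventory could be fed in, but no cloud API is called; all data is constructed sample input, and the SENSITIVE_PORTS set is an assumption that a real scoping document would define.

```python
"""Added example, not code from the original article: a compliance-as-code
check that evaluates a constructed cloud resource inventory against several
of the common findings above and tags each finding with the NIST SP 800-171
family it maps to. Field names follow the style of AWS describe-* responses;
no cloud API is called, all inventory data is constructed sample input, and
SENSITIVE_PORTS is an assumption a real scoping document would define."""
from dataclasses import dataclass
from ipaddress import ip_network

SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}   # assumed: admin and database ports


@dataclass(frozen=True)
class Finding:
    family: str     # NIST SP 800-171 family abbreviation (AC, AU, IA, SC, ...)
    resource: str   # identifier of the offending resource
    issue: str      # short description for the assessor or engineer


def world_open(rule: dict) -> bool:
    """True if a security-group rule admits traffic from any IPv4 or IPv6 source."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_hits_sensitive_port(rule: dict) -> bool:
    """True if the rule covers any sensitive port ("-1" means all protocols/ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(low <= p <= high for p in SENSITIVE_PORTS)


def check_security_groups(groups: list) -> list:
    return [Finding("SC", g["GroupId"], "0.0.0.0/0 ingress on sensitive port(s)")
            for g in groups for rule in g.get("IpPermissions", [])
            if world_open(rule) and rule_hits_sensitive_port(rule)]


def check_volumes(volumes: list) -> list:
    return [Finding("SC", v["VolumeId"], "storage volume not encrypted")
            for v in volumes if not v.get("Encrypted", False)]


def check_buckets(buckets: list) -> list:
    out = []
    for b in buckets:
        if not b.get("ServerSideEncryptionConfiguration"):
            out.append(Finding("SC", b["Name"], "no server-side encryption configured"))
        if not b.get("LoggingEnabled"):
            out.append(Finding("AU", b["Name"], "S3 access logging disabled"))
    return out


def check_trails(trails: list, regions: set) -> list:
    """Every in-scope region needs CloudTrail: a multi-region trail, or one per region."""
    if any(t.get("IsMultiRegionTrail") for t in trails):
        return []
    covered = {t["HomeRegion"] for t in trails}
    return [Finding("AU", region, "no CloudTrail trail covering this region")
            for region in sorted(regions - covered)]


def check_iam_users(users: list) -> list:
    """Users with console access (a login profile) must have an MFA device."""
    return [Finding("IA", u["UserName"], "console access without MFA")
            for u in users if u.get("HasLoginProfile") and not u.get("MfaDevices")]


def evaluate(inventory: dict) -> list:
    """Run every check over one inventory and return the combined findings."""
    return (check_security_groups(inventory.get("SecurityGroups", []))
            + check_volumes(inventory.get("Volumes", []))
            + check_buckets(inventory.get("Buckets", []))
            + check_trails(inventory.get("Trails", []), set(inventory.get("Regions", [])))
            + check_iam_users(inventory.get("Users", [])))


# Constructed sample inventory (no real resources); each check has one hit.
SAMPLE_INVENTORY = {
    "Regions": ["us-east-1", "us-west-2"],
    "SecurityGroups": [
        {"GroupId": "sg-cui-web", "IpPermissions": [          # HTTPS from anywhere: no finding
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-cui-admin", "IpPermissions": [        # SSH from anywhere: finding
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "Volumes": [{"VolumeId": "vol-1", "Encrypted": True},
                {"VolumeId": "vol-2", "Encrypted": False}],
    "Buckets": [{"Name": "cui-docs", "LoggingEnabled": False,
                 "ServerSideEncryptionConfiguration": {"Rules": [{"SSEAlgorithm": "aws:kms"}]}}],
    "Trails": [{"Name": "east-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}],
    "Users": [{"UserName": "admin", "HasLoginProfile": True, "MfaDevices": []},
              {"UserName": "deploy-bot", "HasLoginProfile": False, "MfaDevices": []}],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.family}  {f.resource:<14} {f.issue}")
```

Each check is deliberately a pure function over plain dictionaries, which is what makes the mapping from finding to control family reviewable by an assessor and testable without cloud credentials; the same functions can be wired to live inventory later. Note that the HTTPS rule open to the world produces no finding, since the check is about administrative and database ports, not public web endpoints.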
The Shared Responsibility Challenge
Cloud providers (AWS, Azure, GCP) are responsible for security of the cloud — the physical infrastructure, hypervisor, and managed service foundations. You are responsible for security in the cloud — everything you configure, deploy, and operate.
For CMMC purposes, your configuration choices are your compliance responsibility. "The cloud provider handles that" is not an acceptable answer for most of the 110 controls.
FedRAMP and CMMC
If your cloud service provider holds a FedRAMP Authorization, this can streamline your CMMC compliance in several ways. FedRAMP-authorized services have pre-assessed security controls that you can inherit. However, FedRAMP doesn't automate your CMMC compliance — you still need to configure the services correctly and document your control implementations.
Key Documentation
System Security Plan (SSP)
Your SSP is the cornerstone of your CMMC program. It describes:
- The boundary of your assessment scope
- Each of the 110 security requirements and how you implement them
- The people, processes, and technologies that implement each control
- Your continuous monitoring approach
The SSP must reflect your actual implementation, not an aspirational state. Assessors will verify SSP claims against actual system configurations.
Plan of Action and Milestones (POA&M)
A POA&M documents known gaps in your compliance posture and your plan to close them. CMMC 2.0 allows limited POA&M items at assessment time — not all 110 controls need to be fully met at assessment, but the rules governing which controls can be in POA&M are specific and risk-stratified.
Policies and Procedures
Each control family typically requires documented policies and procedures. These don't need to be elaborate, but they must exist and reflect actual practice.
Continuous Compliance After Certification
CMMC certification is triennial, but compliance is continuous. The 32 CFR Part 170 rule includes requirements for maintaining compliance between assessments, including annual affirmations and continuous monitoring.
The Certification Trap
Many contractors achieve CMMC certification and then relax their compliance controls as attention shifts to other priorities. When their triennial reassessment arrives, they've drifted substantially from their certified state. This pattern — achieving certification and then losing it — is predictable and preventable.
Continuous Monitoring Requirements
CMMC explicitly requires continuous monitoring of your security posture. This means:
- Real-time detection of configuration drift
- Timely remediation of identified issues
- Ongoing evidence collection for all 110 controls
- Regular risk assessments
Manual approaches to continuous monitoring — periodic configuration audits, quarterly evidence reviews — don't meet the spirit (or letter) of continuous monitoring requirements.
Automated Compliance Maintenance
The most effective approach to post-certification compliance is automated continuous monitoring that:
- Continuously evaluates cloud resources against CMMC control mappings
- Detects drift the moment a configuration changes
- Remediates automatically for deterministic, low-risk issues
- Generates evidence continuously into an assessment-ready format
- Alerts on exceptions that require human judgment
This approach converts post-certification compliance from a recurring sprint into a continuous background process.
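To make the bullet list above concrete, here is an added example (not code from the original article or from the PolicyCortex platform) of a minimal drift detector. It compares a certified baseline snapshot of resource attributes with the current snapshot, maps each drifted attribute to a NIST SP 800-171 family, auto-reverts only the attributes an assumed policy table marks as deterministic and low-risk, and records everything else as an exception for a human. The baseline, current snapshot and DRIFT_POLICY table are all constructed sample data; the family assignments in the table are assumptions for illustration.

```python
"""Added example, not from the original article or PolicyCortex: a minimal
drift detector that compares a certified baseline against the current
snapshot, maps each drifted attribute to a NIST SP 800-171 family,
auto-reverts only attributes an assumed policy marks as low-risk, and emits
an evidence record. Snapshots and the policy table are constructed data."""
import json
from datetime import datetime, timezone

# Assumed policy table: attribute -> (control family, auto-remediate?).
# Encryption, logging and MFA flags are reverted automatically; anything
# that changes network exposure is routed to a human, because reverting it
# blindly could break a legitimate, approved change.
DRIFT_POLICY = {
    "Encrypted": ("SC", True),
    "MfaRequired": ("IA", True),
    "LoggingEnabled": ("AU", True),
    "IngressCidrs": ("SC", False),
    "PublicAccessBlocked": ("AC", False),
}


def diff_snapshots(baseline: dict, current: dict) -> list:
    """One drift record per attribute whose current value differs from the
    baseline, plus records for resources that vanished or appeared."""
    drifts = []
    for rid in sorted(set(baseline) | set(current)):
        if rid not in current:
            drifts.append({"resource": rid, "attribute": None, "kind": "removed",
                           "baseline": baseline[rid], "current": None})
        elif rid not in baseline:
            drifts.append({"resource": rid, "attribute": None, "kind": "unmanaged",
                           "baseline": None, "current": current[rid]})
        else:
            for attr, base_val in baseline[rid].items():
                cur_val = current[rid].get(attr)
                if cur_val != base_val:
                    drifts.append({"resource": rid, "attribute": attr, "kind": "changed",
                                   "baseline": base_val, "current": cur_val})
    return drifts


def reconcile(baseline: dict, current: dict, now=None) -> dict:
    """Classify drift, restore the baseline value where policy allows (in a
    copy of the current snapshot), and build an assessment-ready evidence record."""
    now = now or datetime.now(timezone.utc)
    state_after = json.loads(json.dumps(current))   # deep copy; never mutate input
    remediated, escalated = [], []
    for d in diff_snapshots(baseline, current):
        # Unmapped attributes and whole-resource changes fall under
        # Configuration Management and always need a human decision.
        family, auto = DRIFT_POLICY.get(d["attribute"], ("CM", False))
        entry = dict(d, family=family)
        if d["kind"] == "changed" and auto:
            state_after[d["resource"]][d["attribute"]] = d["baseline"]
            remediated.append(entry)
        else:
            escalated.append(entry)
    return {"generated_at": now.isoformat(), "remediated": remediated,
            "escalated": escalated, "state_after": state_after}


# Constructed baseline (state at certification) and a later snapshot.
BASELINE = {
    "vol-cui-1":  {"Encrypted": True},
    "bucket-cui": {"LoggingEnabled": True, "PublicAccessBlocked": True},
    "sg-cui-app": {"IngressCidrs": ["10.20.0.0/16"]},
    "iam-policy": {"MfaRequired": True},
}
CURRENT = {
    "vol-cui-1":  {"Encrypted": True},
    "bucket-cui": {"LoggingEnabled": False, "PublicAccessBlocked": True},
    "sg-cui-app": {"IngressCidrs": ["10.20.0.0/16", "0.0.0.0/0"]},
    "iam-policy": {"MfaRequired": True},
    "vol-adhoc":  {"Encrypted": False},    # created outside the IaC pipeline
}

if __name__ == "__main__":
    print(json.dumps(reconcile(BASELINE, CURRENT), indent=2))
```

In the sample run the disabled bucket logging is reverted automatically and recorded under AU, while the widened security group rule and the unmanaged volume are escalated rather than touched. Keeping the remediated and escalated lists in the same timestamped record is what turns each run into evidence: it shows both that drift was detected and what was done about it.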
Common CMMC Compliance Mistakes
Treating CMMC as a Checkbox Exercise
The most common and costly mistake. CMMC assessors are trained to test actual implementations, not documentation. An SSP that says you do multifactor authentication doesn't satisfy the control if assessors find systems without MFA enforcement.
Underestimating Scoping
Organizations that fail to properly analyze and minimize their CUI boundary end up certifying far more infrastructure than necessary. This inflates assessment cost and creates an ongoing compliance burden for systems that don't need to handle CUI.
Starting Too Late
CMMC preparation typically takes 6-18 months depending on your starting state. Add 6-12 months for C3PAO scheduling, and organizations that start when they see CMMC language in a solicitation are already significantly behind.
Ignoring Subcontractor Flow-Down
If you're a prime contractor, CMMC requirements flow down to subcontractors who handle CUI. Failing to ensure your supply chain is compliant can create contract performance issues and liability exposure.
Treating Certification as a Destination
CMMC certification is a point-in-time achievement. Compliance is a continuous state. Organizations that invest heavily in certification preparation and then reduce compliance investment after certification are setting themselves up for painful reassessments.
Getting Started: A Practical Roadmap
Month 1-2: Scoping and Gap Analysis
- Map your CUI flows and establish your assessment boundary
- Conduct a gap assessment against all 110 NIST 800-171 controls
- Prioritize gaps by risk and remediation complexity
Month 3-4: Documentation
- Begin drafting your System Security Plan
- Document policies for each control family
- Identify systems requiring configuration changes
Month 5-8: Technical Remediation
- Address configuration gaps, starting with highest-risk findings
- Implement cloud environment controls
- Deploy continuous monitoring
Month 9-12: C3PAO Engagement and Assessment
- Select and engage your C3PAO
- Complete pre-assessment readiness activities
- Submit to formal assessment
Ongoing: Post-Certification Compliance
- Maintain continuous monitoring
- Address POA&M items within committed timelines
- File annual affirmations
The organizations that approach CMMC as a security improvement program — not just a compliance exercise — consistently outperform their peers at assessment time and maintain compliance more efficiently after certification.
Conclusion
CMMC 2.0 is the most significant mandatory cybersecurity requirement to hit the Defense Industrial Base in a generation. With 220,000 contractors affected and enforcement underway, the time for preparation is now.
The organizations that will succeed are those that treat CMMC as an opportunity to build a genuinely strong security program — one that uses continuous monitoring, automated evidence collection, and autonomous remediation to maintain compliance as a background process rather than a periodic crisis.
About the Author
PolicyCortex Team
PolicyCortex was founded by a cleared technologist with active federal security clearances who has worked across the Defense Industrial Base, national laboratories (Los Alamos National Laboratory), and federal research organizations (MITRE). This first-hand experience with the security, compliance, and governance challenges facing regulated industries drives every design decision in the platform.