
CMMC 2.0: What Defense Contractors Need to Know

PolicyCortex Team|November 20, 2025|2 min read
Tags: CMMC, defense contractors, compliance, NIST 800-171

Key Takeaways

  • CMMC 2.0 is officially active — the 32 CFR Part 170 final rule took effect in December 2024, and assessments are underway through authorized C3PAOs.
  • Level 2 certification (110 NIST 800-171 controls) is required for most contractors handling CUI, with mandatory third-party assessment.
  • Reducing scope through CUI environment segmentation is the single most effective way to lower assessment cost and complexity.
  • CMMC requires continuous monitoring, not one-time audits — automated compliance platforms dramatically reduce the operational burden of maintaining certification.
  • Common mistakes include treating CMMC as a checkbox exercise, waiting too long to start, and ignoring cloud environment configurations.

CMMC 2.0 Overview

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework establishes cybersecurity requirements for the Defense Industrial Base (DIB). It streamlines the original five-level model down to three levels and codifies the requirement for third-party assessments at Level 2 and above.

If you handle Controlled Unclassified Information (CUI) for the Department of Defense, CMMC affects you.

The Three Levels

Level 1 — Foundational covers 15 basic cybersecurity practices from FAR 52.204-21. This level requires annual self-assessment and applies to contractors handling Federal Contract Information (FCI).

Level 2 — Advanced maps directly to the 110 security requirements in NIST SP 800-171. Most contractors handling CUI will need Level 2 certification, which requires assessment by an authorized C3PAO (Certified Third-Party Assessor Organization).

Level 3 — Expert adds requirements from NIST SP 800-172 for enhanced security against advanced persistent threats. This level requires government-led assessment and applies to a smaller set of critical programs.

Timeline and Enforcement

The CMMC program is now officially active. The 32 CFR Part 170 final rule took effect in December 2024, and CMMC requirements are being phased into DoD contracts through the 48 CFR DFARS rulemaking process.

This is no longer a future requirement. Contractors who haven’t started preparation are already behind.

Practical Steps for Preparation

1. Scope Your CUI Environment

Identify exactly where CUI flows and is stored in your organization. The scope of your assessment — and the cost — depends entirely on this boundary.

2. Conduct a Gap Assessment

Map your current security posture against all 110 NIST 800-171 practices. Common problem areas include access control, audit log management, configuration management, incident response, and system communications protection.

3. Build Your System Security Plan (SSP)

Your SSP documents how you implement each security requirement.

4. Address Gaps with a POA&M

A Plan of Action and Milestones (POA&M) documents known gaps and your plan to close them.

5. Establish Continuous Monitoring

CMMC is not a one-time audit. Organizations must maintain their security posture continuously between assessments.

Common Mistakes

Treating CMMC as a checkbox exercise. The assessors are looking at actual security posture, not just documentation.

Waiting too long to start. Achieving compliance takes most organizations months, not weeks. C3PAO availability is limited.

Ignoring the cloud. Many contractors use AWS, Azure, or GCP without properly configuring these environments for CUI handling.

Cloud misconfigurations are among the top findings in CMMC assessments. If your CUI touches cloud infrastructure, your cloud environment is in scope.
