CMMC 2.0: What Defense Contractors Need to Know
The CMMC program is officially active with assessments underway. Here’s a practical guide for contractors navigating the requirements.
- CMMC 2.0 is officially active — the 32 CFR Part 170 final rule took effect in December 2024, and assessments are underway through authorized C3PAOs.
- Level 2 certification (110 NIST 800-171 controls) is required for most contractors handling CUI, with mandatory third-party assessment.
- Reducing scope through CUI environment segmentation is the single most effective way to lower assessment cost and complexity.
- CMMC requires continuous monitoring, not one-time audits — automated compliance platforms dramatically reduce the operational burden of maintaining certification.
- Common mistakes include treating CMMC as a checkbox exercise, waiting too long to start, and ignoring cloud environment configurations.
CMMC 2.0 Overview
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework establishes cybersecurity requirements for the Defense Industrial Base (DIB). It streamlines the original five-level model down to three levels and codifies the requirement for third-party assessments at Level 2 and above.
If you handle Controlled Unclassified Information (CUI) for the Department of Defense, CMMC affects you.
The Three Levels
Level 1 — Foundational covers 15 basic cybersecurity practices from FAR 52.204-21. This level requires annual self-assessment and applies to contractors handling Federal Contract Information (FCI).
Level 2 — Advanced maps directly to the 110 security requirements in NIST SP 800-171. Most contractors handling CUI will need Level 2 certification, which requires assessment by an authorized C3PAO (Certified Third-Party Assessor Organization).
Level 3 — Expert adds requirements from NIST SP 800-172 for enhanced security against advanced persistent threats. This level requires government-led assessment and applies to a smaller set of critical programs.
Timeline and Enforcement
The CMMC program is now officially active. The 32 CFR Part 170 final rule took effect in December 2024, and CMMC requirements are being phased into DoD contracts through the 48 CFR DFARS rulemaking process.
This is no longer a future requirement. Contractors who haven’t started preparation are already behind.
Practical Steps for Preparation
1. Scope Your CUI Environment
Identify exactly where CUI flows and is stored in your organization. The scope of your assessment — and the cost — depends entirely on this boundary.
2. Conduct a Gap Assessment
Map your current security posture against all 110 NIST 800-171 practices. Common problem areas include access control, audit log management, configuration management, incident response, and system communications protection.
3. Build Your System Security Plan (SSP)
Your SSP documents how you implement each security requirement.
4. Address Gaps with a POA&M
A Plan of Action and Milestones (POA&M) documents known gaps and your plan to close them.
5. Establish Continuous Monitoring
CMMC is not a one-time audit. Organizations must maintain their security posture continuously between assessments.
Common Mistakes
Treating CMMC as a checkbox exercise. The assessors are looking at actual security posture, not just documentation.
Waiting too long to start. Achieving compliance takes most organizations months, not weeks. C3PAO availability is limited.
Ignoring the cloud. Many contractors use AWS, Azure, or GCP without properly configuring these environments for CUI handling.
Cloud misconfigurations are among the top findings in CMMC assessments. If your CUI touches cloud infrastructure, your cloud environment is in scope.
