In response to growing cyberattacks targeting defense contractors and subcontractors, the Department of War (DOW) created the Cybersecurity Maturity Model Certification (CMMC) program to strengthen the security posture of the U.S. Defense Industrial Base (DIB).
CMMC is a verification framework designed to ensure contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) have implemented the appropriate cybersecurity protections.
The CMMC program is designed to support the goal of safeguarding sensitive government data across the defense supply chain by standardizing and enforcing security expectations for contractors and their partners.
What Is CMMC 2.0?
CMMC 2.0 introduces a structure with three compliance levels, with each level reflecting the sensitivity of the data being handled and the rigor of the appropriate cybersecurity measures.
Level 1: Foundational
Designed for organizations that handle only Federal Contract Information (FCI), Level 1 requires implementation of 15 basic cybersecurity practices outlined in FAR 52.204-21. These practices focus on safeguarding systems from common threats like unauthorized access and data loss.
Level 1 compliance is verified through an annual self-assessment, with the result and an affirmation of compliance by a senior company official entered in the Supplier Performance Risk System (SPRS).
Example of Who Needs Level 1
| Industry/Function | Example Data Handled |
| --- | --- |
| Basic Manufacturers | Contract details, delivery schedules, and purchase orders. |
| General Service Providers | Janitorial services, landscaping, catering, or other services that do not touch sensitive systems. |
| Commercial Off-the-Shelf (COTS) Suppliers | Companies providing standard, unmodified commercial products (note: COTS product providers are generally exempt from CMMC, but the service providers they use may need Level 1). |
Level 2: Advanced
Level 2, which applies to organizations that handle Controlled Unclassified Information (CUI), requires adherence to 110 security controls based on the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).
Level 2 assessment requirements vary:
- For “prioritized” acquisitions (systems, services, or capabilities critical to national security or mission success), a certification assessment must be conducted by a Certified Third-Party Assessment Organization (C3PAO) every three years, with an affirmation of continued compliance submitted annually.
- For “non-prioritized” acquisitions, a Level 2 self-assessment is accepted; it must likewise be repeated every three years and backed by an annual affirmation. The solicitation, not the contractor, determines which assessment type applies.
Example of Who Needs Level 2
| Industry/Function | Example Data Handled |
| --- | --- |
| Aerospace & Defense Subcontractors | Manufacturing blueprints, test procedures, engineering designs, and technical specifications. |
| IT & Managed Service Providers (MSPs/MSSPs) | Companies managing network security, email, or cloud infrastructure for defense contractors where those systems process, store, or transmit CUI. Under the final rule, such external service providers are assessed within their customer’s scope, and a cloud provider holding CUI must meet FedRAMP Moderate or equivalent. |
| Research & Development (R&D) Firms | Early-stage design information, research data, or analysis related to DOW programs. |
| Specialized Component Manufacturers | Companies making custom parts for weapons systems, aircraft, or sensitive technology. |
Level 3: Expert
Reserved for organizations managing the most sensitive CUI, often in environments targeted by Advanced Persistent Threats (such as sophisticated attacks by nation-state actors), Level 3 builds on the 110 NIST SP 800-171 controls and adds 24 selected requirements from NIST SP 800-172.
Assessments at this level are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and an organization must already hold a Level 2 C3PAO certification for the same scope before a Level 3 assessment can take place.
Example of Who Needs Level 3
| Industry/Function | Example Data Handled |
| --- | --- |
| Major Defense Prime Contractors | Large firms handling weapon system development and integration. |
| Key Intelligence & Warfare Support | Companies involved in highly sensitive research, intelligence gathering, or operational technology for critical missions. |
| Developers of Highly Sensitive Technology | Contractors handling unclassified technical data for sensitive programs where a compromise could significantly impact national security. |
Scope and Applicability
CMMC applies to all DOW contractors and subcontractors whose systems process, store, or transmit FCI or CUI. This includes prime contractors and their supply chains. Under the “flow-down” requirement, a prime must pass the applicable CMMC level down to each subcontractor based on the information that subcontractor will receive: a subcontractor receiving CUI must meet Level 2 (or Level 3 where the contract specifies it), while one receiving only FCI needs Level 1, even if the prime itself holds a higher level.
Acquisitions solely for commercial off-the-shelf (COTS) items are exempt from CMMC requirements, but most service providers and manufacturers in the DIB will need to comply.
The CMMC Compliance Timeline and Key Deadlines
The final rules for CMMC have been published in the Federal Register under 32 CFR Part 170 (the program rule) and 48 CFR (the DFARS contract clause). The rollout occurs in four phases, giving contractors time to prepare.
Phase 1: Enforcement Begins
On November 10, 2025, CMMC requirements began appearing in new DOW solicitations and contracts. At this stage, a Level 1 or Level 2 self-assessment is required as a condition of award, and the DOW may at its discretion require Level 2 C3PAO certification in specific solicitations.
Phase 2: Third-Party Assessments Introduced
On November 10, 2026, contracts involving prioritized CUI will begin requiring Level 2 C3PAO certification as a condition of award. Because C3PAO capacity is limited, organizations should schedule these assessments well in advance.
Phase 3: Level 3 and Option Periods
On November 10, 2027, Level 3 requirements (assessed by DIBCAC) begin appearing in applicable solicitations, and Level 2 certification requirements extend to the exercise of option periods on existing contracts. Contractors must have a current assessment or certification and affirmation recorded in the Supplier Performance Risk System (SPRS) to be eligible for award.
Phase 4: Full Implementation
On November 10, 2028, CMMC requirements apply to all applicable DOW solicitations and contracts, including option periods. At that point, compliance is a standard condition of doing business with the DOW.
The Path to Compliance: What Contractors Must Do Now
With deadlines approaching, contractors and subcontractors must take proactive steps to prepare:
1. Determine Your Required Level
Start by identifying the type of data your organization handles. If you work only with FCI, Level 1 applies. If you handle CUI, you will need Level 2, or Level 3 for the most sensitive programs. The required level is stated in each solicitation, so confirm it there rather than assuming.
2. Perform a Gap Analysis
Conduct a thorough self-assessment against the required security controls. For Level 2, this means evaluating your environment against all 110 controls outlined in NIST SP 800-171 r2 and scoring the result using the CMMC scoring methodology, under which each requirement is worth 1, 3, or 5 points out of a maximum of 110. The score matters: a Level 2 assessment can only yield conditional status if the score is at least 88 and every open item sits on a Plan of Action and Milestones (POA&M) closed out within 180 days, and requirements worth more than 1 point generally cannot be deferred to a POA&M. The goal is to identify gaps and prioritize remediation accordingly.
3. Develop a System Security Plan (SSP)
An SSP is a mandatory document that describes your assessment scope (the systems that process, store, or transmit FCI or CUI), which controls are implemented, and how each is implemented. It serves as the foundation for your assessment and must be kept up to date as the environment changes.
4. Submit to SPRS
Once your assessment is complete, the result must reach the DOW’s Supplier Performance Risk System. For a self-assessment, you enter the score and assessment date in SPRS yourself; for a C3PAO assessment, the C3PAO records the result in the CMMC instance of eMASS, from which it is transmitted to SPRS. In both cases a senior company official must enter an affirmation of compliance in SPRS and renew it annually. Supporting documentation such as the SSP is not uploaded; it stays with you and is examined during the assessment.
5. Understand the Role of C3PAOs
C3PAOs are authorized to conduct Level 2 certification assessments for prioritized acquisitions. Engaging a C3PAO early can help avoid delays and ensure your organization is ready when certification becomes a condition of award. Note that conflict-of-interest rules prevent a C3PAO from assessing an organization it has advised on implementing the requirements, so choose your consultant and your assessor separately.
How Registered Practitioner Organizations Can Help
A Registered Practitioner Organization (RPO) can play an important role in helping companies prepare for CMMC certification. Its support can be valuable during the early stages of readiness, where understanding and implementing the necessary cybersecurity controls can be challenging.
One of the primary ways an RPO contributes is by helping organizations interpret the CMMC framework and its alignment with the requirements of NIST SP 800-171 r2. This involves clarifying each level of certification and how those requirements apply to the organization’s specific environment.
RPOs often begin with a readiness assessment or gap analysis to identify where the organization’s current cybersecurity posture falls short of CMMC requirements. This analysis results in a clear roadmap for remediation, allowing the organization to prioritize actions and allocate resources effectively.
Beyond identifying gaps, RPOs assist in developing and implementing the technical controls, policies, and procedures needed to meet CMMC requirements. This includes helping with CUI scoping, risk management strategies, and system hardening.
They also support the creation of documentation critical for passing a formal CMMC assessment, such as:
- System Security Plans (SSPs)
- Plans of Action and Milestones (POA&Ms)
- Incident response plans
- Risk assessments
RPOs may also provide training and education to internal teams to ensure team members are equipped to maintain compliance over time.
Some RPOs offer ongoing monitoring and advisory services to help organizations address evolving standards and threats.
RPOs can also support Organizations Seeking Assessment (OSAs) during their C3PAO assessment as subject matter experts, helping the OSA understand what the assessors are asking for and present the appropriate evidence. A trusted advisor is valuable during an assessment, which is a demanding exercise for most organizations.
Providing a Competitive Edge
CMMC has evolved from a future consideration into an active requirement with fast-approaching deadlines. Organizations that fail to comply risk losing access to defense contracts and exposing sensitive information to cyber threats.
In contrast, contractors that demonstrate CMMC compliance will be well-positioned to compete in the defense marketplace.
To learn more about CMMC compliance, contact us.