CMMC 2.0: What Defense Contractors Must Do Now

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now in effect. For the 300,000+ companies in the Defense Industrial Base (DIB), compliance is no longer optional—it's a prerequisite for winning and retaining Department of Defense contracts. This guide explains the requirements, levels, timelines, and the practical steps contractors must take to achieve certification and maintain eligibility.
Key Takeaways
- CMMC 2.0 is now the standard. The program has transitioned from pilot to full implementation. DoD contracts now require contractors to meet CMMC certification levels before award—no more self-attestation for Level 2.
- Level 1 applies to all contractors handling Federal Contract Information (FCI). Seventeen basic security requirements from FAR 52.204-21. Self-assessment required. No third-party assessment needed.
- Level 2 applies to contractors handling Controlled Unclassified Information (CUI). 110 security requirements aligned with NIST SP 800-171. Requires third-party assessment by a C3PAO (Certified Third-Party Assessment Organization).
- Level 3 is for the most sensitive programs. Reserved for contractors handling critical national security information. Requires NIST SP 800-172 controls and government-led assessments.
- Compliance is a journey, not a sprint. The average timeline for Level 2 certification is 12-24 months. Start with a gap assessment, build a remediation plan, and allocate resources now—waiting will cost contracts.
The Department of Defense spends over $400 billion annually with contractors in the Defense Industrial Base (DIB). For decades, cybersecurity requirements for these contractors were inconsistently enforced. Self-attestation was the norm. Compliance was assumed. The reality—as demonstrated by breaches at major defense contractors and the theft of terabytes of sensitive data—was far different.
The Cybersecurity Maturity Model Certification (CMMC) program was created to close this gap. After significant revision, CMMC 2.0 is now the standard. It replaces self-attestation with verified compliance. It requires third-party assessment for contractors handling sensitive information. And it applies to the entire supply chain—primes and subcontractors alike.
This guide explains everything defense contractors need to know about CMMC 2.0: the levels, the requirements, the timelines, and the practical steps to achieve certification.
The CMMC 2.0 Framework
CMMC 2.0 establishes three levels of certification, aligned with the sensitivity of information handled.
| Level | Information Type | Requirement | Assessment |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | 17 controls (FAR 52.204-21) | Self-assessment, annual affirmation |
| Level 2 | Controlled Unclassified Information (CUI) | 110 controls (NIST SP 800-171) | Third-party (C3PAO) triennial assessment |
| Level 3 | Critical national security information | 110+ enhanced controls (NIST SP 800-172) | Government-led assessment |
What Changed from CMMC 1.0:
- Reduced from 5 levels to 3
- Eliminated Level 4 and Level 5
- Aligned Level 2 directly with NIST SP 800-171 (previously 800-171 plus 20 additional practices)
- Established triennial assessments for Level 2
- Maintained third-party assessment requirement for Level 2 (no self-attestation)
"CMMC 2.0 is not a suggestion. It is a requirement for doing business with the Department of Defense. Contracts will not be awarded to contractors who cannot demonstrate compliance."
Level 1 — Foundational (FCI Contractors)
Who It Applies To:
Any contractor that handles Federal Contract Information (FCI), even if it does not handle Controlled Unclassified Information (CUI). FCI is information generated or provided under a contract that is not intended for public release.
The Requirement:
Seventeen basic security requirements from FAR 52.204-21. These are foundational controls that every contractor should already have in place:
- Access control (3 controls)
- Awareness and training (1 control)
- Audit and accountability (2 controls)
- Configuration management (2 controls)
- Identification and authentication (1 control)
- Incident response (1 control)
- Media protection (2 controls)
- Physical protection (1 control)
- System and communications protection (2 controls)
- System and information integrity (2 controls)
Assessment:
- Self-assessment conducted by the contractor
- Annual affirmation of continued compliance
- No third-party assessment required
- Documentation must be maintained for potential DoD review
Timeline:
Level 1 requirements are already in effect. Contractors must be compliant to be eligible for contracts requiring Level 1.
Level 2 — Advanced (CUI Contractors)
Who It Applies To:
Any contractor that handles Controlled Unclassified Information (CUI). This includes most prime contractors and many subcontractors in the defense supply chain.
The Requirement:
110 security requirements aligned with NIST SP 800-171 (Revision 2). These controls are organized into 14 families:
| Family | Controls |
|---|---|
| Access Control (AC) | 22 controls |
| Awareness and Training (AT) | 3 controls |
| Audit and Accountability (AU) | 9 controls |
| Configuration Management (CM) | 7 controls |
| Identification and Authentication (IA) | 11 controls |
| Incident Response (IR) | 3 controls |
| Maintenance (MA) | 3 controls |
| Media Protection (MP) | 4 controls |
| Personnel Security (PS) | 2 controls |
| Physical Protection (PE) | 6 controls |
| Risk Assessment (RA) | 3 controls |
| Security Assessment (CA) | 5 controls |
| System and Communications Protection (SC) | 16 controls |
| System and Information Integrity (SI) | 6 controls |
Assessment:
- Third-party assessment conducted by a C3PAO
- Assessments are valid for 3 years
- Organizations must maintain continuous compliance between assessments
- Results are submitted to the DoD's SPRS (Supplier Performance Risk System)
Key Changes:
- No more self-attestation for Level 2
- C3PAO assessment required for all contractors
- Annual affirmation of compliance between triennial assessments
Timeline:
- Level 2 requirements are now in effect
- Contractors must be certified before award for contracts requiring Level 2
- Assessment capacity is increasing, but scheduling lead times are 6-12 months
Level 3 — Expert (Critical Programs)
Who It Applies To:
A subset of contractors handling the most sensitive information, typically on high-priority defense programs.
The Requirement:
All 110 NIST SP 800-171 controls, plus enhanced requirements from NIST SP 800-172. These additional controls address:
- Advanced persistent threats (APTs)
- Supply chain risk management
- Enhanced audit and monitoring
- Advanced access controls
- Cyber resiliency requirements
Assessment:
- Government-led assessment (not C3PAO)
- Assessments are conducted by DoD or designated federal agencies
- Valid for 3 years, with annual affirmations
Timeline:
- Phased implementation for Level 3
- Prioritized for highest-priority programs
- Contractors will be notified if they are required to achieve Level 3
The Assessment Process
For Level 2 contractors, the assessment process is the most significant change from previous requirements.
Step 1: Prepare Your Organization
- Inventory CUI across your environment
- Implement NIST SP 800-171 controls
- Develop and document policies and procedures
- Establish continuous monitoring and evidence collection
- Conduct an internal readiness assessment
Step 2: Select a C3PAO
- The DoD maintains a list of authorized C3PAOs
- C3PAOs are accredited by the CMMC Accreditation Body (Cyber-AB)
- Request quotes and assess availability (lead times vary)
- Verify the C3PAO has experience in your industry and scope
Step 3: Conduct the Assessment
- The C3PAO reviews documentation (policies, procedures, evidence)
- The C3PAO tests controls (interviews, technical testing, site visits)
- Findings are documented and scored
- A final assessment report is submitted to SPRS
Step 4: Achieve Certification
- If the assessment demonstrates compliance, the contractor receives certification
- Certification is valid for 3 years
- The certification is recorded in SPRS
Step 5: Maintain Compliance
- Between assessments, contractors must maintain continuous compliance
- Annual affirmations of continued compliance
- Remediate any findings from the assessment
- Prepare for triennial reassessment
Assessment Costs:
Level 2 assessments typically cost:
- Small contractors: $20,000 – $50,000
- Mid-size contractors: $50,000 – $150,000
- Large contractors: $150,000 – $500,000+
These costs vary based on scope, environment complexity, and readiness.
The Compliance Timeline — How to Get Ready
Achieving CMMC 2.0 Level 2 certification typically requires 12-24 months of preparation. Here's a realistic timeline.
Phase 1: Gap Assessment
Months 1-3
- Engage a CMMC-registered practitioner or C3PAO for a readiness assessment
- Map current controls against NIST SP 800-171 requirements
- Identify gaps and prioritize remediation
- Document the current state
Deliverable: Gap Assessment Report with remediation roadmap
Phase 2: Remediation
Months 3-12
- Implement missing controls
- Update policies and procedures
- Deploy necessary tools (MFA, logging, encryption, etc.)
- Train staff on new processes
- Establish continuous monitoring and evidence collection
Deliverable: Fully implemented controls, documented evidence
Phase 3: Pre-Assessment
Months 12-15
- Conduct an internal readiness assessment
- Engage a C3PAO for a pre-assessment (optional but recommended)
- Remediate identified gaps
- Organize evidence for the assessment
Deliverable: Readiness validated, evidence organized
Phase 4: Formal Assessment
Months 15-18
- C3PAO conducts the assessment
- Remediate any findings identified during the assessment
- Address requests for additional evidence
Deliverable: CMMC certification
Phase 5: Continuous Compliance
Ongoing
- Maintain controls
- Update documentation
- Collect evidence continuously
- Prepare for triennial reassessment
"The organizations that succeed with CMMC start early. The ones that wait until RFPs require certification find themselves scrambling—or worse, ineligible."
Common Pitfalls and How to Avoid Them
Pitfall 1: Treating CMMC as an IT Project
The Problem: Organizations treat CMMC as a technical checklist managed by IT. They miss the governance, policy, and process requirements.
The Solution: CMMC is an organizational program. Engage compliance, legal, HR, and executive leadership. IT implements controls; the organization maintains them.
Pitfall 2: Underestimating Documentation
The Problem: Organizations focus on technical controls and underestimate the documentation required—policies, procedures, plans, evidence.
The Solution: Documentation is 40-50% of the effort. Start early. Use templates. Assign documentation owners. Review and update regularly.
Pitfall 3: Waiting for the RFP
The Problem: Organizations wait until a contract requires CMMC to begin preparation. By then, it's too late—certification takes 12-24 months.
The Solution: Start now. Every defense contractor will eventually need CMMC. Early preparation positions you to win contracts when competitors are ineligible.
Pitfall 4: Not Involving the Supply Chain
The Problem: Prime contractors don't flow down requirements to subcontractors. Subcontractors aren't prepared when primes need certified partners.
The Solution: Primes must communicate requirements to subcontractors early. Subcontractors must prepare in parallel with primes.
Pitfall 5: Selecting the Wrong C3PAO
The Problem: Organizations choose the cheapest or fastest C3PAO without assessing experience, methodology, or fit.
The Solution: Interview multiple C3PAOs. Ask about experience with organizations your size, industry, and environment. Request references. Evaluate approach.
Special Considerations for Subcontractors
CMMC applies to the entire supply chain, not just prime contractors.
Subcontractor Requirements:
- Subcontractors handling FCI must meet Level 1
- Subcontractors handling CUI must meet Level 2
- Primes are responsible for ensuring subcontractors are certified
Key Challenges:
- Subcontractors may not have direct relationships with DoD
- Subcontractors may receive conflicting requirements from multiple primes
- Smaller subcontractors may lack resources for compliance
Recommendations for Subcontractors:
- Engage with your primes early and understand what they require
- Start your compliance journey regardless of prime requirements
- Consider shared services or consortium models for smaller contractors
- Document your compliance so you can demonstrate it to multiple primes
Resources and Support
Official Resources:
- CMMC Website: dodcio.defense.gov/CMMC/
- CMMC Accreditation Body (Cyber-AB): cyberab.org
- NIST SP 800-171: csrc.nist.gov
- SPRS: DoD system for recording assessments
Finding a C3PAO:
- The Cyber-AB maintains a list of authorized C3PAOs
- Interview multiple C3PAOs before selecting one
- Verify credentials and experience
Finding a Registered Practitioner:
- Registered Practitioners (RPs) can help with readiness assessments
- RPs cannot conduct formal assessments (only C3PAOs can)
- RPs are a cost-effective way to prepare
The Cost of Non-Compliance
The consequences of non-compliance are significant:
Loss of Contract Eligibility:
- DoD contracts now require CMMC certification
- Without certification, you cannot bid on new contracts
- Existing contracts may require certification for renewal
Supply Chain Exclusion:
- Primes will not subcontract to uncertified vendors
- Certification becomes a competitive requirement
Legal and Financial Exposure:
- Violations of DFARS 252.204-7012 can result in contract penalties
- Data breaches involving CUI trigger breach notification and potential liability
Reputational Damage:
- Non-compliance signals a poor security posture
- Customers may question your ability to protect sensitive information
Conclusion: The Time to Act is Now
CMMC 2.0 is no longer a pilot or a future requirement. It is the standard for doing business with the Department of Defense. Contracts are being awarded to certified contractors. Primes are requiring certification from subcontractors. And the window for preparation is closing.
For contractors who start now, the path is clear:
1. Determine your required level (Level 1 for FCI, Level 2 for CUI)
2. Conduct a gap assessment against the requirements
3. Build a remediation plan and allocate resources
4. Implement controls, document policies, and collect evidence
5. Engage a C3PAO and achieve certification
For contractors who wait, the cost is not just the expense of compliance—it's the loss of contracts, exclusion from the supply chain, and the inability to compete in the defense market.
The DoD has made its position clear: verified cybersecurity is a prerequisite for doing business, and CMMC 2.0 is how the Department enforces it. The question is not whether you will need certification. It's whether you'll have it when you need it.
Ready to start your CMMC journey?
Let's discuss how TruePillar can help your organization navigate CMMC 2.0 requirements—from gap assessment through remediation and third-party assessment with a C3PAO.