The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now a requirement for defense contractors handling Controlled Unclassified Information (CUI). With the final rule published and enforcement beginning, contractors need to understand their obligations and prepare for certification.
What Changed from CMMC 1.0 to 2.0
CMMC 2.0 simplified the original framework significantly. The five maturity levels were reduced to three, self-assessment options were introduced for lower levels, and the model now aligns directly with existing NIST standards.
- Level 1 (Foundational): 17 practices based on FAR 52.204-21. Annual self-assessment for FCI only.
- Level 2 (Advanced): 110 practices aligned with NIST SP 800-171. Third-party assessment required for critical CUI.
- Level 3 (Expert): 110+ practices including NIST SP 800-172 enhanced controls. Government-led assessment required.
Most contractors handling CUI will need Level 2 certification. This requires implementing all 110 security controls from NIST 800-171 and passing a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
The 14 Control Families
CMMC Level 2 organizes its 110 practices into 14 control families. Understanding these categories helps prioritize implementation efforts.
- Access Control (22 practices): Limit system access to authorized users and transactions
- Awareness and Training (3 practices): Ensure personnel understand security responsibilities
- Audit and Accountability (9 practices): Create and protect audit logs of system activity
- Configuration Management (9 practices): Establish and maintain system configurations
- Identification and Authentication (11 practices): Verify user and device identities
- Incident Response (3 practices): Detect, report, and respond to security incidents
- Maintenance (6 practices): Perform secure system maintenance
- Media Protection (9 practices): Protect and sanitize media containing CUI
- Personnel Security (2 practices): Screen individuals before granting access
- Physical Protection (6 practices): Limit physical access to systems and equipment
- Risk Assessment (3 practices): Assess security risks to operations and assets
- Security Assessment (4 practices): Periodically assess security controls
- System and Communications Protection (16 practices): Monitor and protect communications
- System and Information Integrity (7 practices): Identify and correct system flaws
Timeline and Enforcement
CMMC requirements are being phased into DoD contracts. The timeline depends on contract type and CUI sensitivity.
- 2025: CMMC requirements appear in select new contracts
- 2026: Broader rollout across new solicitations requiring CUI handling
- 2027-2028: Full implementation across the defense industrial base
- Existing contracts: Requirements flow down at option exercise or renewal
Contractors should not wait for specific contract requirements. Assessment preparation takes 6-18 months depending on current security posture. Starting now ensures readiness when CMMC clauses appear in your contracts.
Preparing for Assessment
Gap Assessment
Start with an honest evaluation of your current security controls against NIST 800-171 requirements. Document what exists, what is partially implemented, and what is missing entirely. This gap assessment forms your remediation roadmap.
System Security Plan (SSP)
The SSP documents how your organization implements each security control. Assessors will review this document extensively. It should describe your CUI boundaries, system architecture, and specific control implementations.
Plan of Action and Milestones (POA&M)
For controls not yet fully implemented, the POA&M documents your remediation plan with specific milestones and target dates. Assessors accept POA&Ms for some controls, but core security requirements must be in place.
Common Compliance Gaps
Based on our work with defense contractors, certain control areas consistently present challenges.
- Multi-factor authentication: Required for all CUI access, often missing on legacy systems
- Encryption: CUI must be encrypted at rest and in transit, including email and mobile devices
- Audit logging: Comprehensive logging with protection and retention requirements
- Incident response: Documented procedures and 72-hour DoD reporting requirements
- Supply chain: Flow-down requirements to subcontractors handling CUI
AI and Automation Considerations
Contractors implementing AI systems face additional CMMC considerations. AI tools that process CUI must operate within the certified boundary with appropriate controls.
- Public AI APIs cannot process CUI without specific authorization and controls
- Private AI deployments within the CUI boundary are the compliant path for most use cases
- AI-generated outputs derived from CUI inherit CUI handling requirements
- Model training on CUI requires careful data governance and access controls
We help defense contractors achieve CMMC certification while implementing compliant AI and automation solutions. Our approach addresses both the security controls and the operational improvements that make compliance sustainable. Contact us for a CMMC readiness assessment.