
Understanding The 3 Levels of CMMC 2.0


Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer a future requirement. As of November 2025, Phase 1 enforcement is live, and defense contractors without a current CMMC assessment on file are already being passed over for new solicitations.

The CMMC 2.0 program, codified under Title 32 of the Code of Federal Regulations (CFR), Part 170 and enforced through the Defense Federal Acquisition Regulation Supplement (DFARS) acquisition rule (48 CFR, effective November 10, 2025), establishes three levels of cybersecurity compliance for any organization in the defense supply chain. Your required level is determined by the type of information you handle, as specified by the contracting officer in your solicitation. It is not negotiable, and it is not optional.

This guide breaks down what each of the three CMMC 2.0 levels actually requires: the number of controls, the assessment process, which Plans of Action and Milestones (POA&Ms) are permitted, and which organizations each level applies to. If you're a Department of Defense (DoD, also now referred to as the Department of War) contractor trying to determine where you stand and what comes next, this is your starting point.

 

The Shift to the Tiered Model

CMMC 2.0 Levels

CMMC 1.0 divided contractor requirements across five levels. CMMC 2.0 consolidates the original model into a three-tiered system for DoD contractors. According to the Department of Defense, the new CMMC framework offers a handful of advantages:

  • Focused on Critical Requirements: CMMC 2.0 consolidates the model from five to three compliance levels, streamlining the certification process. This simplification lets organizations focus on the most critical cybersecurity requirements, encouraging a more targeted approach to risk mitigation.
  • NIST SP 800-171: By building directly on the National Institute of Standards and Technology’s (NIST) security requirements rather than a separate CMMC-specific catalog, CMMC 2.0 aligns with established practice and stays compatible with existing industry standards.
  • Reduced Assessment Costs: CMMC 2.0 lets companies at Level 1 (and some at Level 2) demonstrate compliance through self-assessment rather than a paid third-party assessment. This reduction in assessment costs makes the program more accessible across the Defense Industrial Base (DIB).
  • Higher Accountability: With increased oversight of third-party assessors, CMMC 2.0 holds assessors to professional and ethical standards. This oversight promotes confidence in the validity of the certification levels and strengthens the integrity of assessments.

CMMC Level 1: Foundational

CMMC Level 1 is for DoD contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is defined in Federal Acquisition Regulation (FAR) 52.204-21 as “Information not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” — think procurement data, pricing, delivery schedules, and basic contract performance details.

Level 1 requirements began appearing in applicable solicitations and contracts on November 10, 2025, as Phase 1 of CMMC’s four-phased rollout. Level 1 establishes a baseline of cyber hygiene across 15 security requirements drawn from FAR clause 52.204-21 (limiting system access to authorized users, identifying and authenticating users, patching, malware protection, and similar basics). These aren't complex or exotic controls: they're the fundamentals every organization handling government contract data should already have in place.

Unlike the Level 2 certification and Level 3 pathways, which rely on an assessment by a C3PAO or DIBCAC every three years, CMMC Level 1 requires an annual self-assessment and an annual affirmation. Level 1 contractors must have the required CMMC status and affirmation recorded in the Supplier Performance Risk System (SPRS) as a condition of award.

Unlike Level 2, no POA&Ms are permitted at Level 1: all 15 requirements must be fully met before you can affirm compliance. The self-assessment is repeated annually, and the result is entered in SPRS and affirmed by a designated Affirming Official.

One critical point executives often misunderstand: the type of information flowing through your systems — not the size of your contract — determines your required level. If a subcontractor receives any CUI from a prime, Level 1 is no longer sufficient, regardless of contract value. Identifying exactly where CUI enters your environment is the first and most important step in scoping your compliance program.

 

CMMC Level 2: Advanced

CMMC Level 2 is designed for companies that handle CUI. To keep that information protected, Level 2 organizations must implement a defined set of security requirements (commonly called controls): 110 of them, split across 14 families, covering the technical, physical, and procedural safeguards needed to protect CUI.

Achieving CMMC 2.0 compliance at Level 2 requires implementing all 110 requirements from NIST Special Publication (SP) 800-171 Revision 2, mapped across 14 security domains. Every information system that processes, stores, or transmits CUI falls within scope, and so do the security protection assets (identity providers, logging and monitoring, endpoint protection, backup) that provide the controls for those systems, as laid out in the CMMC Level 2 Scoping Guide.

Assessment runs one of two ways, and the DoD, not the contractor, decides which applies to a given solicitation: an annual self-assessment for non-prioritized programs, or a triennial third-party assessment conducted by an accredited Certified Third-Party Assessment Organization (C3PAO) for most contracts involving CUI. Either pathway requires annual affirmation by a senior official.

Your System Security Plan (SSP) is the foundation of your Level 2 assessment. It defines the system boundary and which assets are in scope, maps every requirement to your environment, and describes how each one is implemented. Assessors review it first, and under the NIST SP 800-171 DoD Assessment Methodology a missing SSP means the assessment cannot be conducted at all; a weak or incomplete SSP is the fastest way to fail before the assessment begins.

Level 2 permits POA&Ms, but with strict limits set out in 32 CFR 170.21. An open item is allowed only for a requirement weighted at one point under the NIST SP 800-171 DoD Assessment Methodology; 3- and 5-point requirements must be fully met, with a single exception: SC.L2-3.13.11 (CUI encryption) may remain open if it is already implemented with non-FIPS-validated encryption for partial (3-point) credit. Five one-point requirements can never be deferred: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. Your assessment score must be at least 88 of 110 to receive Conditional Level 2 status, and every open item must be closed and verified within 180 days of the assessment, with no extensions; otherwise the conditional status expires.
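The following Python is an added example (not ISI's tooling and not part of the original post) that applies the Level 2 scoring and POA&M rules above to a set of assessment findings. The requirement table is a constructed subset of the 110 with the point values from the NIST SP 800-171 DoD Assessment Methodology; verify each weight against the current published table before relying on it. The status labels ('met', 'partial', 'not_met') and the function names are conventions of this example, not terms from the methodology.

```python
from datetime import date, timedelta

MAX_SCORE = 110              # one point per NIST SP 800-171 Rev 2 requirement
CONDITIONAL_MIN_SCORE = 88   # 80% of 110: the floor for Conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180     # every open POA&M item must be closed within this window

# Constructed subset of the 110 requirements with their DoD Assessment Methodology
# point values (illustrative: verify each against the current methodology table).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.5.3": 5, "3.6.3": 1, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.11": 5, "3.14.1": 5,
}
# The two requirements the methodology lets you partially implement for a 3-point
# deduction instead of 5 (MFA for only some users; non-FIPS-validated encryption).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# One-point requirements that 32 CFR 170.21 excludes from a Level 2 POA&M regardless of score.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The only requirement that may sit on a POA&M at a point value above 1 (at partial credit).
PARTIAL_POAM_OK = {"3.13.11"}


def deduction(req: str, status: str) -> int:
    """Points subtracted for one requirement. status is 'met', 'partial' or 'not_met'."""
    if req not in WEIGHTS:
        raise KeyError(f"unknown requirement {req}")
    if status == "met":
        return 0
    if status == "not_met":
        return WEIGHTS[req]
    if status == "partial":
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req} has no partial-credit option; score it met or not_met")
        return PARTIAL_DEDUCTION[req]
    raise ValueError(f"unknown status {status!r}")


def sprs_score(findings: dict[str, str]) -> int:
    """Score = 110 minus the deductions for every requirement not fully met.
    Requirements absent from findings are treated as met."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_eligibility(findings: dict[str, str]) -> tuple[bool, list[str]]:
    """Apply the Level 2 POA&M rules: score >= 88, only one-point gaps (plus 3.13.11 at
    partial credit), and none of the excluded one-point requirements.
    Returns (eligible, list of blocking reasons)."""
    reasons = []
    total = sprs_score(findings)
    if total < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {total} is below the {CONDITIONAL_MIN_SCORE} floor")
    for req, status in findings.items():
        if status == "met":
            continue
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} may never be placed on a POA&M")
        elif status == "partial" and req not in PARTIAL_POAM_OK:
            reasons.append(f"{req} at partial credit is still a {WEIGHTS[req]}-point gap")
        elif status == "not_met" and WEIGHTS[req] > 1:
            reasons.append(f"{req} is a {WEIGHTS[req]}-point requirement and must be fully met")
    return (not reasons), reasons


def poam_deadline(assessment_iso: str) -> str:
    """Last day (ISO date) to close every open POA&M item after a conditional assessment."""
    assessed = date.fromisoformat(assessment_iso)
    return (assessed + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed findings: one one-point gap plus encryption that is not yet FIPS-validated.
    findings = {"3.6.3": "not_met", "3.13.11": "partial"}
    print("score:", sprs_score(findings))            # 106
    print("POA&M eligible:", poam_eligibility(findings))
    print("close-out by:", poam_deadline("2026-03-02"))
    # A single 5-point gap keeps the score high but still blocks a conditional certificate.
    print(poam_eligibility({"3.1.1": "not_met"}))
```

The point of the second check in the usage block is the one executives miss: a score of 105 looks healthy, but one open 5-point requirement means no certificate, conditional or otherwise, until it is fully met.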

For most DIB contractors, Level 2 isn’t optional — it's a condition of contract award. The question isn't whether to pursue it, but how prepared you are when the assessor arrives.

 

CMMC Level 3: Expert

Level 3 targets contractors handling CUI on the DoD’s most critical programs, where the threat model explicitly includes Advanced Persistent Threats (APTs). It requires all 110 NIST SP 800-171 requirements of Level 2 plus 24 selected enhanced requirements from NIST SP 800-172.

A Final Level 2 certification from a C3PAO is a prerequisite. The Level 3 assessment itself is conducted every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on behalf of the DoD, with annual affirmation in between, and focuses on the enhanced protection measures and advanced practices that go beyond Level 2.

 


What’s the Difference Between FCI and CUI? 

FCI (Federal Contract Information) and CUI (Controlled Unclassified Information) are two different types of information the Department of Defense requires contractors to protect.

  • FCI is information provided by or generated for the government under a contract that isn’t intended for public release. Organizations that only handle FCI typically fall under CMMC Level 1. 
  • CUI includes more sensitive data tied to national security, export controls, or other regulated programs. Because CUI carries a higher risk profile, it triggers stricter security requirements under NIST SP 800-171, the regulatory framework that underlies CMMC Level 2 certification. 


Contractors handling CUI must demonstrate stronger access control, authentication, and incident response capabilities across their information systems. 

What Is the Phased Rollout Timeline for CMMC?

The Department of Defense is implementing CMMC through a four-phased rollout tied to rulemaking in Title 32 and Title 48 of the CFR.

Phase 1 began on November 10, 2025, the effective date listed in the final 48 CFR rule. Certain contracts have begun requiring annual self-assessments for CMMC Level 1 and some CMMC Level 2 programs.

Phase 2 begins one year later, in November 2026. This phase introduces mandatory third-party assessments (i.e., C3PAO assessments) for contractors who handle CUI and must meet CMMC Level 2 certification. Defense contractors must successfully complete a CMMC assessment conducted by an authorized C3PAO before receiving certain contract awards. (Note: While Phase 2 doesn’t start until November 2026, primes can flow these requirements down sooner.)

Phase 3 starts in November 2027. In Phase 3, CMMC requirements expand to a broader set of defense contracts, including programs that require the advanced protections associated with CMMC Level 3 and corresponding DIBCAC certification.

Phase 4 in November 2028 marks full implementation across the DoD acquisition system. By this point, the framework is expected to be fully integrated into DoD procurement and supply-chain security requirements.

Do Subcontractors Need To Be CMMC Certified?

Yes. If a subcontractor receives or processes FCI or CUI as part of a contract, the prime contractor must ensure that the appropriate security requirements flow down through the supply chain. This typically occurs through the CMMC DFARS clause (252.204-7021) included in the contract. The required level follows the information, not the tier: a subcontractor that only receives FCI needs Level 1, while one that receives any CUI needs Level 2. In practice, the majority of subcontractors will need CMMC Level 2 certification.

How Much Does CMMC Level 2 Certification Cost?

The cost of CMMC Level 2 certification varies widely depending on the maturity of a contractor’s existing cybersecurity program. Organizations with strong controls already aligned to NIST SP 800-171 may spend tens of thousands of dollars preparing documentation and completing a CMMC assessment, while companies with major vulnerabilities or outdated information systems may need to invest significantly more in infrastructure, policies, and compliance support. For many small businesses, preparation and remediation represent the largest investment rather than the assessment itself.

How Many Controls Are in Each CMMC Level?

Level 1 contains 15 basic safeguards focused on protecting FCI. Level 2, which aligns with NIST SP 800-171, includes 110 controls covering areas such as access control, authentication, configuration management, media protection, and incident response. Level 3 builds on Level 2 with an additional subset of advanced security practices derived from NIST SP 800-172, designed to defend against more sophisticated cyber threats.

How Many Companies Will Need CMMC Level 2?

The DoD estimates that roughly 80,000 contractors across the DIB will need CMMC Level 2 certification because they handle CUI. This group includes many small businesses, subcontractors, and mid-sized defense suppliers.

Can You Self-Assess CMMC Level 2?

In some cases, organizations may perform an annual self-assessment for CMMC Level 2, but only when the contract allows it. The majority of companies that fall under Level 2 will need a third-party assessment performed by a C3PAO instead. Even when self-assessments are permitted, contractors must still document their system security plan (SSP), evaluate their cybersecurity posture against the assessment guide, and report results through DoD reporting systems.

How Long Does It Take to Get CMMC Level 2 Certified?

The Level 2 certification timeline varies depending on your initial readiness: companies that already meet most NIST SP 800-171 security requirements may complete preparation and a formal CMMC assessment in a few months. Others may need a year or more to address gaps. Assessment lead times are currently 9–12 months out and growing as we approach the November 2026 deadline for Phase 2 implementation, when Level 2 certification requirements will begin appearing in contract language. Organizations that start early and follow a structured risk management approach generally reach certification faster.

What Happens If You Fail CMMC Certification?

Failing a CMMC assessment can delay or exclude you from contract eligibility and damage your reputation in the DIB. Depending on the situation, contractors may need to remediate gaps identified during the assessment and schedule a follow-up evaluation before receiving CMMC 2.0 certification.

What Are POA&Ms and When Are They Allowed?

Plans of Action and Milestones (POA&Ms) document specific security gaps, who owns them, and the steps and dates for closing them. Under CMMC 2.0, no POA&M is permitted at Level 1. At Level 2, a limited POA&M is allowed only if the assessment score is at least 88 of 110 and every open item is a one-point requirement (SC.L2-3.13.11 may stay open at partial credit, and five specific one-point requirements are excluded). Higher-weighted requirements, which include most of the access control, authentication, and incident response controls that protect CUI, must be met before any certificate is issued. Open items are tracked against their milestones and must be closed out within 180 days of the assessment, so a POA&M is a short-term bridge, not a way to defer remediation.

ISI not only builds your System Security Plan (SSP) and POA&Ms, we also keep them accurate and audit-ready year-round. Unlike general MSPs that provide templates or one-time checklists, ISI uses a purpose-built DIB compliance platform to map every NIST 800-171 control, assign owners, track evidence, and automate updates as your environment changes. Our compliance experts maintain the documentation, our engineers close technical gaps, and our platform ensures your SSP and POA&Ms always reflect your true security posture to make CMMC Level 2 certification far easier and more dependable.

ISI: Your Trusted Partner for CMMC Compliance in the Defense Industrial Base

ISI specializes exclusively in the DIB, helping mid-sized contractors meet the rigorous cybersecurity and documentation standards required by the DoD (also known as the Department of War). As one of the first MSPs in the U.S. to earn CMMC Level 2 certification, we understand both the technical requirements of CMMC/NIST SP 800-171 and the day-to-day realities faced by small DIB IT teams.

What sets us apart from general IT providers?

  • Purpose-built expertise: Our compliance frameworks, assessment tools, and managed services were developed specifically for DoD contractors handling CUI.
  • End-to-end support: From gap assessments and remediation planning to readiness reviews and C3PAO coordination, we help you streamline every step toward certification.
  • Integrated platform: ISI combines cybersecurity, IT, and compliance management under one roof—reducing vendor complexity and ensuring continuous protection and documentation.
  • Real-world results: We’ve guided hundreds of DIB clients through successful assessments, helping them stay contract-eligible and audit-ready without disrupting daily operations.

 
