CMMC 2.0: A Comprehensive Guide for DoD Contractors
Key compliance insights and takeaways for defense contractors seeking CMMC compliance.

Key Takeaways
- Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to enhance cybersecurity standards across the Defense Industrial Base (DIB).
- CMMC 2.0 aligns more closely with NIST SP 800-171 by requiring full implementation of its 110 security controls at Levels 2 and 3, eliminating additional process maturity requirements from the original CMMC 1.0 model.
- CMMC certification requirements are expected to be in contracts as early as October 2025.
- Achieving certification generally takes 6–12 months, depending on your current compliance posture and the level your company needs to achieve.
Dig deeper and continue learning below!
Cybersecurity Maturity Model Certification (CMMC 2.0): An Overview
The Cybersecurity Maturity Model Certification (CMMC) is a DoD initiative designed to secure the supply chain and protect Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). It creates a unified cybersecurity standard for all DoD contractors, including prime contractors and subcontractors.
CMMC 2.0 was officially introduced by the U.S. Department of Defense in November 2021 as a streamlined update to the original CMMC framework, which had been published as CMMC Version 1.0 in January 2020. CMMC 2.0 requires organizations to demonstrate compliance through self-assessments or third-party assessments, depending on the CMMC level applicable to their work.
Understanding the CMMC 2.0 Standard
Developed in response to evolving cyber threats and industry feedback, CMMC 2.0 simplified the 1.0 compliance process while aligning more directly with existing federal cybersecurity standards, most notably the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. CMMC 2.0 replaced the original five-tiered model with a simplified three-level structure. It preserves the core cybersecurity requirements while improving clarity and reducing unnecessary complexity.
At its core, CMMC 2.0 aims to:
- Strengthen the security of the defense supply chain
- Increase accountability through a three-tiered certification model
- Streamline the path to compliance for small and medium-sized contractors
How CMMC 2.0 Builds Upon Existing Federal Regulations
CMMC 2.0 integrates practices and controls from:
- NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
- DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
CMMC 2.0 aligns directly with these requirements but adds a tiered certification model that includes both self-assessments and third-party audits, depending on the level of sensitivity.
Unlike CMMC 1.0, which introduced five levels of certification and mandated third-party assessments for most contractors, CMMC 2.0 simplifies the model to three levels, eliminates unique maturity processes and practices, and allows Level 1 and some Level 2 organizations to self-assess annually. This shift was intended to make the framework more accessible, less burdensome, and better aligned with existing standards—while still raising the bar for cybersecurity accountability in the DIB.
» Read More About How CMMC 2.0 Differs From CMMC 1.0
Key Features of the CMMC 2.0 Standard
- Three simplified levels of cybersecurity requirements (reduced from five in CMMC 1.0)
- Alignment with NIST SP 800-171 at Level 2
- Allowance for POA&Ms (Plan of Action & Milestones) under limited, time-bound conditions
- Annual self-assessments for Level 1 and non-prioritized Level 2 contractors (though this latter category is rare)
- Third-party assessment requirements for most Level 2 programs (about 95%)
- Government-led assessments for the highest-risk contracts (Level 3)
These enhancements make the model more scalable, flexible, and attainable, especially for the small to mid-sized businesses who make up roughly 75% of the DIB.
Who Does CMMC 2.0 Apply To?
CMMC 2.0 applies to any organization doing business with the Department of Defense that handles Federal Contract Information (FCI) or CUI, or that is contractually obligated to demonstrate its ability to handle FCI or CUI. This includes:
⇒ Prime contractors
⇒ Subcontractors across the supply chain
⇒ Vendors handling information systems, even if not directly contracting with the government
Learn More About Flow Down Requirements for Subcontractors
The Role of CUI
Controlled Unclassified Information (CUI) is data created or possessed by the government (or by entities working on its behalf) that isn’t classified, but that still requires protection according to applicable laws, regulations, or government-wide policies. The presence of CUI in your environment will typically place your organization in CMMC Level 2 or Level 3, triggering heightened assessment requirements.
Check Out Our Comprehensive Guide to Understanding CUI
The 3 Levels of CMMC 2.0
CMMC 2.0 defines three cybersecurity maturity levels that determine the extent of safeguards an organization must implement.
- CMMC Level 1 – Foundational
Level 1 is the foundational tier of CMMC. It's for DoD contractors, both primes and subcontractors, who handle FCI but not CUI. (However, contractors who don't handle CUI but are contractually obligated to be able to will generally fall under Level 2, not Level 1.)
Level 1 requires adherence to the 15 basic safeguarding requirements of FAR 52.204-21 (the Federal Acquisition Regulation clause). Earlier CMMC models counted these as 17 practices; the final CMMC rule uses the 15 requirements as written in the FAR clause. These practices are straightforward and designed to ensure contractors meet a minimal standard of cybersecurity hygiene.
Key Features:
- Level 1 protects FCI, but not CUI
- It requires adherence to the 15 basic safeguarding requirements of FAR 52.204-21
- Level 1 allows for self-assessment rather than requiring third-party audits, making it less resource-intensive than higher levels. Results are posted to SPRS (Supplier Performance Risk System)
- Applies to 10% of contracts
- CMMC Level 2 – Advanced
Level 2 certification is required for DoD contractors and subcontractors that handle CUI, which includes sensitive but unclassified data such as technical specifications and procurement details. This certification applies to all companies within the DIB working on or bidding on contracts that specify CUI protection requirements.
CMMC Level 2 is fully aligned with the NIST SP 800-171. To ensure that CUI is protected from unauthorized access and advanced threats, Level 2 requires contractors to implement and maintain 110 security controls and 320 objectives across 14 domains.
To achieve Level 2 certification, most companies will have to undergo an assessment by a Cyber AB-authorized CMMC Third-Party Assessment Organization (C3PAO). At least two CMMC Certified Assessors (CCAs) review your security processes along with all relevant documentation, interview key personnel at your company about implementation and procedures, then examine and test your technical controls themselves to determine whether they meet the requirements of NIST SP 800-171.
Key Features:
- Level 2 applies to all companies handling CUI or contractually required to be able to handle CUI.
- The vast majority of DoD contractors will fall under CMMC Level 2.
- Unlike Level 1, which allows self-assessments, most Level 2 contracts require a C3PAO assessment; only a small set of non-prioritized Level 2 contracts permit an annual self-assessment.
- Contractors must maintain robust documentation, including a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), to demonstrate compliance and address gaps.
- Applies to 85% of contracts
- CMMC Level 3 – Expert
Level 3 represents the most advanced tier of CMMC. It’s designed for DoD contractors and subcontractors handling highly sensitive CUI from critical programs that could impact national security if compromised.
CMMC Level 3 includes the 110 security controls from NIST SP 800-171 and adds 24 enhanced requirements drawn from a subset of NIST SP 800-172, providing advanced, comprehensive measures to protect against Advanced Persistent Threats (APTs). Companies seeking Level 3 must first achieve Level 2 certification through a C3PAO, then undergo an assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The Level 3 assessment is repeated every three years.
Key Features:
- Out of over 80,000 contractors in the DIB, only around 1% are expected to need Level 3 certification.
- Level 3 encompasses 134 practices, including all 110 controls from NIST SP 800-171 and an additional 24 practices drawn from NIST SP 800-172.
- It focuses on advanced cyber threat detection, incident response, and proactive defense and recovery mechanisms.
- A DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment is required every three years for Level 3 certification, along with an annual affirmation.
- Applies to 5% of contracts
ISI Insight: Don’t confuse CMMC Level 2 with CMMC 2.0. The former is a security level; the latter refers to the updated version of the overall program.
How CMMC 2.0 Differs From NIST 800-171
While NIST SP 800-171 provides the foundational security requirements for protecting CUI in non-federal systems, CMMC 2.0 is the certification framework developed by the DoD to verify that contractors have actually implemented these requirements — and are ready to handle sensitive information as part of their DoD contracts.
Think of it like this: If NIST 800-171 is the textbook, CMMC is the test. It’s a way for the DoD to ensure you’ve implemented NIST 800-171 with documentation, evidence, and accountability.
CMMC adds teeth to NIST. It introduces formal assessments by a C3PAO or the DIBCAC and disqualifies contractors from awards if they cannot prove compliance.
| Category | NIST 800-171 | CMMC 2.0 |
|---|---|---|
| Purpose | Framework for safeguarding CUI | DoD certification program to enforce implementation |
| Authority | Published by NIST, required under DFARS 252.204-7012 | Managed by the DoD, part of the CMMC program |
| Focus | Technical security controls and accompanying documentation | Certification of implementation, plus oversight |
| Compliance | Self-attested (via SPRS score) | Formal assessments required at Levels 2 & 3 |
| Assessment | No standard process or required audit | 3rd-party or government-led assessments required depending on level |
| Certification Body | None | Cyber AB (the CMMC Accreditation Body) & DIBCAC |
| Enforceability | Indirect, via DFARS clause | Direct, through contract language tied to certification |
How To Achieve CMMC 2.0 Certification
Getting certified under CMMC 2.0 is a strategic journey. Here’s how to plan your path to compliance.
- 1. Assess Your Data
The quickest way to tell if CMMC compliance is a requirement of your contracts is to look for the DFARS clauses governing the protection of CUI in your contracts. These are:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): requires implementation of NIST SP 800-171 and reporting of cyber incidents to the DoD within 72 hours
- DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements): to be eligible for award, you must have a current NIST SP 800-171 DoD Assessment score, not more than three years old, posted in the SPRS database
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): you must maintain the System Security Plan (SSP) your score is based on, give the DoD access to conduct Medium or High assessments, and flow the requirement down to subcontractors
- DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements): you must hold the CMMC level specified by the contract at the time of award and maintain it for the life of the contract
Review your data environment—including digital files, emails, and physical records—to determine what types of CUI you handle, where your CUI resides, and who interacts with it. Assess your current retention policies to see if they align with compliance requirements.
- 2. Determine Your CMMC Level
Review your contracts to confirm which CMMC level corresponds to your obligations. If you're unsure, consult contracting officers or CMMC experts to ensure you're targeting the correct one. Planning ahead for higher-level requirements may also be beneficial if your organization intends to pursue more complex contracts in the future.
ISI Insight: The vast majority of DoD contractors that need to meet CMMC requirements will fall under Level 2.
- 3. Decide Who Owns CMMC Compliance for Your Organization
Clear accountability is essential for a successful CMMC compliance effort. Choose someone at your organization to act as the CMMC Compliance Owner. (Common choices include IT managers or FSOs). Assemble a compliance team to support them and clearly define your team members’ roles and responsibilities. Establishing ownership early helps your organization maintain focus and momentum throughout the compliance process.
ISI Insight: An expert partner, like ISI, will help you develop a Shared Responsibility Matrix to provide clear expectations for what is being handled by your consultant and what will be handled by your team.
- 4. Review Your Existing Cybersecurity Framework
Assess your current cybersecurity framework so you can identify any high-level gaps in your policies, tools, and practices that may need adjustment for CMMC readiness. Here are some basic steps:
- Catalogue the cybersecurity measures you already have in place and document your current policies, procedures, and incident response plans.
- Compare your cybersecurity environment with the broader requirements of the CMMC model.
- Evaluate your current cybersecurity training for employees, paying particular attention to gaps in training that may leave your organization vulnerable.
- Make sure you have a clear structure for managing cybersecurity, with designated roles for monitoring and enforcing policies.
- 5. Conduct a NIST 800-171A Rev2 Self-Assessment
NIST 800-171A is an assessment guide that provides detailed procedures for evaluating the 110 security controls outlined in NIST 800-171. Performing a self-assessment with this guide will show you how well your organization is implementing the controls required to protect CUI.
- 6. Establish a System Security Plan (SSP)
A System Security Plan (SSP) is the cornerstone of your cybersecurity compliance efforts. Your SSP should:
- Identify the systems, applications, and environments that store, process, or transmit CUI
- Spell out employees’ roles and responsibilities in maintaining security
- Document your existing security controls
Your SSP provides assessors with a clear understanding of your cybersecurity framework. Update it regularly as your systems or practices evolve.
ISI Insight: Your SSP is a critical document needed for each maturity level of CMMC 2.0. If you submit your score to SPRS without developing or updating your SSP, you're putting your business at a greater risk of a False Claims Act violation.
- 7. Build a Plan of Action and Milestones (POA&M)
Your SSP documents what you currently do. Your POA&M documents what you need to fix. It’s a project plan to guide remediation efforts, prioritize actions, and track progress toward full CMMC compliance.
Review your findings from steps 5 and 6, pinpoint areas where controls are missing or need improvement, and specify precisely what steps are needed to fix them. Prioritize tasks based on their importance to your overall security posture and their urgency for meeting compliance goals. Create a timeline for each action with realistic deadlines and clear roles and responsibilities.
ISI Insight: Build your POA&M at the objective level, not the control level. This is the most foolproof way of ensuring full compliance.
- 8. Set a Timeline for Full CMMC Compliance and Conduct a Self-Assessment
You can now take actionable steps to close compliance gaps and set a clear timeline for achieving full CMMC 2.0 compliance.
Here's how to conduct a thorough self-assessment:
- Review your documentation: Make sure your SSP, POA&M, and any other supporting documents are complete, accurate, and up to date.
- Test control implementations: Verify that all security controls required for your CMMC level are fully implemented and operational.
- Run mock interviews: Prepare your team by running mock interviews based on likely questions a CMMC assessor might ask. Focus on demonstrating understanding and implementation of practices across the 14 CMMC domains.
- Conduct a peer or external review: If possible, engage a third-party consultant or peer reviewer with CMMC expertise to validate your self-assessment findings. Their perspective can help uncover issues you might have overlooked.
- Finalize remediation tasks: Address any remaining gaps or weaknesses identified during the self-assessment to ensure your organization is fully prepared for the formal certification process.
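Steps 5, 7 and 8 above come down to one bookkeeping rule from NIST SP 800-171A: a requirement is "met" only when every one of its assessment objectives is met, so a single unmet objective fails the whole control, and the POA&M should carry one line per unmet objective rather than one per control. The script below is an added example written for this guide, not a tool from the original page or from ISI. It rolls constructed objective-level findings up to control status, builds an objective-level POA&M, and flags target dates that fall outside the 180-day close-out window that the CMMC rule allows after a conditional Level 2 assessment. The objective wording is paraphrased from NIST SP 800-171A; the statuses, evidence strings, owner and dates are made up for the illustration. The rule also restricts which requirements may sit on a POA&M at all and sets a minimum assessment score; neither is modelled here, so treat the date check as one gate among several.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not met"
    NA = "not applicable"


@dataclass(frozen=True)
class Objective:
    control: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    letter: str         # NIST SP 800-171A objective letter, e.g. "b"
    text: str           # objective, paraphrased from NIST SP 800-171A
    status: Status
    evidence: str = ""  # where an assessor can see it (SSP section, export, ...)


# Close-out window for POA&M items after a conditional Level 2 assessment
# (32 CFR 170.21). Used as the default due date and as an upper bound.
POAM_MAX_DAYS = 180

# Constructed sample findings: statuses and evidence are invented for this
# example; objective wording follows NIST SP 800-171A.
SAMPLE = [
    Objective("3.3.1", "a", "audit logs needed for monitoring and investigation are specified", Status.MET, "logging standard"),
    Objective("3.3.1", "b", "the content of audit records is defined", Status.MET, "logging standard"),
    Objective("3.3.1", "c", "audit records are created", Status.MET, "SIEM ingest report"),
    Objective("3.3.1", "d", "audit records contain the defined content", Status.MET, "SIEM sample records"),
    Objective("3.3.1", "e", "retention requirements for audit records are defined", Status.NOT_MET),
    Objective("3.3.1", "f", "audit records are retained as defined", Status.NOT_MET),
    Objective("3.5.3", "a", "privileged accounts are identified", Status.MET, "admin role export"),
    Objective("3.5.3", "b", "MFA is implemented for local access to privileged accounts", Status.NOT_MET),
    Objective("3.5.3", "c", "MFA is implemented for network access to privileged accounts", Status.MET, "IdP MFA policy"),
    Objective("3.5.3", "d", "MFA is implemented for network access to non-privileged accounts", Status.MET, "IdP MFA policy"),
    Objective("3.13.11", "a", "FIPS-validated cryptography protects the confidentiality of CUI", Status.MET, "CMVP certificate numbers in SSP"),
]


def rollup(objectives):
    """Map each requirement to a Status: MET only when every applicable
    objective is MET; one NOT MET objective fails the requirement; all-N/A is N/A."""
    by_control = {}
    for o in objectives:
        by_control.setdefault(o.control, []).append(o.status)
    result = {}
    for control, statuses in by_control.items():
        if Status.NOT_MET in statuses:
            result[control] = Status.NOT_MET
        elif all(s is Status.NA for s in statuses):
            result[control] = Status.NA
        else:
            result[control] = Status.MET
    return result


def gap_summary(objectives):
    """(requirements not met, objectives not met). The second number is the
    real work-item count that a control-level tracker hides."""
    controls = sum(1 for s in rollup(objectives).values() if s is Status.NOT_MET)
    objs = sum(1 for o in objectives if o.status is Status.NOT_MET)
    return controls, objs


def build_poam(objectives, assessed_on, owner, planned=None):
    """One POA&M row per NOT MET objective. `planned` maps (control, letter)
    to a team-chosen target date; rows without one default to the last day of
    the close-out window. within_window is False when the target is later."""
    planned = planned or {}
    deadline = assessed_on + timedelta(days=POAM_MAX_DAYS)
    rows = []
    for o in objectives:
        if o.status is not Status.NOT_MET:
            continue
        due = planned.get((o.control, o.letter), deadline)
        rows.append({
            "item": f"{o.control}[{o.letter}]",
            "gap": o.text,
            "owner": owner,
            "due": due.isoformat(),
            "within_window": due <= deadline,
        })
    return rows


def demo():
    """Run the sample with a constructed assessment date and one target date
    deliberately set past the 180-day window."""
    assessed = date(2025, 3, 10)                       # constructed
    late = {("3.5.3", "b"): date(2025, 10, 1)}         # beyond the window
    return rollup(SAMPLE), gap_summary(SAMPLE), build_poam(SAMPLE, assessed, "IT manager", late)


if __name__ == "__main__":
    statuses, (n_controls, n_objectives), poam = demo()
    for control, status in statuses.items():
        print(f"{control:8} {status.value}")
    print(f"{n_controls} requirement(s) not met, {n_objectives} POA&M item(s)")
    for row in poam:
        flag = "" if row["within_window"] else "  <-- exceeds close-out window"
        print(f'{row["item"]:10} due {row["due"]}  {row["gap"]}{flag}')
```

Run as-is, the sample shows why the objective level matters: two requirements are not met, but three separate fixes are needed, and the 3.5.3[b] target date is flagged because it lands after the window closes. Swap `SAMPLE` for your own 800-171A findings (all 320 objectives, not just the ones shown) and the same functions give you the control-level picture for your SPRS submission and the objective-level work list for your POA&M.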
How To Choose a CMMC Third-Party Assessment Organization (C3PAO)
Selecting a qualified C3PAO is the crucial final step in your journey toward certification. This organization will evaluate your compliance efforts and determine if your organization meets the requirements for your targeted CMMC level.
Only authorized third-party assessment organizations can conduct official CMMC certification assessments, so make sure the C3PAO is authorized by the Cyber AB and listed on its marketplace. Some C3PAOs offer additional services, such as readiness reviews or ongoing support, but remember: you cannot be assessed by the same organization that has been helping you prepare for the assessment, as that is a conflict of interest.
Before finalizing your choice, have a detailed discussion with the C3PAO about their process, timeline, and any preparatory requirements. This ensures clarity and reduces surprises during the assessment.
ISI Insight: Plan ahead. Demand for assessments is growing. There are over 80,000 contractors in the DIB. Contact potential C3PAOs early to inquire about scheduling availability to align with your compliance timeline.

How Can ISI Help Your Business?
We put our money where our mouth is. As of March 10, 2025, we’re one of the first Managed Service Providers (MSPs) to achieve a CMMC Level 2 Certificate of Status under the new standards outlined in CMMC 2.0.
With 3 Registered Providers on staff, 150+ years of combined experience, and a track record of supporting over 1,000 customers in the DIB, we provide expert guidance grounded in NISPOM directives, managed security solutions, and powerful compliance tools to help you navigate CMMC, DFARS, and NIST 800-171 with confidence.