CMMC 2.0: The Cybersecurity Certification Every DoD Contractor Needs

#Why DoD finally ran out of patience

For a decade, defense contractors treated cybersecurity like a checkbox. NIST 800-171 was a self-assessment. Nobody was really checking. Meanwhile Chinese APT40, Russian intelligence, and North Korean operators were pulling Controlled Unclassified Information out of the Defense Industrial Base in bulk. F-35 specs. Missile defense research. Satellite engineering. Submarine designs. Billions in stolen IP. The numbers are public and ugly.

The Pentagon had enough. CMMC 2.0 is the result.

Every contractor that handles CUI now has to be independently certified. No more self-attestation. No more "we'll get to it after this contract." An accredited third-party assessor signs off or your contract doesn't close. The rollout runs from 2024 through 2028 in staged phases, and the DoD has published explicit consequences: miss your level, lose your eligibility.

Rollout happens in phases from 2024 through 2028. Contractors who can't meet their required CMMC level won't be eligible for DoD contracts at their level. This affects:

• Prime contractors (Lockheed, Raytheon, Boeing, etc.)
• Large and mid-size subcontractors
• Small businesses selling parts, services, or research to DoD
• Software vendors with DoD customers
• IT services firms supporting DoD work
• International partners who want DoD contracts

Estimated scope: ~300,000 contractors and subcontractors in the Defense Industrial Base.

This post walks through what CMMC 2.0 requires, the three levels, the assessment process, common preparation mistakes. And the realistic timeline to get ready.

#The high-level framework

CMMC 2.0 has three levels:

#Level 1: Foundational

For contractors handling only Federal Contract Information (FCI). Not CUI.

• 17 practices from NIST SP 800-171 (the underlying control framework)
• Self-assessment. Contractor certifies their own compliance
• Senior official attestation required
• Annual reassessment

Most small contractors with limited DoD scope end up at Level 1. Low bar, but still requires real implementation.

#Level 2: Advanced

For contractors handling Controlled Unclassified Information (CUI).

• All 110 practices from NIST SP 800-171
• Third-party certified assessment (for most contracts)
• Self-assessment with senior attestation (for lower-priority contracts)
• Every three years recertification
• Plan of Action and Milestones (POA&M) for known gaps

Most prime contractors and significant subcontractors will end up at Level 2. This is the critical level for most the Defense Industrial Base.

#Level 3: Expert

For contractors handling CUI for the most sensitive DoD programs (nuclear, certain intelligence, critical national security systems).

• All 110 NIST 800-171 practices plus selected additional practices from NIST SP 800-172
• DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment. Federally-conducted
• Every three years recertification

Fewer contractors. Typically large defense primes with specific highest-sensitivity work.

#The NIST SP 800-171 foundation

CMMC 2.0 largely wraps NIST SP 800-171, which has been the underlying requirement for DoD contractors handling CUI since 2017. The 110 practices are organized into 14 families:

#3.1 Access Control (22 practices)

• Limit system access to authorized users and devices
• Separate duties to reduce risk of malevolent activity
• Employ least privilege
• Use non-privileged accounts for normal activity
• Prevent unauthorized execution of user code
• Log access control events

#3.2 Awareness and Training (3 practices)

• Ensure managers, administrators, and users are aware of security risks
• Provide training on cybersecurity best practices
• Provide security awareness training on insider threat indicators

#3.3 Audit and Accountability (9 practices)

• Create and retain system audit logs
• Ensure actions of individual system users can be uniquely traced
• Review and update logged events
• Alert in the event of audit logging failure
• Protect audit information
• Limit management of audit logging to authorized users

#3.4 Configuration Management (9 practices)

• Establish and maintain baseline configurations
• Track and approve configuration changes
• Analyze security impact of changes
• Define, document, approve, and enforce security configuration settings
• Employ principle of least functionality
• Restrict non-essential programs
• Apply deny-by-exception for application whitelisting

#3.5 Identification and Authentication (11 practices)

• Identify system users, processes, and devices
• Authenticate (or verify) identities before granting access
• Use multi-factor authentication for privileged accounts and for access to sensitive CUI
• Use replay-resistant authentication mechanisms
• Prevent reuse of identifiers
• Disable inactive identifiers
• Enforce a minimum password complexity
• Prohibit password reuse

#3.6 Incident Response (3 practices)

• Establish an operational incident-handling capability
• Track, document, and report incidents
• Test the organizational incident response capability

#3.7 Maintenance (6 practices)

• Perform maintenance on organizational systems
• Provide controls on maintenance tools
• Ensure equipment removed for off-site maintenance is sanitized
• Check media containing diagnostic programs for malicious code
• Require multifactor authentication for nonlocal maintenance sessions
• Supervise maintenance activities

#3.8 Media Protection (9 practices)

• Protect media containing CUI
• Limit access to CUI on media
• Sanitize or destroy media containing CUI before disposal or reuse
• Mark media with necessary CUI markings
• Control access to media and maintain accountability
• Implement cryptographic mechanisms for media containing CUI in transit

#3.9 Personnel Security (2 practices)

• Screen individuals before authorizing access to systems containing CUI
• Ensure CUI and systems are protected during and after personnel actions

#3.10 Physical Protection (6 practices)

• Limit physical access to organizational systems, equipment, and operating environments
• Protect and monitor the physical facility and support infrastructure
• Escort visitors and monitor visitor activity
• Maintain audit logs of physical access
• Control and manage physical access devices
• Enforce safeguarding measures for CUI at alternate work sites

#3.11 Risk Assessment (3 practices)

• Periodically assess risk to organizational operations
• Scan for vulnerabilities in organizational systems
• Remediate vulnerabilities in accordance with risk assessments

#3.12 Security Assessment (4 practices)

• Periodically assess the security controls in organizational systems
• Develop and implement plans of action
• Monitor security controls on an ongoing basis
• Develop, document, and periodically update system security plans

#3.13 System and Communications Protection (16 practices)

• Monitor, control, and protect organizational communications
• Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security
• Separate user functionality from system management functionality
• Prevent unauthorized and unintended information transfer via shared system resources
• Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
• Terminate network connections at the end of sessions or after defined time periods
• Establish and manage cryptographic keys

#3.14 System and Information Integrity (7 practices)

• Identify, report, and correct system flaws in a timely manner
• Provide protection from malicious code
• Monitor system security alerts and advisories
• Update malicious code protection mechanisms
• Perform periodic scans of organizational systems
• Monitor inbound and outbound communications traffic
• Identify unauthorized use of systems

The bare framework. Each practice expands into multiple sub-requirements.

#The assessment process

#For Level 1 (self-assessment)

1. Contractor implements 17 practices
2. Documents implementation via a System Security Plan (SSP)
3. Senior official attests to implementation
4. Submits annual attestation via Supplier Performance Risk System (SPRS)

#For Level 2 (C3PAO-assessed)

1. Contractor implements all 110 practices
2. Develops and maintains System Security Plan (SSP)
3. Develops Plan of Action and Milestones (POA&M) for any gaps
4. Engages a Certified Third-Party Assessment Organization (C3PAO)
5. C3PAO conducts on-site / remote assessment
6. Identifies any deficiencies, ensures remediation
7. Issues certification (typically valid 3 years)
8. Maintains continuous compliance
9. Triennial reassessment

C3PAO selection: there are ~50 accredited C3PAOs across the US. Assessment costs typically run $30K-$300K+ depending on organization size and complexity. Lead times can be 3-12 months currently given capacity constraints.

#For Level 3 (DIBCAC-assessed)

1. Level 2 requirements plus additional NIST SP 800-172 practices
2. Federally-conducted assessment by DIBCAC
3. More rigorous than C3PAO assessments
4. Limited availability. DIBCAC has capacity constraints

#The rollout timeline

Phased implementation starting late 2024:

Phase 1 (late 2024 - late 2025): CMMC requirements start appearing in select DoD solicitations. Contractors bidding on affected contracts must be certified by contract award.

Phase 2 (late 2025 - mid 2026): CMMC Level 1 and Level 2 requirements broadly applied to most DoD contracts.

Phase 3 (2026-2027): CMMC Level 3 requirements phase in for highest-sensitivity work.

Full implementation (by 2028): All applicable DoD contracts have CMMC requirements. Non-compliant contractors can't compete.

Current state (April 2026): we're in Phase 2. Most defense contractors are actively preparing or have preliminary certifications.

#The timeline reality

The gap between "we should start preparing" and "we've our CMMC certification" is typically 12-24 months for an unprepared organization.

Specific steps and timelines:

Month 1-3: Gap analysis

• Identify current state against NIST SP 800-171 requirements
• Scope the CUI environment
• Identify missing practices
• Estimate remediation cost and effort

Month 3-9: Remediation

• Implement missing practices
• Document implementations
• Develop System Security Plan
• Develop Plan of Action and Milestones

Month 9-12: Readiness testing

• Internal assessment or mock assessment
• Close any remaining gaps
• Tune documentation
• Train staff

Month 12-18: C3PAO engagement

• Select and contract C3PAO
• Scope assessment
• Conduct assessment
• Respond to findings
• Obtain certification

Month 18-24: Maintenance cadence established

• Continuous compliance monitoring
• Quarterly internal reviews
• Annual attestation updates
• Planning for triennial reassessment

Contractors who start 6 months before their contract requires certification are often unable to be ready on time. DoD has flexibility, but the contract award may go to a competitor who is certified.

#Common preparation mistakes

#Mistake 1: Believing you don't handle CUI

Many contractors believe they don't handle CUI. Actual practice often includes:

• Schematics and drawings of DoD-related products
• Specifications and performance data
• Export-controlled technical data
• Personnel information about cleared employees
• Communications with DoD customers that reference sensitive programs
• Code for defense applications

Anything that's marked as CUI or that's "controlled unclassified information" per DoD guidelines counts. Most contractors with any DoD business handle some CUI.

#Mistake 2: Self-assessment shortcut

Contractors expected to do Level 2 C3PAO assessment sometimes attempt self-assessment first. The self-assessment is valid only for a subset of Level 2 contracts (lower-priority). For most Level 2 needs, third-party assessment is required. Self-assessment documents aren't directly reusable for C3PAO assessment.

#Mistake 3: Scoping too broadly

Contractors sometimes put every system in their organization under CMMC scope. This multiplies assessment effort and cost. Narrower scope (only the "Authorization Boundary" where CUI lives) reduces effort dramatically.

Best practice: segment CUI systems into a distinct, well-defined enclave. Scope CMMC to the enclave. Keep CUI out of the broader corporate environment.

#Mistake 4: Treating SSP as a checkbox document

The System Security Plan is the foundational document that assessors scrutinize. A generic template with placeholder text won't pass assessment.

Effective SSPs describe:

• Actual architecture
• Actual control implementations with evidence references
• Actual policy language
• Named responsible parties
• Operational reality, not aspirational statements

#Mistake 5: POA&M treated as a permanent bucket for gaps

Plans of Action and Milestones identify gaps and commit to remediation timelines. Some contractors use POA&M as a permanent holding bin ("we'll fix this later"). CMMC assessors evaluate whether POA&M items are being remediated on schedule. Stale POA&M items become compliance findings.

#Mistake 6: MFA deployment half-done

Multi-factor authentication is required for privileged accounts and CUI access. "We have MFA" is a common claim that doesn't hold up when assessors check:

• Service accounts without MFA
• Legacy systems exempted from MFA
• SMS-only MFA (deprecated under new NIST guidance)
• MFA only on email, not on file systems containing CUI

#Mistake 7: Supply chain oversight

Your subcontractors and suppliers handling CUI must also meet CMMC requirements at appropriate levels. Managing subcontractor certification is an ongoing program, not a one-time exercise.

Common failure: prime contractor passes assessment, then subcontractor without certification is found to have handled CUI during the contract. Prime is on the hook.

#Mistake 8: Documentation archeology

Documentation must be current, versioned, and available. Contractors who point to "documentation in SharePoint somewhere" fail assessment. Assessors expect documents they can retrieve, with clear ownership and update history.

#Mistake 9: Staff turnover without knowledge transfer

CMMC implementations often depend on specific individuals' knowledge. When those individuals leave, the organization may not be able to demonstrate controls during assessment. Treat CMMC knowledge as critical operational knowledge. Document, cross-train, ensure continuity.

#Mistake 10: Thinking cloud providers solve the problem

Using AWS GovCloud or Azure Government for CUI workloads transfers some responsibility to the cloud provider but doesn't fully solve CMMC. The contractor is still responsible for:

• Proper configuration of cloud services
• Access controls
• Incident response
• Audit logging
• Personnel security
• Physical security of endpoints

The cloud provider inherits some infrastructure-level controls. Everything else is on the contractor.

#The cost reality

Rough CMMC cost estimates for Level 2 certification:

Small business (< 50 employees): $50K-$200K first-year preparation + $30K-$80K assessment + $20K-$50K annual maintenance

Mid-size contractor (50-500 employees): $200K-$1M first-year preparation + $80K-$200K assessment + $50K-$200K annual maintenance

Large contractor (500+ employees): $1M-$5M+ first-year preparation + $150K-$500K assessment + $200K-$1M+ annual maintenance

Most significant costs:

1. Security tool deployment (EDR, SIEM, PAM, DLP if not already present)
2. Network architecture (segmentation, CUI enclave)
3. Consulting / implementation support
4. Policy and documentation development
5. Staff training
6. Assessment fees

Ongoing costs:

• Monitoring and operations
• Annual audits
• Triennial reassessment
• Compliance technology subscriptions

For a small contractor primarily interested in DoD work, the cost of compliance is a meaningful share of revenue. For some small businesses, this has been a "CMMC or quit DoD" decision. A significant fraction of small defense contractors have exited the DoD market because they couldn't justify the investment.

#What small contractors should consider

If you're a small business selling to DoD and looking at CMMC:

#Decision 1: Stay in DoD, exit DoD, or pivot

• Stay in: investment required, but DoD contract revenue justifies if the contracts are significant portions of your business.
• Exit: if DoD is a minor revenue share, the compliance investment may not justify. Refocus on commercial markets.
• Pivot: increase commercial work, maintain DoD capability at lower levels, reduce certification scope.

#Decision 2: Compliance approach

• Full internal implementation: build the program in-house. Best long-term outcome, highest upfront cost.
• Outsourced compliance: use a managed service provider (MSP) that specializes in CMMC compliance. Reduces internal burden, costs more monthly.
• Inherited compliance: use cloud services (AWS GovCloud, CMMC-aligned SaaS vendors) that provide much of the control infrastructure. Still requires contractor-side work but reduces what you need to build.

#Decision 3: Subcontracting strategy

• Prime contracts: you hold the contract, you need the certification.
• Subcontracting: work through primes who hold certification. They flow down requirements to you. You may need lower-level certification.
• Partnership: join with a CMMC-certified partner who provides the CUI-handling capability. You provide specialized skills without CUI access.

#For mid-size and large contractors

If you're a prime or significant sub, the approach is different:

• CMMC compliance is table stakes for retention of current contracts
• Competitive differentiation comes from speed, depth, and maturity of compliance
• Your subcontractor management program directly affects your compliance
• Continuous compliance investment is a permanent line item in your operating budget

Strategic considerations:

• Integrate CMMC with ISO 27001 / SOC 2 / other frameworks you maintain
• Use compliance investment as a marketing differentiator
• Support your supply chain's compliance (accelerates your own program)
• Maintain specialists in CMMC requirements. They'll be needed for the indefinite future

#International contractors and partners

CMMC applies to non-US contractors if they handle CUI:

• UK, Canada, Australia, other allied contractors can get certified
• Process is similar but assessment availability varies by region
• ITAR / EAR export controls add complexity
• Some CUI types may not be accessible to non-US nationals regardless of certification

If you're an international partner targeting DoD work, CMMC is a real requirement. Start early.

#For Valtik clients

Valtik provides CMMC preparation services for Connecticut, Massachusetts, Rhode Island, and Dallas / Fort Worth defense contractors:

• Gap assessment against CMMC Level 1 or Level 2 requirements
• System Security Plan development
• Penetration testing scoped to CMMC requirements (the 3.11 family, 3.12 assessments)
• Security control implementation support (MFA, EDR, network segmentation)
• Pre-assessment readiness review before C3PAO engagement
• Ongoing compliance monitoring

Our typical engagement with a mid-size defense contractor runs 6-12 months from start to C3PAO readiness. For small contractors with defined scope, 3-6 months. Reach out via https://valtikstudios.com.

#The honest summary

CMMC 2.0 is the biggest DoD supply chain cybersecurity regulation in the history of the Defense Industrial Base. It's expensive, complex, and unavoidable if you want DoD work.

The reality for most affected contractors: start now if you haven't, get serious about the investment, commit to continuous compliance. And recognize that the 2028 deadline is closer than it looks when you're running multiple 12-24 month preparation programs.

For contractors who genuinely can't afford the investment, the honest decision is to exit DoD work than partially comply and lose contracts anyway. For contractors who can afford it, CMMC is the new cost of doing defense business.

#Sources

1. CMMC Program Overview. DoD
2. NIST SP 800-171 Rev 2: Protecting CUI
3. NIST SP 800-172: Enhanced Security Requirements for Protecting CUI
4. CMMC Accreditation Body (The Cyber AB)
5. Certified Third-Party Assessment Organizations (C3PAOs)
6. DIBCAC. Defense Contract Management Agency
7. DFARS 252.204-7012
8. CMMC Rollout Timeline. DoD
9. AWS GovCloud (US)
10. Microsoft Azure Government