CMMC 2.0: A Practical Guide for Defense Contractors
The Cybersecurity Maturity Model Certification 2.0 is now a contract requirement for many DoD suppliers. If your business holds federal contracts or is in the defense industrial base supply chain, here is what you need to understand about CMMC levels, self-assessment vs. third-party assessment, and how to close the gaps.
CMMC 2.0 is no longer a future concern for defense contractors. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) and you contract with the Department of Defense, CMMC compliance is a contract requirement.
Understanding the Three Levels
CMMC 2.0 simplified the original five-level model into three levels that align more directly with NIST SP 800-171.
Level 1 (Foundational) covers organizations that handle FCI only. It requires annual self-assessment against 17 basic cyber hygiene practices drawn from FAR 52.204-21.
Level 2 (Advanced) applies to organizations that handle CUI. It requires implementation of all 110 practices from NIST SP 800-171. Organizations handling prioritized CUI programs must undergo a third-party assessment by a C3PAO (CMMC Third-Party Assessor Organization). All other Level 2 organizations may self-assess annually, with an affirmation by a senior company official.
Level 3 (Expert) applies to organizations supporting critical DoD programs with the highest-value CUI. It requires assessment by DCSA and is based on NIST SP 800-172.
Where Most Contractors Fall Short
The most common gaps we encounter are in four areas: enforcing multi-factor authentication for every user who accesses CUI, system and communications protection controls, audit log management, and incident response documentation.
System Security Plan (SSP) documentation is also frequently missing or incomplete. CMMC assessors will look at your SSP first. If it does not accurately reflect your environment and controls, the assessment will not go well.
Plan of Action and Milestones
If you have gaps against NIST 800-171, you are required to document them in a Plan of Action and Milestones (POA&M). Having a POA&M is not a disqualifier by itself, but gaps in high-value control families will be scrutinized.
Cyber One Solutions provides CMMC readiness assessments, gap analysis against NIST 800-171, and remediation planning for defense contractors. Contact us to discuss your environment.