CMMC 2.0: WHAT DEFENSE CONTRACTORS NEED TO KNOW

CMMC 2.0 OVERVIEW

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the defense industrial base supply chain.

THE THREE LEVELS

Level 1: Foundational - Requires basic cyber hygiene practices corresponding to 17 controls from NIST 800-171. Annual self-assessments are permitted. This level focuses on protecting FCI.

Level 2: Advanced - Implements all 110 security requirements from NIST 800-171 to protect CUI. Most contractors will need this level. Level 2 allows for self-assessment or third-party assessment depending on contract requirements and criticality.

Level 3: Expert - Adds enhanced security measures based on a subset of NIST 800-172 controls for the most critical programs and highest risk contractors. Requires government-led assessment.

KEY CHANGES FROM CMMC 1.0

CMMC 2.0 streamlined the model significantly, reducing it from five levels to three and aligning it more closely with existing NIST standards. The new model allows annual self-assessments at Levels 1 and 2 for most contractors, with third-party assessments, conducted every three years, required for higher-priority programs.

ASSESSMENT AND CERTIFICATION

The certification process involves documentation review, technical testing, and interviews. Organizations must demonstrate not just that controls are implemented but that they are effective. Plans of Action and Milestones (POA&Ms) provide a pathway for addressing gaps while maintaining certification eligibility.

PREPARING FOR CMMC

Start with a gap assessment against NIST 800-171 requirements. Develop a System Security Plan (SSP) documenting your security architecture and control implementations. Implement technical controls for access management, audit logging, and data protection. Establish processes for incident response, security awareness training, and continuous monitoring.

LET'S GET YOU CMMC READY

CMMC compliance doesn't have to be overwhelming. We help defense contractors navigate requirements, conduct gap assessments, and prepare for successful certification. Reach out to discuss your timeline and compliance needs.