The Ultimate Guide to CMMC 2.0: Cybersecurity Maturity Model Certification

If your company does business with the US Department of Defense, CMMC is no longer optional. The rule is now final, contracts are beginning to include CMMC requirements, and self-attestation is only available at Level 1. If you’re handling Controlled Unclassified Information and haven’t started, the clock is ticking.

This guide walks you through what CMMC 2.0 actually is, which level your company needs to achieve, what the assessment process looks like, and how to avoid the most common implementation mistakes. Whether you’re a prime contractor, a subcontractor three tiers deep in the DoD supply chain, or somewhere in between, this framework applies to you.

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification is a DoD-created framework designed to measure and improve the cybersecurity posture of companies in the Defense Industrial Base. The operative word here is certification — not just compliance assessment, but third-party verification that you actually meet the standard.

CMMC 2.0, which became the official standard in 2023, addresses shortcomings in the original CMMC 1.0 framework. The new version is simpler, faster to achieve, and more directly tied to actual DoD contract language. It establishes three levels of maturity, each corresponding to specific practices and controls.

The DoD isn’t mandating CMMC out of bureaucratic habit. Defense contractors have been a prime target for nation-state cyber operations for years. The goal is straightforward: reduce the attack surface of the defense supply chain by ensuring that organizations handling sensitive information meet baseline security standards. For your company, that means CMMC requirements are now embedded in Requests for Proposal (RFPs), contract award language, and flow-down clauses to your subcontractors.

Who Does CMMC Apply To?

CMMC applies to any organization in the Defense Industrial Base that handles either Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). This includes prime contractors, subcontractors at any tier, and suppliers who touch defense contracts. If you’ve ever won a DoD contract, or you supply to someone who has, CMMC likely applies to you.

The scope can be broader than you’d expect. You don’t have to be a traditional defense contractor to be in scope. If you process, store, or transmit CUI or FCI — even in a small division of your company — then the organization as a whole typically falls under CMMC requirements. Smaller suppliers and niche vendors are increasingly asked to achieve CMMC certification as part of their contract requirements.

One critical note: CMMC requirements flow down through the supply chain. If you’re a prime contractor, you must ensure your subcontractors meet the same CMMC level (or sometimes a lower, specified level) that your contract demands. This creates cascading compliance obligations.

The Three CMMC Levels Explained

CMMC 2.0 establishes three distinct levels, each with increasing scope and rigor.

Level 1: Foundational covers 17 basic security practices focused on protecting Federal Contract Information. These practices are fundamental—things like access control, encryption of sensitive information, and awareness training. Level 1 is assessed by self-assessment: you perform the assessment internally and attest to compliance annually. There’s no third-party verification, no official certification from the DoD, and no C3PAO involvement. Level 1 is the entry point for organizations just beginning their cybersecurity maturity journey. It’s also the only level where self-assessment is permitted under CMMC 2.0.

Level 2: Advanced encompasses 110 practices drawn from NIST SP 800-171 (Security Requirements for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Level 2 is where most mid-market DoD contractors end up. This level requires third-party assessment by a DoD-certified C3PAO (CMMC Third-Party Assessment Organization) for many organizations, though a carve-out exists for some smaller companies and service providers who can self-assess. The assessment is conducted triennially (every three years), though continuous monitoring expectations apply between assessments. Level 2 is substantially more comprehensive than Level 1 and involves documentation, policy review, and technical controls verification.

Level 3: Expert builds on Level 2 with additional advanced practices from NIST SP 800-172 and incorporates threat intelligence, incident response coordination, and advanced monitoring. Level 3 is government-led; the DoD’s DIB Cybersecurity Assessment Center (DIBCAC) conducts the assessment, not a C3PAO. Very few organizations are required to achieve Level 3; it’s reserved for prime contractors with access to the most sensitive defense information. Assessment frequency at Level 3 is also triennial, but the stakes are significantly higher, and the breadth of controls is substantially deeper.

Each level builds on the previous one. You don’t replace Level 1 practices when moving to Level 2; you add to them. Understanding which level your specific contracts require is your first priority. Don’t assume you need Level 3. Most companies in the DIB are Level 2.

What Is CUI and Why Does It Matter?

Controlled Unclassified Information is unclassified information that requires safeguarding and has limitations on distribution. CUI includes technical data, contract information, proprietary business information, and sensitive personal information of DoD personnel or contractors. The key distinction: CUI is unclassified but still subject to strict handling requirements under federal regulation.

Federal Contract Information is a subset of CUI; it’s information that identifies a DoD contract and includes contract data, pricing, and technical specifications. If you’re processing FCI, CMMC applies to your organization. If you’re processing broader CUI categories (think defense-related technical information), CMMC still applies.

The reason CUI matters for CMMC is that the entire framework is organized around protecting it. Level 1 explicitly focuses on FCI protection. Level 2 extends to broader CUI categories. Level 3 assumes the most sensitive unclassified information is in scope. Your CMMC implementation should be explicitly built around identifying where CUI and FCI are located, who accesses it, and what controls protect it.

Many companies underestimate the scope of CUI in their operations. It’s not just in a secure server in your IT infrastructure. CUI can be embedded in design documents, email, project management systems, vendor communications, and employee devices. Your gap assessment should include a thorough CUI inventory as a foundational step.

CMMC 2.0 vs. CMMC 1.0: What Changed

CMMC 1.0, introduced in 2019, was ambitious but flawed. It defined five maturity levels with 171 practices across all five levels. The model was comprehensive but unwieldy, expensive to implement, and slower to assess. The DoD received significant pushback from industry about implementation costs, timeline complexity, and assessment bottlenecks (the government had too few authorized assessors to process all the required certifications).

CMMC 2.0, finalized in 2023, simplified the framework significantly. The most visible change is the reduction from five levels to three. The 2.0 model also aligned directly with NIST SP 800-171 and NIST SP 800-172, eliminating a separate CMMC-specific control taxonomy. For practitioners, this means if you’re already familiar with NIST controls, CMMC 2.0 won’t feel like a completely new framework.

The second major change is the move away from universal third-party assessment. In CMMC 1.0, third-party assessment was mandatory for all levels above the foundational level. In CMMC 2.0, self-assessment is permitted at Level 1, and some smaller organizations can self-assess at Level 2 if they meet specific criteria (typically organizations with fewer than 100 employees or those in certain service provider categories). This change reduces costs and timeline pressure for smaller organizations.

A third significant shift is the introduction of self-attestation and POA&M flexibility. If you’re not ready to achieve full Level 2 compliance before a contract starts, you can work with the DoD on a Plan of Action and Milestones to reach compliance within an agreed timeframe. This wasn’t cleanly available under CMMC 1.0.

The timeline for assessment has also changed. CMMC 1.0 required annual or triennial recertification depending on level. CMMC 2.0 specifies triennial assessments for both Level 2 and Level 3, with continuous monitoring expectations in between. This reduces the frequency of formal re-assessment but increases expectations for ongoing security monitoring.

CMMC 2.0 vs. NIST SP 800-171: Understanding the Relationship

NIST SP 800-171 is a NIST special publication that provides security requirements for protecting CUI in nonfederal systems. CMMC 2.0 Level 2 directly implements the NIST SP 800-171 control set. If you achieve CMMC Level 2, you’ve essentially implemented NIST 800-171 controls.

NIST SP 800-172, published more recently, provides enhanced security requirements for protecting CUI in nonfederal systems. CMMC 2.0 Level 3 incorporates NIST SP 800-172 controls on top of the NIST SP 800-171 foundation.

The relationship is direct: CMMC 2.0 is the DoD’s certification model for NIST compliance in the defense supply chain. You don’t implement both NIST 800-171 and CMMC separately; CMMC certification confirms NIST 800-171 compliance.

The CMMC Assessment Process: What to Expect

Understanding the assessment process helps you plan realistic timelines and budgets. Here’s how it works for Level 2 (the most common assessment):

Your organization engages a DoD-authorized C3PAO to conduct the assessment. The C3PAO reviews your security policies, controls documentation, and technical environment to verify that your practices align with NIST SP 800-171 requirements. The assessment typically takes several months from kick-off to conclusion.

Before the official assessment, most organizations conduct a gap assessment—an internal or third-party review to identify weaknesses before the formal evaluation. A gap assessment isn’t required by CMMC, but it’s highly recommended; it gives you a chance to remediate obvious gaps without failure on the official assessment record.

Once you’re confident you’re ready, you formally engage a C3PAO. The C3PAO conducts interviews, reviews documentation, tests controls, and validates that your organization has implemented and operationalized the required practices. For Level 2, the C3PAO produces a detailed CMMC Assessment Report (CAR) that becomes part of your compliance record with the DoD.

If you pass, the DoD’s DIB Risk Management Accountability System (DRMIS) is updated to reflect your Level 2 certification. Your company is now CMMC-authorized for three years. During those three years, you’re expected to maintain the controls and participate in continuous monitoring (typically logging security metrics and incident reports).

If you fail or are found to be non-compliant, you don’t lose your certification immediately, but you’re expected to develop a Plan of Action and Milestones to address deficiencies. You can be reassessed before the triennial deadline if you believe you’ve remediated gaps.

For Level 3, the process is similar, but the DIB Cybersecurity Assessment Center (DIBCAC) conducts the assessment on behalf of the DoD. DIBCAC assessment is more intensive and typically involves government assessors visiting your facility. Level 3 assessments are also less common, because fewer organizations are in scope.

Common CMMC Compliance Mistakes

Several patterns emerge across organizations implementing CMMC. Avoiding them saves time, money, and reassessment cycles.

The first mistake is treating CMMC as a checkbox exercise rather than a maturity initiative. CMMC isn’t just a compliance document to store in a folder. It requires actual operationalization of security practices. Many organizations pass assessment and then immediately relax controls, only to discover non-compliance during continuous monitoring or re-assessment. The controls have to stick.

Second, many organizations underestimate how many information systems are in scope. They often identify only IT infrastructure that’s obviously connected to CUI but miss systems that indirectly process, store, or transmit it—development environments, test systems, cloud storage, third-party tools, and even personal devices used for work. Defining a comprehensive system boundary is essential before assessment.

Third, insufficient documentation is rampant. CMMC requires evidence that practices are documented and operationalized. Policies need to exist, be current, and be actively followed. Many organizations have outdated policies or policies that exist but aren’t enforced. Your documentation review during assessment is your first real test. If policies can’t be found or are obsolete, you’ll face findings.

Fourth, organizations often fail to train staff on the practices they’re claiming to implement. If your security awareness program exists but employees haven’t actually completed it, or if your access control policy exists but permissions are granted ad-hoc, you’ll fail assessment. Controls need to be understood and consistently applied.

Fifth, many miss the continuous monitoring requirement between triennial assessments. CMMC 2.0 doesn’t require constant third-party surveillance, but it does expect organizations to maintain audit logs, track security metrics, report incidents, and demonstrate that controls remain in place. If you wait until re-assessment to dig through logs and incidents, you may not have the evidence to prove continuous compliance.

Finally, organizations often choose the wrong C3PAO or rush the selection process. Not all C3PAOs are created equal. Some have deep defense industry experience; others are newer to the framework. Taking time to vet assessors, understand their methodology, and ensure they have relevant experience in your industry reduces friction during assessment.

How Long Does CMMC Certification Take?

Timelines vary significantly based on your starting posture and the level you’re targeting.

Level 1 is the quickest. Many organizations can complete a Level 1 self-assessment within weeks if they’re already maintaining basic access controls and awareness training. The self-assessment is straightforward, and there’s no third-party delay.

Level 2 typically takes 6 to 12 months from decision to certification, assuming you’re starting from a moderate security baseline. If you’re building controls from scratch—no existing policies, no access control system, no vulnerability scanning—add 6 to 12 months more. Add another 2 to 3 months if you conduct a pre-assessment gap review before engaging a C3PAO. The C3PAO assessment itself typically spans 3 to 6 months depending on your organization’s complexity and system scope.

Level 3 assessment is less common but typically takes 12 to 24 months because of the intensity of government-led assessment and the complexity of the additional controls required.

These timelines assume you’re not starting from zero. If your company has never implemented a security program, add significant time. Conversely, if you already have a mature NIST SP 800-171 implementation from other federal contracts, you might compress the Level 2 timeline to 3 to 4 months.

One critical point: don’t confuse assessment timeline with implementation timeline. You can’t rush implementation just because assessment is fast. Controls take time to operationalize, staff need training, and systems need hardening. Most delays in CMMC programs stem from underestimating implementation time, not assessment time.

CMMC Compliance Checklist: Where to Start

Starting a CMMC program? Here’s the sequence:

Determine your required CMMC level based on your current and anticipated DoD contracts. Review your contract language, RFPs, and prime contractor requirements to establish whether you need Level 1, 2, or 3.

Conduct or commission a gap assessment. This identifies the gap between your current state and the target level. A gap assessment isn’t a formal CMMC assessment, but it tells you what work lies ahead.

Establish governance. Assign clear ownership for the CMMC program. Typically, this lands with your CISO, IT director, or Chief Compliance Officer. Create a steering committee or working group that includes IT, legal, procurement, and business leadership.

Develop a detailed implementation roadmap. Based on your gap assessment, outline the specific controls you need to implement, the order of implementation, timeline estimates, and resource requirements.

Build or update policies. CMMC relies heavily on documented policies and procedures. Review NIST SP 800-171 requirements and develop policies that address each practice your level requires. Policies should be specific to your organization and actually used (not generic boilerplate).

Implement technical controls. Hardening systems, deploying vulnerability scanning, configuring access controls, and establishing encryption take substantial time and resources. Prioritize high-impact controls that address common findings.

Train your workforce. Security awareness training is required at all CMMC levels. More importantly, users need to understand the specific controls affecting their work—how to handle CUI, how to manage access, what to do with physical information, etc.

Establish continuous monitoring. Set up logging, metrics tracking, and incident reporting processes. These will be required during assessment and for ongoing compliance.

Engage a C3PAO (for Level 2 and 3). Once you’re confident you’re near compliance, formally engage a certified assessor. Timing this correctly is important—too early and you’ll have findings that require rework; too late and you miss contract deadlines.

How Soter Advisory Can Help

CMMC 2.0 implementation is complex, and the stakes are real. If you’re in the Defense Industrial Base, ignoring CMMC means losing access to new DoD contracts or jeopardizing existing ones. But implementing it correctly—building sustainable security practices rather than rushing to assessment—requires expertise.

Soter Advisory works with DoD contractors at every stage of CMMC maturity. We conduct initial gap assessments to understand your current state and what’s required to reach your target level. We help design security policies and controls aligned with NIST SP 800-171, then support implementation and operationalization. We prepare your organization for C3PAO assessment by conducting pre-assessment reviews and remediation support. And we work alongside you during the transition to continuous monitoring, ensuring compliance persists between triennial assessments.

Whether you’re a prime contractor managing CMMC requirements across your supply chain or a smaller subcontractor taking on your first DoD contract, we have the depth to guide you efficiently.

Need help with CMMC 2.0? Soter Advisory works with companies at every stage—from initial gap assessment through to certification and ongoing support. Book a free consultation →