If you’re a defense contractor or subcontractor, CMMC 2.0 is probably on your radar.
Our team has been tracking CMMC changes since the first draft. In this guide, we are breaking down the updates, explaining the CMMC 2.0 levels and requirements, answering the most common questions, and talking next steps.
What is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s updated framework to ensure defense contractors and subcontractors have the required safeguards in place to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Contractors can achieve CMMC certification through a self-assessment, Certified Third-party Assessor Organization (C3PAO) assessment, or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) evaluation based on their CMMC level.
What is the difference between CMMC 1.0 and 2.0?
The biggest changes:
When will CMMC 2.0 be required in DoD contracts?
In September 2025, the DoD published the 48 CFR final rule, which makes CMMC certification and continuous compliance a requirement in new DoD contracts and solicitations. Rule 48 CFR part 204 will go into effect on November 10, 2025.
Once rule 48 CFR part 204 goes into effect, CMMC Phase 1 implementation will begin. During this phase, DoD contracts and solicitations will require CMMC Level 1 or Level 2 self-assessments. By Phase 4, CMMC requirements will be included in all applicable DoD contracts, solicitations, and option periods on contracts.
What are the CMMC requirements at each level?
CMMC 2.0 has three tiered levels, and they are tied to the type of information you handle.
Level 1 (Self)
All requirements must be met; no POA&M (Plan of Action & Milestones) is allowed. After each self-assessment, companies must affirm compliance in the Supplier Performance Risk System (SPRS).
Level 2 (Self & C3PAO)
- Self-assessment is allowed for CUI that falls outside the National Archives' Defense Organizational Index Grouping.
- C3PAO certification is required for higher-risk CUI that is categorized under the National Archives' Defense Organizational Index Grouping.
Companies can earn conditional Level 2 status with at least 80% compliance and a POA&M listing unmet requirements. All gaps must be closed within 180 days, followed by a closeout assessment to achieve final certification. If not completed on time, conditional status expires. Compliance must be reaffirmed in SPRS annually, but full reassessment is only required every three years.
Level 3 (DIBCAC)
Level 3 applies to companies handling high-priority CUI, including:
- CUI associated with a breakthrough, unique, and/or advanced technology
- Significant aggregation or compilation of CUI in a single information system or IT environment
- Ubiquity – when an attack on a single information system or IT environment would result in widespread vulnerability across DoD
It builds on Level 2 and requires 110 controls from NIST SP 800-171 R2 plus 24 advanced controls from NIST SP 800-172. Assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Like Level 2, a POA&M is allowed at the conditional stage. Companies must score at least 80% on the Level 3-specific controls and close all POA&M items within 180 days to reach final certification.
At a glance: CMMC 2.0 levels compared
| CMMC 2.0 Level | Who Needs It? | Requirements | Assessment Type | POA&M Allowed? | Renewal |
|---|---|---|---|---|---|
| Level 1 (Self) | Companies handling Federal Contract Information (FCI) | 15 controls aligned with FAR clause 52.204-21 (access controls, malware protection, system scans, audit logs) | Self-assessment | No | Annual affirmation in SPRS |
| Level 2 (Self & C3PAO) | Companies handling Controlled Unclassified Information (CUI) | 110 controls from NIST SP 800-171 R2 covering access control, incident response, configuration management, and more | Self-assessment or C3PAO assessment, based on how the CUI is categorized in the National Archives' CUI Registry Defense Organizational Index Grouping | Yes, must close gaps within 180 days | Annual affirmation; full reassessment every 3 years |
| Level 3 (DIBCAC) | Companies handling high-priority CUI (advanced tech, system ubiquity, CUI with significant aggregation in a single system) | 110 controls from NIST SP 800-171 R2 + 24 controls from NIST SP 800-172 | Assessed by DIBCAC | Yes, must close gaps within 180 days | Annual affirmation; full reassessment every 3 years |
What steps should you take now?
Even if your first contract with CMMC 2.0 requirements is some time away, starting now puts you ahead of the competition and reduces a last-minute scramble.
Here’s what we recommend:
Need assistance with CMMC 2.0 certification & compliance?
Our skilled information security team offers comprehensive CMMC 2.0 gap assessments and readiness preparation to help you identify weaknesses, close security gaps, and build a compliant System Security Plan. We are also partnered with a C3PAO, giving you a direct path from readiness to official certification.
Whether you need to achieve CMMC 2.0 Level 1, Level 2, or Level 3, our team can provide the strategic guidance you need to get started!
Click below to explore our CMMC compliance services or contact us today to get started!