Get assessment-ready for CMMC without rebuilding your security program
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.
Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system: they self-attested. MITRE's 2018 "Deliver Uncompromised" study and a 2019 DoD Inspector General audit both found that the self-attestation model was failing. Contractors claimed compliance they had not achieved, and nation-state adversaries were quietly exfiltrating large volumes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.
CMMC 1.0 to CMMC 2.0
The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had five maturity levels, added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. Cybersecurity teams argued that the custom CMMC practices and "maturity processes" diverged from established standards without clear security benefit.
In November 2021 the DoD announced CMMC 2.0, a streamlined successor. CMMC 2.0 collapsed the five levels into three, eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.
The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on December 16, 2024. The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on November 10, 2025 — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about "CMMC" today, we mean CMMC 2.0 as enforced through DFARS.
The three CMMC levels
CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. See the full breakdown of CMMC levels for control counts, assessment types, and scoping rules.
- Level 1 — Foundational. Covers the basic safeguarding of Federal Contract Information (FCI). It requires the 15 basic safeguarding requirements in FAR 52.204-21 (CMMC 1.0 counted them as 17 practices). Any organization that processes FCI under a DoD contract must meet Level 1. It is verified through an annual self-assessment, with a senior official affirming the results in the Supplier Performance Risk System (SPRS).
- Level 2 — Advanced. Protects Controlled Unclassified Information (CUI). It requires all 110 security requirements from NIST SP 800-171 Rev 2 across 14 control families. Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.
- Level 3 — Expert. Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement plus 24 enhanced requirements selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.
The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.
NIST SP 800-171 is the heart of CMMC
CMMC Level 2 is a direct one-to-one mapping to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward NIST SP 800-171 compliance since 2017 did not have to start over.
The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. See the detailed NIST SP 800-171 mapping for the full control family breakdown and cross-framework overlap with NIST CSF and ISO 27001.
Who needs CMMC?
Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need to meet the CMMC level the contract specifies. That is a much broader population than "defense contractors" in the traditional sense. CMMC applies to:
- Prime contractors holding contracts directly with the DoD
- Subcontractors at every tier in the supply chain
- Cloud service providers that store or process CUI for DoD contractors (they must meet FedRAMP Moderate or equivalent, and the services they provide fall inside the contractor's assessment scope)
- Managed service providers and other external service providers with access to FCI or CUI, which are assessed within each customer's scope unless they hold their own CMMC certification
- Foreign suppliers in the defense industrial base handling covered information
CMMC flow-down is one of the most important operational realities. A prime must require each subcontractor to hold the CMMC level appropriate to the information it receives: Level 1 if the subcontractor receives only FCI, and Level 2 if it receives CUI, with a C3PAO certification when the prime's own requirement is Level 2 C3PAO or Level 3. The same rule applies again at every tier, so a tier-three supplier that receives CUI must be certified too. CMMC's reach extends deep into the supply chain. See who needs CMMC for detailed scoping guidance, and our government industry page for broader public-sector compliance context.
Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.
The CMMC assessment process
CMMC assessments come in three forms that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and government-led DIBCAC assessment. Level 1 is assessed as met or not met for each requirement. Levels 2 and 3 are assessed against the NIST SP 800-171A (and, for Level 3, NIST SP 800-172A) assessment objectives, and Level 2 is scored using the DoD Assessment Methodology.
A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts at 110 and deducts 1, 3, or 5 points for each requirement that is not met, weighted by how much the requirement matters to protecting CUI; the floor is -203. A score of 110 yields a final certification. A score of 88 or above, where every open requirement is eligible for a Plan of Action and Milestones (POA&M), yields a conditional certification that must be closed out within 180 days. Requirements worth more than 1 point are not POA&M-eligible (the one exception is the FIPS-validated encryption requirement, SC.L2-3.13.11, when it is partially met), so a single unmet MFA or audit-logging requirement blocks conditional status even at a high score. A score below 88 yields no certification at all.
See the full CMMC assessment process for scoring details, POA&M rules, and what you can and cannot defer.
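To make the scoring and POA&M rules concrete, here is a small Python model. It is an added example, not code from this page or from episki. The 1/3/5 point weights and the 110 to -203 range follow the NIST SP 800-171 DoD Assessment Methodology, and the POA&M eligibility rules follow 32 CFR 170.21 (no open requirement worth more than 1 point, except SC.L2-3.13.11 at 1 or 3 points, and none of the five 1-point requirements the rule names explicitly). The WEIGHTS table is a constructed sample of seven requirements rather than the full 110-row table, and the function names, the Finding/Result types and the PARTIAL_CREDIT table are my own.

```python
"""Worked model of CMMC Level 2 scoring and POA&M eligibility.

Added example, not code from the page or from episki. Weights follow the
NIST SP 800-171 DoD Assessment Methodology (1, 3 or 5 points per requirement,
110 maximum, -203 floor). POA&M eligibility follows 32 CFR 170.21 as
summarised in the lead-in. WEIGHTS is a constructed sample, not the full table.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_THRESHOLD = 88          # 0.8 * 110, rounded up
POAM_WINDOW = timedelta(days=180)

# Constructed sample of requirement weights, keyed by CMMC practice ID.
WEIGHTS = {
    "AC.L2-3.1.1": 5,     # limit system access to authorized users
    "AC.L2-3.1.20": 1,    # control connections to external systems
    "AT.L2-3.2.3": 1,     # insider-threat awareness training
    "AU.L2-3.3.1": 5,     # create and retain audit logs
    "CM.L2-3.4.9": 1,     # control user-installed software
    "IA.L2-3.5.3": 5,     # multifactor authentication
    "SC.L2-3.13.11": 5,   # FIPS-validated cryptography for CUI
}

# Partial-credit deductions the methodology allows for two requirements.
PARTIAL_CREDIT = {
    "IA.L2-3.5.3": {3},        # MFA for remote/privileged users only
    "SC.L2-3.13.11": {1, 3},   # encryption in place but not FIPS-validated
}

# 1-point requirements that 32 CFR 170.21 excludes from any Level 2 POA&M.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One requirement assessed as NOT MET, with the points actually deducted."""
    practice: str
    deducted: int

    def __post_init__(self):
        full = WEIGHTS[self.practice]                  # KeyError on an unknown ID
        allowed = {full} | PARTIAL_CREDIT.get(self.practice, set())
        if self.deducted not in allowed:
            raise ValueError(f"{self.practice}: deduction must be one of {sorted(allowed)}")


@dataclass
class Result:
    status: str                        # "final", "conditional" or "not met"
    score: int
    poam: List[str] = field(default_factory=list)      # requirements deferred to the POA&M
    blockers: List[str] = field(default_factory=list)  # open requirements that cannot be deferred
    poam_deadline: Optional[str] = None                # ISO date, 180 days after assessment


def score(findings: List[Finding]) -> int:
    """Start at 110, subtract each deduction, never go below the -203 floor."""
    return max(MAX_SCORE - sum(f.deducted for f in findings), MIN_SCORE)


def poam_eligible(f: Finding) -> bool:
    """32 CFR 170.21: nothing worth more than 1 point, with one named exception."""
    if f.practice in NEVER_POAM:
        return False
    if f.practice == "SC.L2-3.13.11":
        return f.deducted in (1, 3)
    return f.deducted <= 1


def assess(findings: List[Finding], assessed_on: str) -> Result:
    """Return the certification outcome for a set of NOT MET findings.

    assessed_on is an ISO date string (e.g. "2026-01-15"); the POA&M deadline
    is returned as an ISO string so callers need no datetime handling.
    """
    s = score(findings)
    if not findings:
        return Result("final", s)
    blockers = sorted(f.practice for f in findings if not poam_eligible(f))
    if s < CONDITIONAL_THRESHOLD or blockers:
        return Result("not met", s, blockers=blockers)
    deadline = date.fromisoformat(assessed_on) + POAM_WINDOW
    return Result("conditional", s,
                  poam=sorted(f.practice for f in findings),
                  poam_deadline=deadline.isoformat())


if __name__ == "__main__":
    # Constructed sample: MFA only partially implemented plus two 1-point gaps.
    sample = [Finding("IA.L2-3.5.3", 3), Finding("CM.L2-3.4.9", 1), Finding("AT.L2-3.2.3", 1)]
    print(assess(sample, "2026-01-15"))   # score 105 but "not met": MFA blocks the POA&M
```

The point worth noticing is in the sample run: a 105 is comfortably above 88, yet the assessment still fails because a partially implemented MFA requirement cannot sit on a POA&M. In practice this means the high-weight requirements (MFA, audit logging, access control) must be fully closed before the assessment, and only cheap 1-point items can be deferred into the 180-day window.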
C3PAOs and certified assessors
Third-party CMMC assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ Certified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs) who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.
The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.
CMMC implementation timeline
CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. See the full CMMC implementation timeline for dates and milestones.
- Phase 1 (November 2025 – November 2026). Active now. CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.
- Phase 2 (November 2026 – November 2027). CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.
- Phase 3 (November 2027 – November 2028). CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.
- Phase 4 (November 2028 onward). All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.
CMMC and DFARS
CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. DFARS 252.204-7012 has required safeguarding of covered defense information and rapid incident reporting since 2017. DFARS 252.204-7019 and -7020 added the requirement to post NIST SP 800-171 assessment scores to SPRS. DFARS 252.204-7021, effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. See how CMMC and DFARS relate for the full clause-by-clause picture. For blog-length coverage of DFARS and CMMC in context, see our compliance framework comparison.
Self-assessment vs third-party assessment
Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. Compare CMMC self-assessment vs third-party to decide which applies to you and how to budget.
Handling CUI the CMMC way
Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. See CUI handling under CMMC for marking rules, scoping guidance, and common mistakes.
Subcontractor requirements
CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. See CMMC subcontractor requirements for the full flow-down model and how to reduce the burden.
Getting CMMC ready
CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:
- Scope your CMMC environment. Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.
- Complete your SSP. A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.
- Submit a SPRS score. Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.
- Stand up a POA&M register. Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.
- Review your flow-down. Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. Confirm they are on their own CMMC path.
- Schedule a readiness review. A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.
Common CMMC challenges
- Scoping complexity. Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.
- NIST SP 800-171 gaps. Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.
- POA&M management. Tracking remediation across teams within a 180-day window is hard without tooling. A conditional certification expires if the POA&M closeout assessment is not completed within that window.
- Subcontractor flow-down. Primes must verify subcontractor CMMC status continuously, not once at onboarding.
- Evidence organization. A CMMC assessment can touch hundreds of evidence artifacts. Without a single source of truth, assessors burn billable hours chasing documents.
A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.
CMMC outcomes with episki
Why teams choose episki for CMMC
- 14 control families mapped to 110 security requirements
- AI-drafted implementation narratives and testing procedures
- Gap analysis highlights missing controls before your assessment
- POA&M tracking with 180-day close-out reminders
- Scoring methodology aligned to DoD assessment guide
- Assessor portal with scoped read-only access
- Unified control graph eliminates duplicate documentation
- Evidence collected once, reused across every framework
- Framework coverage dashboard shows gaps at a glance
CMMC readiness checklist inside episki
Plug episki into your stack and work directly from this checklist during the free trial.
- ✓ NIST SP 800-171 control library with mapped CMMC practices
- ✓ Level 1, 2, and 3 scoping guidance and practice sets
- ✓ POA&M register with risk-ranked remediation priorities
- ✓ System Security Plan (SSP) template with AI drafting
- ✓ Evidence library organized by control family