The Cybersecurity Maturity Model Certification 2.0 final rule (32 CFR Part 170) took effect on December 16, 2024, establishing mandatory cybersecurity certification requirements for Department of Defense contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
CMMC does not remove DFARS 252.204-7012, whose NIST SP 800-171 safeguarding and incident-reporting obligations remain in force; it adds a tiered framework, inserted into contracts through DFARS 252.204-7021, in which self-attestation alone is no longer sufficient at the higher levels and independent verification is required before award.
CMMC 2.0 Levels
| Level | Name | Controls | Assessment Type | Applies To |
|---|---|---|---|---|
| Level 1 | Foundational | 15 requirements (FAR 52.204-21) | Annual self-assessment with annual affirmation | FCI only |
| Level 2 | Advanced | 110 requirements (NIST SP 800-171 Rev 2) | Triennial C3PAO certification, or triennial self-assessment where the solicitation allows it; annual affirmation in both cases | CUI |
| Level 3 | Expert | 110 Level 2 requirements plus 24 selected from NIST SP 800-172 | Triennial government-led assessment (DCMA DIBCAC) with annual affirmation | Highest-sensitivity CUI |
Level 1: Foundational
Covers the 15 basic safeguarding requirements of FAR 52.204-21, which fall under access control, identification and authentication, media protection, physical protection, system and information integrity, and system and communications protection. Every contractor that handles FCI must meet Level 1 at minimum, and all 15 requirements must be fully met because Level 1 permits no POA&M.
Level 2: Advanced
Maps directly to the 110 security requirements in NIST SP 800-171 Revision 2. Most contractors handling CUI will require Level 2. The solicitation specifies which of the two Level 2 assessment types applies. Level 2 (C3PAO) requires a certification assessment by a CMMC Third-Party Assessment Organization accredited by the Cyber AB; the certification is valid for three years and must be affirmed annually by a senior official. Level 2 (Self) requires a self-assessment every three years, with the results entered in SPRS and the same annual senior-official affirmation. The earlier "prioritized" versus "non-prioritized" acquisition language from the 2021 CMMC 2.0 announcement does not appear in the final rule; the contract is the authority.
Level 3: Expert
Adds 24 selected requirements from NIST SP 800-172 (Enhanced Security Requirements) on top of the Level 2 baseline. Required for the most sensitive DoD programs. A Final (not Conditional) Level 2 C3PAO certification is a prerequisite, and the Level 3 assessment is conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Plans of Action and Milestones (POA&Ms)
CMMC 2.0 allows limited use of POA&Ms at Level 2 and Level 3. A contractor can receive a Conditional certification with some requirements open on a POA&M, but only if the assessment still reaches the minimum score (0.8 of the total, so 88 of 110 at Level 2 under the DoD assessment scoring methodology) and only for requirements the rule makes eligible: in general, the 1-point requirements under that methodology, with a handful of named exceptions in either direction. Higher-weighted requirements must be fully implemented at the time of assessment. All POA&M items must be closed within 180 days of the Conditional certification and verified by a closeout assessment; if they are not, the Conditional status expires and the contractor is no longer eligible for awards that require that level. Level 1 does not allow POA&Ms, so all 15 requirements must be met.
Phased Rollout
CMMC requirements are being incorporated into DoD contracts in four phases, each starting one year after the previous one. The clock begins on the effective date of the DFARS (48 CFR) rule that places the CMMC clause in solicitations, November 10, 2025; the mid-year dates that circulated before that rule was finalized were estimates.
| Phase | Timeline | Requirement |
|---|---|---|
| Phase 1 | From the DFARS rule's effective date (November 10, 2025) | Level 1 self-assessment and Level 2 self-assessment in applicable contracts; DoD may require Level 2 C3PAO certification at its discretion |
| Phase 2 | One year after Phase 1 | Level 2 C3PAO certification required in applicable contracts; DoD may require Level 3 at its discretion |
| Phase 3 | One year after Phase 2 | Level 3 government-led assessments in applicable contracts |
| Phase 4 | One year after Phase 3 | Full CMMC inclusion in all applicable solicitations and contracts, including option periods on existing awards |
Key Challenges
Cloud Environments
CUI processed, stored, or transmitted by a cloud service provider must be hosted in an environment that holds a FedRAMP Moderate authorization or meets the FedRAMP Moderate equivalency standard DoD has defined, and the provider must still satisfy the DFARS 252.204-7012 obligations (72-hour cyber incident reporting to DoD, media preservation, and support for damage assessments). External service providers that do not handle CUI are not themselves certified but fall within the assessment scope for the services they supply. This affects cloud service selection and architecture, since a commercial region or a collaboration suite that is not authorized at that baseline cannot hold CUI.
Supply Chain Flow-Down
CMMC requirements flow down to subcontractors that handle FCI or CUI. Prime contractors must ensure their supply chain meets the appropriate CMMC level, which creates cascading compliance requirements through the defense industrial base.
Assessment Ecosystem
The C3PAO ecosystem is still scaling. The Cyber AB (formerly the CMMC Accreditation Body) accredits C3PAOs, but the number of accredited assessors may not meet demand as Phase 2 begins.
Practical Steps
1. Determine your CMMC level by identifying whether your contracts involve FCI only (Level 1) or CUI (Level 2 or 3), and check the solicitation for which Level 2 assessment type applies.
2. Scope your CUI environment by defining the boundary of the systems that process, store, or transmit CUI, including the cloud services and external service providers that touch it; a tight, enclave-style boundary keeps the assessment smaller.
3. Conduct a gap assessment comparing current controls against NIST SP 800-171 Rev 2 (for Level 2) and score it with the DoD assessment methodology, since that score is what goes into SPRS and determines POA&M eligibility. Document every gap.
4. Implement the missing controls and maintain a current System Security Plan; assessors work from the SSP, so it must match what is actually deployed.
5. For Level 1, complete the self-assessment and record it, with the senior-official affirmation, in SPRS. For Level 2 (Self), do the same every three years. For Level 2 (C3PAO), select a C3PAO from the Cyber AB marketplace and schedule the assessment; results are recorded in eMASS and flow to SPRS. Level 3 additionally requires a Final Level 2 C3PAO certification before DIBCAC will assess.
6. Make sure subcontractors that will receive FCI or CUI understand their CMMC obligations and are preparing for the level the flow-down requires.
7. Understand which requirements can be placed on a POA&M, and plan remediation and the closeout assessment within the 180-day window so a Conditional certification does not lapse.
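Steps 3 and 7 above amount to bookkeeping that is easy to get wrong under deadline pressure: which open items may sit on a POA&M, whether the score still clears the floor, and when the 180-day window closes. The following tracker is an added example written for this page, not a DoD or Cyber AB tool. The control inventory, the point weights, and the dates in it are constructed for illustration; the 1-point eligibility rule and the 88-of-110 floor follow the DoD scoring methodology as described above, and the rule's named exceptions to those two tests are not modeled.

```python
"""Gap and POA&M tracker for a CMMC Level 2 control inventory.

Added example for this page, not part of 32 CFR Part 170 or any DoD tool.
Modeled rules (see the text): Level 1 permits no POA&M; at Level 2 only
1-point requirements may be placed on a POA&M (named exceptions in the
rule are not modeled); the score must stay at or above 0.8 x 110 = 88;
and POA&M items must close within 180 days of Conditional certification.
Controls not listed in the inventory are treated as met.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POAM_WINDOW_DAYS = 180          # closeout window from 32 CFR Part 170
LEVEL2_TOTAL = 110              # NIST SP 800-171 Rev 2 requirement count
LEVEL2_MIN_SCORE = int(0.8 * LEVEL2_TOTAL)   # 88


@dataclass
class Control:
    control_id: str             # NIST SP 800-171 Rev 2 id, e.g. "3.1.1"
    weight: int                 # 1, 3 or 5 points under the DoD methodology
    status: str                 # "met", "poam" or "open"
    closed_on: Optional[str] = None   # ISO date the POA&M item was remediated


def score(controls):
    """DoD methodology score: 110 minus the weight of each unmet requirement."""
    return LEVEL2_TOTAL - sum(c.weight for c in controls if c.status != "met")


def poam_check(controls, level):
    """Return the findings that would block a Conditional certification."""
    problems = []
    if level == 1:
        # Level 1 has no POA&M: every unmet requirement is a blocker.
        return [f"{c.control_id}: Level 1 allows no POA&M"
                for c in controls if c.status != "met"]
    for c in controls:
        if c.status == "open":
            problems.append(f"{c.control_id}: not implemented and not on a POA&M")
        elif c.status == "poam" and c.weight != 1:
            problems.append(
                f"{c.control_id}: {c.weight}-point requirement cannot be placed on a POA&M")
    s = score(controls)
    if s < LEVEL2_MIN_SCORE:
        problems.append(f"score {s} is below the minimum {LEVEL2_MIN_SCORE}")
    return problems


def poam_status(controls, conditional_cert_date, today):
    """Classify POA&M items against the 180-day closeout window.

    Dates are ISO strings; the deadline is returned as an ISO string too.
    """
    cert = date.fromisoformat(conditional_cert_date)
    now = date.fromisoformat(today)
    deadline = cert + timedelta(days=POAM_WINDOW_DAYS)
    closed, overdue, due = [], [], []
    for c in controls:
        if c.status != "poam":
            continue
        if c.closed_on and date.fromisoformat(c.closed_on) <= deadline:
            closed.append(c.control_id)
        elif now > deadline:
            overdue.append(c.control_id)
        else:
            due.append(c.control_id)
    return {"deadline": deadline.isoformat(), "closed": closed,
            "overdue": overdue, "due": due,
            "days_left": (deadline - now).days}


# Constructed sample inventory; the weights are illustrative, not the
# official point values for these requirement ids.
SAMPLE = [
    Control("3.1.1", 5, "met"),
    Control("3.1.2", 5, "met"),
    Control("3.3.8", 1, "poam"),
    Control("3.8.7", 1, "poam", closed_on="2025-03-01"),
    Control("3.5.3", 5, "poam"),   # a 5-point item wrongly placed on a POA&M
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))
    for p in poam_check(SAMPLE, level=2):
        print("blocker:", p)
    print(poam_status(SAMPLE, "2025-01-15", "2025-06-01"))
```

Run against the constructed inventory, the tracker reports a score of 103 (above the floor) but flags 3.5.3 as a blocker, because a 5-point requirement cannot sit on a POA&M regardless of the score; the deadline for the remaining items is 2025-07-14, which is what step 7 needs to schedule the closeout assessment around.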