For years, cybersecurity in the defense supply chain ran on the honor system. A contractor promised it met the standard, posted a score, and moved on. That era has ended. With the Cybersecurity Maturity Model Certification, known as CMMC 2.0, the Department of Defense has turned a long-standing requirement into something it can verify and enforce, and it is now a condition of being awarded the contract at all.
If your company handles Department of Defense information, this guide explains what CMMC 2.0 is, how it relates to NIST SP 800-171, the timeline you are now operating under, and the practical steps to get ready.

CMMC 2.0 is the Department of Defense program that requires contractors and subcontractors to prove they protect two kinds of sensitive information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The program does not invent a brand new security standard. It takes a set of safeguards that defense contractors were already supposed to follow and adds a verification layer, ranging from a self-assessment to an independent audit, depending on the sensitivity of the data and the contract.
This is the part that confuses people, so it is worth being precise.
NIST Special Publication 800-171 is the underlying technical standard. It defines 110 security requirements across 14 families, covering areas like access control, audit and accountability, configuration management, and incident response. Defense contractors handling CUI have been contractually required to implement it since 2017, under DFARS clause 252.204-7012, largely on a self-attested basis.
CMMC 2.0 is the verification and enforcement wrapper around that standard. At its core level for CUI, CMMC simply requires you to fully implement the 110 requirements of NIST SP 800-171 Revision 2, and then to prove it. In short: NIST 800-171 is the test. CMMC is the proctor.
CMMC took effect through two separate regulations, and understanding both explains why the deadlines land where they do.
The first, the 32 CFR Part 170 program rule, became effective on December 16, 2024. It established the program itself: the levels, the assessment processes, and the rules. But on its own it did not force anyone to do anything, because it lacked a contractual hook.
The second, the 48 CFR acquisition rule, supplied that hook. Published in the Federal Register on September 10, 2025, it became effective on November 10, 2025, and it authorizes contracting officers to insert DFARS clause 252.204-7021 into solicitations and contracts. Once that clause appears, CMMC certification at the specified level becomes a condition of award. There is no grace period. A contractor that cannot show the required certification for a given opportunity is ineligible, regardless of price or past performance.
The Department is phasing the requirement in over roughly three years, in four phases.
The phased schedule is not permission to wait. Assessment capacity is finite, certification takes months of preparation, and a single missed clause in a solicitation can cost you a bid.
CMMC 2.0 has three levels. Which one applies to you depends on the type of information your contract involves, and your contracting officer specifies it in the solicitation.
| Level | Protects | Requirements | How it is Assessed | Cadence |
|---|---|---|---|---|
| Level 1 (Foundational) | FCI | 15 basic safeguarding requirements (FAR 52.204-21) | Annual self-assessment, results posted to SPRS | Annual |
| Level 2 (Advanced) | CUI | 110 requirements (NIST SP 800-171 Rev. 2) | Self-assessment or C3PAO certification, depending on the contract | Every 3 years, plus annual affirmation |
| Level 3 (Expert) | CUI on the highest-priority programs | The 110 Level 2 requirements plus a subset of 24 enhanced requirements from NIST SP 800-172 | Government-led assessment by DCMA’s DIBCAC | Every 3 years, plus annual affirmation |
The assessment method is set by your level and your contract.
Self-assessment applies to all of Level 1 and to certain Level 2 contracts where the data is less sensitive. You evaluate your own environment against the requirements and post the result to the Supplier Performance Risk System (SPRS).
C3PAO certification applies to most Level 2 work involving meaningful CUI. A Certified Third-Party Assessment Organization, selected from the CMMC Accreditation Body marketplace, conducts an independent audit against the 110 NIST 800-171 requirements. This is the path that requires the most lead time, and C3PAO schedules are already booked out, so waiting to engage one is itself a risk.
Government assessment applies to Level 3, conducted directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the Defense Contract Management Agency. A Level 3 organization must first achieve Level 2 (C3PAO) certification for the relevant environment.
A few details matter more than their length in the rule suggests.
The SPRS score. Level 2 uses a scoring methodology that starts at 110 and subtracts weighted points for each unmet requirement, so a perfect implementation scores 110. That score, your assessment date, and your CMMC unique identifier live in SPRS.
The System Security Plan (SSP). Level 2 requires a documented SSP describing how each requirement is met, supported by policies, procedures, network diagrams, and inventories. Assessors test against your documentation, so vague or outdated documentation fails before the technology is even examined.
POA&Ms are limited. CMMC 2.0 allows Plans of Action and Milestones, which CMMC 1.0 did not, but with hard limits. You can earn a Conditional certification with some lower-weighted requirements still open, but you must close them within 180 days through a closeout assessment or the conditional status expires. The highest-weighted requirements cannot be placed on a POA&M at all, and you must clear a minimum score to qualify for conditional status in the first place.
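The scoring and POA&M rules above are easier to reason about as a small function. The following is an added example, not code from the article or from the Department; it assumes, from the DoD Assessment Methodology and the 32 CFR 170 POA&M criteria rather than from the text above, that each requirement is weighted 1, 3 or 5 points, that the conditional threshold is 88 of 110 (80%), and that only 1-point requirements (plus 3.13.11 when encryption is in place but not FIPS-validated) may remain open on a POA&M.

```python
# Added example: SPRS-style scoring of a NIST SP 800-171 Rev. 2 gap assessment
# and a check of whether the open items still allow a Conditional Level 2 status.
# Assumptions (not stated in the article): weights are 1, 3 or 5 points;
# Conditional status needs a score of at least 88; only 1-point items may sit on
# a POA&M, except 3.13.11 at partial credit. Requirements not listed in the
# findings are treated as met, so a list of gaps is enough input.
from dataclasses import dataclass

PERFECT_SCORE = 110
CONDITIONAL_MINIMUM = 88  # assumption: 80% of 110


@dataclass
class Finding:
    requirement: str  # NIST SP 800-171 identifier, e.g. "3.1.1"
    weight: int       # 1, 3 or 5 points per the assessment methodology
    status: str       # "met", "partial" or "not_met"


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for a single requirement."""
    if f.status == "met":
        return 0
    # The methodology gives partial credit (3 points off instead of 5) for
    # MFA (3.5.3) and FIPS-validated encryption (3.13.11) that are partly in place.
    if f.status == "partial" and f.requirement in ("3.5.3", "3.13.11"):
        return 3
    return f.weight


def sprs_score(findings: list[Finding]) -> int:
    """Score posted to SPRS: 110 minus the weighted deductions."""
    return PERFECT_SCORE - sum(deduction(f) for f in findings)


def conditional_eligible(findings: list[Finding]) -> bool:
    """True when the score clears the minimum and every open item is POA&M-eligible."""
    if sprs_score(findings) < CONDITIONAL_MINIMUM:
        return False
    for f in findings:
        if f.status == "met" or f.weight == 1:
            continue
        if f.requirement == "3.13.11" and f.status == "partial":
            continue  # the one higher-weighted item allowed on a POA&M
        return False  # any other 3- or 5-point gap blocks conditional status
    return True


if __name__ == "__main__":
    # Constructed sample gaps for illustration only.
    gaps = [Finding("3.13.11", 5, "partial"), Finding("3.1.3", 1, "not_met")]
    print(sprs_score(gaps), conditional_eligible(gaps))
```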
Annual affirmation, and the legal teeth behind it. Certification is valid for three years, but a senior company official must submit an annual affirmation of continuous compliance in SPRS. That affirmation is not a formality. A false or careless affirmation can trigger liability under the False Claims Act, which the Department of Justice has been pursuing through its Civil Cyber-Fraud Initiative. Misrepresenting your security posture to win or keep a contract is now a legal exposure, not just a compliance gap.
If you process, store, or transmit FCI or CUI in performing a DoD contract, CMMC applies to you. The level follows the data: FCI alone points to Level 1, CUI points to Level 2, and the most sensitive programs point to Level 3.
Critically, the obligation flows down. A prime contractor must pass the appropriate CMMC requirement to any subcontractor that will handle FCI or CUI. That means a small machine shop or software vendor several tiers down the supply chain can find itself needing certification in order to keep a single defense customer. If you supply anyone who supplies the Department of Defense, assume CMMC reaches you until you confirm otherwise.
The contractors who handle this well start before a solicitation forces their hand. A practical sequence:
For many small and mid-sized contractors, the realistic answer is outside help: a gap assessment to find the problems, a remediation program to fix them, and ongoing security leadership to sustain the result.
CMMC 2.0 converts a decade of soft cybersecurity expectations into a hard condition of doing business with the Department of Defense. The standard underneath it, NIST SP 800-171, is not new, but the verification and the consequences are. With the acquisition rule in effect since November 2025 and Level 2 third-party certification arriving in late 2026, the window to prepare without pressure is already closing. The contractors who treat readiness as a project to finish before the clause shows up in a solicitation will keep bidding. The ones who wait may find themselves locked out of work they have done for years.