CMMC 2.0: Complete guide for defense contractors [2026]
As of November 10, 2025, CMMC 2.0 has become a contractual requirement that directly affects your ability to bid on and win defense contracts. If your organization handles sensitive government information, understanding CMMC 2.0 and its implications for defense contractors is essential.
This guide covers everything defense contractors need to know about CMMC 2.0, from the basics to practical compliance steps.
Editor's note: As of April 2026, ISACA is the new CMMC Assessor & Instructor Certification Organization (CAICO). Learn how this affects your compliance journey in our webinar with ISACA.
What is CMMC?
The Cybersecurity Maturity Model Certification is the DoD's unified framework for verifying that defense contractors implement cybersecurity measures strong enough to protect sensitive government information. Rather than relying only on unsupported self-attestation, CMMC uses defined assessment and affirmation paths, including Level 1 self-assessments, Level 2 self-assessments or C3PAO assessments, depending on the solicitation, and Level 3 DIBCAC assessments.
The Department of Defense developed CMMC starting in 2019, releasing version 1.0 in 2020. After industry feedback revealed excessive complexity and cost, the DoD revised the framework. CMMC 2.0, announced in November 2021, was streamlined to three levels and finalized through federal rules in 2024 and 2025.
The Cyber Accreditation Body (Cyber AB) manages the CMMC ecosystem, accrediting third-party assessment organizations (C3PAOs) and maintaining the marketplace of authorized providers. As of April 2026, ISACA serves as the CMMC Assessor & Instructor Certification Organization (CAICO), administering training and certification for CMMC professionals, including CCPs, CCAs, LCCAs and CCIs.
The technical requirements align with NIST standards. Level 1 draws from FAR 52.204-21 with 15 requirements, Level 2 implements all 110 requirements from NIST SP 800-171 and Level 3 adds 24 enhanced requirements from NIST SP 800-172.
What information CMMC protects
Understanding what information requires protection helps determine your certification requirements and properly scope assessment boundaries.
Federal Contract Information (FCI)
FCI is information not intended for public release that's provided by or generated for the government under contract. This includes information you create for DoD work, not just what the government provides.
Common examples include contract performance reports, project schedules, programmatic charts and financial information related to contracts. Technical drawings and engineering data should be reviewed carefully because, in DoD contexts, they may be CUI rather than simple FCI. Even emails discussing contract details can constitute FCI.
FCI doesn't include publicly available information, government data released on public websites or simple transactional information for payments. If information relates to your government work and wouldn't normally be public, it's likely FCI and requires Level 1 protection.
Controlled Unclassified Information (CUI)
CUI is unclassified information that requires safeguarding in accordance with laws, regulations and government policies. The National Archives maintains the CUI Registry, which lists 20 categories, including export-controlled information, proprietary business data and law enforcement-sensitive information.
In defense contexts, CUI often includes technical data on weapons systems, logistics information, infrastructure details and operational capabilities. CUI is generally marked with specific banners identifying it as controlled. If you see "CUI" markings, you're handling information requiring Level 2 or Level 3 protection.
CUI Basic requires standard controls. CUI Specified requires additional handling procedures outlined by governing laws or policies.
What CMMC doesn't cover
CMMC focuses on FCI and CUI only. It doesn't apply to classified national security information, personal employee or customer information (unless also CUI), public information or commercially available off-the-shelf items purchased without modification.
Why CMMC exists
The defense industrial base has become a primary target for nation-state cyber espionage. Understanding the threat landscape helps explain why the DoD implemented such sweeping requirements for defense industrial base cybersecurity and DoD supply chain security.
The cybersecurity threat
Nation-state adversaries, particularly China and Russia, have conducted systematic campaigns to steal U.S. defense technology through cyber means. These aren't opportunistic attacks but strategic operations by advanced persistent threat groups backed by foreign intelligence services.
Russian state-sponsored actors have maintained persistent access to contractor networks for six months or longer, exfiltrating weapons platform development timelines, communications infrastructure plans and specific military technologies. Chinese government-backed groups have similarly stolen blueprints, proprietary research and technical data that provide insight into U.S. military capabilities.
DIBCAC assessments consistently found contractors struggling with basic cybersecurity. The weak link isn't typically prime contractors but smaller supply chain companies lacking dedicated security resources. These breaches compromise individual programs and threaten the technological advantage central to U.S. military superiority.
Failed self-attestation model
Before CMMC, the DoD relied on contractor self-attestation. Under DFARS 252.204-7012, contractors submitted compliance scores without verification. This created two problems: contractors could claim compliance without actually implementing controls, and, as DIBCAC assessments later revealed, claimed scores often didn't match reality.
The self-attestation model created no market differentiation. Companies investing heavily in cybersecurity had no competitive advantage over those doing the minimum. There was no incentive to exceed baseline requirements.
The CMMC solution
CMMC addresses these failures through three mechanisms. First, it establishes standardized requirements applying consistently across the defense industrial base. Every contractor at the same level faces identical requirements.
Second, CMMC requires third-party verification for Level 2 contractors when the solicitation requires Level 2 (C3PAO). Some Level 2 programs allow Level 2 (Self) assessment. Certified C3PAOs conduct objective assessments, examining documentation, testing controls and verifying implementation. You must prove compliance to independent assessors when a C3PAO assessment is required.
Third, CMMC makes certification a contractual requirement enforced at award. Contracting officers cannot award contracts without a valid CMMC status at the required level. The program also requires annual compliance affirmations and periodic reassessments.
CMMC 1.0 vs 2.0: Key changes
CMMC 1.0 established five maturity levels with a cumulative total of 171 practices that assess both security practices and process maturity. This created challenges, including extensive documentation requirements, prohibitive costs and multi-year timelines.
CMMC 2.0 has been streamlined to three levels, mapping to information sensitivity, making CMMC 2.0 compliance more achievable. Key improvements include:
- Simplified structure: Three levels instead of five, mapping directly to information types (Level 1 for FCI, Level 2 for CUI, Level 3 for critical CUI).
- Process maturity removal: Focuses solely on practice implementation without demonstrating process maturity, significantly reducing documentation burden.
- Self-assessment options: Reintroduced for Level 1 annually and Level 2 non-critical CUI, reducing costs while maintaining third-party verification where risk is highest.
- Plans of Action and Milestones: POA&Ms allow conditional certification with a minimum score of 80%, with open items to be closed within 180 days.
- Phased implementation: Three-year rollout provides preparation time.
Level 2 still requires all 110 NIST SP 800-171 controls. Changes affect verification method and documentation, not security rigor.
CMMC 2.0 levels explained
The three CMMC 2.0 levels determine your certification requirements based on the sensitivity of the information. Understanding which level applies to your contracts is the first step toward compliance. For detailed guidance on the certification process, see our guide on how to get your organization CMMC certified.
Level 1: Foundational (FCI protection)
Level 1 implements 15 requirements from FAR 52.204-21 covering basic cyber hygiene across six areas: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
Level 1 requires annual self-assessment. You evaluate compliance, score each practice and submit results through SPRS. Full implementation of all 15 practices is required. Partial implementation doesn't count, and POA&Ms aren't available.
Who needs Level 1: Any contractor processing, storing or transmitting FCI on contractor systems.
Level 2: Advanced (CUI protection)
Level 2 addresses CMMC 2.0 requirements for CUI protection by implementing all 110 NIST SP 800-171 requirements across 14 control families: access control (22), awareness and training (3), audit and accountability (9), configuration management (9), identification and authentication (11), incident response (3), maintenance (6), media protection (9), personnel security (2), physical protection (6), risk assessment (3), security assessment (4), system and communications protection (16) and system and information integrity (7).
These controls require technical security architecture (network segmentation, encryption, monitoring), formal documentation (System Security Plans), incident response capabilities and ongoing assessment processes.
Assessment requirements vary by contract sensitivity. Select Level 2 programs may allow Level 2 (Self) assessment every three years, with annual affirmations. Level 2 (C3PAO) requires a C3PAO assessment every three years, with annual affirmations. C3PAO assessments involve certified teams reviewing documentation, interviewing personnel, observing implementations and testing controls.
POA&Ms are available with a minimum score of 80%, requiring a 180-day closeout for eligible requirements only.
Who needs Level 2: Contractors handling CUI, which includes most defense contractors beyond simple services or COTS providers.
Level 3: Expert (High-value CUI protection)
Level 3 adds 24 enhanced requirements from NIST SP 800-172 to Level 2's 110 controls, addressing advanced persistent threats through enhanced authentication, threat hunting and security automation.
Assessment is conducted by the DIBCAC every three years. Few contractors require Level 3, primarily those on the most sensitive programs.
CMMC timeline and implementation phases
Phase 1 (November 10, 2025–November 9, 2026)
Phase 1 began when the CMMC 2.0 final rule took effect on November 10, 2025. DoD has discretion to include Level 1 or Level 2 self-assessment requirements in new solicitations. It's also important to note that some Level 2 C3PAO assessments can begin appearing in Phase 1. Once included, requirements are mandatory for award. DoD may add requirements to existing contracts through bilateral modification.
For detailed guidance on preparing for these requirements, see our CMMC compliance planning guide.
Phase 2 (November 10, 2026–November 9, 2027)
Phase 2 adds Level 2 C3PAO certification for critical national security CUI contracts. The assessment ecosystem must scale to handle thousands of contractors. DoD may require CMMC for option exercises on existing contracts.
Phase 3 (November 10, 2027–November 9, 2028)
Phase 3 introduces Level 3 DIBCAC assessments for high-value CUI facing APT threats.
Phase 4 (November 10, 2028 onward)
Full implementation begins November 10, 2028. The CMMC compliance deadline is when requirements become mandatory for all applicable contracts involving FCI or CUI (excluding COTS-only contracts). Understanding when CMMC is required is straightforward after this date: any contract processing FCI or CUI must include appropriate CMMC certification. The discretionary period ends, and inclusion becomes automatic.
Timeline planning
Understanding the CMMC 2.0 timeline and CMMC 2.0 implementation phases is critical for planning. Level 2 compliance typically takes 6–18 months, depending on the starting security posture, plus months for C3PAO scheduling. Start based on your information handling, not specific contract requirements.
Who needs CMMC?
Prime contractors with direct DoD contracts that handle FCI or CUI must obtain CMMC status at the level and assessment type specified in the solicitation or contract. Subcontractors at all tiers must achieve the CMMC status appropriate for the information and assessment type flowed down to them. Requirements flow through the supply chain.
Your required level depends on contract information, not company size or contract value. Examine your contracts to determine whether they involve only FCI or CUI. Program offices or contracting officers can clarify. Identify which information systems will process covered information. These systems must achieve the required level.
Certain contracts are excluded: solely COTS items and contracts not involving FCI or CUI. However, exclusions are narrow. Even routine services often generate contract performance information constituting FCI.
CMMC assessment process
Understanding how assessments work helps you prepare effectively. For comprehensive details on what to expect, consult our complete CMMC assessment guide.
Self-assessment (Level 1 and some Level 2)
Self-assessment requires evaluating compliance using assessment guides. Define your assessment scope, conduct the assessment by reviewing each requirement and examining evidence and submit results through SPRS, including assessment scores and affirmation of continuous compliance.
Self-assessment must be objective. False attestations can result in contract termination, False Claims Act liability and exclusion from future contracts. Level 1 requires annual self-assessment and annual affirmation. Level 2 (Self) requires self-assessment every three years, with annual affirmations between assessments.
C3PAO assessment (Level 2 for critical programs)
Third-party assessment involves certified teams conducting a comprehensive evaluation of NIST SP 800-171 implementation. The process includes assessment planning, documentation review, personnel interviews, observation of security implementations and testing of technical controls.
Assessment concludes with findings review. If all requirements are satisfied, the C3PAO assessment supports a Final Level 2 (C3PAO) CMMC status valid for three years, with annual affirmations required. With deficiencies, you may use POA&Ms for conditional certification when the unmet requirements are eligible, then address gaps within 180 days.
DIBCAC assessment (Level 3)
Level 3 assessment is government-led by DIBCAC using rigorous evaluation. DIBCAC prioritizes assessments based on program criticality and threat level, conducting assessments every three years.
Understanding assessment scope
Assessment scope includes all information systems that process, store or transmit FCI or CUI, plus systems on the same network that could provide attack paths. Many contractors create separate enclaves for CUI with well-defined boundaries, limiting the scope of assessment and reducing compliance costs.
Plans of Action and Milestones (POA&Ms)
POA&Ms document how you'll address security requirement deficiencies, providing flexibility for conditional certification while addressing gaps.
POA&Ms are only available for Level 2 and Level 3. You can use POA&Ms for eligible controls if your organization earned a minimum score of 80%. All POA&Ms must close within 180 days of conditional certification. This is a hard deadline.
A strong POA&M includes specific tasks with assigned owners, resource requirements, milestones with target dates and regular status reporting. Prioritize by risk and implementation timeline. Track progress rigorously with a POA&M manager monitoring status.
When remediation is complete, demonstrate closure to the assessment organization. A C3PAO verifies implementation and updates the certification from conditional to final. Failing to close POA&Ms within 180 days results in your conditional certification expiring, requiring a full reassessment.
CMMC compliance requirements
Continuous compliance and annual affirmation
CMMC certification requires ongoing maintenance. Each year, your affirming official must submit an affirmation through SPRS confirming continued compliance. This formal attestation carries legal implications if false. Conduct internal reviews before affirming to verify controls remain in place.
SPRS reporting requirements
The Supplier Performance Risk System is the authoritative source for CMMC status. Register information systems processing FCI or CUI in SPRS and receive unique identifiers (CMMC UIDs). When submitting proposals, provide CMMC UIDs for the systems you'll use, so contracting officers can verify status before awarding.
Subcontract flowdown requirements
Prime contractors must ensure subcontractors meet CMMC requirements. Before awarding subcontracts involving FCI or CUI, verify the subcontractor's current CMMC status at the appropriate level. Flow down CMMC requirements in subcontract language, making certification a condition of award and continuing performance.
Maintaining current status
CMMC certifications have defined validity periods: Level 1 requires annual self-assessment, while Level 2 and Level 3 statuses are generally valid for three years with annual affirmations required between assessments. Schedule reassessment months before expiration to maintain continuous certification. If your certification expires, you become ineligible for contract awards that require CMMC.
CMMC ecosystem roles
The Cyber AB (Accreditation body)
The Cyber Accreditation Body serves as the program's official accreditation organization, accrediting C3PAOs, approving RPOs and maintaining the CMMC Marketplace. The Cyber AB Marketplace is the authoritative source for finding authorized service providers.
ISACA as CAICO
As of April 2026, CAICO services fully transitioned to ISACA. ISACA now administers training, examinations and certifications for CMMC professionals. Organizations seeking CMMC professional certifications work with ISACA-approved training providers, like Infosec Institute. This transition brings ISACA's established credentialing infrastructure to help scale the assessor workforce.
C3PAOs (Assessment organizations)
CMMC Third-Party Assessment Organizations conduct Level 2 certifications. When selecting a C3PAO, consider their experience with organizations like yours, assessor qualifications, methodology, scheduling availability and pricing. Check the Cyber AB website for the official list of accredited C3PAOs. Learn more about understanding C3PAOs, RPOs and other CMMC marketplace providers.
RPOs (Registered Practitioner Organizations)
Registered Practitioner Organizations provide consulting, preparation and advisory services, including gap assessments, implementation guidance, documentation support and readiness reviews. RPOs cannot conduct official assessments for consulting clients but can provide valuable preparation support.
CMMC professionals
The CMMC program defines several professional roles with specific certifications and responsibilities. To explore which certification path is right for you, see our guide to CMMC career paths and certifications.
CMMC Certified Professional (CCP) is the foundational credential for individuals working in the CMMC ecosystem. CCP training provides a deep understanding of requirements and assessment methodology.
CMMC Certified Assessor (CCA) qualifies professionals to conduct Level 2 assessments as part of C3PAO teams. Lead CMMC Certified Assessor (LCCA) represents senior qualification, leading assessment teams and serving as the final authority for complex determinations.
CMMC Certified Instructor (CCI) authorizes qualified individuals to deliver official CMMC training. Visit ISACA's CMMC credentialing page for current availability, requirements and exam information as the program scales through 2026.
Common CMMC challenges
Contractors face predictable challenges. Many struggle with the technical controls required at Level 2, including network segmentation, endpoint detection and security monitoring. Legacy systems may not support modern security features, requiring upgrades or compensating controls. Cloud environments add complexity around boundary protection and shared responsibility models.
CMMC requires substantial documentation: System Security Plans, security policies and procedures, network diagrams, configuration standards and incident response plans. Creating accurate, complete documentation takes significant effort, especially for organizations without formal security programs.
Achieving Level 2 compliance requires financial investment, staff time, specialized expertise and ongoing resources. Small businesses often struggle to justify costs against defense revenue. Budget appropriately for both initial compliance and ongoing maintenance.
Contractors frequently face timeline pressure. Realistic Level 2 compliance is 6–18 months, depending on the starting point. Build buffer into schedules for assessor availability, technical implementations and documentation review.
Consider engaging an RPO for readiness assessment 2–3 months before the official C3PAO assessment to identify gaps while you have time to address them.
CMMC cost considerations
Direct costs
Self-assessment is essentially free beyond internal labor. C3PAO assessment fees typically range from $15,000 to $50,000+, depending on scope and complexity. Treat these as market estimates.
Technology costs vary widely. Organizations with existing security infrastructure may need a modest investment. Those starting from scratch could spend $50,000 to $300,000+ on firewalls, endpoint protection, monitoring tools, encryption and infrastructure upgrades. Actual costs vary by assessment scope, existing architecture, number of systems, cloud strategy, enclave approach and remediation needs.
Consulting support from RPOs typically runs $50,000 to $200,000+, depending on scope. Training and personnel development add another cost layer.
Indirect and ongoing costs
Staff time for implementation, security monitoring and management oversight represents a high indirect cost. Operational impacts from security controls may slow some processes or require workflow changes.
Ongoing costs include reassessment fees, security tool licenses, staff time for monitoring, security awareness training and incident response capabilities. Budget 10–20% of initial compliance costs annually for maintenance.
Cost-benefit analysis
Compare compliance costs against defense business value. If you have $5 million in annual defense contracts and compliance costs $300,000, that's 6% of revenue or 2% annually spread over three years.
The alternative is loss of defense business entirely. Many contractors find implementing CMMC also improves overall cybersecurity, providing benefits beyond compliance, including reduced breach risk, improved security awareness, enhanced customer confidence and competitive advantages.
Next steps for defense contractors
Immediate actions
Determine which CMMC level applies by reviewing contracts, consulting program offices and identifying whether you handle FCI only or CUI. Assess your current cybersecurity posture by conducting an internal review of existing controls and determining gaps.
Understand your timeline, develop a budget, secure resources and decide on an approach (internal vs. consultants). Engage leadership early. CMMC requires executive sponsorship and organizational commitment.
Planning your compliance approach
Don't wait for CMMC requirements in solicitations. Start based on your information handling and market position. Develop a project plan with clear milestones, responsibilities, resources and target dates.
Consider a professional gap assessment to understand exactly where you stand. If you need Level 2 certification, prioritize implementing the 110 NIST SP 800-171 controls before worrying about assessment.
Building internal capability
Build internal CMMC knowledge by training key staff through CCP certification. Understanding CMMC from a professional perspective helps your team maintain compliance, prepare for assessments and make informed security decisions.
Organizations that pursue CCA certification for staff gain technical assessment capability, which is valuable for internal audits.
Staying informed
Monitor DoD CMMC website updates, review Cyber AB guidance, participate in industry associations and follow authoritative sources. The landscape continues evolving as the program scales.
Resources for defense contractors
Official sources
The DoD CIO CMMC Website provides official guidance and program updates. The DoD Acquisition CMMC Policy Page covers policy and regulatory information. The Cyber AB Website serves as the accreditation body's official site with CMMC Model documentation and the marketplace of authorized providers. ISACA CMMC Credentialing covers professional certifications.
Federal regulations
32 CFR Part 170 establishes program structure and requirements. 48 CFR DFARS 252.204-7021 implements contractual requirements. NIST SP 800-171 Revision 2 is the foundational requirement document for Level 2.
Finding professional help
The Cyber AB Marketplace lists authorized C3PAOs and RPOs. Verify provider credentials before engaging. When selecting service providers, review experience, check references, understand methodology, compare pricing and ensure availability.
Training and development
Infosec Institute offers a CCP boot camp for professionals supporting compliance efforts and a CCA boot camp for advanced assessment knowledge. Visit Infosec's government solutions page for team training options.
Conclusion
CMMC 2.0 represents a fundamental shift in how the Department of Defense ensures cybersecurity across its supply chain. The program moves beyond trust-but-don't-verify to a framework where contractors must demonstrate actual implementation of required security controls.
For defense contractors, CMMC creates a clear mandate: implement appropriate cybersecurity measures or lose the ability to compete for contracts. While compliance requires investment of time, money and resources, it's now table stakes for participating in the defense market.
The phased implementation provides time to prepare, but that window is closing. Contractors should assess requirements, develop compliance plans and begin implementation now. Waiting until CMMC requirements appear in specific solicitations leaves insufficient time for proper preparation.
Ready to build your CMMC compliance roadmap? Explore CCP training and CCA training or visit Infosec's government solutions for comprehensive team training options.
Frequently asked questions
How is CMMC 2.0 different from 1.0?
Streamlined from five levels to three, eliminated maturity process requirements, reintroduced self-assessment for lower-risk situations and added POA&Ms.
Is CMMC the same as NIST 800-171?
Level 2 is based on NIST SP 800-171, but CMMC adds verification through assessment rather than self-attestation.
When does CMMC become fully mandatory?
Full implementation occurs on November 10, 2028.
How long does CMMC compliance take?
Typically, 6–18 months for Level 2, depending on your starting security posture. Level 1 is faster, potentially 2–4 months.
How much does CMMC cost?
Level 1 compliance might cost $10,000 to $100,000. Level 2 typically ranges from $100,000 to $1,000,000+, depending on organization size and existing security posture. Treat these as planning estimates, not official DoD cost figures.
What if we don't comply?
You cannot bid on or win contracts requiring CMMC certification or CMMC status. You may also lose existing contracts if they are modified to add CMMC requirements.
Do subcontractors need CMMC?
Yes, subcontractors at all tiers must have CMMC certification or status at the level and assessment type appropriate for the information they handle.