The CMMC 2.0 Readiness Guide: A Practical Roadmap for DoD Contractors
What Is CMMC 2.0?
A Brief History
The Cybersecurity Maturity Model Certification (CMMC) was created by the Department of Defense to address a persistent problem: sensitive defense information flowing through contractor networks that lacked adequate security controls.
The original CMMC 1.0 framework, introduced in 2020, defined five maturity levels with varying degrees of complexity. While well-intentioned, the model drew criticism from the defense industrial base for being overly burdensome, especially for small and mid-sized contractors.
In November 2021, the DoD announced CMMC 2.0, a streamlined revision that collapsed five levels into three, eliminated unique CMMC-specific practices, and aligned directly with existing NIST standards. The final rule (32 CFR Part 170) was published in October 2024, with enforcement beginning in 2025.
Why CMMC Exists
The DoD supply chain is a prime target for nation-state adversaries. Every year, billions of dollars' worth of intellectual property, weapons system designs, and operational data are compromised through contractor networks. CMMC exists to set a verifiable floor for cybersecurity across every organization that handles federal contract information or controlled unclassified information.
Put simply: if you work with the DoD, you must prove your cybersecurity posture. Self-attestation alone is no longer sufficient for most contractors.
Who It Affects
CMMC applies to all organizations within the Defense Industrial Base (DIB), including:
- Prime contractors holding DoD contracts
- Subcontractors at any tier who handle FCI or CUI
- Commercial product and service providers whose offerings touch DoD data
- IT and cloud service providers supporting DIB organizations
If your contracts include DFARS clause 252.204-7012, 7019, 7020, or 7021, CMMC applies to you.
The Three Levels Explained
Level 1: Foundational
- Controls: 17 practices based on FAR 52.204-21
- Data type: Federal Contract Information (FCI)
- Assessment: Annual self-assessment
- Who needs it: Contractors who handle FCI but not CUI
Level 1 covers basic cyber hygiene: using antivirus, limiting physical access, using unique passwords, and similar foundational controls. If your only obligation is protecting FCI, this is your target.
Key point: Self-assessments must be submitted to the Supplier Performance Risk System (SPRS) with an annual affirmation by a senior company official.
Level 2: Advanced
- Controls: 110 practices from NIST SP 800-171 Rev 2
- Data type: Controlled Unclassified Information (CUI)
- Assessment: Third-party assessment by a C3PAO (for critical contracts) or self-assessment (for select contracts)
- Who needs it: Contractors who handle CUI
This is where the majority of DIB contractors will land. Level 2 requires full implementation of all 110 NIST 800-171 controls, a complete System Security Plan (SSP), and either a self-assessment or a formal evaluation by a CMMC Third-Party Assessment Organization (C3PAO).
Key point: Even if your contract only requires a self-assessment at Level 2, the DoD can still audit your score. Inflated SPRS scores carry legal risk under the False Claims Act.
Level 3: Expert
- Controls: 110 NIST 800-171 controls plus 24 selected controls from NIST SP 800-172
- Data type: CUI associated with critical programs
- Assessment: Government-led assessment by DIBCAC
- Who needs it: Contractors supporting the highest-priority DoD programs
Level 3 is reserved for contractors working on the most sensitive programs. The assessment is conducted directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and the bar is significantly higher.
Which Level Do I Need?
Use this decision guide:
- Question 1: Do you handle CUI?
  - No → You likely need Level 1
  - Yes → Continue to question 2
- Question 2: Does your contract involve critical national security information or priority programs?
  - No → You likely need Level 2
  - Yes → You likely need Level 3
- Not sure if your data qualifies as CUI?
  - Review your contract for references to DFARS 252.204-7012
  - Check if your data falls under any CUI category in the National Archives CUI Registry
  - Ask your prime contractor or contracting officer
Pro tip: When in doubt, prepare for Level 2. It covers the full NIST 800-171 control set and positions you for the broadest range of DoD opportunities.
The Four-Phase Rollout Timeline
CMMC 2.0 is rolling out in four phases, each expanding the scope of contracts that require certification.
Phase 1 (Starting Q1 2025)
What happens:
- CMMC requirements begin appearing in new DoD solicitations and contracts.
- Level 1 self-assessments required where specified
- Level 2 self-assessments required where specified
- Contractors must have a current SPRS score on file
- Senior official must sign an annual affirmation of compliance
Your action:
Ensure your SPRS score is accurate and current. Begin self-assessment preparation immediately.
Phase 2 (Starting Q1 2026)
What happens:
- Third-party assessments (C3PAOs) become required for applicable Level 2 contracts.
- New contracts requiring Level 2 certification will mandate C3PAO assessments
- Level 3 requirements begin appearing in select contracts
- The Cyber AB ecosystem of assessors is fully operational
Your action:
If you handle CUI, engage a C3PAO or compliance partner now. Assessment scheduling lead times can stretch 3 to 6 months or longer.
Phase 3 (Starting Q1 2027)
What happens:
- CMMC requirements expand to all applicable DoD contracts, including exercised option periods.
- Broader inclusion of CMMC clauses across the acquisition portfolio
- Existing contracts with option periods may incorporate CMMC requirements
Your action:
No contract is “safe” from CMMC at this stage. Full compliance must be in place.
Phase 4 (Starting Q1 2028)
What happens:
- Full inclusion of CMMC in all DoD contracts involving FCI or CUI.
- CMMC is a standard requirement across the defense acquisition lifecycle
- Non-compliant contractors are effectively locked out of DoD work
Your action:
This is the finish line. If you are not certified by this point, you cannot compete for DoD contracts requiring CMMC.
Timeline at a Glance
| Phase | Start | Key Milestone |
|---|---|---|
| 1 | Q1 2025 | Self-assessments in new contracts |
| 2 | Q1 2026 | C3PAO assessments required; Level 3 begins |
| 3 | Q1 2027 | Expansion to option periods and broader contracts |
| 4 | Q1 2028 | Full CMMC inclusion across all applicable contracts |
CMMC Readiness Self-Assessment Checklist
This is the section that can save you thousands in consulting fees. Work through each control family honestly. For every question, mark Yes, No, or Partial. A “Partial” means you have something in place but it is incomplete or inconsistent.
Scoring guidance:
- Mostly Yes (80%+): You are in strong shape. Focus on closing remaining gaps.
- Mixed (50–79%): Significant work remains. Prioritize the families with the most “No” answers.
- Mostly No (<50%): You need a structured remediation plan and likely a compliance partner.
1. Access Control (AC)
- Do you enforce least-privilege access, ensuring users only have permissions required for their role?
- Is remote access to CUI environments secured with multi-factor authentication (MFA)?
- Do you control and monitor access to CUI from mobile devices and external connections?
- Are user accounts reviewed and recertified on a regular basis (quarterly or more frequently)?
- Do you separate duties for critical functions to prevent any single individual from having excessive access?
2. Awareness and Training (AT)
- Do all employees with system access receive cybersecurity awareness training at least annually?
- Are personnel with security-relevant roles (system admins, incident responders) given specialized training?
- Do you maintain records of all training completions and update training content based on emerging threats?
- Does your training program cover recognizing social engineering, phishing, and insider threats?
3. Audit and Accountability (AU)
- Do you log and review security-relevant events (logins, failed access attempts, privilege changes)?
- Are audit logs protected from unauthorized modification or deletion?
- Do you retain audit logs for a sufficient period (minimum 90 days readily accessible, one year archived)?
- Is there an automated alerting mechanism for audit log anomalies or suspicious activity?
- Can you correlate logs across systems to reconstruct security events?
4. Configuration Management (CM)
- Do you maintain documented baseline configurations for all systems in the CUI environment?
- Is there a formal change management process for system and software modifications?
- Do you restrict the use of nonessential programs, functions, ports, protocols, and services?
- Are software installation policies enforced to prevent unauthorized applications?
- Do you track and manage hardware and software inventories?
5. Identification and Authentication (IA)
- Are all users uniquely identified and authenticated before accessing CUI systems?
- Is multi-factor authentication enforced for all network access to privileged and non-privileged accounts?
- Do you enforce minimum password complexity and rotation requirements?
- Are default passwords and accounts disabled or changed on all systems and devices?
- Do you use cryptographic mechanisms to protect authentication data in transit and at rest?
6. Incident Response (IR)
- Do you have a documented incident response plan that covers detection, reporting, and recovery?
- Is the incident response plan tested at least annually through tabletop exercises or simulations?
- Do you have a defined process for reporting cyber incidents to the DoD within 72 hours?
- Are incident response roles and responsibilities clearly assigned?
- Do you track and document lessons learned after each incident?
7. Maintenance (MA)
- Do you perform regular maintenance on all systems and document maintenance activities?
- Is remote maintenance performed through encrypted, authenticated channels?
- Are maintenance personnel vetted and supervised when performing work on CUI systems?
- Do you sanitize equipment before sending it offsite for maintenance?
8. Media Protection (MP)
- Do you control and track removable media (USB drives, external hard drives) in CUI environments?
- Is CUI on portable storage encrypted using FIPS 140-2 validated cryptography?
- Do you have procedures for sanitizing or destroying media before disposal or reuse?
- Are media transport protections in place for physical movement of CUI?
9. Personnel Security (PS)
- Do you screen personnel before granting access to CUI systems?
- Are access permissions revoked promptly when employees leave or change roles?
- Do you have a formal offboarding process that includes return of equipment and credential revocation?
- Is CUI access limited to personnel with a legitimate business need?
10. Physical Protection (PE)
- Are physical access controls in place for facilities and areas where CUI is processed or stored?
- Do you maintain visitor logs and escort visitors in controlled areas?
- Are server rooms, wiring closets, and network equipment physically secured?
- Do you protect CUI during transport outside of controlled areas?
11. Risk Assessment (RA)
- Do you conduct risk assessments at least annually and when significant changes occur?
- Are vulnerability scans performed regularly (at least quarterly) on CUI systems?
- Do you remediate vulnerabilities based on a risk-prioritized approach?
- Is there a process for identifying and evaluating new threats relevant to your environment?
12. Security Assessment (CA)
- Do you periodically assess your security controls to confirm they are effective?
- Is there a Plan of Action and Milestones (POA&M) for tracking and remediating deficiencies?
- Do you have a current, comprehensive System Security Plan (SSP) for your CUI environment?
- Are corrective actions from assessments tracked to completion?
13. System and Communications Protection (SC)
- Do you monitor and control communications at system boundaries (firewalls, proxies)?
- Is CUI encrypted in transit using FIPS-validated cryptographic mechanisms (TLS 1.2+)?
- Is CUI encrypted at rest on all systems, including laptops and mobile devices?
- Do you separate user functionality from system management functionality?
- Are collaborative computing devices (webcams, microphones) controlled when not in use?
14. System and Information Integrity (SI)
- Do you identify, report, and remediate system flaws in a timely manner (patch management)?
- Is malicious code protection (antivirus/EDR) deployed and kept current across all endpoints?
- Do you monitor system security alerts and advisories from vendors and government sources?
- Are inbound and outbound communications monitored for indicators of compromise?
- Do you perform periodic integrity scans of your systems?
The 10 Most Common Compliance Gaps
After conducting hundreds of assessments across the DIB, these are the gaps we see again and again. If any of these sound familiar, you are not alone, and they are all fixable.
Gap 1: No Multi-Factor Authentication (MFA)
What it is: Users access CUI systems with only a username and password.
Why it matters: MFA is required for all accounts accessing CUI systems. Passwords alone are trivially compromised through phishing, credential stuffing, and brute force attacks. This is one of the first things assessors check.
How to fix it: Deploy MFA across all user accounts, starting with privileged accounts and remote access. Prefer phishing-resistant methods such as hardware security keys; authenticator apps are a clear step up from SMS-based codes, which should be avoided. Most identity providers (Azure AD/Entra ID, Okta, Duo) support rapid MFA rollout.
Gap 2: No Encryption at Rest
What it is: CUI stored on laptops, servers, or cloud platforms is not encrypted.
Why it matters: If a device is lost, stolen, or improperly decommissioned, unencrypted CUI is immediately exposed. NIST 800-171 requires FIPS 140-2 validated encryption for CUI at rest.
How to fix it: Enable BitLocker (Windows) or FileVault (Mac) on all endpoints. For servers and cloud storage, use platform-native encryption with FIPS-validated modules. Verify that encryption keys are managed securely and separately from the data they protect.
Gap 3: Missing or Incomplete System Security Plan (SSP)
What it is: The organization lacks a documented SSP, or the one they have is a boilerplate template that does not reflect their actual environment.
Why it matters: The SSP is the foundational document for your CMMC assessment. It describes your CUI boundary, the systems in scope, and how each of the 110 controls is implemented. Without an accurate SSP, you cannot pass an assessment.
How to fix it: Build your SSP from the ground up based on your actual environment. Document each control with specifics: what tool, what configuration, what process, and who is responsible. Review and update it quarterly.
Gap 4: Using Commercial Microsoft 365 Instead of GCC High
What it is: The organization processes CUI in standard commercial Microsoft 365 (or Google Workspace) instead of a FedRAMP Moderate-authorized environment.
Why it matters: Commercial cloud services do not meet the FedRAMP Moderate baseline required for processing, storing, or transmitting CUI. This is a systemic gap that affects email, file storage, collaboration, and more.
How to fix it: Migrate to Microsoft 365 GCC High (or another FedRAMP Moderate-authorized platform). Plan for a 60 to 90 day migration timeline, including license procurement, tenant configuration, data migration, and user training.
Gap 5: No Formal Incident Response Plan
What it is: The organization has no documented process for detecting, responding to, and recovering from cyber incidents.
Why it matters: Without a plan, incidents escalate, evidence is lost, and required reporting timelines are missed. DoD contracts require incident reporting to DC3 within 72 hours.
How to fix it: Develop a written incident response plan covering roles, procedures, communication chains, and recovery steps. Test it at least annually through a tabletop exercise. Assign a specific individual as the incident response lead.
Gap 6: Inadequate Access Controls
What it is: Users have more access than their roles require. Administrator privileges are widespread. Shared accounts are common.
Why it matters: Excessive access increases the blast radius of any compromise. Shared accounts make it impossible to maintain accountability and audit trails.
How to fix it: Implement role-based access control (RBAC). Conduct a privilege audit, removing unnecessary admin rights. Eliminate all shared accounts. Review access permissions quarterly.
Gap 7: No Vulnerability Management Program
What it is: Systems are not regularly scanned for vulnerabilities, and patches are applied inconsistently or not at all.
Why it matters: Known vulnerabilities are the primary entry point for attackers. NIST 800-171 requires regular vulnerability scanning and timely remediation.
How to fix it: Deploy a vulnerability scanning tool (Nessus, Qualys, Rapid7) and scan at least quarterly. Establish a patching cadence: critical patches within 14 days, high within 30 days. Track remediation in your POA&M.
Gap 8: Insufficient Audit Logging
What it is: Security events are not logged, logs are not reviewed, or logs are not retained for the required period.
Why it matters: Without logs, you cannot detect intrusions, investigate incidents, or demonstrate compliance. Assessors will ask to see your logging infrastructure and review process.
How to fix it: Centralize logs using a SIEM (Security Information and Event Management) solution. Configure logging on all CUI systems for authentication events, access changes, and administrative actions. Establish a log review process (daily automated alerts, weekly manual reviews).
Gap 9: No Security Awareness Training Program
What it is: Employees do not receive regular cybersecurity training, or training is a one-time onboarding checkbox.
Why it matters: Humans are the most common attack vector. Phishing, social engineering, and accidental data exposure are preventable with consistent training.
How to fix it: Implement a security awareness program with monthly phishing simulations and at least annual comprehensive training. Track completion rates and follow up with individuals who fail simulations. Use a platform like KnowBe4, Proofpoint, or similar.
Gap 10: Incomplete or Nonexistent POA&M
What it is: The organization has no Plan of Action and Milestones document, or it exists but is not actively maintained.
Why it matters: A POA&M is required to track known deficiencies and your plan for remediating them. Assessors expect to see an active, maintained POA&M with realistic timelines and assigned owners.
How to fix it: Create a POA&M that lists every known gap, assigns an owner, sets a remediation deadline, and tracks progress. Review it monthly. A POA&M is not a sign of weakness; it is a sign of maturity and honest self-assessment.
Your CMMC Readiness Roadmap
Days 1 to 90: Assess and Plan
This phase is about understanding where you stand and building your plan.
Week 1 to 2: Scope Definition
- Identify all systems, networks, and locations where CUI is processed, stored, or transmitted
- Map your CUI data flows from receipt through storage to disposal
- Define your CUI boundary (the systems in scope for CMMC)
Week 3 to 4: Gap Assessment
- Complete the self-assessment checklist in Section 4 of this guide
- Score your current state against all 110 NIST 800-171 controls (for Level 2)
- Calculate your preliminary SPRS score
- Document all gaps in an initial POA&M
Week 5 to 8: Prioritize and Plan
- Rank gaps by risk and remediation effort
- Identify quick wins (items fixable in under 30 days with minimal investment)
- Develop a remediation budget and timeline
- Assign an internal CMMC lead or compliance point of contact
Week 9 to 12: Quick Wins
- Enable MFA on all accounts
- Activate encryption at rest on all endpoints
- Disable unnecessary services and ports
- Begin security awareness training
- Draft or update your System Security Plan
Milestone: By day 90, you should have a clear picture of your compliance posture, an accurate SPRS score, and a prioritized remediation roadmap.
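The preliminary SPRS score called for in the gap-assessment step above (and defined in the glossary as ranging from -203 to 110) can be computed with a short calculator. This is an added example, not the guide's or the DoD's own tooling: it follows the structure of the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unimplemented requirement's weight, partial credit only for MFA and FIPS cryptography, no score without an SSP), but its WEIGHTS table is a constructed subset with illustrative values, so a real score needs all 110 requirements with the weights from the methodology's Annex A.

```python
"""Preliminary SPRS score calculator (added example, not DoD tooling).

Structure follows the NIST SP 800-171 DoD Assessment Methodology:
start from 110, subtract each unimplemented requirement's weight
(5, 3 or 1 points), allow partial credit only for 3.5.3 (MFA) and
3.13.11 (FIPS-validated cryptography), and refuse to score when no
System Security Plan (3.12.4) exists.
"""
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203          # 110 minus the 313 points of possible deductions


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # earns credit only for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Constructed subset with illustrative weights: id -> (family, deduction).
# A real score needs all 110 requirements with the Annex A weights.
WEIGHTS = {
    "3.1.1":   ("AC", 5),   # limit system access to authorized users
    "3.1.5":   ("AC", 3),   # least privilege
    "3.3.1":   ("AU", 5),   # create and retain audit logs
    "3.3.8":   ("AU", 1),   # protect audit information from deletion
    "3.5.3":   ("IA", 5),   # multi-factor authentication
    "3.8.3":   ("MP", 5),   # sanitize media before disposal
    "3.11.2":  ("RA", 5),   # vulnerability scanning
    "3.13.11": ("SC", 5),   # FIPS-validated cryptography for CUI
    "3.14.1":  ("SI", 5),   # identify and correct flaws (patching)
}

# Reduced deduction for a partial implementation:
# 3.5.3  - MFA on remote/privileged users but not the general population
# 3.13.11 - encryption in place but the module is not FIPS validated
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(control_id, status, weights=WEIGHTS):
    """Points lost for one requirement given its implementation status."""
    _family, weight = weights[control_id]
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and control_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control_id]
    return weight   # PARTIAL on any other requirement scores as not implemented


def sprs_score(results, weights=WEIGHTS, has_ssp=True):
    """Score `results` (id -> Status) against `weights`.  Requirements missing
    from `results` count as not implemented, the reading an assessor takes."""
    if not has_ssp:
        raise ValueError("no System Security Plan (3.12.4): cannot be scored")
    score = MAX_SCORE
    for cid in weights:
        score -= deduction(cid, results.get(cid, Status.NOT_IMPLEMENTED), weights)
    return score


def prioritized_gaps(results, weights=WEIGHTS):
    """POA&M seed: every requirement still losing points, biggest loss first."""
    gaps = []
    for cid, (family, _weight) in weights.items():
        status = results.get(cid, Status.NOT_IMPLEMENTED)
        points = deduction(cid, status, weights)
        if points:
            gaps.append((cid, family, status.value, points))
    return sorted(gaps, key=lambda g: (-g[3], g[0]))


def needs_partner(score, threshold=70):
    """The guide's rule of thumb: below 70 out of 110, bring in outside help."""
    return score < threshold


# Constructed sample: a contractor that has just finished the 90-day quick wins.
SAMPLE_RESULTS = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.5": Status.PARTIAL,          # no partial credit here -> full 3 points lost
    "3.3.1": Status.NOT_IMPLEMENTED,
    "3.3.8": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,          # MFA on admins and VPN only -> 3 instead of 5
    "3.8.3": Status.IMPLEMENTED,
    "3.11.2": Status.NOT_IMPLEMENTED,
    "3.13.11": Status.PARTIAL,        # BitLocker on, module not FIPS validated -> 3
    # 3.14.1 deliberately absent: unrecorded counts as not implemented (5)
}

if __name__ == "__main__":
    score = sprs_score(SAMPLE_RESULTS)
    print(f"preliminary SPRS score: {score} (range {MIN_SCORE}..{MAX_SCORE})")
    for cid, family, status, points in prioritized_gaps(SAMPLE_RESULTS):
        print(f"  {cid:8} {family}  {status:16} -{points}")
    if needs_partner(score):
        print("below 70: consider a compliance partner")
```

The sorted gap list doubles as the first draft of the POA&M: each row needs an owner and a deadline added before it is ready for an assessor.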
Months 4 to 6: Remediate Core Gaps
This phase is about closing the gaps that matter most.
- Migrate to GCC High or another FedRAMP Moderate-authorized cloud environment (if applicable)
- Deploy centralized logging and a SIEM solution
- Implement a formal vulnerability management program with regular scanning
- Establish and document your incident response plan
- Conduct your first tabletop exercise
- Implement role-based access controls and eliminate shared accounts
- Complete your SSP with control-by-control implementation details
- Begin formal security awareness training with phishing simulations
Milestone: By month 6, your major technical and procedural gaps should be closed or actively in remediation with documented timelines.
Months 7 to 12: Validate and Certify
This phase is about proving your compliance and preparing for assessment.
- Conduct an internal assessment or hire a compliance partner for a pre-assessment review
- Remediate any findings from the pre-assessment
- Finalize and review your SSP, POA&M, and all supporting documentation
- Submit your SPRS score and annual affirmation
- Engage a C3PAO and schedule your formal assessment (if required)
- Conduct a final readiness review 30 days before your scheduled assessment
- Complete your C3PAO assessment
Milestone: By month 12, you should be assessment-ready or certified.
When to Engage a Compliance Partner
Consider bringing in outside expertise if:
- You do not have dedicated cybersecurity staff
- Your SPRS score is below 70 (out of 110)
- You need to migrate to GCC High and have never done it before
- You are unsure how to scope your CUI boundary
- You want a pre-assessment review before engaging a C3PAO
- Your timeline is tight and you cannot afford trial and error
A good compliance partner does not just hand you a checklist. They work alongside your team to build sustainable security practices that survive the assessment and actually protect your business.
Key Terms Glossary
C3PAO (CMMC Third-Party Assessment Organization): An organization authorized by the Cyber AB to conduct CMMC Level 2 assessments.
CUI (Controlled Unclassified Information): Information that the government creates or possesses that requires safeguarding, as defined by the CUI Registry. Examples include technical drawings, export-controlled data, and personnel records.
Cyber AB (The Cyber AB, formerly CMMC Accreditation Body): The organization responsible for accrediting C3PAOs and certifying CMMC assessors.
DFARS (Defense Federal Acquisition Regulation Supplement): Regulatory clauses added to DoD contracts, including the clauses that mandate CMMC compliance.
DIB (Defense Industrial Base): The network of companies that provide products and services to the Department of Defense.
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center): The government entity that conducts Level 3 (Expert) assessments.
FCI (Federal Contract Information): Information provided by or generated for the government under contract that is not intended for public release. FCI is less sensitive than CUI.
FedRAMP (Federal Risk and Authorization Management Program): The government program that provides a standardized approach to security assessment for cloud products and services. GCC High is FedRAMP High authorized.
FIPS 140-2 (Federal Information Processing Standard): The standard that defines the security requirements for cryptographic modules. Encryption used to protect CUI must be FIPS 140-2 validated.
GCC High (Government Community Cloud High): Microsoft’s cloud environment designed to meet FedRAMP High and DoD requirements for handling CUI.
NIST SP 800-171: The National Institute of Standards and Technology publication that defines the 110 security controls required to protect CUI in non-federal systems. This is the foundation of CMMC Level 2.
NIST SP 800-172: The enhanced security requirements beyond 800-171, used as the basis for CMMC Level 3.
POA&M (Plan of Action and Milestones): A document that identifies known security deficiencies and outlines the plan, resources, and timeline for remediating them.
SPRS (Supplier Performance Risk System): The DoD system where contractors submit their self-assessment scores. Your SPRS score (ranging from -203 to 110) reflects your current compliance with NIST 800-171.
SSP (System Security Plan): The document that describes your information system, the security controls in place, and how those controls are implemented. Required for all CMMC Level 2 assessments.
About Capital Cyber
Who We Are
Capital Cyber is a cybersecurity firm based in Northern Virginia, serving defense contractors and government-adjacent organizations across the DMV region and nationwide. We provide managed IT with a security-first approach, meaning cybersecurity is not an afterthought bolted on to IT services. It is the foundation everything else is built on.
How We Help with CMMC
Our team has guided dozens of DIB contractors through CMMC readiness, from initial gap assessments through successful certification. We know what assessors look for because we have been through the process alongside our clients.
Our CMMC-relevant services include:
- CMMC Readiness Assessments: A thorough evaluation of your current security posture against all 110 NIST 800-171 controls, complete with a gap analysis and prioritized remediation plan.
- NIST 800-171 Gap Assessments: Detailed control-by-control analysis with accurate SPRS scoring and documentation support.
- Virtual Chief Security Officer (vCSO): Ongoing strategic security leadership for organizations that need expert guidance without the cost of a full-time CISO.
- Managed IT (Security-First): Day-to-day IT management built on a foundation of security best practices, including endpoint protection, patch management, and secure configurations.
- Penetration Testing: Identify exploitable vulnerabilities before an attacker or assessor does.
- 24/7 Security Operations Center (SOC): Continuous monitoring, threat detection, and incident response for your CUI environment.
- GCC High Migration: End-to-end migration planning and execution for Microsoft 365 GCC High.
- SSP and POA&M Development: Expert documentation that reflects your actual environment and satisfies assessor expectations.
Ready to Get Started?
If you have read this far, you are serious about CMMC compliance. The next step is a conversation.
Book a free consultation with Rick: capital-cyber.com/rick
Call us directly: (571) 410-3066
Visit our website: capital-cyber.com
We will help you understand exactly where you stand, what it will take to get compliant, and how to build a security program that protects your business long after the assessment is over.
Copyright 2025 Capital Cyber. All rights reserved. This guide is provided for informational purposes and does not constitute legal or regulatory advice. CMMC requirements are subject to change. Consult with a qualified compliance professional for guidance specific to your organization.
Capital Cyber | Leesburg/Ashburn, VA | (571) 410-3066 | capital-cyber.com
