CMMC 2.0 Implementation Guide

Defense Contractor Cybersecurity Maturity Certification

Overview

If you do business with the U.S. Department of Defense, CMMC 2.0 will determine whether you can be awarded contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification requires defense contractors to demonstrate, through assessment rather than attestation alone, a defined set of security requirements scaled to the sensitivity of the information they handle. This guide covers the three CMMC levels, the assessment process, and practical steps to prepare your organization for certification.

CMMC 2.0 Levels

Level 1 (Foundational)
  Requirements: the 15 basic safeguarding requirements of FAR 52.204-21, protecting FCI
  Assessment: annual self-assessment, with an annual affirmation recorded in SPRS; no POA&M is permitted at this level

Level 2 (Advanced)
  Requirements: the 110 security requirements of NIST SP 800-171 Rev 2, protecting CUI
  Assessment: triennial certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) for most CUI programs; triennial self-assessment for a subset of programs DoD designates; annual affirmation in either case

Level 3 (Expert)
  Requirements: all 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172
  Assessment: triennial government-led assessment by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which requires a Level 2 C3PAO certification first

Implementation Roadmap

  • Determine which CMMC level each contract requires from the level stated in the solicitation and the type of data handled (FCI only implies Level 1; CUI implies Level 2 or 3)
  • Scope the CUI environment: classify assets (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out-of-scope assets) and document CUI data flows
  • Conduct a gap assessment against the applicable NIST SP 800-171 requirements, scored with the DoD Assessment Methodology
  • Develop a System Security Plan (SSP) covering every in-scope asset, plus a Plan of Action and Milestones (POA&M) for any gaps the rules allow to be deferred; an assessment cannot proceed without a current SSP
  • Implement the required controls and remediate identified gaps
  • Conduct a mock assessment using the NIST SP 800-171A assessment procedures (examine, interview, test)
  • Engage a C3PAO for the formal assessment where Level 2 certification is required
  • Record results: self-assessment scores and annual affirmations are entered in the Supplier Performance Risk System (SPRS); C3PAO and DIBCAC results are recorded in CMMC eMASS and surfaced in SPRS

CUI Scoping and Data Flows

Proper scoping is critical to managing both cost and complexity. Identify exactly where CUI enters your organization, where it is stored and processed, and who has access. Many organizations reduce their CMMC scope by isolating CUI into a defined enclave rather than applying controls across the entire enterprise network; the enclave boundary must then be enforced with documented technical controls, and assets that protect the enclave (directory services, SIEM, patch and backup infrastructure, the VPN concentrator) remain in scope as security protection assets even when they never hold CUI. Document every CUI data flow with a diagram showing entry points, processing systems, storage locations, and transmission paths, including email, file transfer, and any external service providers. Review contracts, DFARS 252.204-7012 clauses, and contract data requirements lists to identify all CUI categories your organization handles.

Common Implementation Challenges

  • CUI identification and marking are often inconsistent across the organization, so CUI spreads beyond the intended enclave
  • Legacy systems and operational technology that cannot meet modern access control, logging, and FIPS-validated encryption requirements
  • Small and mid-size contractors lacking dedicated security staff and budgets
  • Confusion about the SPRS scoring methodology (110 points minus 1, 3, or 5 per unmet requirement) and which open items may legitimately sit on a POA&M
  • Subcontractor flow-down requirements creating cascading compliance obligations
  • Uncertainty about when a given solicitation will carry a CMMC requirement during the phased rollout

Assessment Preparation

Before your formal C3PAO assessment, conduct at least one internal mock assessment using the NIST SP 800-171A procedures. Test every requirement for both implementation and effectiveness: examine the artifacts, interview the people who operate the control, and test the control on a live system. Prepare evidence organized by requirement family, with each artifact dated and tied to the SSP statement it supports. Train your team on how to respond during assessor interviews. Common assessment failures include inability to demonstrate how controls operate in practice (not just that policies exist), missing evidence for requirements marked as implemented, and POA&M items that do not have realistic remediation plans. Note that a Level 2 POA&M is only permitted when the assessment score is at least 88 of 110, no deferred requirement is worth more than 1 point (with limited exceptions), and all items are closed within 180 days; otherwise the assessment simply fails.
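The scoring and POA&M rules behind the SPRS confusion noted under Common Implementation Challenges, and the POA&M limits described above, are easiest to see as code. The following is an added example written for this guide, not DoD or SPRS code. It scores a set of constructed findings with the DoD Assessment Methodology (110 minus each unmet requirement's 1, 3, or 5 point value, with partial credit for MFA and CUI encryption) and then applies the Level 2 POA&M eligibility rules as the author reads 32 CFR 170.21. The point table is a hand-picked subset of the real 110-entry table, and the list of 1-point requirements excluded from a POA&M is an assumption to verify against the current rule text.

```python
"""SPRS-style scoring and POA&M eligibility for a NIST SP 800-171 assessment.

Added example for this guide, not DoD code. Scoring follows the DoD Assessment
Methodology; the POA&M rules encode the author's reading of 32 CFR 170.21 and
should be verified against the current rule text before being relied on.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
POAM_MIN_SCORE = 88        # 80% of 110: below this no conditional certification
POAM_CLOSEOUT_DAYS = 180   # open POA&M items must be closed within 180 days

# Subset of the DoD Assessment Methodology point table, constructed for this
# example. The real table assigns a value to every one of the 110 requirements.
POINT_VALUE = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.5.3": 5, "3.5.7": 1,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.11": 5, "3.13.16": 1,
    "3.14.1": 5,
}

# Partial-credit cases in the methodology: MFA in place for remote and
# privileged users but not general users, and encryption in place but not
# FIPS-validated. Everything else is all-or-nothing.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that may not be deferred to a POA&M.
# Assumption: the author's reading of 32 CFR 170.21(a)(2); verify.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    req: str      # NIST SP 800-171 requirement identifier, e.g. "3.5.3"
    status: str   # "met", "partial" or "not_met"


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one finding."""
    if f.status == "met":
        return 0
    if f.status == "partial":
        if f.req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{f.req}: only 3.5.3 and 3.13.11 get partial credit")
        return PARTIAL_DEDUCTION[f.req]
    if f.status == "not_met":
        return POINT_VALUE[f.req]
    raise ValueError(f"unknown status {f.status!r}")


def sprs_score(findings: list[Finding]) -> int:
    """Score as entered in SPRS; goes negative when many 5-point items are unmet."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligible(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Whether the open items could sit on a Level 2 POA&M, with the blockers."""
    blockers: list[str] = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        blockers.append(f"score {score} is below the {POAM_MIN_SCORE} minimum")
    for f in findings:
        if f.status == "met":
            continue
        if f.req == "3.13.11" and f.status == "partial":
            continue  # non-FIPS encryption is the one >1-point item a POA&M may carry
        if deduction(f) > 1:
            blockers.append(f"{f.req} is worth {deduction(f)} points and cannot be deferred")
        if f.req in POAM_EXCLUDED:
            blockers.append(f"{f.req} is explicitly excluded from POA&Ms")
    return (not blockers, blockers)


def poam_closeout_deadline(conditional_cert_date: str) -> str:
    """ISO date by which every POA&M item must be closed."""
    start = date.fromisoformat(conditional_cert_date)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed sample: a mostly compliant enclave with non-FIPS encryption
    # and two 1-point gaps still open.
    sample = [
        Finding("3.1.1", "met"), Finding("3.1.2", "met"), Finding("3.1.20", "met"),
        Finding("3.13.11", "partial"),
        Finding("3.5.7", "not_met"), Finding("3.13.16", "not_met"),
    ]
    ok, why = poam_eligible(sample)
    print(sprs_score(sample), ok, why, poam_closeout_deadline("2026-01-01"))
```

Run the sample and the score is 105 with a POA&M permitted; add a partially implemented MFA finding (3.5.3, 3 points) and the score drops to 102 but the POA&M is no longer allowed, which is the case that most often surprises contractors who assume any score above 88 qualifies.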

Frequently Asked Questions

When does CMMC 2.0 become mandatory?

The CMMC program rule (32 CFR Part 170) took effect on December 16, 2024, and the companion DFARS acquisition rule phases CMMC requirements into solicitations over three years beginning in late 2025: Level 1 and Level 2 self-assessments first, then Level 2 C3PAO certification, then Level 3, with all applicable contracts carrying CMMC requirements by the end of the phase-in. Defense contractors should prepare now, because a C3PAO assessment must be scheduled and completed before award, not after.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding information the government releases publicly and simple transactional information. Controlled Unclassified Information (CUI) is information that a law, regulation, or government-wide policy requires to be handled with safeguarding or dissemination controls, as defined in 32 CFR Part 2002. CUI received under a contract is also FCI, but not all FCI is CUI: FCI alone requires Level 1, while CUI requires Level 2 or 3.

Can subcontractors be affected by CMMC?

Yes. Prime contractors must flow down CMMC requirements to subcontractors who handle FCI or CUI, and subcontractors need their own CMMC status at the level appropriate to the data they receive. A subcontractor that receives only FCI from a Level 2 prime needs Level 1, not Level 2; a subcontractor that receives CUI needs Level 2 at the same assessment type (self or C3PAO) the prime's contract specifies.

How much does CMMC certification cost?

Costs vary widely. Level 1 self-assessment is minimal cost. Level 2 with third-party assessment typically costs $50,000 to $250,000 for the assessment itself, plus implementation costs that can range from $100,000 to $1 million depending on the size and current state of the organization.

Can we use a managed service provider to meet CMMC requirements?

Yes. Many contractors use managed service providers, Managed Security Service Providers (MSSPs), or cloud-based CUI enclaves to reduce the burden. However, the contractor retains ultimate responsibility for compliance, and the provider becomes an External Service Provider (ESP) within the assessment scope. Cloud services that store, process, or transmit CUI must meet FedRAMP Moderate or an equivalent standard; other ESPs that handle CUI do not need their own CMMC certification under the final rule, but the services they provide are assessed as part of the contractor's assessment, so a shared responsibility matrix and the provider's own evidence must be available to the assessor.

© 2026 Hunto AI. Copyright. All Rights Reserved