CMMC 2.0 Compliance: Levels, SPRS & What Changed in 2026
Your level, self vs C3PAO, what must actually be posted in SPRS, the 2026 clause changes, real cost drivers, and the right provider category to talk to first — every claim sourced to the primary rule.
Editorial note. The Defense Compliance Report is an independent trade publication. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. Provider-matching forms may generate referral compensation. Disclosures appear at the point of recommendation. See our Methodology and Editorial & Advertising Policy.
Find your CMMC 2.0 compliance path.
If you read nothing else, read this. The table below maps your data-handling situation to the likely CMMC path, last verified June 30, 2026.
| Your situation | Likely CMMC path | Your first move |
|---|---|---|
| You handle FCI only (no CUI) | Level 1 (Self) | Confirm the clause, run the annual self-assessment, post result + affirmation in SPRS |
| You handle CUI; clause says Level 2 (Self) | Level 2 (Self) | Scope your systems, meet the 110 Rev. 2 requirements, post score + annual affirmation |
| You handle CUI; clause says Level 2 (C3PAO) | Level 2 (C3PAO) | Get readiness done first, then book an authorized C3PAO when assessment-ready |
| You support the most sensitive programs | Level 3 (DIBCAC) | Reach Final Level 2 (C3PAO) first, then the DIBCAC path |
| Unsure — or a prime just said "get Level 2" | Unknown — confirm it | Use Find My CMMC Path; ask your prime the right questions; do not upload CUI |
Map your path before you request a single quote.
Tell the Find My CMMC Path tool your required level, FCI/CUI scope, assessment type, cloud environment, and timeline. It maps your situation to the right provider category — C3PAO, RPO/RP, MSSP, GRC platform, or CUI enclave. No CUI required.
Find My CMMC Path →What does CMMC 2.0 compliance actually mean in 2026?
Let's define the moving parts once, plainly, then use them freely.
- CMMC (Cybersecurity Maturity Model Certification) is the DoD's program for verifying — through self-assessment or third-party assessment — that defense contractors actually meet the cybersecurity requirements they already agreed to.
- FCI(Federal Contract Information) is non-public information received or generated under a federal contract that isn't intended for public release.
- CUI (Controlled Unclassified Information) is more sensitive unclassified information the government requires you to safeguard.
- DIB is the Defense Industrial Base — the contractors and subcontractors that supply the DoD.
The reframe that saves people anxiety: CMMC didn't invent new security rules. It put teeth on old ones. The safeguards trace back to FAR 52.204-21 for FCI and to NIST SP 800-171 via DFARS 252.204-7012 for CUI — both contractual obligations for years. Under 32 CFR § 170.5, the CMMC Program does not alter existing FCI/CUI protection requirements — it provides a way to verifyimplementation. The shift is from “trust me” to “show me.”
What CMMC 2.0 compliance is not
This is where money gets wasted. CMMC 2.0 compliance is not:
- Buying a tool. Software helps manage evidence. It does not, by itself, satisfy CMMC.
- “Getting GCC High.” A government cloud can be part of your scope strategy. It is not a certification.
- “Having an SSP.” A System Security Plan is required, but a document describing intent is not the same as controls that survive an assessment.
- Always a C3PAO certification. Many contractors can self-assess. This is the single most expensive misunderstanding on the topic.
What changed when the Final Rule landed
- December 16, 2024 — 32 CFR Part 170, the CMMC Program Rule, takes effect. This rule defines the levels, assessment types, scoping, scoring, and affirmations.
- November 10, 2025 — the DFARS acquisition rule takes effect, letting contracting officers put CMMC requirements into solicitations and contracts.
- Phase 1: Nov. 10, 2025 – Nov. 9, 2026 — DoD focuses primarily on Level 1 and Level 2 self-assessments in applicable solicitations, with discretion to require Level 2 (C3PAO) on select contracts. DoD CIO CMMC.
Who needs CMMC 2.0 compliance?
Three audiences, three slightly different jobs
Primes. Read the solicitation. The required CMMC level and assessment type are identified in the contract, and your eligibility is tied to your CMMC status in SPRS before award (DFARS 252.204-7021).
Subcontractors and flow-down. Flow-down bites when you will process, store, or transmit FCI or CUI on the prime's behalf. A prime saying “be Level 2 by [date]” should trigger questions about scope and the specific requirement — not a panicked purchase. The fix starts with scope, not spend.
COTS-only and no-FCI/no-CUI work. CMMC requirements do not apply to acquisitions solely for COTS items, and they don't attach to systems that don't process, store, or transmit FCI or CUI. Important caveat: confirm it against your actual solicitation language and document whya given system is out of scope. “We think we're COTS-only” is not a position you want to discover was wrong at award.
Ask these before you spend a dollar
| Ask your contracting officer or prime | Why it matters |
|---|---|
| Which clause or flow-down requires CMMC? | The clause sets the requirement — confirm it exists. |
| Which CMMC level and assessment type? | Level 2 (Self) and Level 2 (C3PAO) are not the same project. |
| Will we process, store, or transmit FCI or CUI? | Data type drives your level and your scope. |
| Which of our systems are in scope? | Scope drives cost, timeline, and tooling. |
| Is it required at bid, at award, at an option year, or via subcontract flow-down? | Timing controls urgency — and your runway. |
Which CMMC level applies: Level 1, Level 2, or Level 3?
| CMMC level | Data trigger | What it requires | How it's verified | What goes to SPRS |
|---|---|---|---|---|
| Level 1 (Self) | FCI only | The 15 FAR 52.204-21(b)(1) safeguards | Annual self-assessment; no POA&Ms allowed | Self-assessment result + affirmation |
| Level 2 (Self) | CUI | All 110 NIST SP 800-171 Rev. 2 requirements (14 families) | Self-assessment every 3 years | Score, scope, CAGE codes, POA&M status; annual affirmation |
| Level 2 (C3PAO) | CUI requiring third-party assessment | All 110 NIST SP 800-171 Rev. 2 requirements | Authorized C3PAO assessment every 3 years | C3PAO submits via eMASS → SPRS; annual affirmation |
| Level 3 (DIBCAC) | Most sensitive CUI / highest-risk programs | Level 2 plus 24 selected NIST SP 800-172 requirements | Government (DCMA DIBCAC) assessment | DIBCAC results → SPRS; annual affirmation |
Level 1: “FCI only” doesn't mean “no work”
Level 1 is still a real obligation when a contract requires it. Under § 170.15, you must achieve a MET result on all 15 requirements, run the self-assessment annually, and submit both the result and an affirmation of compliance in SPRS before award. No POA&Ms are permitted at Level 1.
If you only handle FCI and never touch CUI, you almost certainly need Level 1 — and you do not need a C3PAO. Start with our CMMC Level 1 walkthrough instead.
Level 2: where most searchers get stuck
Level 2 is the decision point, because it comes in two flavors — Level 2 (Self) and Level 2 (C3PAO) — and the wrong assumption sends you to the wrong provider category and the wrong budget. The 110 requirements are identical either way; what differs is who verifies them. We give this its own section below.
Level 3: don't skip the prerequisite
Level 3 is not simply “Level 2 plus more controls.” Under § 170.18, you need a Final Level 2 (C3PAO) status for the Level 3 scope before the government (DCMA DIBCAC) conducts the Level 3 assessment. It applies to a narrow set of contractors on the most sensitive programs.
Not sure if your contract requires self-assessment or a C3PAO?
Tell the path tool your level, FCI/CUI handling, assessment type, and timeline — it maps you to the right category before you spend anything.
Check my assessment path →The CMMC 2.0 Contract-Eligibility & Provider-Category Matrix
The full version of the quick table above — maps your data and contract situation to the CMMC path, assessment and reporting mechanics, and the category of help to consider first. Last verified June 30, 2026.
| Your situation | Likely CMMC path | Assessment & reporting | First provider category to consider | Category to avoid first | Primary source |
|---|---|---|---|---|---|
| You don't process, store, or transmit FCI/CUI — or the award is COTS-only | CMMC may not apply | Confirm solicitation/flow-down language; document why the system is out of scope | Contracts attorney or RP/RPO for scope confirmation | A C3PAO | DFARS rule COTS exclusion; § 170.3 |
| You handle FCI only | Level 1 (Self) | Annual self-assessment; result + affirmation in SPRS; no POA&Ms | RP/RPO if unsure; light internal readiness | A C3PAO | § 170.15 |
| You handle CUI; the clause requires Level 2 (Self) | Level 2 (Self) | Self-assessment every 3 yrs; score, scope, CAGE codes in SPRS; annual affirmation; 180-day closeout if Conditional | RP/RPO + MSSP / GRC / enclave, depending on your environment | A C3PAO as your first call | § 170.16 |
| You handle CUI; the clause requires Level 2 (C3PAO) | Level 2 (C3PAO) | Authorized C3PAO every 3 yrs; C3PAO submits via eMASS → SPRS; annual affirmation | Readiness first (RP/RPO, MSSP, GRC, enclave); then an independent C3PAO when assessment-ready | One firm that both remediates and certifies the same engagement | § 170.17 |
| You support a Level 3 program | Level 3 (DIBCAC) | Final Level 2 (C3PAO) first; DCMA DIBCAC performs Level 3; eMASS → SPRS | Specialized Level 3 readiness, architecture, and evidence support | A generic Level 2-only provider | § 170.18 |
| You use a cloud service provider for CUI in a Level 2 (C3PAO) scope | Still Level 2 — cloud architecture becomes assessment-critical | CSP must meet FedRAMP Moderate (or equivalent); on-prem connections and the responsibility matrix are in scope | CUI enclave / GCC High / GovCloud implementer + SSP/CRM support | Buying cloud licenses without a scoped SSP/CRM | § 170.19 |
| You use an external service provider (ESP) that handles CUI | The ESP relationship must be documented and assessed in scope | Document the ESP, its service description, the responsibility matrix, and the SSP relationship | MSSP / managed compliance / evidence support | Treating the ESP as automatically out of scope | § 170.19 |
Do you need a Level 2 self-assessment or a C3PAO assessment?
Level 2 (Self)
You assess your own environment against all 110 requirements every three years, post the score in SPRS, and submit an annual affirmation. If you qualify for a Conditionalstatus using an allowed POA&M, you have 180 days to close it out and reach Final. Keep your assessment artifacts — the rule requires retention for six years from the CMMC Status Date.
Level 2 (C3PAO)
A Certified Third-Party Assessment Organization (C3PAO) — a firm authorized by the Cyber AB to conduct official CMMC Level 2 assessments — performs the assessment, submits results through eMASS, and those results flow to SPRS. Same 110 requirements, same 180-day Conditional-to-Final window, same annual affirmation. The difference is independence: a third party signs off, not you.
The independence rule buyers miss
A Registered Practitioner or Registered Provider Organization (RP/RPO) — the Cyber AB's category for consultants who help you prepare — provides readiness and advisory services, and RPs cannot serve on the assessment team that certifies you (Cyber AB terminology). Under 32 CFR Part 170, C3PAOs must follow the Cyber AB's conflict-of-interest and Code of Professional Conduct policies (§ 170.9), and under those policies a C3PAO generally cannot assess an organization it provided CMMC consulting to within the previous three years. Keep readiness help and formal assessment separate. If a single vendor offers to “prepare you and certify you,” ask exactly how they handle the conflict-of-interest boundary — and get the answer in writing.
A verification point worth knowing as a buyer
In 2025, the DoD OIG reviewed how C3PAOs get authorized and found the process wasn't being implemented effectively — in a review of 11 C3PAOs, the OIG found authorized firms without required agreements, certifications, or quality-control leads on file (DODIG-2025-056). Always verify current authorization status directly in the Cyber AB Marketplace before contracting.
Level 2 is not the same as “hire a C3PAO.” Many contractors qualify for Level 2 (Self). Confirm the assessment type from your contract clause before selecting any provider.
What must you actually post in SPRS — and what counts as a CMMC status?
Three things people blur together — and the distinction matters at award:
- A NIST SP 800-171 self-assessment scoreis the number you've been posting under DFARS 7012-era requirements. SPRS stores that scoring information.
- A CMMC status is the formal result of a CMMC assessment — Final Level 1 (Self), Conditional/Final Level 2 (Self), Conditional/Final Level 2 (C3PAO), or the Level 3 equivalents — stored in SPRS, and presented on a Certificate of CMMC Status when a C3PAO or DIBCAC performs the assessment.
- An affirmationis a senior official's attestation of ongoing compliance, submitted in SPRS at the time of assessment and annually thereafter (§ 170.22). Miss the affirmation and your status can lapse even if your controls are solid.
| CMMC record | Who enters the result | How it reaches SPRS | Frequency | Source |
|---|---|---|---|---|
| Level 1 (Self) result + affirmation | You (your organization) | Entered directly in SPRS | Self-assess annually; affirm each time | § 170.15 |
| Level 2 (Self) score + affirmation | You (your organization) | Entered directly in SPRS | Self-assess every 3 years; affirm annually | § 170.16 |
| Level 2 (C3PAO) result + affirmation | Authorized C3PAO (result); you (affirmation) | C3PAO → eMASS → SPRS | Assess every 3 years; affirm annually | § 170.17 |
| Level 3 (DIBCAC) result + affirmation | DCMA DIBCAC (result); you (affirmation) | DIBCAC → eMASS → SPRS | Per the rule; affirm annually | § 170.18 |
What “current” means under DFARS 252.204-7021
Eligibility depends on your status being current: Level 1 (Self): not older than 1 year, with a current affirmation. Level 2 (Self) and Level 2 (C3PAO): not older than 3 years, with an annual affirmation in between. Conditionalstatuses carry the 180-day POA&M closeout window.
What changed in 2026: the FAR/DFARS overhaul and your clause numbers
The 2026 CMMC clause crosswalk
| Old citation | Post-deviation citation | Status under the Feb. 2026 deviation | What it means for you |
|---|---|---|---|
| DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements | (not prescribed) | Not used in new DoD deviation solicitations; still visible in the codified DFARS during the transition | The old standalone self-assessment / SPRS-upload provision isn't cited in new deviation solicitations. Read CMMC notice and status mechanics through 252.204-7021 and 252.204-7025. |
| DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements | DFARS 252.240-7997 | Renumbered + revised in new DFARS Part 240; legacy 7020 still in the codified DFARS | Moved to Part 240; "Basic" references removed. The clause now defines only Medium and High assessments, both performed by the government (DIBCAC). |
| DFARS 252.204-7012 — Safeguarding CDI & Cyber Incident Reporting | 252.204-7012 (unchanged) | Unchanged | Still requires NIST 800-171 implementation, 72-hour incident reporting, and flow-down. The foundation did not move. |
| DFARS 252.204-7021 — CMMC Requirements | 252.204-7021 (unchanged) | Unchanged | The CMMC clause. Eligibility is tied to your CMMC status; you flow CMMC requirements down to subs. |
| DFARS 252.204-7025 — CMMC notice provision | 252.204-7025 (unchanged) | Unchanged | The CMMC notice provision is not changed by the deviation. |
| FAR 52.204-21 — Basic safeguarding (Level 1) | FAR 52.240-93 | Relocated under the deviation; numbering not yet final (see below) | The 15 Level 1 safeguards moved under the overhauled FAR. CMMC Level 1 still references these safeguards. |
Don't treat this crosswalk as permanent. On June 23, 2026, the FAR Council moved the Revolutionary FAR Overhaul from class deviations into formal notice-and-comment rulemaking (FAR Case 2026-001, published in the Federal Register, comments due July 23, 2026). That process could change clause numbers again before anything is final. Use the numbers above for the deviation in force today, and verify the exact clause text against your actual solicitation.
The numbering is in flux; your obligation isn't.
If you're reviewing a solicitation or flow-down, map your specific situation to the right provider category. No CUI required.
Map my CMMC path →The CMMC Final Rule establishes the three-level certification program, the assessment regime, and the implementation phases. Published in the Federal Register on October 15, 2024; effective December 16, 2024.
View at Federal RegisterWhat does NIST SP 800-171 Rev. 2 have to do with CMMC 2.0 compliance?
Here's the costly trap: NIST released SP 800-171 Revision 3 in May 2024, and in NIST's own catalog, Revision 3 supersedes Revision 2. A reasonable person reads “Rev. 3 is current” and starts building to it. For CMMC, that's the wrong target right now.
- Build CMMC Level 2 to Revision 2. That's what gets assessed.
- Watch Revision 3 for planning. A future rulemaking could move CMMC to Rev. 3 — but until that rule changes, Rev. 2 governs.
- Don't let a vendor “future-proof” you onto Rev. 3 as if it's the current requirement. It isn't.
The 110 security requirements organized into 14 control families that constitute the substantive Level 2 control set referenced in the CMMC Final Rule. CMMC Level 2 is assessed against Rev. 2 — not Rev. 3 — under the current rule.
View at NISTWhat does CMMC 2.0 compliance cost, how long does it take, and who do you talk to first?
| Cost driver | Why it changes the number |
|---|---|
| CMMC level / assessment type | Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) are different work profiles entirely. |
| Scope | Fewer in-scope systems means less tooling, less evidence, and a smaller assessment. Scope is the lever. |
| CUI footprint | CUI scattered across email, file shares, ERP, CAD, ticketing, backups, and MSP tools expands the whole problem. |
| Starting maturity | Missing MFA, logging, asset inventory, an SSP, or incident response means real remediation, not paperwork. |
| Cloud / ESP use | A CSP handling CUI must meet FedRAMP Moderate (or equivalent); your ESPs and the responsibility split between you and them are in scope (§ 170.19). |
| Evidence readiness | Passing requires proof an assessor can examine, interview, and test — not just tools you bought. |
| Timeline | Emergency remediation costs more and produces worse decisions. Runway is money. |
A cost reality some readers need to hear
Not every small subcontractor should buy a full Level 2 program. If DoD work is a thin slice of your revenue, your margins are tight, and your CUI exposure can be contained, the smarter first move may be to reduce scope, ask your prime sharper flow-down questions, or — sometimes — walk away from low-margin CUI workrather than spending six figures into the wrong path. If that's you, start with the CMMC Level 1 path and scope reduction first.
For the rest: hold one principle — separate readiness from assessment. Get your environment right with a readiness partner (RPO/MSSP), manage evidence with a GRC platform if it helps, contain CUI in an enclave if that shrinks your scope — then engage an independent C3PAO when you're assessment-ready. For dollar-level detail by level and company size, see our CMMC Level 2 cost guide.
Before you price vendors, make sure you're not pricing the wrong scope.
The most expensive CMMC mistake is buying a platform, an enclave, or a C3PAO slot before confirming scope. Run your situation through the path tool — level, FCI/CUI handling, environment, assessment type, deadline — and it'll point you to the category to compare first. No CUI required.
Which CMMC provider category should you talk to first?
The right first provider is usually nota C3PAO. Most contractors need scoping, readiness, architecture, documentation, managed security, evidence workflow, or enclave decisions before a formal assessment. A C3PAO belongs when you're assessment-ready or the contract specifically requires Level 2 (C3PAO).
| Provider category | Use when… | Don't treat it as… | What to verify before you hire |
|---|---|---|---|
| RP / RPO (Registered Practitioner / Registered Provider Organization) | You need scoping, readiness planning, SSP/POA&M help, or rule interpretation | A certifying assessor | Cyber AB status, role, deliverables, and conflict-of-interest boundaries |
| MSP / MSSP / vCISO | You need implementation, monitoring, identity, logging, endpoint, incident response | A substitute for your own compliance accountability | CMMC experience, CUI handling, SSP/CRM support, and the evidence they produce |
| GRC platform | You need workflow, evidence management, SSP/POA&M tracking, control mapping | Proof that controls are actually implemented | Exportable, assessor-ready evidence and accurate Rev. 2 mapping |
| CUI enclave | You want to contain CUI in a smaller, controlled environment to shrink scope | A magic shortcut that erases all scope | CSP/ESP responsibilities, the responsibility matrix, and CUI entry/exit points |
| C3PAO (Certified Third-Party Assessment Organization) | You're ready for a Level 2 (C3PAO) assessment, or the contract requires it | A readiness implementer for the same engagement | Current authorized status in the Cyber AB Marketplace, scope, availability, COI rules |
| DIBCAC path | You have a Level 3 requirement | General Level 2 readiness | Final Level 2 (C3PAO) prerequisite, Level 3 scope, DIBCAC expectations |
Get matched to the right category — before you talk to vendors.
Once you know whether you need readiness, software, an enclave, or an assessor, the conversations get cheaper and faster. Tell us your level, scope, environment, assessment type, and timeline, and we'll help you compare source-checked provider options in the categories that fit your situation.
Get matched with source-checked provider options →The most expensive CMMC 2.0 compliance mistakes — and how to avoid them
- “We have CUI, so we need a C3PAO immediately.” Maybe. Not always. Level 2 can be self-assessed or C3PAO-assessed depending on the contract (§ 170.16, § 170.17). Confirm the requirement before you book an assessor.
- “We posted our NIST score, so CMMC is handled.” A stored NIST score isn't a CMMC status, and it isn't an affirmation. SPRS has CMMC-specific entry and affirmation steps (SPRS – CMMC). Check the record type.
- “Rev. 3 superseded Rev. 2, so Rev. 3 is the CMMC requirement.” NIST's catalog status and CMMC's incorporated text are two different questions. CMMC Level 2 is tied to Revision 2 under the current rule (§ 170.14).
- “A POA&M buys us unlimited time.” It buys a narrow, rule-bound window. Under 32 CFR § 170.21: Level 1 allows no POA&Ms at all; a Conditional Level 2 requires your score to be at least 88 of 110; only 1-point requirements are POA&M-eligible — every 3-point and 5-point requirement must be MET at assessment; six specific 1-point requirements are excluded by name (including your System Security Plan); there is one narrow exception for CUI-encryption (SC.L2-3.13.11) if encryption is present but not FIPS-validated; and everything on the POA&M must be closed within 180 days or the Conditional status expires.
- “The provider will tell us what level we need.” The contract clause, flow-down, and your FCI/CUI handling set the path. Providers interpret and implement; they don't set your legal requirement. The DoD reserves the right to run its own DIBCAC assessment, and those results take precedence over a pre-existing status. “Marked implemented” has to mean “demonstrable.”
What if you're not ready when the CMMC clause appears?
You have more options than “panic” or “miss the bid” — but they all start with confirming scope.
| Option | When it fits | The catch |
|---|---|---|
| Scope reduction | You can keep CUI out of certain systems or workflows | Requires prime/contract clarity on what's truly in scope |
| Level 1 / no-CUI path | You only handle FCI | A prime may still ask for proof of your Level 1 status |
| Readiness sprint | You have a real deadline and a definable scope | Rushed remediation is expensive and fragile |
| Enclave strategy | CUI is limited and can be contained | A poorly designed enclave can fail the assessment |
| C3PAO scheduling | You're close to assessment-ready and the contract requires it | A booked slot is not the same as being ready — and slots are scarce |
| Decline low-margin CUI work | DoD revenue can't justify the spend | A business tradeoff, not a compliance failure |
What we actually verified for this guide
We don't ask you to take our word for any of it. Here's what we read and cross-checked on June 30, 2026, and what each source supports.
| Source we checked | What it supports |
|---|---|
| 32 CFR Part 170 / eCFR (§§ 170.14–170.24) | The three levels, the 15/110/24 counts, assessment paths, POA&M and affirmation rules, scoping, scoring, Rev. 2 mapping, Level 3 prerequisite |
| Federal Register — CMMC Program Rule | Effective date (Dec. 16, 2024), purpose, "15 Level 1 requirements" |
| Federal Register — DFARS rule | Effective date (Nov. 10, 2025), phased implementation, COTS-only exclusion |
| Acquisition.gov — DFARS 252.204-7021 | "Current" status definitions, annual affirmation, eligibility tie-in |
| Defense Acquisition Regulations System — FAR/DFARS overhaul deviations | The Feb. 1, 2026 class-deviation clause changes (7019 not prescribed; 7020→252.240-7997; FAR 52.204-21→52.240-93) |
| Federal Register — RFO proposed rule, FAR Case 2026-001 | June 23, 2026 formal rulemaking — clause numbering is not yet final |
| 32 CFR § 170.21 | POA&M rules: 0.8 threshold (88 of 110), 1-point-only eligibility, the encryption exception, six excluded requirements, 180-day closeout |
| NIST CSRC — SP 800-171 Rev. 3 and SP 800-172 | Revision 3 / 800-172 publication status vs. CMMC's incorporated Rev. 2 |
| SPRS — CMMC and NIST SP 800-171 | NIST score storage vs. CMMC record entry and affirmation |
| Cyber AB — Terminology | C3PAO, RP/RPO definitions and the assessment-team independence rule |
| DoD CIO — CMMC | Phase 1 dates and the SPRS affirmation reminder |
| DoD OIG — DODIG-2025-056 | C3PAO authorization-process findings → "verify current authorization status" |
Get matched with CMMC solution providers.
Tell us your situation. We'll connect you with matched providers that fit your level, scope, and timeline. Free. No obligation.
Frequently asked questions about CMMC 2.0 compliance.
CMMC 2.0 is the Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on the systems they use to perform DoD work. The program defines three certification levels and an assessment regime, codified at 32 CFR Part 170 (the CMMC Program Rule, published in the Federal Register on October 15, 2024, and effective December 16, 2024) and flowed into contracts through DFARS 252.204-7021. The exact controls and assessment scope you face are driven by your contract clause and the sensitivity of the CUI you handle. Consult a CMMC Registered Practitioner (RP/RPO) or qualified attorney before making compliance decisions for your contracts.
The 32 CFR Part 170 CMMC Program Rule became effective on December 16, 2024. The DFARS implementation rule (DFARS 252.204-7021) became effective on November 10, 2025. DoD describes Phase 1 as running from November 10, 2025 through November 9, 2026, and that phase focuses primarily on Level 1 and Level 2 self-assessment requirements. During the phased rollout, CMMC requirements appear in a covered contract when the DoD program office or requiring activity applies a CMMC requirement to that solicitation or contract. The binding requirement for any specific contract is the solicitation language, contract clause, or flow-down — including the specified Level, assessment type, timeline, and scope. Confirm the requirement that applies to each contract with the contracting officer and legal counsel.
Level 1 (Foundational) covers contractors who handle FCI only and consists of 15 basic safeguarding practices aligned to FAR 52.204-21; it is satisfied by an annual self-assessment. Level 2 (Advanced) covers contractors who handle CUI and maps to the 110 NIST SP 800-171 Revision 2 security requirements; depending on the contract clause and CUI sensitivity, Level 2 is satisfied by a triennial self-assessment or a triennial C3PAO assessment, each with annual affirmation. Level 3 (Expert) adds a subset of enhanced controls from NIST SP 800-172 and is assessed by the DoD's DIBCAC for the most sensitive CUI. Your Level is set by the contract clause, not by self-selection.
Federal Contract Information (FCI) is non-public information provided by or generated for the government under a contract to develop or deliver a product or service, excluding information the government provides to the public. Controlled Unclassified Information (CUI) is information the government creates or possesses that requires safeguarding or dissemination controls under law, regulation, or government-wide policy; CUI categories are defined by the National Archives CUI Registry and CUI handling is governed by 32 CFR Part 2002. CMMC Level 1 covers FCI; Levels 2 and 3 cover CUI at increasing sensitivity. The distinction drives both the controls required and the assessment type.
Whether you self-assess or undergo a C3PAO assessment is determined by your contract clause and your CMMC Level. Level 1 is self-assessment annually. Level 2 is split: some Level 2 contracts require a triennial self-assessment and others require a triennial C3PAO assessment; both require annual affirmation. The split is based on contract type and CUI sensitivity. Level 3 requires a DIBCAC assessment. Confirm with the contracting officer which path applies to a specific contract — do not infer it from your Level alone. The Cyber AB Marketplace is the authoritative source for current C3PAO authorization status.
NIST SP 800-171 has been the substantive security requirement for protecting CUI on contractor systems for years, flowed into DoD contracts via DFARS 252.204-7012. CMMC Level 2 maps directly to the 110 NIST SP 800-171 Revision 2 security requirements and adds an assessment regime — meaning third-party verification through an authorized C3PAO where the contract requires it, rather than self-attestation alone. CMMC does not invent a new control set at Level 2; it adds verification rigor on top of NIST SP 800-171 Revision 2.
Costs vary materially by Level, scope, starting maturity, and CUI volume. For small-to-mid DIB companies, a Level 2 self-assessment readiness engagement commonly runs $50K to $150K; a Level 2 C3PAO assessment readiness program for a mid-size DIB commonly runs $150K to $500K or more, plus the C3PAO assessment fee (which is a separate engagement and must be performed by an organization that did not provide the readiness work). Beyond the readiness program, expect ongoing software, MSSP, and audit-cycle costs. Always get multiple quotes against the same defined scope — there is no published rate card across the market.
Typical engagement timelines run 6 to 18 months from kickoff to a defensible compliance posture, depending on starting maturity, CUI scope complexity, the cloud environment in use (Microsoft 365 GCC High and AWS GovCloud have distinct readiness curves), and the Level. Companies that approach CMMC as a multi-quarter program with executive sponsorship and dedicated budget consistently get certified faster and at lower cost than those that approach it as an emergency. Any provider promising guaranteed certification outcomes or a fixed 90-day timeline should be treated with skepticism.
The Cyber AB is the accreditation body designated by the DoD to authorize and oversee the CMMC ecosystem — including Certified Third-Party Assessment Organizations (C3PAOs), Registered Provider Organizations (RPOs), and the credentialing of individual Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA). C3PAOs are the organizations authorized to conduct Level 2 C3PAO assessments. RPOs provide readiness consulting but do not conduct C3PAO assessments. The Cyber AB Marketplace is the authoritative source for current C3PAO authorization and RPO/CCP/CCA status — verify directly before engaging any provider. The Defense Compliance Report is not affiliated with the Cyber AB.
A Plan of Action and Milestones (POA&M) is a documented plan for closing identified gaps against a control set within a defined timeframe. Under the CMMC Final Rule, POA&Ms are permitted in narrow circumstances for a subset of Level 2 controls — not as a substitute for substantive control implementation, and not at all for the highest-weighted controls. The specific allowable POA&M conditions and closure timeframes are set in 32 CFR Part 170. Treat POA&M eligibility as a per-control determination, not a blanket allowance, and verify with the rule text and a Registered Practitioner.
ISO 27001 and SOC 2 indicate an established information security program, which materially shortens CMMC readiness work in practice — but neither substitutes for CMMC. The control sets only partially overlap with NIST SP 800-171 Revision 2, and the CMMC assessment regime is distinct from ISO and SOC audit regimes. Expect to map your existing controls to NIST SP 800-171 Revision 2 (the gap is real but typically narrower than starting cold), perform a gap remediation against the remainder, and then follow the assessment type required by your contract clause. Existing FedRAMP authorization at the relevant impact level can carry substantial weight for the cloud-platform portion of your inheritance, but does not extend automatically to your in-scope on-premises systems.
Once your contract incorporates the CMMC requirement at the applicable Level, certification at that Level is a condition of award and ongoing performance under the contract. The practical consequence of not being certified by the deadline is contract ineligibility — for award, for renewal, and in some cases for continued performance — at the discretion of the contracting officer and the relevant DoD program office. Specific contract remedies depend on the contract language and the contracting officer's determination. This is a question to escalate to your contracts manager and legal counsel as soon as a CMMC requirement appears in a contract or pre-solicitation.
You don't need to memorize a 110-control list today.
You need to know your level, your assessment type, what's in scope, and the right kind of help — in that order.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.
About The Defense Compliance Report Editorial Team
We are an independent editorial team covering CMMC 2.0 and DIB compliance. We do not accept editorial-approval rights from sponsors. Methodology, corrections, and editorial standards are published in full. More about the team →
CMMC compliance guides for defense contractors.
Provider Guides
Compliance Decisions
Get the CMMC Readiness Checklist.
A 32-point checklist mapped to NIST SP 800-171 Revision 2 control families. Use it to gauge where your organization stands before engaging a provider.
- Scoping & CUI inventory
- SSP and POA&M baseline
- The 14 NIST 800-171 control families
- SPRS posting checklist
- Assessment type decision tree