The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Independent Research · Updated

CMMC 2.0 Compliance: Levels, SPRS & What Changed in 2026

Your level, self vs C3PAO, what must actually be posted in SPRS, the 2026 clause changes, real cost drivers, and the right provider category to talk to first — every claim sourced to the primary rule.

Free · 2-minute assessment · No obligation · Educational triage only · Do not submit CUI, drawings, or sensitive contract details.

Nov 10, 2026

Phase 2: Level 2 (C3PAO) required in applicable DoD solicitations

110 reqs

NIST SP 800-171 Rev. 2 requirements at Level 2 — assessed by self or C3PAO per your contract

15 reqs

FAR 52.204-21(b)(1) basic safeguards at Level 1 — annual self-assessment, no POA&Ms

Editorial note. The Defense Compliance Report is an independent trade publication. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. Provider-matching forms may generate referral compensation. Disclosures appear at the point of recommendation. See our Methodology and Editorial & Advertising Policy.

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

This article is educational and is not legal, contractual, or compliance advice. CMMC requirements vary by contract, scope, and CUI handling specifics. Consult a CMMC Registered Practitioner (RP/RPO) or qualified attorney before making compliance decisions.

Research approach documented at Methodology. This guide is editorial research not formally reviewed by a Subject Matter Advisor — Editorial Review Process.

Start Here

Find your CMMC 2.0 compliance path.

If you read nothing else, read this. The table below maps your data-handling situation to the likely CMMC path, last verified June 30, 2026.

Your situationLikely CMMC pathYour first move
You handle FCI only (no CUI)Level 1 (Self)Confirm the clause, run the annual self-assessment, post result + affirmation in SPRS
You handle CUI; clause says Level 2 (Self)Level 2 (Self)Scope your systems, meet the 110 Rev. 2 requirements, post score + annual affirmation
You handle CUI; clause says Level 2 (C3PAO)Level 2 (C3PAO)Get readiness done first, then book an authorized C3PAO when assessment-ready
You support the most sensitive programsLevel 3 (DIBCAC)Reach Final Level 2 (C3PAO) first, then the DIBCAC path
Unsure — or a prime just said "get Level 2"Unknown — confirm itUse Find My CMMC Path; ask your prime the right questions; do not upload CUI

Map your path before you request a single quote.

Tell the Find My CMMC Path tool your required level, FCI/CUI scope, assessment type, cloud environment, and timeline. It maps your situation to the right provider category — C3PAO, RPO/RP, MSSP, GRC platform, or CUI enclave. No CUI required.

Find My CMMC Path →
What It Means

What does CMMC 2.0 compliance actually mean in 2026?

CMMC 2.0 compliance means holding the Cybersecurity Maturity Model Certification status that a DoD solicitation, contract, subcontract, or prime flow-down requires for the systems that process, store, or transmit FCI or CUI. The program is established by 32 CFR Part 170 (effective December 16, 2024) and brought into contracts by the DFARS rule (effective November 10, 2025). When the clause applies, it is a condition of award eligibility — not a voluntary standard.

Let's define the moving parts once, plainly, then use them freely.

The reframe that saves people anxiety: CMMC didn't invent new security rules. It put teeth on old ones. The safeguards trace back to FAR 52.204-21 for FCI and to NIST SP 800-171 via DFARS 252.204-7012 for CUI — both contractual obligations for years. Under 32 CFR § 170.5, the CMMC Program does not alter existing FCI/CUI protection requirements — it provides a way to verifyimplementation. The shift is from “trust me” to “show me.”

What CMMC 2.0 compliance is not

This is where money gets wasted. CMMC 2.0 compliance is not:

What changed when the Final Rule landed

A note on names: The DoD now uses “Department of War” as a secondary title under Executive Order 14347 (signed Sept. 5, 2025), and you'll see “war.gov” and “DoW CIO” on official sites. The statutory entity — and the agency named in 32 CFR Part 170 and the DFARS — is still the Department of Defense. Same rules, same clauses.
Who Needs It

Who needs CMMC 2.0 compliance?

You need CMMC 2.0 compliance when a DoD solicitation, contract, subcontract, or flow-down requires a CMMC status for systems that process, store, or transmit FCI or CUI. The requirement is contract-driven: the DoD program manager selects the CMMC level for each acquisition based on the FCI/CUI involved, and it shows up in the solicitation (32 CFR § 170.3).

Three audiences, three slightly different jobs

Primes. Read the solicitation. The required CMMC level and assessment type are identified in the contract, and your eligibility is tied to your CMMC status in SPRS before award (DFARS 252.204-7021).

Subcontractors and flow-down. Flow-down bites when you will process, store, or transmit FCI or CUI on the prime's behalf. A prime saying “be Level 2 by [date]” should trigger questions about scope and the specific requirement — not a panicked purchase. The fix starts with scope, not spend.

COTS-only and no-FCI/no-CUI work. CMMC requirements do not apply to acquisitions solely for COTS items, and they don't attach to systems that don't process, store, or transmit FCI or CUI. Important caveat: confirm it against your actual solicitation language and document whya given system is out of scope. “We think we're COTS-only” is not a position you want to discover was wrong at award.

Ask these before you spend a dollar

Ask your contracting officer or primeWhy it matters
Which clause or flow-down requires CMMC?The clause sets the requirement — confirm it exists.
Which CMMC level and assessment type?Level 2 (Self) and Level 2 (C3PAO) are not the same project.
Will we process, store, or transmit FCI or CUI?Data type drives your level and your scope.
Which of our systems are in scope?Scope drives cost, timeline, and tooling.
Is it required at bid, at award, at an option year, or via subcontract flow-down?Timing controls urgency — and your runway.
The Three Levels

Which CMMC level applies: Level 1, Level 2, or Level 3?

Level 1 covers FCI and maps to the 15 basic safeguarding requirements in FAR 52.204-21(b)(1). Level 2 covers CUI and is identical to the 110 requirements in NIST SP 800-171 Revision 2 across 14 families. Level 3 adds 24 selected requirements from NIST SP 800-172 and requires a Final Level 2 (C3PAO) status first. These counts and mappings are fixed in 32 CFR § 170.14.
CMMC levelData triggerWhat it requiresHow it's verifiedWhat goes to SPRS
Level 1 (Self)FCI onlyThe 15 FAR 52.204-21(b)(1) safeguardsAnnual self-assessment; no POA&Ms allowedSelf-assessment result + affirmation
Level 2 (Self)CUIAll 110 NIST SP 800-171 Rev. 2 requirements (14 families)Self-assessment every 3 yearsScore, scope, CAGE codes, POA&M status; annual affirmation
Level 2 (C3PAO)CUI requiring third-party assessmentAll 110 NIST SP 800-171 Rev. 2 requirementsAuthorized C3PAO assessment every 3 yearsC3PAO submits via eMASS → SPRS; annual affirmation
Level 3 (DIBCAC)Most sensitive CUI / highest-risk programsLevel 2 plus 24 selected NIST SP 800-172 requirementsGovernment (DCMA DIBCAC) assessmentDIBCAC results → SPRS; annual affirmation

Sources: § 170.15, § 170.16, § 170.17, § 170.18.

Level 1: “FCI only” doesn't mean “no work”

Level 1 is still a real obligation when a contract requires it. Under § 170.15, you must achieve a MET result on all 15 requirements, run the self-assessment annually, and submit both the result and an affirmation of compliance in SPRS before award. No POA&Ms are permitted at Level 1.

Primary-source clarity (because the internet can't agree): Some pages say Level 1 has “17 practices.” The CMMC Program Rule says 15— “the 15 Level 1 requirements listed in the 48 CFR 52.204-21(b)(1)” (§ 170.4). The “17” figure comes from NIST assessment objectives — NIST splits one requirement into three, so 15 requirements correspond to 17 objectives. The requirement count is 15.

If you only handle FCI and never touch CUI, you almost certainly need Level 1 — and you do not need a C3PAO. Start with our CMMC Level 1 walkthrough instead.

Level 2: where most searchers get stuck

Level 2 is the decision point, because it comes in two flavors — Level 2 (Self) and Level 2 (C3PAO) — and the wrong assumption sends you to the wrong provider category and the wrong budget. The 110 requirements are identical either way; what differs is who verifies them. We give this its own section below.

Level 3: don't skip the prerequisite

Level 3 is not simply “Level 2 plus more controls.” Under § 170.18, you need a Final Level 2 (C3PAO) status for the Level 3 scope before the government (DCMA DIBCAC) conducts the Level 3 assessment. It applies to a narrow set of contractors on the most sensitive programs.

Not sure if your contract requires self-assessment or a C3PAO?

Tell the path tool your level, FCI/CUI handling, assessment type, and timeline — it maps you to the right category before you spend anything.

Check my assessment path →
Contract-Eligibility Matrix

The CMMC 2.0 Contract-Eligibility & Provider-Category Matrix

The full version of the quick table above — maps your data and contract situation to the CMMC path, assessment and reporting mechanics, and the category of help to consider first. Last verified June 30, 2026.

Your situationLikely CMMC pathAssessment & reportingFirst provider category to considerCategory to avoid firstPrimary source
You don't process, store, or transmit FCI/CUI — or the award is COTS-onlyCMMC may not applyConfirm solicitation/flow-down language; document why the system is out of scopeContracts attorney or RP/RPO for scope confirmationA C3PAODFARS rule COTS exclusion; § 170.3
You handle FCI onlyLevel 1 (Self)Annual self-assessment; result + affirmation in SPRS; no POA&MsRP/RPO if unsure; light internal readinessA C3PAO§ 170.15
You handle CUI; the clause requires Level 2 (Self)Level 2 (Self)Self-assessment every 3 yrs; score, scope, CAGE codes in SPRS; annual affirmation; 180-day closeout if ConditionalRP/RPO + MSSP / GRC / enclave, depending on your environmentA C3PAO as your first call§ 170.16
You handle CUI; the clause requires Level 2 (C3PAO)Level 2 (C3PAO)Authorized C3PAO every 3 yrs; C3PAO submits via eMASS → SPRS; annual affirmationReadiness first (RP/RPO, MSSP, GRC, enclave); then an independent C3PAO when assessment-readyOne firm that both remediates and certifies the same engagement§ 170.17
You support a Level 3 programLevel 3 (DIBCAC)Final Level 2 (C3PAO) first; DCMA DIBCAC performs Level 3; eMASS → SPRSSpecialized Level 3 readiness, architecture, and evidence supportA generic Level 2-only provider§ 170.18
You use a cloud service provider for CUI in a Level 2 (C3PAO) scopeStill Level 2 — cloud architecture becomes assessment-criticalCSP must meet FedRAMP Moderate (or equivalent); on-prem connections and the responsibility matrix are in scopeCUI enclave / GCC High / GovCloud implementer + SSP/CRM supportBuying cloud licenses without a scoped SSP/CRM§ 170.19
You use an external service provider (ESP) that handles CUIThe ESP relationship must be documented and assessed in scopeDocument the ESP, its service description, the responsibility matrix, and the SSP relationshipMSSP / managed compliance / evidence supportTreating the ESP as automatically out of scope§ 170.19

CMMC 2.0 Contract-Eligibility & Provider-Category Matrix — last verified June 30, 2026. Provider-category guidance is our editorial judgment based on the cited rules; it is not a legal requirement or a Cyber AB endorsement.

Self vs C3PAO

Do you need a Level 2 self-assessment or a C3PAO assessment?

Level 2 has two paths: Level 2 (Self) and Level 2 (C3PAO). The contract requirement, the sensitivity of the CUI, and the flow-down language determine which one applies — “Level 2” alone does not automatically mean hiring a C3PAO. Self-assessment is governed by § 170.16; certification by an authorized C3PAO by § 170.17.

Level 2 (Self)

You assess your own environment against all 110 requirements every three years, post the score in SPRS, and submit an annual affirmation. If you qualify for a Conditionalstatus using an allowed POA&M, you have 180 days to close it out and reach Final. Keep your assessment artifacts — the rule requires retention for six years from the CMMC Status Date.

Level 2 (C3PAO)

A Certified Third-Party Assessment Organization (C3PAO) — a firm authorized by the Cyber AB to conduct official CMMC Level 2 assessments — performs the assessment, submits results through eMASS, and those results flow to SPRS. Same 110 requirements, same 180-day Conditional-to-Final window, same annual affirmation. The difference is independence: a third party signs off, not you.

The independence rule buyers miss

A Registered Practitioner or Registered Provider Organization (RP/RPO) — the Cyber AB's category for consultants who help you prepare — provides readiness and advisory services, and RPs cannot serve on the assessment team that certifies you (Cyber AB terminology). Under 32 CFR Part 170, C3PAOs must follow the Cyber AB's conflict-of-interest and Code of Professional Conduct policies (§ 170.9), and under those policies a C3PAO generally cannot assess an organization it provided CMMC consulting to within the previous three years. Keep readiness help and formal assessment separate. If a single vendor offers to “prepare you and certify you,” ask exactly how they handle the conflict-of-interest boundary — and get the answer in writing.

A verification point worth knowing as a buyer

In 2025, the DoD OIG reviewed how C3PAOs get authorized and found the process wasn't being implemented effectively — in a review of 11 C3PAOs, the OIG found authorized firms without required agreements, certifications, or quality-control leads on file (DODIG-2025-056). Always verify current authorization status directly in the Cyber AB Marketplace before contracting.

Level 2 is not the same as “hire a C3PAO.” Many contractors qualify for Level 2 (Self). Confirm the assessment type from your contract clause before selecting any provider.
SPRS

What must you actually post in SPRS — and what counts as a CMMC status?

SPRS (the Supplier Performance Risk System) is where your CMMC status and affirmations live, and it's tied to contract eligibility. Level 1 (Self) and Level 2 (Self) records are entered by you; Level 2 (C3PAO) and Level 3 results flow in through eMASS; and the applicable annual affirmation must stay current. A posted NIST score is not, by itself, a CMMC status. See SPRS – CMMC and SPRS – NIST SP 800-171.

Three things people blur together — and the distinction matters at award:

CMMC recordWho enters the resultHow it reaches SPRSFrequencySource
Level 1 (Self) result + affirmationYou (your organization)Entered directly in SPRSSelf-assess annually; affirm each time§ 170.15
Level 2 (Self) score + affirmationYou (your organization)Entered directly in SPRSSelf-assess every 3 years; affirm annually§ 170.16
Level 2 (C3PAO) result + affirmationAuthorized C3PAO (result); you (affirmation)C3PAO → eMASS → SPRSAssess every 3 years; affirm annually§ 170.17
Level 3 (DIBCAC) result + affirmationDCMA DIBCAC (result); you (affirmation)DIBCAC → eMASS → SPRSPer the rule; affirm annually§ 170.18

What “current” means under DFARS 252.204-7021

Eligibility depends on your status being current: Level 1 (Self): not older than 1 year, with a current affirmation. Level 2 (Self) and Level 2 (C3PAO): not older than 3 years, with an annual affirmation in between. Conditionalstatuses carry the 180-day POA&M closeout window.

“But we posted a score” may not be enough. If your team posted a NIST score years ago and assumed CMMC was handled, that assumption is exactly where eligibility quietly breaks. The DoD's own CMMC page reminds contractors to submit affirmations along with their CMMC assessments in SPRS (DoD CIO CMMC). Check the record, confirm the status type, and confirm the affirmation is current.
2026 Clause Changes

What changed in 2026: the FAR/DFARS overhaul and your clause numbers

On February 1, 2026, a DoD class deviation under the Revolutionary FAR Overhaul changed which FAR/DFARS cybersecurity clauses contracting officers are directed to use in new DoD solicitations: DFARS 252.204-7019 is no longer prescribed, 252.204-7020 appears as 252.240-7997 under a new DFARS Part 240, and FAR 52.204-21 is relocated to FAR 52.240-93 — while 252.204-7012 and the CMMC clause 252.204-7021 are unchanged. It's a renumbering and consolidation, not a rollback. Because it's a class deviation ahead of formal rulemaking, the codified DFARS still lists the legacy clauses, so both old and new numbers can appear depending on your contract (DoD FAR/DFARS overhaul deviations).

The 2026 CMMC clause crosswalk

Old citationPost-deviation citationStatus under the Feb. 2026 deviationWhat it means for you
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements(not prescribed)Not used in new DoD deviation solicitations; still visible in the codified DFARS during the transitionThe old standalone self-assessment / SPRS-upload provision isn't cited in new deviation solicitations. Read CMMC notice and status mechanics through 252.204-7021 and 252.204-7025.
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment RequirementsDFARS 252.240-7997Renumbered + revised in new DFARS Part 240; legacy 7020 still in the codified DFARSMoved to Part 240; "Basic" references removed. The clause now defines only Medium and High assessments, both performed by the government (DIBCAC).
DFARS 252.204-7012 — Safeguarding CDI & Cyber Incident Reporting252.204-7012 (unchanged)UnchangedStill requires NIST 800-171 implementation, 72-hour incident reporting, and flow-down. The foundation did not move.
DFARS 252.204-7021 — CMMC Requirements252.204-7021 (unchanged)UnchangedThe CMMC clause. Eligibility is tied to your CMMC status; you flow CMMC requirements down to subs.
DFARS 252.204-7025 — CMMC notice provision252.204-7025 (unchanged)UnchangedThe CMMC notice provision is not changed by the deviation.
FAR 52.204-21 — Basic safeguarding (Level 1)FAR 52.240-93Relocated under the deviation; numbering not yet final (see below)The 15 Level 1 safeguards moved under the overhauled FAR. CMMC Level 1 still references these safeguards.

Sources: DoD Class Deviation 2026-O0025 and the FAR Overhaul Part 40 deviation guide, Defense Acquisition Regulations System. Last verified June 30, 2026.

Don't treat this crosswalk as permanent. On June 23, 2026, the FAR Council moved the Revolutionary FAR Overhaul from class deviations into formal notice-and-comment rulemaking (FAR Case 2026-001, published in the Federal Register, comments due July 23, 2026). That process could change clause numbers again before anything is final. Use the numbers above for the deviation in force today, and verify the exact clause text against your actual solicitation.

Ecosystem change you'll feel, too: As of April 2026, ISACA serves as the CMMC Assessor and Instructor Certification Organization (CAICO), administering the CCP, CCA, and Lead CCA credentials your assessors hold. The Cyber AB continues to run the Marketplace and authorize C3PAOs. If you're vetting an assessor, that's where the credentials now come from.

The numbering is in flux; your obligation isn't.

If you're reviewing a solicitation or flow-down, map your specific situation to the right provider category. No CUI required.

Map my CMMC path →
32 CFR Part 170 — CMMC Program Rule

The CMMC Final Rule establishes the three-level certification program, the assessment regime, and the implementation phases. Published in the Federal Register on October 15, 2024; effective December 16, 2024.

View at Federal Register
NIST SP 800-171 Rev. 2

What does NIST SP 800-171 Rev. 2 have to do with CMMC 2.0 compliance?

Under the current CMMC rule, Level 2 security requirements are identical to NIST SP 800-171 Revision 2 — 110 requirements across 14 families. NIST has since published Revision 3 and lists Revision 2 as superseded in its catalog, but CMMC remains tied to Revision 2 until DoD amends the rule. This is fixed at § 170.14, which incorporates “NIST SP 800-171 R2” by reference.

Here's the costly trap: NIST released SP 800-171 Revision 3 in May 2024, and in NIST's own catalog, Revision 3 supersedes Revision 2. A reasonable person reads “Rev. 3 is current” and starts building to it. For CMMC, that's the wrong target right now.

Level 3 and NIST SP 800-172: Level 3 draws 24 selected requirements from NIST SP 800-172 (February 2021), with DoD-approved parameters, as identified in § 170.14(c)(4). The same care applies: NIST's catalog status for SP 800-172 is a separate question from the specific requirements CMMC incorporates.
NIST SP 800-171 Revision 2 — Protecting CUI in Nonfederal Systems

The 110 security requirements organized into 14 control families that constitute the substantive Level 2 control set referenced in the CMMC Final Rule. CMMC Level 2 is assessed against Rev. 2 — not Rev. 3 — under the current rule.

View at NIST
Cost & Timeline

What does CMMC 2.0 compliance cost, how long does it take, and who do you talk to first?

There is no trustworthy flat price for CMMC 2.0 compliance. Cost and timeline are driven by your level, scope, CUI footprint, starting maturity, cloud architecture, and how much evidence you can actually produce. Industry timelines for Level 2 readiness commonly run 6–18 months, and readiness and the formal C3PAO assessment are separate expenses. The single biggest money-saver is usually scope clarity, not vendor selection.
Cost driverWhy it changes the number
CMMC level / assessment typeLevel 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) are different work profiles entirely.
ScopeFewer in-scope systems means less tooling, less evidence, and a smaller assessment. Scope is the lever.
CUI footprintCUI scattered across email, file shares, ERP, CAD, ticketing, backups, and MSP tools expands the whole problem.
Starting maturityMissing MFA, logging, asset inventory, an SSP, or incident response means real remediation, not paperwork.
Cloud / ESP useA CSP handling CUI must meet FedRAMP Moderate (or equivalent); your ESPs and the responsibility split between you and them are in scope (§ 170.19).
Evidence readinessPassing requires proof an assessor can examine, interview, and test — not just tools you bought.
TimelineEmergency remediation costs more and produces worse decisions. Runway is money.

A cost reality some readers need to hear

Not every small subcontractor should buy a full Level 2 program. If DoD work is a thin slice of your revenue, your margins are tight, and your CUI exposure can be contained, the smarter first move may be to reduce scope, ask your prime sharper flow-down questions, or — sometimes — walk away from low-margin CUI workrather than spending six figures into the wrong path. If that's you, start with the CMMC Level 1 path and scope reduction first.

For the rest: hold one principle — separate readiness from assessment. Get your environment right with a readiness partner (RPO/MSSP), manage evidence with a GRC platform if it helps, contain CUI in an enclave if that shrinks your scope — then engage an independent C3PAO when you're assessment-ready. For dollar-level detail by level and company size, see our CMMC Level 2 cost guide.

Before you price vendors, make sure you're not pricing the wrong scope.

The most expensive CMMC mistake is buying a platform, an enclave, or a C3PAO slot before confirming scope. Run your situation through the path tool — level, FCI/CUI handling, environment, assessment type, deadline — and it'll point you to the category to compare first. No CUI required.

Provider Categories

Which CMMC provider category should you talk to first?

The right first provider is usually nota C3PAO. Most contractors need scoping, readiness, architecture, documentation, managed security, evidence workflow, or enclave decisions before a formal assessment. A C3PAO belongs when you're assessment-ready or the contract specifically requires Level 2 (C3PAO).

Provider categoryUse when…Don't treat it as… What to verify before you hire
RP / RPO (Registered Practitioner / Registered Provider Organization)You need scoping, readiness planning, SSP/POA&M help, or rule interpretationA certifying assessorCyber AB status, role, deliverables, and conflict-of-interest boundaries
MSP / MSSP / vCISOYou need implementation, monitoring, identity, logging, endpoint, incident responseA substitute for your own compliance accountabilityCMMC experience, CUI handling, SSP/CRM support, and the evidence they produce
GRC platformYou need workflow, evidence management, SSP/POA&M tracking, control mappingProof that controls are actually implementedExportable, assessor-ready evidence and accurate Rev. 2 mapping
CUI enclaveYou want to contain CUI in a smaller, controlled environment to shrink scopeA magic shortcut that erases all scopeCSP/ESP responsibilities, the responsibility matrix, and CUI entry/exit points
C3PAO (Certified Third-Party Assessment Organization)You're ready for a Level 2 (C3PAO) assessment, or the contract requires itA readiness implementer for the same engagementCurrent authorized status in the Cyber AB Marketplace, scope, availability, COI rules
DIBCAC pathYou have a Level 3 requirementGeneral Level 2 readinessFinal Level 2 (C3PAO) prerequisite, Level 3 scope, DIBCAC expectations

Get matched to the right category — before you talk to vendors.

Once you know whether you need readiness, software, an enclave, or an assessor, the conversations get cheaper and faster. Tell us your level, scope, environment, assessment type, and timeline, and we'll help you compare source-checked provider options in the categories that fit your situation.

Get matched with source-checked provider options →

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category recommendations. Do not submit CUI, drawings, or sensitive contract details — this intake is for provider-category routing only.

Common Mistakes

The most expensive CMMC 2.0 compliance mistakes — and how to avoid them

The costly CMMC mistakes are sequence mistakes: assuming the wrong level, treating Level 2 as always-C3PAO, buying tools before scope, mistaking NIST Rev. 3 for the current requirement, posting the wrong SPRS record, or treating a POA&M as an open-ended pass. Each one is avoidable with the right order of operations.
  1. “We have CUI, so we need a C3PAO immediately.” Maybe. Not always. Level 2 can be self-assessed or C3PAO-assessed depending on the contract (§ 170.16, § 170.17). Confirm the requirement before you book an assessor.
  2. “We posted our NIST score, so CMMC is handled.” A stored NIST score isn't a CMMC status, and it isn't an affirmation. SPRS has CMMC-specific entry and affirmation steps (SPRS – CMMC). Check the record type.
  3. “Rev. 3 superseded Rev. 2, so Rev. 3 is the CMMC requirement.” NIST's catalog status and CMMC's incorporated text are two different questions. CMMC Level 2 is tied to Revision 2 under the current rule (§ 170.14).
  4. “A POA&M buys us unlimited time.” It buys a narrow, rule-bound window. Under 32 CFR § 170.21: Level 1 allows no POA&Ms at all; a Conditional Level 2 requires your score to be at least 88 of 110; only 1-point requirements are POA&M-eligible — every 3-point and 5-point requirement must be MET at assessment; six specific 1-point requirements are excluded by name (including your System Security Plan); there is one narrow exception for CUI-encryption (SC.L2-3.13.11) if encryption is present but not FIPS-validated; and everything on the POA&M must be closed within 180 days or the Conditional status expires.
  5. “The provider will tell us what level we need.” The contract clause, flow-down, and your FCI/CUI handling set the path. Providers interpret and implement; they don't set your legal requirement. The DoD reserves the right to run its own DIBCAC assessment, and those results take precedence over a pre-existing status. “Marked implemented” has to mean “demonstrable.”
Not Ready Yet

What if you're not ready when the CMMC clause appears?

You have more options than “panic” or “miss the bid” — but they all start with confirming scope.

OptionWhen it fitsThe catch
Scope reductionYou can keep CUI out of certain systems or workflowsRequires prime/contract clarity on what's truly in scope
Level 1 / no-CUI pathYou only handle FCIA prime may still ask for proof of your Level 1 status
Readiness sprintYou have a real deadline and a definable scopeRushed remediation is expensive and fragile
Enclave strategyCUI is limited and can be containedA poorly designed enclave can fail the assessment
C3PAO schedulingYou're close to assessment-ready and the contract requires itA booked slot is not the same as being ready — and slots are scarce
Decline low-margin CUI workDoD revenue can't justify the spendA business tradeoff, not a compliance failure
On C3PAO scarcity — the honest version: In its own economic analysis of the program rule, DoD estimated that roughly 8,350 medium and large entities will need a Level 2 (C3PAO) certification as a condition of award (Federal Register). The pool of authorized C3PAOs is small — on the order of roughly 100 as of the March 2026 Cyber AB Town Hall — and independent guides report assessment lead times of several months to a year, with some C3PAOs booked into 2027. Check the live pool in the Cyber AB Marketplace before you plan around it, then work backward from the date your contract actually requires a status. That's not a sales tactic. It's arithmetic.
Sources Verified

What we actually verified for this guide

We don't ask you to take our word for any of it. Here's what we read and cross-checked on June 30, 2026, and what each source supports.

Source we checkedWhat it supports
32 CFR Part 170 / eCFR (§§ 170.14–170.24)The three levels, the 15/110/24 counts, assessment paths, POA&M and affirmation rules, scoping, scoring, Rev. 2 mapping, Level 3 prerequisite
Federal Register — CMMC Program RuleEffective date (Dec. 16, 2024), purpose, "15 Level 1 requirements"
Federal Register — DFARS ruleEffective date (Nov. 10, 2025), phased implementation, COTS-only exclusion
Acquisition.gov — DFARS 252.204-7021"Current" status definitions, annual affirmation, eligibility tie-in
Defense Acquisition Regulations System — FAR/DFARS overhaul deviationsThe Feb. 1, 2026 class-deviation clause changes (7019 not prescribed; 7020→252.240-7997; FAR 52.204-21→52.240-93)
Federal Register — RFO proposed rule, FAR Case 2026-001June 23, 2026 formal rulemaking — clause numbering is not yet final
32 CFR § 170.21POA&M rules: 0.8 threshold (88 of 110), 1-point-only eligibility, the encryption exception, six excluded requirements, 180-day closeout
NIST CSRC — SP 800-171 Rev. 3 and SP 800-172Revision 3 / 800-172 publication status vs. CMMC's incorporated Rev. 2
SPRS — CMMC and NIST SP 800-171NIST score storage vs. CMMC record entry and affirmation
Cyber AB — TerminologyC3PAO, RP/RPO definitions and the assessment-team independence rule
DoD CIO — CMMCPhase 1 dates and the SPRS affirmation reminder
DoD OIG — DODIG-2025-056C3PAO authorization-process findings → "verify current authorization status"
What's still moving, and how we handled it: Clause numbering is mid-transition — the February 2026 class deviation is in force now, but formal rulemaking (June 23, 2026) could change numbers again, so we dated the crosswalk and told you to verify against your solicitation. The live count of authorized C3PAOs changes continuously; we leaned on DoD's own demand estimate and pointed you to the live Cyber AB Marketplace. Cost and readiness-timeline ranges are industry-observed, not regulatory — treat them as planning figures. We re-verify this page quarterly and on any rulemaking change.
Get Matched

Get matched with CMMC solution providers.

Tell us your situation. We'll connect you with matched providers that fit your level, scope, and timeline. Free. No obligation.

Do not submit CUI, drawings, export-controlled content, or sensitive contract details. This intake is for buyer-need routing only. Sensitive information should be shared only through appropriate secure channels after you have independently verified and engaged a provider.

By submitting this form, you authorize The Defense Compliance Report to share the information you provide with matched CMMC providers so they can respond to your request. We may receive referral or lead-routing compensation from providers that receive matched inquiries. We do not sell personal information to unrelated data brokers or advertising networks. Newsletter subscription is optional and requires a separate unchecked opt-in. See our Privacy Policy and Editorial & Advertising Policy.

Answers

Frequently asked questions about CMMC 2.0 compliance.

CMMC 2.0 is the Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on the systems they use to perform DoD work. The program defines three certification levels and an assessment regime, codified at 32 CFR Part 170 (the CMMC Program Rule, published in the Federal Register on October 15, 2024, and effective December 16, 2024) and flowed into contracts through DFARS 252.204-7021. The exact controls and assessment scope you face are driven by your contract clause and the sensitivity of the CUI you handle. Consult a CMMC Registered Practitioner (RP/RPO) or qualified attorney before making compliance decisions for your contracts.

These answers are educational. For binding answers to your contracts, consult a CMMC Registered Practitioner (RP/RPO) or qualified federal-contracts counsel.

Your Next Step

You don't need to memorize a 110-control list today.

You need to know your level, your assessment type, what's in scope, and the right kind of help — in that order.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.

Already know what you need? Request a quote directly. Free, no obligation.

Do not submit CUI, drawings, export-controlled content, or sensitive contract details. This intake is for provider-category routing only. Provider matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.

About The Defense Compliance Report Editorial Team

We are an independent editorial team covering CMMC 2.0 and DIB compliance. We do not accept editorial-approval rights from sponsors. Methodology, corrections, and editorial standards are published in full. More about the team →

This report was last reviewed on . CMMC regulatory developments are tracked continuously; material changes trigger a re-review. See our Corrections policy if you find an error.

Material updates in this review (June 30, 2026):
  • Added 2026 CMMC clause crosswalk for February 2026 class deviation (7019, 7020→252.240-7997, FAR 52.204-21→52.240-93).
  • Added FAR Case 2026-001 RFO formal rulemaking caveat (June 23, 2026 — clause numbering not final).
  • Confirmed 15 Level 1 requirements (FAR 52.204-21(b)(1)); added primary-source note on the "17 practices" confusion.
  • Added ISACA CAICO credential note (as of April 2026 — CCP, CCA, Lead CCA credentials).
  • Confirmed CMMC Level 2 maps to NIST SP 800-171 Revision 2; added DoW/EO 14347 terminology note.
Research Library

CMMC compliance guides for defense contractors.

Download

Get the CMMC Readiness Checklist.

Defense Compliance Report
CMMC Readiness Checklist
32 points · NIST SP 800-171 Revision 2 control families

A 32-point checklist mapped to NIST SP 800-171 Revision 2 control families. Use it to gauge where your organization stands before engaging a provider.

  • Scoping & CUI inventory
  • SSP and POA&M baseline
  • The 14 NIST 800-171 control families
  • SPRS posting checklist
  • Assessment type decision tree

We will email the checklist to the address you provide. Do not upload, enter, or send contracts, CUI, controlled technical data, export-controlled content, system diagrams, vulnerabilities, incident details, employee personal information, or other sensitive security information through this form.

Do not submit CUI, drawings, export-controlled content, or sensitive contract details. This intake is for buyer-need routing only. Sensitive information should be shared only through appropriate secure channels after you have independently verified and engaged a provider.

The checklist request does not require subscribing to the weekly briefing. You can unsubscribe from the weekly briefing at any time.