
Achieving CMMC 2.0 Compliance ...

  • Jan 21

Updated: Jan 23

Cybersecurity Maturity Model Certification 2.0 (CMMC) is a new cybersecurity framework issued by the US Department of Defense (DoD) for the DoD supply chain and its contractors. The goal of the new CMMC compliance requirement is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).


In alignment with section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.


CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits a company to handle utilizing prescribed controls. The CUI Registry identifies approved CUI categories and subcategories.


The CMMC program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that the Department shares with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and gives the Department increased assurance that contractors and subcontractors are meeting these requirements.


Acronyms

The cybersecurity and compliance requirements associated with the Department of Defense rely on numerous acronyms that may not be familiar to all readers. The explanations below are provided to help clarify key terms referenced throughout this guide.


CMMC (Cybersecurity Maturity Model Certification)

A Department of Defense cybersecurity framework designed to ensure contractors and subcontractors adequately protect sensitive unclassified information.


DoD (Department of Defense)

The U.S. federal department responsible for national defense and oversight of defense contracting requirements.


FCI (Federal Contract Information)

Information provided by or generated for the government under a federal contract that is not intended for public release.


CUI (Controlled Unclassified Information)

Government data that is not classified but still requires safeguarding or dissemination controls under federal law, regulation, or policy.


DIB (Defense Industrial Base)

The network of private-sector companies and suppliers that provide products or services in support of U.S. defense and national security.


NIST (National Institute of Standards and Technology)

A federal agency that develops cybersecurity standards and guidelines used by government agencies and contractors.


NIST SP 800-171

A NIST publication defining 110 cybersecurity requirements for protecting Controlled Unclassified Information in non-federal systems.


NIST SP 800-172

A supplemental set of enhanced cybersecurity requirements designed to protect highly sensitive programs and defend against advanced persistent threats.


FAR (Federal Acquisition Regulation)

The primary rule set governing how the U.S. government acquires goods and services.


DFARS (Defense Federal Acquisition Regulation Supplement)

A Department of Defense supplement to the FAR that includes mandatory cybersecurity and compliance requirements for defense contractors.


C3PAO (CMMC Third-Party Assessment Organization)

An independent organization authorized to conduct official CMMC Level 2 certification assessments.


SPRS (Supplier Performance Risk System)

A Department of Defense system used to record contractor cybersecurity self-assessments, scores, and CMMC status.


DIBNet

A legacy Department of Defense platform historically used for cyber incident reporting within the Defense Industrial Base.


POA&M (Plan of Action and Milestones)

A documented remediation plan that outlines how identified cybersecurity gaps will be resolved within an approved timeframe.


CMMC Framework

The framework has three key features:

  1. Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for flowing requirements down to subcontractors.

  2. Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

  3. Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.


Most DoD contracts will require either CMMC Level 1 or CMMC Level 2 compliance.


CMMC Level 3: The DoD is still determining the specific security requirements for Level 3 (Expert) but has indicated that its requirements (est. 130 Practice Controls) will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.


Generally:

If a company will receive only FCI under the contract, CMMC Level 1 implementation (compliance with 17 individual practice controls) will be required.


However, if an organization receives CUI in addition to FCI, then CMMC Level 2 (compliance with 110 individual practice controls) will be required at a minimum.


Each company’s actual scope of work to achieve CMMC practice compliance will differ based on its existing IT infrastructure, the level of compliance required, and other factors. To obtain CMMC compliance, a 4-phase approach is required.


To achieve CMMC Level 2 compliance, third-party validation is required to ensure compliance with required policies, procedures, and safeguards.


CMMC Compliance Guide: Achieving CMMC Compliance

Updates as of 2025


  • The CMMC 2.0 rule was finalized on September 10, 2025 and became effective on November 10, 2025, with a phased rollout.

  • Phase 1 (Nov 2025–Nov 2026): Self-assessments accepted for Levels 1 & 2.

  • Phase 2 (Nov 2026–Nov 2027): Level 2 requires C3PAO third-party certification.

  • Phase 3 (Nov 2027–Nov 2028): All Level 2 contracts require third-party certification; Level 3 government-led assessments start for select programs.

  • Phase 4 (Nov 2028+): All DoD contracts mandate the required CMMC level.

  • DFARS clauses now include 252.204-7021 and 252.204-7025 for CMMC requirements.

  • Plans of Action and Milestones (POA&Ms) are allowed only for certain Level 2 controls, capped at 180 days.

  • Continuous compliance requirements added: SPRS (Supplier Performance Risk System) reporting, DIBNet (Defense Industrial BaseNet) incident response, and ongoing monitoring between assessments.

  • Level structure remains: Level 1 (~17 practices), Level 2 (~110 practices), Level 3 (~130 practices including NIST SP 800-172 subset).


CMMC Compliance Checklist

  • Level 1: Confirm 17 basic cyber hygiene practices implemented; complete annual self-assessment.

  • Level 2: Implement 110 NIST SP 800-171 controls; prepare for C3PAO third-party assessment; maintain SPRS score.

  • Level 3: Implement Level 2 controls plus ~24 NIST SP 800-172 controls; prepare for government-led assessment; ensure continuous monitoring and incident reporting.


Is Your Organization Positioned to Secure Future DoD Contract Sales Revenues?


CMMC compliance is no longer theoretical; it’s a requirement!

Don’t wait until deadlines put your contracts and future opportunities at risk. Partner with experts who understand the process and can guide you every step of the way.


Schedule your CMMC Readiness Consultation with DMC Service Solutions today!


✅ Stay prepared. ✅ Stay compliant. ✅ Stay competitive. ✅ Stay informed.



© Copyright 2026 DMC Service Solutions, LLC / All Rights Reserved
