CMMC 2.0 Compliance: The Complete Guide for Defense Contractors

Defense contractors working with the Department of Defense faced a firm deadline: CMMC 2.0 requirements began appearing in DoD contracts in 2025, with mandatory third-party assessments for Level 2 contracts phasing in through 2026. If your organization handles Controlled Unclassified Information (CUI) and you bid on DoD work, CMMC compliance is no longer optional — it is a contract condition. This complete CMMC 2.0 compliance guide explains the three certification levels, the 110 NIST SP 800-171 controls at the core of Level 2, the assessment process, timelines, and how to build an audit-ready compliance program without losing months to spreadsheet chaos.
What Is CMMC 2.0? The Framework Explained
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's framework for ensuring defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Version 2.0, finalized in late 2021 and now being implemented through the Defense Federal Acquisition Regulation Supplement (DFARS), streamlined the original five-level model into three levels:
- Level 1 (Foundational): 17 practices from FAR 52.204-21, covering basic cybersecurity hygiene. Annual self-assessment. Applies to contractors handling FCI only.
- Level 2 (Advanced): 110 practices aligned to NIST SP 800-171 Rev. 2. Triennial third-party assessment (C3PAO) for contracts involving prioritized CUI; annual self-assessment for non-prioritized CUI. This is where most defense prime subcontractors operate.
- Level 3 (Expert): 134+ practices including NIST SP 800-172 requirements. Government-led assessment. Applies to contracts involving the most sensitive CUI supporting critical programs.
For the vast majority of defense contractors — particularly small and mid-market firms — CMMC Level 2 is the target. You can review the official framework at the DoD CMMC Office.
CMMC 2.0 Compliance Requirements: The 14 Domains
CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Rev. 2, organized into 14 domains (called "families"). Here is what each domain requires at a compliance-ready level:
1. Access Control (AC) — 22 practices
Limit system access to authorized users, processes, and devices. Enforce least privilege and separation of duties. Control remote access using session locking, VPN, and multi-factor authentication.
2. Awareness and Training (AT) — 3 practices
Ensure all personnel are aware of security risks and trained to carry out their security responsibilities. Document training records.
3. Audit and Accountability (AU) — 9 practices
Create and retain system audit logs to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity. Protect audit logs from unauthorized access and modification.
4. Configuration Management (CM) — 9 practices
Establish and maintain baseline configurations for all systems. Control and document changes to configurations. Restrict, disable, and prevent the use of nonessential programs, functions, ports, and protocols.
5. Identification and Authentication (IA) — 11 practices
Identify all system users, processes, and devices. Authenticate identities before allowing access. Enforce multi-factor authentication for privileged accounts and network access.
6. Incident Response (IR) — 3 practices
Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities. Track, document, and report incidents.
7. Maintenance (MA) — 6 practices
Perform maintenance on organizational systems, including controls on tools, techniques, mechanisms, and personnel for maintenance. Ensure remote maintenance is controlled and monitored.
8. Media Protection (MP) — 9 practices
Protect system media containing CUI. Sanitize or destroy media before disposal or reuse. Control the use of removable media.
9. Personnel Security (PS) — 2 practices
Screen individuals prior to authorizing access to CUI. Ensure CUI is protected during and after personnel actions such as terminations and transfers.
10. Physical Protection (PE) — 6 practices
Limit physical access to systems, equipment, and operating environments to authorized individuals. Escort visitors and monitor physical access to facilities.
11. Risk Assessment (RA) — 3 practices
Conduct risk assessments periodically and whenever major changes occur. Scan for vulnerabilities in systems and applications. Remediate vulnerabilities in accordance with risk assessments.
12. Security Assessment (CA) — 4 practices
Periodically assess security controls. Develop and implement Plans of Action and Milestones (POA&Ms) to correct deficiencies. Monitor security controls on an ongoing basis.
13. System and Communications Protection (SC) — 16 practices
Monitor and control communications at external boundaries and key internal boundaries. Implement subnetworks for publicly accessible system components. Use architectural designs, software development techniques, and systems engineering principles to promote security.
14. System and Information Integrity (SI) — 7 practices
Identify and manage information system flaws. Provide protection from malicious code. Monitor system security alerts and advisories.
CMMC 2.0 Compliance Timeline: What to Expect in 2026
CMMC requirements are being phased into DoD contracts through the rulemaking process. Key milestones:
- Phase 1 (Started 2025): Level 1 and Level 2 self-assessments required in SPRS (Supplier Performance Risk System) for applicable contracts. Contractors must affirm compliance or self-assess and upload scores.
- Phase 2 (November 2026): Third-party assessments by C3PAOs become required for Level 2 contracts involving prioritized CUI. Organizations without a satisfactory C3PAO assessment in SPRS cannot be awarded these contracts.
- Phase 3 and 4: Expansion across all applicable contract types, including subcontractor flow-down requirements tightened.
For contractors currently at Tier 1 or early Tier 2 maturity, achieving audit-ready Level 2 status before November 2026 requires starting the assessment and remediation process now. C3PAO assessment slots are limited and the demand is significant.
Plans of Action and Milestones (POA&M): The CMMC Compliance Anchor
A POA&M is a formal document that identifies security weaknesses, describes how they will be remediated, and sets milestones and resource assignments for each action item. Under CMMC 2.0, a POA&M is not a sign of failure — it is evidence of a functioning compliance program. The key requirements:
- POA&M items must have specific remediation milestones (not open-ended)
- High-value items (practices with scores of -5 or lower in SPRS) may be unacceptable at time of contract award depending on contracting officer discretion
- POA&Ms must be closed within 180 days of contract award for Level 2 self-assessment contracts
- C3PAO assessors will review your POA&M as part of the formal assessment process
The organizations that struggle with POA&Ms are those tracking them in spreadsheets. When a remediating control is linked to multiple 800-171 requirements, a spreadsheet quickly becomes a liability — changes are missed, milestones slip, and the documentation becomes inconsistent.
How Glance Handles POA&M Tracking
Z Cyber's Glance platform treats POA&M tracking as a first-class function. Every gap identified in the Current State Assessment generates a tracked action item with an assigned owner, milestone date, and framework control mapping. Because Glance maps controls to both NIST SP 800-171 and CMMC simultaneously, a single remediation item closes gaps across both frameworks. Your advisory team at Z Cyber monitors POA&M progress continuously — so when a C3PAO assessment arrives, your documentation reflects your actual current state, not a snapshot from six months ago.
This approach also applies to flow-down compliance: when a prime contractor requires their subcontractors to demonstrate CMMC compliance, the Framework Scorecards in Glance provide the kind of always-current evidence packages that satisfy both the prime's requirements and eventual C3PAO scrutiny.
CMMC 2.0 Compliance: Building Your Audit-Ready Program
A CMMC compliance program is not a one-time project. It is an ongoing security program that happens to be measured against a framework. Here is how Z Cyber's advisory team approaches it:
- Current State Assessment: Map your existing controls against all 110 NIST SP 800-171 practices. Produce a scored SPRS value and identify all gaps.
- System Security Plan (SSP): Document your CUI environment, system boundaries, and how each 800-171 practice is implemented or planned. The SSP is the primary artifact a C3PAO assessor reviews.
- POA&M Development: Assign owners, resources, and milestones to every gap. Prioritize by SPRS impact and contract risk.
- Cyber Blueprint Remediation: Execute the prioritized roadmap. Z Cyber advisors work alongside your team to implement controls, test them, and document evidence.
- Continuous Monitoring: Maintain your CMMC posture between assessments. Technology changes, personnel changes, and new threat indicators all affect your compliance status.
- C3PAO Assessment Preparation: Organize evidence packages by domain. Conduct a pre-assessment review to identify any remaining gaps before the formal C3PAO engagement.
CMMC 2.0 Scope Definition: The Most Underestimated Step
Before any organization begins implementing CMMC Level 2 controls, it must define its assessment scope — specifically, what systems, networks, and personnel are part of the CUI environment. This step has more impact on your compliance cost and timeline than any other single decision, yet it is frequently rushed or skipped.
The CUI boundary determines which assets fall under every CMMC requirement: which systems need audit logs, which endpoints need endpoint detection, which personnel need security training records, and which networks need segmentation. An organization that fails to define its CUI boundary clearly will either over-scope (applying CMMC requirements to systems that do not process CUI, driving up cost unnecessarily) or under-scope (missing systems that do handle CUI, creating compliance gaps that will surface during C3PAO assessment).
Effective scope definition requires a data flow analysis: trace exactly how CUI enters your organization, which systems it touches during processing, where it is stored, and how it exits (to primes, to government, or to other subcontractors). The resulting CUI data flow map becomes the foundation for your System Security Plan's system boundary description. Organizations that invest two to four weeks in thorough scope definition consistently achieve compliance faster and at lower total cost than those that rush to implementation without a clear boundary.
Network segmentation — isolating CUI systems from general corporate IT — is the most powerful scope-reduction strategy available. If your CUI environment is a clearly bounded segment of your network, non-CUI systems fall outside CMMC scope entirely. For small and mid-market contractors, this can reduce the number of systems in scope by 50% or more.
CMMC 2.0 Compliance Costs: What to Budget
Cost varies significantly based on organization size, existing security posture, and whether you require a formal C3PAO assessment. Rough benchmarks for mid-market defense contractors:
- Assessment and gap analysis: $15,000–$50,000 depending on scope and environment complexity
- Remediation (technology): Highly variable; common investments include endpoint detection, MFA, log management, and encrypted email
- C3PAO assessment fee: $20,000–$100,000+ for a Level 2 assessment, depending on organization size
- Ongoing compliance management: Depends on advisory model; Z Cyber's managed advisory approach bundles assessment, remediation guidance, platform access, and continuous monitoring into a single engagement
For small defense contractors, the advisory model is often more cost-effective than hiring full-time compliance staff or engaging a large consulting firm for a point-in-time engagement. See our CMMC Level 2 guide for small businesses for specific guidance on affordable compliance paths.
The Role of External Service Providers in CMMC Compliance
Many defense contractors rely on managed service providers (MSPs), cloud platforms, or other external service providers as part of their technology environment. Under CMMC 2.0, the use of External Service Providers (ESPs) for CUI handling or security functions does not transfer CMMC compliance responsibility. The contractor remains responsible for ensuring that all applicable CMMC practices are met, including practices implemented by or through the ESP.
Cloud Service Providers (CSPs) that process, store, or transmit CUI on behalf of a CMMC contractor must meet FedRAMP Moderate authorization or equivalent. This is a common gap for mid-market contractors who use commercial cloud platforms without verifying their federal data handling authorization status. Confirming and documenting the authorization status of every service provider that touches your CUI environment is a required element of your System Security Plan and is reviewed during C3PAO assessments.
If your organization relies heavily on an MSP for IT management, ensure your MSP relationship includes a clear delineation of which CMMC practices they implement and maintain on your behalf, documented in your SSP. Your C3PAO assessor will verify that documented controls actually operate as described — which means verifying ESP-managed controls with the same rigor as internally managed ones.
CMMC 2.0 and NIST 800-171: Understanding the Relationship
CMMC Level 2 is built directly on NIST SP 800-171 Rev. 2. Every CMMC Level 2 practice maps to a corresponding 800-171 requirement. If you have already conducted an 800-171 self-assessment and uploaded a score to SPRS, you have completed a significant portion of your CMMC Level 2 groundwork. The key difference: CMMC 2.0 adds a third-party verification requirement that 800-171 does not. You can read a detailed comparison in our NIST 800-171 vs. CMMC guide.
For defense contractors with existing 800-171 documentation, Z Cyber's advisory team can overlay your current SSP and SPRS score against CMMC requirements and identify the specific gaps that exist for formal certification — without starting from scratch.
Conclusion
CMMC 2.0 compliance is a multi-step program that demands both technical control implementation and disciplined documentation. Defense contractors that start early, build a live POA&M, and maintain continuous monitoring of their CUI environment will reach audit readiness faster and with less disruption to their contracts. Z Cyber's advisory team works with defense contractors to assess, remediate, and document every step of the CMMC journey — with Glance providing the always-current framework scorecards and POA&M tracking that auditors expect.
Ready to map your CMMC readiness? Z Cyber's advisors can conduct your Current State Assessment, calculate your current SPRS score, and build your remediation roadmap in a single engagement.
Frequently Asked Questions: CMMC 2.0 Compliance
When do CMMC 2.0 requirements take effect for my contracts?
CMMC requirements have been phasing into DoD contracts since 2025. Level 1 and Level 2 self-assessments are currently required for applicable DFARS contracts. Mandatory third-party (C3PAO) assessments for Level 2 contracts involving prioritized CUI are expected to phase in beginning November 2026. However, your prime contractor may impose earlier flow-down requirements. Check your specific contract language and consult with your contracting officer if uncertain.
What is SPRS and how does my CMMC score relate to it?
SPRS (Supplier Performance Risk System) is the DoD portal where contractors submit their NIST SP 800-171 self-assessment scores. A perfect score is 110. Deductions are assigned to each unimplemented practice based on the NIST SP 800-171 DoD Assessment Methodology. Contracting officers can view your SPRS score when evaluating bids. A negative score or no score is a red flag. For Level 2 C3PAO assessments, your C3PAO submits the assessment results directly to SPRS on your behalf.
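An added illustration, not code from this page or from Z Cyber's Glance platform, of how the SPRS scoring described here combines with the POA&M rules given earlier: each unimplemented practice's weight is deducted from the perfect score of 110, 5-point gaps are flagged as high-value, and POA&M items that lack an owner or milestone, or whose milestone falls outside the 180-day closure window after contract award, are reported. The practice ids, weights, dates and owners in the sample are constructed for illustration; the authoritative per-practice weights come from the NIST SP 800-171 DoD Assessment Methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PERFECT_SCORE = 110           # "A perfect score is 110"
POAM_CLOSE_WINDOW_DAYS = 180  # POA&Ms closed within 180 days of award
HIGH_VALUE_DEDUCTION = 5      # practices scoring -5 are high-value items


@dataclass
class Practice:
    req_id: str                       # NIST SP 800-171 requirement id, e.g. "3.1.1"
    weight: int                       # deduction (1, 3 or 5) per the Assessment Methodology
    implemented: bool
    owner: Optional[str] = None       # POA&M owner for an open gap
    milestone: Optional[date] = None  # POA&M remediation milestone for an open gap


def sprs_score(practices: list) -> int:
    """Perfect score minus the weighted deduction for every unimplemented practice."""
    return PERFECT_SCORE - sum(p.weight for p in practices if not p.implemented)


def poam_findings(practices: list, award_date: date) -> list:
    """Issues an assessor or contracting officer would raise about open POA&M items."""
    deadline = award_date + timedelta(days=POAM_CLOSE_WINDOW_DAYS)
    findings = []
    for p in practices:
        if p.implemented:
            continue
        if p.weight >= HIGH_VALUE_DEDUCTION:
            findings.append((p.req_id, "high-value gap: may block award"))
        if p.owner is None or p.milestone is None:
            findings.append((p.req_id, "open-ended: needs owner and milestone"))
        elif p.milestone > deadline:
            findings.append((p.req_id, f"milestone after 180-day window ({deadline})"))
    return findings


# Constructed sample environment: ids and weights are illustrative only.
SAMPLE = [
    Practice("3.1.1", 5, True),
    Practice("3.3.1", 5, False, owner="SecOps", milestone=date(2026, 3, 1)),
    Practice("3.5.3", 5, False),                 # tracked nowhere: no owner, no milestone
    Practice("3.2.3", 1, False, owner="HR", milestone=date(2026, 12, 1)),
    Practice("3.4.7", 3, False, owner="IT", milestone=date(2026, 2, 15)),
]
AWARD_DATE = date(2026, 1, 1)  # constructed contract award date

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))   # 96
    for req_id, issue in poam_findings(SAMPLE, AWARD_DATE):
        print(req_id, "-", issue)
```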
Does CMMC apply to subcontractors?
Yes. CMMC requirements flow down to subcontractors who handle FCI or CUI as part of a covered contract. Prime contractors are required to include CMMC clauses in their subcontracts when CUI will be shared. Subcontractors must meet the same CMMC level required by the prime for the relevant work. This means many small businesses in the defense industrial base are subject to Level 2 requirements even if they have not directly contracted with the DoD.
What happens if my organization does not achieve CMMC compliance?
Without the required CMMC certification or self-assessment on file, your organization will be ineligible to bid on or be awarded DoD contracts that include CMMC requirements. Existing contracts may include cure notice provisions if compliance is not achieved within the required timeframe. For organizations whose revenue is substantially dependent on DoD contracting, non-compliance is a significant business risk — not just a regulatory one.
How is CMMC Level 2 different from CMMC Level 1?
CMMC Level 1 covers 17 basic cyber hygiene practices from FAR 52.204-21 and applies to contractors handling FCI (Federal Contract Information). It requires only an annual self-assessment. CMMC Level 2 covers all 110 practices from NIST SP 800-171 and applies to contractors handling CUI. For prioritized CUI contracts, Level 2 requires a triennial third-party assessment by an accredited C3PAO. The documentation, controls, and verification requirements are substantially more demanding at Level 2.

