Navigating CMMC 2.0: A Practical Guide for Defense Contractors
CMMC 2.0 is here. We break down the three levels, assessment requirements, and the fastest path to compliance for your organization.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now in effect, and defense contractors at every tier of the supply chain need to understand what it means for their business.
The Three Levels
- Level 1 — Foundational: 15 basic cyber hygiene practices based on FAR 52.204-21. Self-assessment is sufficient. Required for contracts handling Federal Contract Information (FCI).
- Level 2 — Advanced: 110 practices aligned with NIST SP 800-171. Requires a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for contracts involving Controlled Unclassified Information (CUI). This is where most contractors need to be.
- Level 3 — Expert: 130+ practices based on NIST SP 800-172. Government-led assessments. Required for the most sensitive defense programs.
The Fastest Path to Level 2
- Scope your CUI environment — Minimize the boundary. The fewer systems in scope, the fewer systems on which the controls must be implemented and evidenced.
- Complete a gap assessment — Map your current state against all 110 NIST 800-171 controls. Identify POA&M items.
- Prioritize high-impact controls — Focus on access control, audit logging, incident response, and configuration management first.
- Implement an SSP — Your System Security Plan is the single most important document. It must be detailed and accurate.
- Engage a C3PAO early — Assessment organizations are booking out months in advance. Schedule your assessment while you remediate.
Common Pitfalls
Underscoping CUI boundaries, treating CMMC as a checkbox exercise, and failing to maintain evidence of continuous compliance are the top reasons contractors fail assessments.
Don't Lose Your DoD Eligibility
Get a CMMC readiness assessment and a clear remediation roadmap. We've helped contractors at every level of the defense supply chain.
Start Your CMMC Assessment