CMMC Information
The whole CMMC 2.0 process can feel overwhelming. It’s best to view your compliance journey as a step-by-step process. We’re here to provide everything you need to get compliant quickly. Some advice before you begin this process:
- Before you begin, ensure you understand all of your security and privacy requirements. Understanding your requirements will make it easier to negotiate with a vendor and avoid unnecessary upsells.
- There is a wide range of options available at different price points. The best approach is the minimally viable one—meaning that for your initial engagement, you should focus solely on meeting your requirements. Quality isn’t always associated with price.
- When you receive pricing, ensure you understand the total cost of getting compliant. You should also understand the timeline. This will help you avoid unpleasant surprises later on down the line.
- Work with reputable vendors that have experience working with government entities. If you’re working with a vendor, you’ll want to ensure that they are an experienced RPO.
- There are federal and state programs designed to reduce the financial burden of CMMC 2.0 compliance. Do your research and incorporate these into your planning. Feel free to reach out to us, and we can discuss what may be available to you.
- Find a subject matter expert who can answer questions you may have as you go through the process. Having access to a second opinion from a trusted source is key. CMMC LaunchPad offers Q&A sessions where you can engage with an SME for free.
CMMC 2.0 topics covered on this page
An Overview of CMMC 2.0 and DFARS
CMMC 2.0 and DFARS together form the Department of Defense’s framework for protecting sensitive defense information across the Defense Industrial Base. DFARS clauses—particularly DFARS 252.204-7012—contractually require contractors and subcontractors to implement NIST SP 800-171 controls, report cyber incidents, and safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 reinforces these requirements by introducing a three-tiered model with assessment and accountability mechanisms to verify that cybersecurity controls are properly implemented, whether through self-assessments or third-party evaluations, thereby improving consistency, reducing risk, and strengthening national security.
What's required
To comply with CMMC 2.0 and DFARS, organizations in the Defense Industrial Base (DIB) must meet a combination of technical, procedural, and contractual requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
First, companies must implement the required cybersecurity controls based on the level of data they handle. Most contractors handling CUI must comply with NIST SP 800-171, which includes 110 security controls across areas such as access control, incident response, configuration management, and system integrity. Organizations handling only FCI must meet more basic safeguarding requirements aligned with FAR 52.204-21. These controls must be fully implemented, documented, and operational—not just planned.
Second, organizations must document and assess their compliance posture. This includes maintaining a System Security Plan (SSP) that describes how each required control is implemented, along with a Plan of Action & Milestones POA&M
A Plan of Action and Milestones, or POA&M, is a document that outlines the action items needed to achieve compliance and the timeline for achieving it.
for any gaps. Under DFARS, companies must perform a NIST 800-171 self-assessment and submit a score to the Supplier Performance Risk System (SPRS). Under CMMC 2.0, organizations may be required to either self-assess annually or undergo a third-party CMMC assessment, depending on the contract requirements.
Finally, companies must meet ongoing contractual and operational obligations. This includes flowing down DFARS and CMMC requirements to subcontractors, reporting cyber incidents to the DoD within required timeframes, preserving evidence, and maintaining compliance over time. CMMC 2.0 makes compliance a condition of contract award, meaning organizations must be able to demonstrate compliance before and throughout contract performance, not just attest to it.
CMMC 2.0 Levels
| Level | Description | Practices | Assessment | Focus |
|---|---|---|---|---|
| Level 1 | Foundational | 15 practices based on FAR 52.204-21 | Annual Self-assessment | Safeguard FCI |
| Level 2 | Advanced | 110 practices aligned with NIST SP 800-171 Rev 2 | Triennial third-party or Annual self-assessment | Protection of CUI |
| Level 3 | Expert | 110+ practices (NIST 800-171 + subset of 800-172) | Triennial government-led assessments | Enhanced CUI Protection |
What’s the future of CMMC 2.0?
The final 48 CFR rule was issued on September 10, 2025, giving Defense Industrial Base (DIB) contractors sixty days to prepare for the launch of Phase 1 of CMMC 2.0. That window has now closed, and we are officially in the first phase of implementation.
Phase 1 (the current phase)
Phase 2 — Begins November 10, 2026
Phase 3 — Early/Mid 2027
Phase 4 — Q1/Q2 2028
Consequences of non-compliance
Non-compliance with CMMC 2.0 and DFARS can lead to loss of eligibility for DoD contracts, removal from subcontracting opportunities, and potential contract termination. Organizations may also face significant legal and financial consequences, including False Claims Act liability for inaccurate self-attestations, repayment of funds, and government enforcement actions. In addition, inadequate cybersecurity increases the likelihood of data breaches involving sensitive defense information, which can trigger mandatory reporting, audits, reputational damage, and long-term harm to a company’s standing within the Defense Industrial Base.
Getting Started
The first step in the process is getting a consultation. This service is free and requires no obligation.
Step 1: Determine Your CMMC Level
Step 2: Scope Your Environment & Assets
Step 3: Conduct a Gap Analysis
Step 4: Implement Controls & Document
Step 5: Engage Experts (MSP)
Step 6: Select Compliant Technology
Step 7: Select an Auditor (C3PAO)
Step 8: Complete the Assessment & Get Certified
Financial Assistance Resources
Federal & DoD Programs
Allowable Contract Costs
SBIR/STTR Grants
Project Spectrum
State & Local Initiatives
DCAP (Defense Cyber Crime Center)
Provides grants for gap analysis, technical assistance, and software/hardware for NIST 800-171 compliance.
Other State Programs
Many state/local agencies offer grants and educational resources for CMMC prep. Resources: A high level overview.
Additional Resources
Federal & DoD Programs