Compliance

CMMC 2.0 Compliance: What Defense Contractors Must Do Now

Jordan K. · Defensive Security Lead · 7 min read

If your organization handles Controlled Unclassified Information (CUI) under a Department of Defense contract, CMMC 2.0 compliance is not optional. The final program rule (32 CFR Part 170) took effect in December 2024, and the contract clauses that require certification are being phased into new solicitations. The time to prepare is now.

Understanding the CMMC 2.0 Framework

CMMC 2.0 streamlined the original five-level model into three tiers:

  • Level 1 (Foundational): 15 basic safeguarding requirements, the same ones listed in FAR 52.204-21. An annual self-assessment with a senior-official affirmation is sufficient. Applies to contractors handling Federal Contract Information (FCI) only.
  • Level 2 (Advanced): 110 requirements mapped one-to-one to NIST SP 800-171 Rev 2. Most contractors handling CUI will need a triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO), plus an annual affirmation; only a limited set of contracts allow Level 2 self-assessment.
  • Level 3 (Expert): 24 requirements selected from NIST SP 800-172, assessed by the government (DCMA's DIBCAC). It requires a Level 2 certification as a prerequisite and is reserved for contractors supporting the most sensitive programs.

Where Most Organizations Struggle

After conducting dozens of CMMC readiness assessments, we consistently see the same gaps:

  • CUI scoping: Organizations underestimate where CUI lives, flows, and is processed, including backups, email, file shares, and the endpoints and identity systems that protect them. Without an accurate scope, you cannot protect what you do not know about, and you cannot tell the assessor what is in and out of bounds.
  • Access control: Least-privilege principles are defined in policy but not enforced in practice. Shared accounts, excessive admin rights, and stale access persist, even though NIST SP 800-171 requires unique identifiers, limits on privileged functions, and disabling identifiers after a defined period of inactivity.
  • Audit and accountability: Log collection exists, but log review and alerting often do not. The Audit and Accountability family (3.3) requires that audit records are reviewed, analyzed, and correlated for indications of inappropriate or unusual activity, not merely retained.
  • Incident response: Plans exist on paper but have never been tested. Tabletop exercises are essential to validate that your team knows what to do, and whom to notify, when an incident occurs.
  • System Security Plan (SSP) quality: The SSP is the single most important artifact in your assessment, because the assessor validates what it claims. Vague or incomplete SSPs are the leading cause of assessment delays.
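The access-control and audit-review gaps above are the ones most easily turned into a repeatable check. The script below is an added example, not code from the article, that reviews a constructed set of logon events for three indicators: repeated failed logons on one account (3.1.8), one identifier succeeding from several hosts in a short window (a sign of a shared credential, contrary to 3.5.x unique identification), and identifiers with no logon inside the inactivity period (3.5.6). The log format, thresholds, reference date, and all account and host names are assumptions chosen for the example.

```python
"""Review constructed logon events for NIST SP 800-171 3.1/3.3/3.5 indicators.

Added example, not from the original article. Hypothetical assumptions:
  - events are JSON lines with ts (ISO-8601), user, src, outcome ("success"/"failure")
  - reference date NOW = 2025-03-01 and a 90-day inactivity period (3.5.6)
  - 5 failures per 10 minutes (3.1.8) and 3 distinct hosts per 10 minutes
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log: synthetic data, not real accounts or hosts.
SAMPLE_LOG = """\
{"ts": "2025-02-28T09:00:00", "user": "alice", "src": "ws-101", "outcome": "success"}
{"ts": "2025-02-28T09:01:00", "user": "svc-backup", "src": "srv-01", "outcome": "success"}
{"ts": "2025-02-28T09:01:30", "user": "svc-backup", "src": "ws-044", "outcome": "success"}
{"ts": "2025-02-28T09:02:00", "user": "svc-backup", "src": "ws-087", "outcome": "success"}
{"ts": "2025-02-28T09:10:00", "user": "bob", "src": "vpn-gw", "outcome": "failure"}
{"ts": "2025-02-28T09:10:05", "user": "bob", "src": "vpn-gw", "outcome": "failure"}
{"ts": "2025-02-28T09:10:10", "user": "bob", "src": "vpn-gw", "outcome": "failure"}
{"ts": "2025-02-28T09:10:15", "user": "bob", "src": "vpn-gw", "outcome": "failure"}
{"ts": "2025-02-28T09:10:20", "user": "bob", "src": "vpn-gw", "outcome": "failure"}
{"ts": "2025-02-28T09:10:25", "user": "bob", "src": "vpn-gw", "outcome": "success"}
{"ts": "2024-10-01T14:00:00", "user": "carol", "src": "ws-012", "outcome": "success"}
"""

NOW = datetime(2025, 3, 1)          # assumed reference date for the review
WINDOW = timedelta(minutes=10)      # assumed correlation window
MAX_FAILURES = 5                    # assumed 3.1.8 lockout threshold
MAX_HOSTS = 3                       # assumed shared-credential threshold
INACTIVITY = timedelta(days=90)     # assumed 3.5.6 inactivity period


def parse_events(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def burst_failures(events, limit=MAX_FAILURES, window=WINDOW):
    """3.1.8: accounts with at least `limit` failed logons inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["user"]].append(e["ts"])
    hits = set()
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                hits.add(user)
                break
    return sorted(hits)


def shared_credential_use(events, limit=MAX_HOSTS, window=WINDOW):
    """One identifier succeeding from `limit` or more hosts inside one window."""
    successes = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            successes[e["user"]].append((e["ts"], e["src"]))
    hits = set()
    for user, entries in successes.items():
        start = 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1
            if len({src for _, src in entries[start:end + 1]}) >= limit:
                hits.add(user)
                break
    return sorted(hits)


def stale_identifiers(events, now=NOW, inactivity=INACTIVITY):
    """3.5.6: identifiers whose last successful logon is older than `inactivity`.

    Only accounts that appear in the log are considered; a real review must
    start from the directory's account inventory so never-used accounts are
    not missed.
    """
    last_seen = {}
    for e in events:
        if e["outcome"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u, ts in last_seen.items() if now - ts > inactivity)


def review(text):
    """Run all three checks and return the findings keyed by indicator."""
    events = parse_events(text)
    return {
        "burst_failures": burst_failures(events),
        "shared_credential_use": shared_credential_use(events),
        "stale_identifiers": stale_identifiers(events),
    }


if __name__ == "__main__":
    for finding, users in review(SAMPLE_LOG).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

On the sample data the review flags `bob` for the failure burst, `svc-backup` for successes from three hosts inside two minutes, and `carol` for an identifier unused for more than 90 days. The point for an assessment is not the script itself but that something like it runs on a schedule, its output is reviewed by a named role, and that review is recorded; those are the artifacts a C3PAO will ask for under 3.3.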

A Practical Preparation Roadmap

If you have not started, focus on these steps in order:

  1. Define your CUI boundary. Map every system, application, and data flow that touches CUI, and categorize each asset the way the CMMC Level 2 scoping guidance does (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets). Document the result in a network diagram and a data flow diagram.
  2. Conduct a gap assessment against all 110 NIST SP 800-171 requirements. Be honest about what is partially implemented versus fully in place, score it with the DoD Assessment Methodology, and post the score in SPRS, because that score is what the C3PAO will validate.
  3. Build a Plan of Action and Milestones (POA&M). CMMC 2.0 permits POA&Ms at Level 2 but not Level 1, and only under strict conditions: the assessment score must be at least 88 of 110, the highest-weighted (5-point) requirements generally cannot be deferred, and every open item must be closed and verified within 180 days or the conditional certification lapses.
  4. Invest in your SSP. This document should describe how each requirement is implemented in your specific environment (which systems, which settings, which people), not restate NIST language.
  5. Engage a C3PAO early. Assessment capacity is limited and scheduling lead times are growing, so book your assessment well in advance of contract deadlines.

Common Misconceptions

Using a FedRAMP-authorized cloud provider does not automatically make you compliant. The provider must meet FedRAMP Moderate (or equivalent) to process CUI under DFARS 252.204-7012, but you are still responsible for configuring services correctly and for your side of the shared responsibility model: obtain the provider's customer responsibility matrix and document which requirements are inherited and which remain yours in your SSP. Similarly, purchasing a GCC High Microsoft 365 tenant is a good start, but it is not a substitute for implementing the full set of requirements.

CMMC 2.0 is a significant undertaking, but it is also achievable with the right planning and support. The contractors who start now will be positioned to win work while competitors scramble to catch up.
