RSI Security

Preparing for DoD Compliance with the CMMC Framework


Organizations supporting the U.S. Department of Defense (DoD) must demonstrate the ability to protect sensitive information as a condition of contract eligibility. The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is the DoD’s mechanism for enforcing these requirements across the Defense Industrial Base (DIB).

With phased enforcement now underway in 2026, contractors must align to CMMC requirements not only to win new contracts, but to maintain eligibility for renewals and option periods. This guide outlines what has changed, what is required today, and how to prepare in a way that is defensible, auditable, and aligned to current DoD expectations.

What’s Changed in 2026: From Preparation to Enforcement

CMMC 2.0 is no longer theoretical. The rulemaking process has progressed into active contract inclusion, so organizations should shift from "readiness planning" to evidence-backed compliance and audit readiness.


Implementation: What Controls Do You Need?

CMMC 2.0 is not a checklist-based framework — it is a cybersecurity maturity model that requires controls to be implemented, operational, and supported by evidence. Each Level reflects the depth and consistency of an organization’s cybersecurity practices as they relate to protecting DoD information.

The controls required at each Level are aligned to established federal and NIST requirements:

CMMC Level 1: Foundational Security. The basic safeguarding requirements of FAR 52.204-21 for protecting Federal Contract Information (FCI).

CMMC Level 2: Advanced Security (primary focus for most contractors in 2026). The 110 security requirements of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI).

CMMC Level 3: Expert Security. The Level 2 requirements plus a subset of the enhanced requirements of NIST SP 800-172.

2026 Consideration:
Assessors are increasingly focused on evidence quality, process consistency, and operational maturity — not just whether a control exists on paper.

The specific Level required is defined in DoD contracts. However, organizations preparing proactively should determine scope based on whether they process, store, or transmit FCI or CUI, and align controls accordingly.

Assessment: How to Verify Security Maturity

Verification is a required component of CMMC compliance. The Department of Defense mandates different assessment methods depending on the Level, with increasing rigor as data sensitivity increases.

Assessments are designed to validate that controls are not only implemented, but also functioning as intended and supported by objective evidence.

CMMC Level 1: Self-Assessment. An annual self-assessment against the FAR 52.204-21 safeguarding requirements, with the result and a senior-official affirmation entered in the Supplier Performance Risk System (SPRS).

CMMC Level 2: Third-Party or Self-Assessment (Conditional). For most contracts involving CUI, a certification assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years; the DoD designates a subset of contracts for which a triennial self-assessment is sufficient. Both paths require an annual affirmation in SPRS.

CMMC Level 3: Government-Led Assessment. Conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with a current Level 2 certification as a prerequisite.

2026 Considerations:
The Cyber AB accredits and authorizes the Certified Third-Party Assessment Organizations (C3PAOs) that conduct Level 2 certification assessments; assessor training and certification are handled by its Cybersecurity Assessor and Instructor Certification Organization (CAICO).


Determining Your Implementation Scope

The CMMC Level your organization must achieve is defined by the specific DoD contract or solicitation. However, organizations preparing in advance should determine scope based on the type of information they process, store, or transmit — particularly Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Scoping is one of the most critical components of CMMC compliance. Incorrect or incomplete scoping can lead to failed assessments, invalid results, or gaps in required controls.

Here's how data type maps to CMMC Levels:

FCI only: Level 1.

CUI: Level 2.

CUI on programs the DoD designates as higher-risk: Level 3.

2026 Consideration:
The Department of Defense has published scoping guidance for Levels 1 and 2, with increasing emphasis on clearly defined system boundaries, data flows, and asset categorization. Organizations are expected to document and justify scope decisions as part of assessment readiness.


CMMC Level 1 Scoping Guidance

At CMMC Level 1, assessment scope is limited to assets that process, store, or transmit Federal Contract Information (FCI). This includes any physical or virtual asset that performs one or more of those three functions; only such assets are in scope for a Level 1 self-assessment.

Out-of-scope assets must be clearly separated from FCI and have no logical or physical connection that would allow access or interaction.

Specialized Assets (Conditional):
Certain asset types are not assessed against the Level 1 requirements provided they are documented as such. These are government property, Internet of Things (IoT) devices, operational technology (OT), restricted information systems, and test equipment.

2026 Considerations:
Accurate scoping at Level 1 ensures that security controls are applied to the correct systems while reducing unnecessary assessment overhead.

CMMC Level 2 Scoping Guidance

At CMMC Level 2, scoping expands beyond Federal Contract Information (FCI) to include all assets that process, store, or transmit Controlled Unclassified Information (CUI), as well as systems that provide security protections to those assets.

In addition to Level 1 scoping requirements, organizations must clearly define and document their CUI environment, including system boundaries, data flows, and asset relationships.

CUI Assets include any hardware or software that processes, stores, or transmits CUI.

Additional in-scope asset categories include Security Protection Assets (systems that provide security functions for the CUI environment, for example a SIEM or the boundary firewall), Contractor Risk Managed Assets (assets that can, but are not intended to, handle CUI and are kept from doing so by policy, procedure, and practice), and Specialized Assets (government property, IoT devices, OT, restricted information systems, and test equipment).

Out-of-scope assets must be physically or logically segmented from the CUI environment, with no direct or indirect path for access, communication, or data exchange.

2026 Assessment Expectations:
Organizations should be prepared to provide an asset inventory that records each asset's category, a network diagram of the CUI environment showing boundaries and data flows, and a System Security Plan (SSP) that documents and justifies the scope.

Improper segmentation, undocumented connections, or unclear boundaries may result in additional systems being included in scope during assessment.

Accurate and well-documented scoping at Level 2 is essential to achieving a defensible assessment and demonstrating protection of Controlled Unclassified Information.
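As an added illustration (not part of the original page and not DoD or RSI Security tooling) of the "no direct or indirect path" requirement, the Python below runs a reachability check over a constructed asset inventory and a constructed list of permitted network flows. The asset categories follow the DoD Level 2 scoping guide; the asset names and flows are made up for the example. Any asset documented as out of scope that can reach a CUI asset, even through an intermediate system, is reported together with the path that pulls it into scope, and any asset that appears in a flow but not in the inventory is reported as an undocumented connection.

```python
"""Scoping-boundary check for a CMMC Level 2 asset inventory (added example).

Categories follow the DoD Level 2 scoping guide: CUI, SPA (Security Protection
Asset), CRMA (Contractor Risk Managed Asset), SPECIALIZED, OUT_OF_SCOPE.
The inventory and flows below are constructed sample data, not a real network.
"""
from collections import deque

OUT_OF_SCOPE = "OUT_OF_SCOPE"

# Constructed inventory: asset name -> documented category.
INVENTORY = {
    "file-srv-01": "CUI",
    "eng-wks-07": "CUI",
    "fw-edge-01": "SPA",
    "siem-01": "SPA",
    "print-srv-01": "CRMA",
    "cnc-mill-02": "SPECIALIZED",
    "guest-wifi-ap": OUT_OF_SCOPE,
    "hr-payroll-01": OUT_OF_SCOPE,
    "jump-host-01": OUT_OF_SCOPE,  # misclassified: it reaches CUI via the print server
}

# Constructed permitted communication paths. Treated as undirected, which is the
# conservative reading of "no direct or indirect path for access or data exchange".
LINKS = [
    ("eng-wks-07", "file-srv-01"),
    ("file-srv-01", "fw-edge-01"),
    ("siem-01", "file-srv-01"),
    ("siem-01", "fw-edge-01"),
    ("print-srv-01", "eng-wks-07"),
    ("cnc-mill-02", "eng-wks-07"),
    ("jump-host-01", "print-srv-01"),       # indirect: jump host -> printer -> CUI workstation
    ("hr-payroll-01", "guest-wifi-ap"),     # isolated from CUI, genuinely out of scope
    ("file-srv-01", "backup-nas-legacy"),   # flow to an asset missing from the inventory
]


def build_graph(links):
    """Undirected adjacency list; lists (not sets) keep traversal order deterministic."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, [])
        graph.setdefault(b, [])
        if b not in graph[a]:
            graph[a].append(b)
        if a not in graph[b]:
            graph[b].append(a)
    return graph


def path_to_cui(start, inventory, graph):
    """Breadth-first search from `start`; returns the shortest hop path to any CUI
    asset, or None when the asset has no direct or indirect path to CUI."""
    if inventory.get(start) == "CUI":
        return [start]
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if inventory.get(nxt) == "CUI":
                return path + [nxt]
            queue.append(path + [nxt])
    return None


def undocumented_assets(inventory, links):
    """Assets that appear in a documented flow but have no inventory entry."""
    named = {name for link in links for name in link}
    return sorted(named - set(inventory))


def scoping_gaps(inventory, links):
    """Assets documented as out of scope that still reach CUI, with the offending path."""
    graph = build_graph(links)
    gaps = {}
    for asset, category in inventory.items():
        if category != OUT_OF_SCOPE:
            continue
        path = path_to_cui(asset, inventory, graph)
        if path:
            gaps[asset] = path
    return gaps


def scope_report(inventory=INVENTORY, links=LINKS):
    """Everything an assessor would pull into scope that the inventory does not admit."""
    return {
        "pulled_into_scope": scoping_gaps(inventory, links),
        "undocumented_assets": undocumented_assets(inventory, links),
    }


if __name__ == "__main__":
    report = scope_report()
    for asset, path in report["pulled_into_scope"].items():
        print(f"{asset}: documented out of scope but reaches CUI via {' -> '.join(path)}")
    for asset in report["undocumented_assets"]:
        print(f"{asset}: appears in a permitted flow but is missing from the inventory")
```

Running it reports jump-host-01 as pulled into scope through print-srv-01, and backup-nas-legacy as an undocumented connection, while hr-payroll-01 and guest-wifi-ap stay out of scope because no path from them reaches a CUI asset. The same check can be fed from a real CMDB export and a firewall-policy dump; the point is that scope is decided by reachability, not by what the inventory spreadsheet says.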

CMMC Level 3 Scoping Speculation

The Department of Defense has not yet released final scoping thresholds or detailed guidance for CMMC Level 3 assessments. However, it has confirmed that Level 3 will apply to organizations supporting programs that involve higher-risk environments and more sensitive categories of Controlled Unclassified Information (CUI).

Level 3 builds on Level 2 requirements and is expected to incorporate a subset of enhanced controls from NIST SP 800-172, focusing on advanced threat detection, response, and resilience.

2026 Consideration:
Organizations should expect Level 3 to layer on top of a fully implemented Level 2 environment. While detailed scoping criteria are still evolving, those that support high-priority DoD programs or handle sensitive CUI should begin aligning with enhanced security practices and strengthening their existing Level 2 implementations.

Until formal guidance is finalized, Level 3 preparation should focus on maturing existing controls, improving visibility, and strengthening response capabilities rather than attempting to predict exact assessment requirements.


Implementing and Assessing Security Practices

Once scope is defined, organizations must implement security controls that are not only documented, but operational, repeatable, and supported by evidence.

The CMMC 2.0 framework aligns directly to NIST standards: Level 2 maps to the requirements of NIST SP 800-171, and Level 3 adds enhanced requirements from NIST SP 800-172.

2026 Reality:
Assessments focus less on whether controls exist and more on whether they are operational, applied consistently, and supported by objective evidence. Organizations should expect assessors to validate that each control functions as intended across the in-scope environment, not merely that it is described in policy.

Common Failure Points:
Incorrect or incomplete scoping, undocumented connections into the CUI environment, and controls that exist in documentation but are not operational or cannot be evidenced.

For organizations targeting Level 3, early alignment with the enhanced practices in NIST SP 800-172 can help strengthen detection, response, and resilience capabilities as guidance evolves.


Optimize Your CMMC Framework Implementation

Preparing for DoD compliance requires more than understanding the CMMC 2.0 framework — it requires a structured, evidence-based approach to scoping, implementation, and assessment readiness.

Organizations that succeed in 2026 and beyond focus on accurate scoping, controls that are operational rather than merely documented, evidence that withstands assessor scrutiny, and continuous maintenance of their compliance posture between assessments.

CMMC is not a one-time certification. It is an ongoing operational requirement tied directly to contract eligibility and organizational risk.

RSI Security supports contractors through each stage of this process — from scoping and gap assessments to remediation and audit preparation — with a focus on clarity, defensibility, and long-term maturity.

If your organization is preparing for CMMC Level 1, Level 2, or future Level 3 requirements, early alignment can help reduce assessment risk and avoid costly delays.

Download our CMMC 2.0 Readiness Checklist to benchmark your current state and identify next steps toward compliance.

