RSI Security

What Is The CMMC & How Should I Prepare For It


The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now an enforceable part of Department of Defense (DoD) contracting requirements, fundamentally changing how defense contractors demonstrate cybersecurity readiness. As of November 10, 2025, CMMC requirements can be included in applicable DoD contracts, making demonstrated compliance a condition of contract award rather than a post‑award obligation.

For organizations handling sensitive DoD data, especially Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), understanding what CMMC is and how to prepare for it is essential. This blog breaks down the program, explains why it matters at the executive and operational level, and provides a practical roadmap to help your organization prepare with clarity and confidence.


What Is the Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity compliance framework developed by the U.S. Department of Defense to protect sensitive defense information across the defense industrial base (DIB). It consolidates cybersecurity requirements from multiple regulatory sources, including FAR 52.204‑21, NIST SP 800‑171, and DFARS, into a single, verifiable certification program.

Unlike earlier versions, CMMC 2.0 simplifies the model to three maturity levels and aligns more directly with existing federal cybersecurity standards.


Why CMMC Matters for Your Business

CMMC is no longer just guidance: it is now implemented through DFARS clauses (including 252.204-7021 and 252.204-7025), making certification enforceable within applicable DoD contracts.

Here’s why that’s a big deal:

Despite years of awareness, readiness gaps persist across the DIB, with many contractors still struggling to implement even basic documentation like System Security Plans (SSPs).


CMMC 2.0: Certification Levels Explained

CMMC 2.0 has three levels of compliance, each with different requirements and assessment methods:

| Level | Focus | Assessment Type | Data Type |
|---|---|---|---|
| Level 1 – Foundational | Basic cyber hygiene | Annual self‑assessment | Federal Contract Information (FCI) |
| Level 2 – Advanced | Implementation of 110 NIST SP 800‑171 controls | Triennial third‑party assessment (C3PAO) or limited self‑assessment in rare cases | Controlled Unclassified Information (CUI) |
| Level 3 – Expert | Enhanced cybersecurity protections aligned to NIST SP 800‑172 requirements | Government‑led assessment | High‑priority CUI programs |


How to Prepare for CMMC Compliance

Step 1: Determine Your Required Level

Consult your current and pending DoD contracts to identify whether you are required to achieve Level 1, Level 2, or Level 3 compliance. Evaluate whether your organization handles FCI, CUI, or high‑value defense information.


Step 2: Perform a Gap Analysis

Compare your current cybersecurity posture against the controls required at your target level:

Document where you are compliant and where gaps exist so you can prioritize remediation.


Step 3: Create Documentation and Policies

Compliance is built on documentation as much as technical controls. Essential documents include:

Step 4: Implement Required Controls

Address the cybersecurity controls identified in your gap analysis. This includes technical measures (encryption, access controls, monitoring) and organizational measures (training, incident response). Develop repeatable, documented processes rather than ad‑hoc fixes.


Step 5: Conduct Mock Assessments

Perform internal or third‑party mock assessments to validate readiness and uncover issues prior to formal evaluation. Early mock audits reduce surprises and give teams experience with the assessment process.


Step 6: Engage with a C3PAO (if Required)

If your contract requires Level 2 certification, schedule your assessment with an authorized C3PAO early — availability can become limited as deadlines approach. Confirm your selected C3PAO is officially authorized by The Cyber AB and in good standing prior to scheduling your assessment.


What Happens During a Formal CMMC Assessment?

A formal CMMC assessment is not simply a checklist review. It is a structured evaluation designed to determine whether your organization can consistently protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in accordance with DoD requirements. Understanding what to expect helps reduce uncertainty, align internal teams, and ensure your organization is properly prepared before assessors arrive.

The depth and rigor of the assessment depend on the certification level required in your contract.


Level 1: Annual Self-Assessment and Executive Affirmation

For organizations required to meet Level 1, the process centers on an annual self-assessment against the 17 basic safeguarding requirements outlined in FAR 52.204-21. While this level does not require a third-party audit, it still demands accuracy and accountability.

Your organization must evaluate whether each required practice is fully implemented and functioning. Once completed, a senior company official must provide an executive affirmation confirming the accuracy of the assessment results. This attestation carries legal and contractual significance, meaning incomplete or inaccurate representations may expose the organization to contractual remedies, False Claims Act risk, or suspension from award eligibility.

Although Level 1 is considered foundational, it still requires documented evidence demonstrating that safeguards are in place and actively maintained—not just stated in policy.


Level 2: Third-Party Assessment by a C3PAO

Level 2 assessments are significantly more rigorous. These are conducted by a Certified Third-Party Assessment Organization (C3PAO) and focus on validating implementation of the 110 security requirements in NIST SP 800-171.

The assessment typically includes:

Assessors evaluate documentation, interviews, and objective technical evidence to validate that controls are implemented, operating as described, consistently applied, and producing measurable results. For example, if your policy states that access reviews are conducted quarterly, assessors may request records from previous review cycles to verify consistency.

Organizations that succeed at Level 2 assessments typically demonstrate maturity—not just technical capability. This includes clear ownership of controls, documented procedures, trained personnel, and an understanding of how security practices support operational resilience.


Level 3: Government-Led Assessment for High-Priority Programs

Level 3 assessments are conducted by the government and apply to organizations handling the most sensitive defense information. These evaluations build upon Level 2 requirements and include additional enhanced security practices aligned with advanced threat protection.

Expect a more detailed and methodical evaluation process, including deeper technical scrutiny, expanded evidence sampling, and validation of enhanced detection and response capabilities. The focus shifts from basic compliance to resilience against sophisticated adversaries.

Organizations preparing for Level 3 must demonstrate implementation of Level 2 requirements plus enhanced practices under NIST SP 800-172, including advanced threat detection, monitoring, and response capabilities.


What Assessors Are Really Looking For

Regardless of level, assessors are evaluating three fundamental things:

  1. Documented Evidence – Your policies, procedures, and plans must accurately reflect your operational environment.
  2. Repeatable Processes – Security controls must be institutionalized, not ad hoc or dependent on one individual.
  3. Consistent Implementation – Practices must be applied uniformly across in-scope systems.

The most common readiness gaps occur when organizations have technical tools in place but lack supporting documentation or when policies exist but are not consistently followed.

Preparation, therefore, is about alignment—ensuring your documentation, technical safeguards, governance processes, and daily operational practices consistently support one defensible narrative.

By understanding what happens during a formal CMMC assessment, organizations can approach the process strategically rather than reactively. When preparation is thorough and documentation reflects actual operational practice, the assessment becomes a validation of maturity rather than a source of disruption.


Maintaining Compliance After Certification

Achieving CMMC certification is a major milestone, but it is not a one-time event. The Department of Defense designed CMMC to ensure continuous protection of sensitive information, not temporary alignment at the time of audit. Organizations that treat certification as a checkbox exercise often struggle to maintain compliance between assessment cycles.

Once certified, your responsibility shifts from preparation to operational discipline. Maintaining compliance requires structured oversight, ongoing validation of controls, and executive accountability.


Annual Self-Affirmations and Executive Accountability

Even after certification, organizations must conduct periodic self-evaluations and provide executive affirmations confirming continued compliance. This requirement reinforces accountability at the leadership level. Senior officials are expected to attest that required security controls remain implemented and effective—not just documented.

This means cybersecurity must remain visible at the executive level. Regular internal reviews, compliance reporting, and leadership oversight are critical to ensuring affirmations are accurate and defensible.


Updating the System Security Plan (SSP) and POA&M

Your System Security Plan (SSP) should be treated as a living document. As systems evolve, personnel change, new technologies are introduced, or network architecture is modified, the SSP must be updated to accurately reflect your operational environment.

Similarly, the Plan of Action and Milestones (POA&M) should be actively managed. Any newly identified weaknesses must be documented, assigned ownership, and tracked to resolution. An outdated SSP or stagnant POA&M is one of the most common red flags during reassessments.

Organizations that integrate SSP and POA&M reviews into their change management process tend to maintain compliance more efficiently and avoid last-minute remediation efforts before reassessment cycles.


Continuous Monitoring and Security Maturity

CMMC requires organizations to demonstrate ongoing monitoring and institutionalization of security controls between assessment cycles. This includes reviewing access privileges, analyzing audit logs, validating backup integrity, testing incident response plans, and reassessing risk on a recurring basis.

Cyber threats evolve constantly. New vulnerabilities, supply chain risks, and emerging attack techniques require organizations to remain proactive rather than reactive. Continuous monitoring ensures that controls are not only implemented but remain effective against changing threats.

For many organizations, this means transitioning from project-based compliance efforts to an operational security model where cybersecurity becomes embedded in daily business processes.


Preparing for Reassessment Cycles

For Level 2 organizations, third-party reassessments typically occur every three years. However, waiting until the final year to prepare creates unnecessary risk and operational disruption. The most mature organizations treat reassessment readiness as an ongoing objective.

Internal audits, periodic mock assessments, and quarterly control validation exercises help ensure the organization remains audit-ready at all times. This approach reduces stress, avoids emergency remediation spending, and strengthens long-term cybersecurity resilience.


Long-Term Strategic Value

Maintaining compliance does more than preserve contract eligibility. It strengthens your organization’s cybersecurity posture, builds trust with contracting officers, and enhances your competitive standing within the defense industrial base.

Organizations that embed CMMC into their governance structure often experience:

Ultimately, sustained compliance positions your organization not just to meet current DoD requirements, but to adapt efficiently to future regulatory updates and evolving national security expectations.


Conclusion

CMMC 2.0 is now a critical requirement for defense contractors. By understanding your required level, performing a structured gap analysis, institutionalizing required controls, and preparing for assessment, your organization can pursue certification with reduced disruption and greater predictability.

Early preparation reduces risk, ensures contract eligibility, and strengthens cybersecurity across your systems. Start your CMMC readiness journey with RSI Security now, not just to protect contract eligibility, but to strengthen long-term cybersecurity maturity across your organization.

Download Our CMMC Checklist
