If you’re a defense contractor — or a subcontractor in the defense supply chain — CMMC 2.0 is no longer a future concern. The Cybersecurity Maturity Model Certification program is live, and it’s changing how the Department of Defense evaluates contractor cybersecurity.
Here’s what you need to know, without the jargon.
What CMMC actually is
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the DoD’s framework for verifying that defense contractors protect sensitive information — specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Before CMMC, contractors self-attested to their cybersecurity posture. DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017, but the DoD took you at your word. The problem: DIBCAC audits revealed widespread gaps between what contractors claimed and what they actually implemented. CMMC replaces the honor system with verification.
The three levels
CMMC 2.0 simplified the original five-level model down to three:
Level 1 — Foundational
- Who it applies to: Contractors handling FCI (Federal Contract Information) only
- Requirements: 15 security practices from FAR 52.204-21 — basic cyber hygiene like access control, identification and authentication, and physical protection
- Assessment: Annual self-assessment with affirmation by a senior company official
- What this means practically: Antivirus, access controls, physical security for systems, and basic policies. Most small contractors handling only FCI will land here.
Level 2 — Advanced
- Who it applies to: Contractors handling CUI (Controlled Unclassified Information)
- Requirements: 110 security practices aligned with NIST SP 800-171 Rev 2
- Assessment: Either self-assessment (for a subset of contracts) or third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization)
- What this means practically: This is a significant step up. You’ll need a System Security Plan (SSP), a Plan of Action and Milestones (POA&M) for any gaps, incident response procedures, continuous monitoring, multifactor authentication, FIPS-validated encryption for CUI in transit and at rest, audit logging with retained logs, configuration management, and vulnerability scanning, each backed by written policy and evidence.
Level 3 — Expert
- Who it applies to: Contractors handling the most sensitive CUI on critical defense programs
- Requirements: The 110 NIST SP 800-171 practices plus 24 selected requirements from NIST SP 800-172. A current Level 2 C3PAO certification is a prerequisite.
- Assessment: Government-led assessment by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center, part of DCMA)
- What this means practically: If you’re at Level 3, you already have a dedicated security team. This article focuses on Levels 1 and 2, where most small contractors operate.
Self-assessment vs. C3PAO: which applies to you?
This is the question most contractors get wrong.
Level 1 is always self-assessment. You evaluate your own compliance against the 15 FAR practices, document the results, and a senior official affirms accuracy. The results go into the Supplier Performance Risk System (SPRS).
Level 2 is split. Some contracts accept self-assessment; others require a third-party C3PAO assessment. The specific solicitation dictates which path applies. The direction is clear, though: under the final rule, Level 2 self-assessment is reserved for a subset of contracts, and the DoD expects most contracts involving CUI to require C3PAO certification.
A C3PAO assessment involves an accredited third-party organization reviewing your security implementation against all 110 NIST SP 800-171 controls. They examine documentation, interview staff, and test technical controls. The result is a certification valid for three years, with a senior official required to affirm continued compliance in SPRS every year in between.
The practical implication: Even if your current contracts allow self-assessment at Level 2, prepare as if a C3PAO will assess you. Future contracts — and future recompetes of your existing work — will likely require it.
The timeline is now
CMMC 2.0 requirements are being phased into DoD contracts over roughly three years, beginning in late 2025:
- Phase 1 (started late 2025): Level 1 self-assessment and Level 2 self-assessment requirements appear in new solicitations
- Phase 2 (2026): Level 2 C3PAO certification required in applicable solicitations
- Phase 3 (2027): Level 3 requirements for critical programs
- Phase 4 (2028): Full implementation across all applicable DoD contracts
If you’re responding to DoD solicitations today, you should assume CMMC requirements will appear. Waiting until you see the clause in an RFP means you’re already behind — C3PAO assessment scheduling has lead times measured in months, not weeks.
What small contractors get wrong
Working with defense contractors on CMMC readiness, we see the same mistakes repeatedly:
1. Underestimating scope
CMMC doesn’t just apply to the systems where you store CUI. It applies to every system, network, and person that stores, processes, transmits, or protects CUI. That includes your email system if CUI passes through it, your VPN if remote workers access CUI, and your backup systems if they contain copies. It also includes the assets that protect CUI even though they never hold it: your identity provider, SIEM, and endpoint management tooling are in scope as security protection assets and will be assessed.
2. Treating it as an IT project
CMMC compliance requires policies, procedures, training records, incident response plans, and ongoing documentation — not just technology. A firewall and antivirus alone won’t get you to Level 2. You need written evidence that you’ve implemented, documented, and are maintaining each control.
3. Ignoring the POA&M constraints
CMMC 2.0 allows Plans of Action and Milestones (POA&Ms) for some controls that aren’t fully implemented at the time of assessment, but only at Level 2 and only within limits. You must score at least 88 of 110 to receive a conditional certification, only controls weighted at one point can be placed on a POA&M (higher-weighted controls such as MFA must be fully in place, with a narrow exception for FIPS-validated encryption), and every open item must be closed and verified within 180 days or the conditional status lapses. Level 1 permits no POA&M at all. You can’t POA&M your way to certification.
4. Assuming their MSP handles it
Your managed service provider keeps your systems running. That’s not the same as implementing 110 NIST 800-171 controls with documentation, evidence, and continuous monitoring. Most MSPs are not equipped to deliver CMMC readiness without a security-focused partner. Keep in mind, too, that an MSP that handles CUI or provides security services for your environment is an external service provider inside your assessment boundary: its services will be examined as part of your assessment, and any cloud service holding CUI must meet FedRAMP Moderate or equivalent.
Practical steps to prepare
Whether you need Level 1 or Level 2, here’s the sequence that works:
For Level 1
- Map your FCI flow — Identify exactly where Federal Contract Information enters, lives, and exits your environment
- Gap assessment — Evaluate your current state against the 15 FAR 52.204-21 practices
- Remediate — Address any gaps (typically access controls, patching, and physical security)
- Document — Create or update your policies and evidence
- Self-assess and submit — Complete the assessment, have a senior official affirm, enter your score in SPRS
For Level 2
- Define your CUI boundary — Determine every system, network segment, and user that touches CUI, plus the assets that protect them. Consider scoping strategies such as an isolated CUI enclave to shrink this boundary rather than certifying the whole company network
- Conduct a NIST SP 800-171 gap assessment — Score yourself honestly against all 110 controls using the DoD Assessment Methodology, which starts at 110 and subtracts weighted points for each unmet control. Your SPRS score reflects this, and an assessor will compare it against what they find
- Create your System Security Plan (SSP) — Document how each control is implemented in your specific environment
- Build your POA&M — For any controls not yet met, document what you’ll do and when, keeping the 180-day closure requirement in mind and remembering that higher-weighted controls cannot sit on a POA&M at assessment time
- Implement technical controls — MFA for all CUI access, FIPS-validated encryption, SIEM/log management, endpoint detection and response, access controls, and network segmentation
- Implement administrative controls — Policies, procedures, training, incident response plans, regular reviews
- Collect evidence continuously — Screenshots, configurations, training records, audit logs — a C3PAO will want to see proof
- Engage a C3PAO — Schedule your assessment well in advance; availability is limited
The cost of non-compliance
The math is straightforward: if your competitors achieve CMMC certification and you don’t, you lose access to DoD contracts. Full stop.
Beyond contract eligibility, the False Claims Act applies to CMMC self-assessments and affirmations. If a senior official affirms a score that doesn’t reflect reality, the company, and potentially the individual, faces legal liability. The Department of Justice’s Civil Cyber-Fraud Initiative has already pursued contractors over inaccurate cybersecurity representations, and the DoD has signaled that enforcement will be aggressive.
Where managed security fits
Most small defense contractors don’t have the in-house expertise to implement and maintain 110 NIST 800-171 controls, produce the documentation a C3PAO expects, and operate continuous monitoring — all while doing their actual contract work.
A managed security provider that understands CMMC can fill that gap: implementing the technical controls, maintaining the documentation, providing 24/7 monitoring, and helping you prepare for assessment. The goal isn’t to hand off compliance entirely — your leadership still owns it — but to have the expertise and infrastructure that makes compliance achievable and sustainable.
Not sure where you stand on CMMC readiness? Book a discovery call to walk through your current posture and identify your gaps before an assessor does.