CMMC 2.0 Readiness: Levels, Timelines, and What Contractors Need Now
With the CMMC 2.0 rule in effect, we break down Level 1 vs 2 vs 3, NIST SP 800-171 alignment, and how to build a realistic path to certification.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 rule is now in effect for Department of Defense contracts. If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC will eventually be a contract requirement. The rule simplifies the earlier five-level model to three levels and ties Level 2 closely to NIST SP 800-171. Here’s a detailed overview of the levels, timelines, and what to do next.
The Three CMMC 2.0 Levels
Level 1 (Foundational) applies to contractors that only handle FCI. It focuses on basic cyber hygiene—about 17 practices derived from FAR 52.204-21—and requires an annual self-assessment. If your contracts don’t involve CUI and you only process or store FCI, Level 1 is your target. The bar is lower, but it still requires documented policies and consistent implementation.
Level 2 (Advanced) applies when CUI is involved. It’s aligned with NIST SP 800-171 Revision 2 and includes 110+ practices across 14 domains. Most defense contractors will need Level 2. Depending on the type of CUI (e.g., critical national security information versus other CUI), you’ll need either an annual self-assessment or a triennial third-party assessment by a C3PAO (Certified Third-Party Assessment Organization). Planning for a third-party assessment means building evidence over time and potentially addressing POA&M items before the formal assessment.
Level 3 (Expert) is for the most sensitive CUI and involves a subset of NIST SP 800-172-style controls. Assessment is triennial and government-led through DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). Fewer organizations need Level 3, but if your contracts require it, start early—government assessments have longer lead times.
Timelines and Rollout
The Department of Defense is phasing CMMC into contracts over several years via contract clauses and flow-down. The exact date you need certification depends on your contract types, whether you’re in the critical national security supply chain, and when your contracts are renewed or new solicitations are released. Starting readiness now gives you time to close gaps, build a Plan of Action & Milestones (POA&M) where allowed, and pass your first assessment when it’s required. Rushing at the last minute leads to failed assessments and contract risk.
Practical Next Steps
First, determine which level your current and pipeline contracts will require—and whether you handle FCI only or CUI. If CUI is involved, map which systems and data are in scope. Then run a gap assessment against the right set of practices (e.g., NIST SP 800-171 for Level 2). Remediate gaps, document policies and procedures, and maintain evidence. If you’re pursuing Level 2 with a third-party assessment, identify a C3PAO early, understand their process, and allow time for any POA&M items. Many organizations engage a vCISO or consultant to run the gap assessment and guide remediation so internal teams can focus on execution.
US CIBER helps defense contractors with CMMC 2.0 readiness: gap assessments, NIST SP 800-171 alignment, POA&M development, and pre-assessment support. Contact us to discuss your situation.
Defense contractor? Get a free 30-minute CMMC scoping call. Contact US CIBER.