If your organization holds, or wants to hold, a contract anywhere in the Department of Defense supply chain, CMMC 2.0 is not optional reading — it is a certification you will eventually need to demonstrate, whether you are the prime contractor or a subcontractor three tiers removed from the government. This article covers what CMMC 2.0 actually is, its three levels, and why it is best understood as a certification layer on top of an existing control set rather than a new one.
What CMMC 2.0 is
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense requirement for contractors and subcontractors in the Defense Industrial Base (DIB). It exists to verify — rather than simply take on trust — that organizations handling federal contract information and Controlled Unclassified Information (CUI) actually have the cybersecurity controls they have claimed to have. CMMC 2.0, the current version, streamlined an earlier and more complex model into three levels, with assessment rigor scaled to the sensitivity of the information involved.
CMMC applies beyond prime contractors
CMMC obligations flow down the supply chain. A small manufacturer or IT services firm with no direct DoD contract can still be required to achieve CMMC certification because a prime contractor's contract obligates its subcontractors to the same standard. Many organizations first encounter CMMC not from a government solicitation, but from a flow-down clause in a commercial contract with a defense prime.
The three levels
| Level | Practices | Assessment | Applies To |
|---|---|---|---|
| Level 1 — Foundational | 15 basic safeguarding practices | Annual self-assessment | Contractors handling only Federal Contract Information (FCI), not CUI |
| Level 2 — Advanced | 110 practices, directly aligned to NIST SP 800-171 | Third-party assessment by a certified C3PAO for most CUI-handling contractors; self-assessment permitted for a defined subset | Contractors handling Controlled Unclassified Information (CUI) |
| Level 3 — Expert | Level 2 practices plus a selected set of NIST SP 800-172 enhanced practices | Government-led assessment | Contractors supporting the DoD's highest-priority programs |
Level 1 is deliberately lightweight. Fifteen basic safeguarding practices — things like limiting system access to authorized users, sanitizing media before disposal, and controlling physical access to systems — cover organizations that handle Federal Contract Information but never touch CUI. Self-assessment, submitted annually, is sufficient.
Level 2 is where most CUI-handling contractors land, and where the certification burden increases substantially. Its 110 practices are not a DoD invention — they are, practice for practice, NIST SP 800-171 (covered in detail in NIST SP 800-171 Explained). Most organizations at this level require a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO), though CMMC 2.0 does permit self-assessment for a narrower subset of Level 2 programs designated as lower-priority by the DoD.
Level 3 adds a selected set of practices from NIST SP 800-172, which was written specifically to defend against advanced persistent threats, and applies only to contractors supporting the DoD's highest-priority programs. Assessment at this level is government-led rather than delegated to a C3PAO.
CMMC builds on NIST SP 800-171 — it does not replace it
The single most important structural fact about CMMC 2.0 is one that trips up organizations preparing for it: Level 2, the level that applies to the large majority of CUI-handling contractors, is not a separate control catalog that happens to resemble NIST SP 800-171. It is a certification and assessment mechanism layered directly on top of it. The 110 practices at Level 2 map one-to-one with the 110 security requirements across the 14 control families in NIST SP 800-171. An organization that has genuinely implemented NIST SP 800-171 already has the technical and administrative substance of CMMC Level 2 in place — what CMMC adds is a formal, independently verified assessment process, a scored self-assessment methodology (SPRS), and a certification artifact that a contracting officer can rely on instead of taking a contractor's word for it.
This relationship matters practically: organizations that treat CMMC preparation as a project separate from NIST SP 800-171 implementation tend to duplicate work, misallocate budget toward "CMMC-specific" activities that don't exist, and lose sight of the fact that the underlying control implementation is identical. The right sequence is to implement and document NIST SP 800-171 conformance first, then treat CMMC certification as the assessment and attestation layer on top of that work.
Preparing for a Level 2 assessment
Organizations preparing for Level 2 certification typically start with a gap assessment against the 110 practices, document a System Security Plan (SSP) describing how each practice is implemented, and build a Plan of Action and Milestones (POA&M) for any practices not yet fully in place. Because a C3PAO assessment is a point-in-time formal evaluation, evidence — configuration exports, policy documents, training records, log samples — needs to already exist and be organized before the assessment window opens, not assembled reactively during it.
Common mistakes
- Assuming CMMC is a new, DoD-specific control set rather than a certification layer on NIST SP 800-171. This misunderstanding leads organizations to build a parallel compliance program instead of implementing NIST SP 800-171 once and certifying against it.
- Waiting until a contract requires certification to begin preparation. A Level 2 gap assessment, remediation, and C3PAO assessment cycle routinely takes many months; starting after a contract deadline is set is a common and expensive scramble.
- Treating self-assessment scoring (SPRS) as informal. Scores submitted to the Supplier Performance Risk System are a federal submission with real consequences for misrepresentation, not an internal checklist.
- Ignoring flow-down obligations from prime contractors. Subcontractors frequently assume CMMC only applies to organizations with direct DoD contracts, missing contractual language that obligates them to the same standard.
FAQ
Do we need CMMC if we don't have a direct contract with the DoD? Possibly yes. CMMC obligations commonly flow down through prime contractors to subcontractors at any tier, driven by contract language rather than by whether your organization deals with the government directly.
How long does CMMC Level 2 certification typically take? It varies significantly with starting maturity, but organizations beginning from a limited security program should expect a multi-month process covering gap assessment, remediation, documentation, and the formal C3PAO assessment itself.
Is CMMC the same thing as NIST SP 800-171 compliance? Not exactly — they are closely related but distinct. NIST SP 800-171 is the underlying control catalog; CMMC Level 2 is the DoD's certification and assessment mechanism built on those same 110 practices. Implementing NIST SP 800-171 well is the foundation of CMMC Level 2 readiness, but certification requires the formal assessment process on top of it.