What is CMMC 2.0 and who needs it?
A plain-language guide to the Department of Defense's cybersecurity certification program, who it applies to, and what compliance actually looks like at each level.
If your company does any work in the U.S. defense supply chain, you've probably heard the term CMMC come up in contract conversations, RFP requirements, or emails from your prime contractor's supply chain team. Maybe you've been told you need it. Maybe you're not sure whether it applies to you. Either way, the time to figure it out is now.
CMMC stands for Cybersecurity Maturity Model Certification, and it is the Department of Defense's framework for verifying that contractors and subcontractors actually meet the cybersecurity standards they've been contractually required to follow for years. The key word there is verifying. The security requirements themselves aren't new. What's new is that the DoD is done taking your word for it.
Why CMMC exists
For over a decade, defense contractors handling sensitive government data have been required to implement cybersecurity controls under DFARS 252.204-7012, which points to NIST SP 800-171. The problem was enforcement. Compliance was largely self-attested, and many contractors either didn't fully implement the controls or didn't implement them at all. Meanwhile, adversaries were actively exploiting these gaps. Breaches across the Defense Industrial Base (DIB) exposed technical drawings, weapons system data, and other controlled information that had real national security consequences.
The DoD's response was CMMC: a program that replaces the honor system with verified assessments. The original version, CMMC 1.0, launched in 2020 with five certification levels and a plan for mandatory third-party assessments across the board. Industry pushed back hard. The framework was too complex, too expensive, and too burdensome for small businesses that make up the vast majority of the defense supply chain.
In November 2021, the DoD announced CMMC 2.0, a significantly simplified version. It reduced the levels from five to three, aligned them directly with existing NIST standards, and reintroduced self-assessments for lower-risk contracts. The final rule was published in October 2024, took effect in December 2024, and enforcement began rolling into contracts starting November 10, 2025.
The three levels
CMMC 2.0 organizes cybersecurity requirements into three tiers based on the sensitivity of the information a contractor handles. Each level builds on the one below it.
Level 1: Foundational
Level 1 applies to contractors whose systems process, store, or transmit Federal Contract Information (FCI). FCI is basic contract-related data that isn't intended for public release but isn't classified or particularly sensitive. Think administrative details, logistics data, and routine project information.
The requirements at this level are straightforward: 15 basic security practices drawn from FAR 52.204-21. These cover fundamentals like limiting system access to authorized users, sanitizing media before disposal, and identifying and authenticating users. If you've done any baseline IT hygiene work, many of these controls are probably already in place.
Assessment at Level 1 is a self-assessment, conducted annually by the contractor and recorded in the Supplier Performance Risk System (SPRS). There is no third-party audit. An affirming official within the organization must also submit an annual affirmation of continued compliance.
Level 2: Advanced
Level 2 is where most defense contractors will land, and it's the level that represents the biggest shift from the old self-attestation model. It applies to contractors handling Controlled Unclassified Information (CUI), which is a broad category of sensitive but unclassified data that includes engineering drawings, technical specifications, research data, procurement details, and personally identifiable information of government personnel.
The requirements map directly to NIST SP 800-171 Revision 2: 110 security controls organized across 14 families, covering access control, audit and accountability, configuration management, incident response, system integrity, and more. These are the same controls contractors have been contractually required to implement under DFARS 252.204-7012, but CMMC adds the verification mechanism.
Assessment at Level 2 comes in two forms depending on the sensitivity of the CUI involved. For less critical CUI, an annual self-assessment (recorded in SPRS) may suffice. For most contracts involving CUI, however, a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO) is required. This is where the program gets its teeth. A C3PAO assessment is a formal audit of your security posture, your documentation, and your implementation of each control.
Plans of Action and Milestones (POA&Ms) are permitted at Level 2, which means you can receive a conditional certification if you have non-critical deficiencies. But those gaps must be closed within 180 days. You cannot leave them open indefinitely.
Level 3: Expert
Level 3 is reserved for contractors working on the DoD's most sensitive programs and technologies, where the threat model includes Advanced Persistent Threats (APTs), typically state-sponsored actors. It builds on Level 2 by adding 24 additional security controls from NIST SP 800-172, which focus on capabilities like penetration-resistant architecture, redundancy, and proactive threat hunting.
Assessment at Level 3 requires both a C3PAO assessment (confirming Level 2 compliance) and a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Very few organizations will need Level 3. If you're reading this guide to figure out whether CMMC applies to you, Level 3 almost certainly isn't your concern right now.
Who needs CMMC certification
The short answer: any organization in the defense supply chain that handles FCI or CUI on its own information systems as part of a DoD contract.
That definition is broader than many companies realize. It includes prime contractors, obviously. But it also includes subcontractors at every tier. If a prime contractor has a CMMC Level 2 requirement and they flow CUI down to you, you need Level 2 as well. This catches a surprisingly large number of small and mid-sized businesses that think of themselves as far removed from "defense work" but are in fact handling sensitive data through subcontract relationships.
Here's a practical way to think about who needs what:
- You handle FCI but not CUI. Your systems touch basic contract information like delivery schedules, invoicing details, or project management data, but nothing that carries a CUI marking. You likely need Level 1. Self-assessment, 15 controls, annual affirmation.
- You handle CUI. Your systems process, store, or transmit engineering data, technical specifications, test results, procurement-sensitive information, or any data marked as CUI. You need Level 2. The 110 controls from NIST 800-171, likely a C3PAO assessment, and a serious documentation effort.
- You support the DoD's most critical programs. You work with information that the DoD has determined requires protection against advanced persistent threats. You need Level 3. This will be determined at the program level and explicitly communicated in your contract requirements.
- You don't handle FCI or CUI at all. If your contract is solely for commercial off-the-shelf (COTS) products and your systems never touch government information, CMMC does not apply to you. But be careful with this assumption. Review your contracts and subcontracts carefully. The line between "we don't touch CUI" and "we actually do" is often blurrier than companies think, especially when it comes to email, file shares, and cloud storage where controlled data may flow without anyone explicitly intending it.
It's also worth noting that there is no small business exemption. The DoD has acknowledged that compliance costs disproportionately affect smaller contractors, and programs like APEX Accelerators and the Mentor-Protégé Program exist to help. But the requirements themselves apply equally regardless of company size.
The subcontractor reality
The flow-down dynamics of CMMC deserve special attention because they catch many organizations off guard. Prime contractors are contractually obligated to ensure their subcontractors meet the appropriate CMMC level. In practice, this means primes are increasingly requiring CMMC compliance from suppliers and subcontractors even before the DoD's phased rollout reaches their specific contracts.
Some primes are going further, requiring Level 2 certification from subcontractors who technically only handle FCI, not because the regulation demands it, but because it simplifies supply chain management and reduces risk. If you're a subcontractor and your prime is asking for CMMC compliance, treat that as a hard requirement for keeping the business relationship, regardless of what the regulation technically requires at your tier.
The rollout timeline
CMMC is being phased in over four years. Understanding the timeline matters because it determines when your certification needs to be in place to win or retain contracts.
- Phase 1 began on November 10, 2025. New DoD solicitations and contracts started including CMMC Level 1 and Level 2 self-assessment requirements as a condition of award. Contracting officers also have discretion to include Level 2 C3PAO certification requirements during this phase.
- Phase 2 begins November 10, 2026. This is when mandatory third-party C3PAO assessments for Level 2 start appearing broadly in applicable contracts. If your contracts involve CUI, this is the date to circle. You need to have either achieved certification or be well into the assessment process by then.
- Phase 3 begins November 10, 2027. Level 3 government-led assessments (DIBCAC) start appearing in contracts for the most sensitive programs.
- Phase 4 begins November 10, 2028. Full implementation. CMMC requirements become mandatory across all applicable DoD contracts, solicitations, option exercises, and renewals. No more grace periods.
A critical detail: CMMC certification must be valid at the time of contract award, not after. If you're negotiating contracts with award dates in 2026 or beyond, your compliance process should already be underway.
What "compliance" actually means in practice
It's tempting to think of CMMC as a checkbox exercise, but the program is designed to prevent exactly that mindset. Here's what real compliance involves at Level 2, which is where most contractors will need to operate.
- Scoping your environment. Before you can implement controls, you need to know exactly where CUI lives in your environment. This means mapping data flows, identifying every system that processes, stores, or transmits CUI, and defining the boundary of your assessment scope. Many organizations discover that CUI has spread further through their environment than they expected, into email systems, collaboration tools, personal devices, and cloud storage that was never intended to hold sensitive data.
- Implementing the 110 controls. Each of the 110 NIST 800-171 controls must be implemented, documented, and operational. This covers access control, multi-factor authentication, encryption of CUI at rest and in transit, audit logging, incident response procedures, configuration management, personnel security, and more. For organizations starting from scratch, this is typically a 6 to 18 month effort depending on the current state of their security program.
- Documenting everything. A System Security Plan (SSP) is the backbone of your compliance documentation. It describes your system boundaries, how each control is implemented, and who is responsible. You'll also need supporting documentation like network diagrams, access control policies, incident response plans, and evidence of regular assessments. The C3PAO will want to see not just that controls exist, but that they're actively maintained and operationally effective.
- Managing your cloud environment. If CUI lives in the cloud, that cloud environment must meet FedRAMP Moderate or FedRAMP Moderate equivalent requirements, per DFARS 252.204-7012. Standard commercial cloud services don't qualify. For Microsoft environments, this means GCC or GCC High, not the standard commercial tenant. This is a common and expensive surprise for smaller contractors.
- Maintaining continuous compliance. Certification isn't a one-time event. Annual affirmations are required, C3PAO assessments recur on a triennial cycle, and any changes to your system that affect CUI handling must be managed, documented, and reported. The DoD expects a living, maintained security program, not a snapshot that decays the moment the assessor leaves.
The False Claims Act risk
One aspect of CMMC that doesn't get enough attention: the legal exposure. Submitting a false or inaccurate affirmation of compliance exposes a contractor to penalties under the federal False Claims Act. This isn't theoretical. The DoD has already pursued cases against organizations that misrepresented their cybersecurity posture. In one notable case, Georgia Tech faced a lawsuit for allegedly failing to meet requirements under DFARS 252.204-7012. Penn State University faced similar scrutiny.
The message from the DoD is clear: inaccurate self-assessments and hollow compliance claims carry real legal consequences. If your SPRS score doesn't reflect your actual security posture, that gap is a liability.
Getting started
If you're still figuring out where your organization stands, the practical first steps are the same regardless of your size or where you sit in the supply chain.
Review your contracts and subcontracts to determine whether you handle FCI, CUI, or both, and what CMMC level is required or likely to be required. Talk to your prime contractor if you're a subcontractor. They should be able to tell you what they expect and when.
Conduct a gap assessment against NIST 800-171. This gives you a clear picture of where you stand today and what work remains. Many organizations discover they've implemented some controls informally but lack the documentation and consistency to pass an assessment.
Scope your CUI environment tightly. The smaller you can make your assessment boundary (while still covering all CUI flows), the less expensive and complex your compliance effort will be. Some organizations create a dedicated CUI enclave, a segmented environment specifically designed to handle controlled data, to keep the scope manageable.
Build a realistic timeline. Most organizations need 6 to 12 months to prepare for a C3PAO assessment, and assessment scheduling itself can add lead time depending on C3PAO availability. Starting now is not early. For many contractors, it's already late.
CMMC 2.0 represents a fundamental shift from trust-based to verification-based cybersecurity compliance in the defense supply chain. Whether it affects your organization depends on a simple question: does your work for the DoD involve information that needs protecting? For most companies in the DIB, the answer is yes, and the time to act on that answer is now.