CMMC 2.0 Compliance: The Complete Defense Contractor Guide


Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.


The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense framework for verifying that defense contractors and subcontractors implement adequate cybersecurity controls when handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 is codified at 32 CFR Part 170 (final rule effective December 16, 2024). It reaches contractors through DFARS clause 252.204-7021, which places the required CMMC level in a contract and builds on the existing safeguarding and incident-reporting clause, DFARS 252.204-7012. Phased rollout in DoD contracts began in 2025; every new defense contract that involves FCI or CUI will eventually require CMMC status at the level appropriate to the contract's data sensitivity. This guide covers all three certification levels, the 110 NIST SP 800-171 controls, the assessment ecosystem (C3PAO and DIBCAC), required artifacts (SSP and POAM), and day-to-day compliance operations for defense contractors.


CMMC 2.0 At a Glance

Level 1 (Foundational)
  Data type: FCI
  Controls: the 15 basic safeguarding requirements of FAR 52.204-21
  Assessment: annual self-assessment, with senior official affirmation submitted in SPRS
  Validity: 1 year

Level 2 (Advanced)
  Data type: CUI
  Controls: 110 NIST SP 800-171 Rev 2 requirements
  Assessment: C3PAO certification assessment, or self-assessment where the contract permits it
  Validity: 3 years, with annual affirmation

Level 3 (Expert)
  Data type: Highest-priority CUI
  Controls: the 110 Level 2 requirements plus 24 selected from NIST SP 800-172
  Assessment: DIBCAC (government-led); a final Level 2 C3PAO certification is a prerequisite
  Validity: 3 years, with annual affirmation


The CMMC Compliance Stack

A defense contractor pursuing CMMC certification must address the following functional areas. Each is a primary scope item during C3PAO or DIBCAC assessment.

  1. Data classification. Identify FCI vs CUI in your environment and mark CUI per the NARA CUI Marking Handbook. Unmarked or over-marked data is the most common reason a boundary turns out to be larger than the SSP claims.
  2. System boundary. Define which systems process, store, or transmit FCI/CUI, including the security tooling and external service providers that touch them. Document the boundary, with a diagram and asset inventory, in the SSP.
  3. System Security Plan. The comprehensive document describing how each control is implemented, by whom, and on which assets. Keep it current: review it at least annually and whenever the boundary or an implementation changes, because assessors test against what the SSP says.
  4. Plan of Action & Milestones. Track not-yet-implemented controls with owners and target completion dates. Under CMMC 2.0 only a limited set of lower-weight requirements may sit in a POAM at assessment time, and every open item must be closed out within the 180-day conditional status window.
  5. Evidence library. Documentation, screenshots, configurations, and logs proving each control is operating as the SSP describes, indexed by requirement ID so an assessor can go from control to artifact without a search.
  6. Cyber incident response. Report incidents affecting covered defense information to DoD within 72 hours under DFARS 252.204-7012 and preserve affected system images and monitoring data for at least 90 days from the date of the report.
  7. Cloud service provider verification. Any cloud service that stores, processes, or transmits CUI must be FedRAMP Moderate authorized or meet equivalent requirements, and the provider must accept the clause's incident-reporting and preservation obligations.
  8. Subcontractor flow-down. DFARS 252.204-7012 and the CMMC level requirement flow down to every subcontractor that handles FCI/CUI; a prime cannot certify on a subcontractor's behalf.
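The evidence library and POAM items above are easier to keep honest with a small coverage check. The following Python script is an added example, not FileFlo's code or anything published by the CMMC program: it derives the 110 NIST SP 800-171 Rev 2 requirement IDs from the published per-family counts, reports which requirements have no evidence in a manifest, rejects malformed or non-existent IDs, fingerprints each artifact with SHA-256 so later edits are detectable, and flags POAM items whose target date falls after the 180-day conditional-status window. The manifest, the POAM entries, the artifact paths and contents, and the assessment date are constructed sample data.

```python
"""Evidence-library coverage and POAM closeout check (added example; sample data is constructed)."""
import hashlib
import re
from datetime import date, timedelta

# NIST SP 800-171 Rev 2: 14 families, 110 requirements, numbered 3.<family>.<n>.
FAMILY_COUNTS = {
    1: ("Access Control", 22), 2: ("Awareness and Training", 3),
    3: ("Audit and Accountability", 9), 4: ("Configuration Management", 9),
    5: ("Identification and Authentication", 11), 6: ("Incident Response", 3),
    7: ("Maintenance", 6), 8: ("Media Protection", 9),
    9: ("Personnel Security", 2), 10: ("Physical Protection", 6),
    11: ("Risk Assessment", 3), 12: ("Security Assessment", 4),
    13: ("System and Communications Protection", 16),
    14: ("System and Information Integrity", 7),
}

# 32 CFR Part 170: conditional CMMC status lasts 180 days; open POAM items
# must be closed out and verified before it lapses.
CONDITIONAL_STATUS_DAYS = 180

CONTROL_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")


def all_controls():
    """All 110 requirement IDs in family order: 3.1.1 ... 3.14.7."""
    return [f"3.{fam}.{n}"
            for fam, (_, count) in FAMILY_COUNTS.items()
            for n in range(1, count + 1)]


def is_valid_control(control_id):
    """True only for an ID that exists in Rev 2 (catches typos such as 3.1.23)."""
    match = CONTROL_ID.match(control_id)
    if not match:
        return False
    fam, n = int(match.group(1)), int(match.group(2))
    return fam in FAMILY_COUNTS and 1 <= n <= FAMILY_COUNTS[fam][1]


def fingerprint(content):
    """SHA-256 of an evidence artifact, stored in the manifest at collection time."""
    return hashlib.sha256(content).hexdigest()


def coverage_report(manifest):
    """manifest: {control_id: [ {artifact, sha256}, ... ]}.

    Returns (unknown_ids, missing_controls, per_family) where per_family maps a
    family name to (controls with at least one artifact, controls in family).
    """
    unknown = sorted(cid for cid in manifest if not is_valid_control(cid))
    covered = {cid for cid, recs in manifest.items() if recs and is_valid_control(cid)}
    missing = [cid for cid in all_controls() if cid not in covered]
    per_family = {}
    for fam, (name, count) in FAMILY_COUNTS.items():
        have = sum(1 for n in range(1, count + 1) if f"3.{fam}.{n}" in covered)
        per_family[name] = (have, count)
    return unknown, missing, per_family


def poam_closeout(assessment_date, poam_items):
    """Return (closeout deadline, POAM items whose target date misses it)."""
    deadline = assessment_date + timedelta(days=CONDITIONAL_STATUS_DAYS)
    late = [item for item in poam_items if item["target_date"] > deadline]
    return deadline, late


# Constructed sample manifest: (control, hypothetical path, made-up file bytes).
_SAMPLE_ARTIFACTS = [
    ("3.1.1", "ac/entra-user-list.csv", b"upn,enabled\nalice@example.test,true\n"),
    ("3.1.2", "ac/rbac-roles.json", b'{"role": "CUI-Analyst"}'),
    ("3.5.3", "ia/mfa-policy.pdf", b"%PDF-1.7 mfa policy"),
    ("3.13.11", "sc/fips-validation-cert.png", b"\x89PNG fips"),
    ("3.1.23", "ac/typo.txt", b"this ID does not exist in Rev 2"),
]
SAMPLE_MANIFEST = {cid: [{"artifact": path, "sha256": fingerprint(content)}]
                   for cid, path, content in _SAMPLE_ARTIFACTS}
SAMPLE_MANIFEST["3.14.1"] = []  # listed, but no artifact uploaded yet: still a gap

# Constructed POAM: assessment on 3 March 2025, so closeout is due 30 August 2025.
SAMPLE_ASSESSMENT_DATE = date(2025, 3, 3)
SAMPLE_POAM = [
    {"control": "3.4.9", "target_date": date(2025, 6, 15)},
    {"control": "3.14.7", "target_date": date(2025, 9, 15)},
]

if __name__ == "__main__":
    unknown, missing, per_family = coverage_report(SAMPLE_MANIFEST)
    print(f"unknown IDs: {unknown}")
    print(f"controls without evidence: {len(missing)} of {len(all_controls())}")
    for name, (have, count) in per_family.items():
        print(f"  {name}: {have}/{count}")
    deadline, late = poam_closeout(SAMPLE_ASSESSMENT_DATE, SAMPLE_POAM)
    print(f"POAM closeout deadline: {deadline}")
    for item in late:
        print(f"  LATE: {item['control']} targeted {item['target_date']}")
```

Run it as-is to see the report on the sample data; in practice the manifest would be generated from the evidence folder and the POAM from the tracker export. The ID validation matters more than it looks: an assessor maps each artifact to a requirement ID, so a mistyped ID is evidence that silently covers nothing, and the per-family counts show at a glance which families the package has barely touched.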

Frequently Asked Questions

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification 2.0 is the Department of Defense framework verifying that defense contractors implement adequate cybersecurity controls when handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 is codified at 32 CFR Part 170 with the final rule effective December 16, 2024. Three certification levels apply based on the type and sensitivity of data handled.

Who must comply with CMMC?

All Department of Defense contractors and subcontractors who process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The phased rollout in DoD contracts began in 2025 — every new defense contract eventually requires CMMC certification at the level appropriate to the contract's data sensitivity.

What are the three CMMC levels?

Level 1 Foundational — the 15 basic safeguarding requirements of FAR 52.204-21 for FCI handlers, verified by an annual self-assessment with senior official affirmation. Level 2 Advanced — the 110 NIST SP 800-171 Rev 2 requirements for CUI handlers, verified by a C3PAO certification assessment for prioritized CUI or by self-assessment where the contract allows it. Level 3 Expert — the 110 Level 2 requirements plus 24 selected NIST SP 800-172 requirements for the highest-priority CUI, assessed by the government's DIBCAC; a final Level 2 C3PAO certification is required first.

How long is CMMC certification valid?

Final CMMC Level 2 and Level 3 certifications are valid for three years, with annual senior official affirmations in between. Level 1 self-assessment is valid for one year and must be renewed annually. Conditional CMMC Status (granted when permitted controls remain open in a POAM) lasts only 180 days; the POAM items must be closed and verified in a closeout assessment within that window, or the conditional status lapses and the contractor no longer meets the contract requirement.

What does CMMC Level 2 assessment cost?

Typical C3PAO assessment for Level 2 ranges $50,000-$250,000 for mid-market contractors, with larger or more complex enterprise environments running higher. Costs include planning, on-site assessment, reporting, and Cyber AB review fees. Initial certification typically costs more than re-certification at year three.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the Government under contract. Controlled Unclassified Information (CUI) is information requiring safeguarding per laws, regulations, or government policies — defined and registered through NARA's CUI Registry. FCI handlers face Level 1 (17 practices); CUI handlers face Level 2 (110 controls) or Level 3.

What is DFARS 252.204-7012?

DFARS 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is the contract clause requiring defense contractors handling Covered Defense Information to implement the NIST SP 800-171 controls, report cyber incidents to DoD within 72 hours, and preserve relevant images and data for 90 days. The clause predates CMMC and remains in force; CMMC adds third-party or government verification of what 252.204-7012 already requires, and the CMMC level itself is written into a contract by the companion clause DFARS 252.204-7021.

What software supports CMMC compliance?

CMMC tooling typically includes: GRC platforms (Vanta, Drata, Apptega), evidence collection and management systems (FileFlo, Hyperproof), SIEM and security monitoring (Splunk, Microsoft Sentinel), endpoint protection (CrowdStrike, SentinelOne), identity and access management (Okta, Microsoft Entra), and configuration management (Chef, Puppet, Ansible). Most contractors use multiple specialized tools rather than a single platform.
