CMMC 2.0 is a streamlined and simplified version of the original CMMC framework, designed by the U.S. Department of Defense to protect sensitive information within the defense industrial base (DIB). Its primary purpose is to ensure that contractors and suppliers handling federal contract information (FCI) and controlled unclassified information (CUI) meet specific cybersecurity standards. CMMC 2.0 simplifies the previous version by reducing the certification levels and aligning more closely with existing cybersecurity standards like NIST SP 800-171 and NIST SP 800-172.
Here’s an overview of the updated CMMC Model 2.0 and how to comply:
Updated CMMC Model (Source)
Scope Your Environment
After determining the required CMMC 2.0 certification level for your organization, start by assessing and configuring your existing security environment. A comprehensive risk assessment is a critical first step. During this phase, your security team should focus on the following:
- Clearly define the controlled unclassified information or federal contract information your organization handles. Identify where it’s stored, processed, and how it’s transmitted.
- For Level 2 (Advanced), ensure that your organization is aligned with the 110 security controls specified by NIST SP 800-171. For Level 3 (Expert), consider the additional controls required by NIST SP 800-172.
- Review and update your existing policies to ensure they meet CMMC 2.0 cybersecurity compliance standards.
- Thoroughly document how your organization handles CUI/FCI and outline the current security measures in place.
Develop a Plan of Action & Milestones (POA&M) for CMMC 2.0
With a total of up to 134 controls (depending on the certification level), achieving CMMC 2.0 compliance requires a phased implementation and strong project management. A Plan of Action & Milestones (POA&M) outlines your organization’s current security posture and identifies any gaps or vulnerabilities that need to be addressed. It also lays out a clear path to bring your systems and infrastructure into full compliance with CMMC 2.0 requirements. The guidelines provided by frameworks such as FedRAMP can be helpful in developing a POA&M and preparing for a CMMC 2.0 assessment.
Engage a Certified Third-Party Assessor
While previous cybersecurity requirements were primarily self-assessed, CMMC 2.0 introduces mandatory third-party accreditation for organizations seeking certification at higher levels. For Level 2 (Advanced) and Level 3 (Expert), your organization must undergo an assessment conducted by an accredited third-party assessor, unless they are seeking a Level 2 Self-Assessment.
It’s beneficial to engage with a Certified Third Party Assessment Organization (C3PAO) early in your preparation process to help identify any gaps in compliance and ensure you are on track for a successful audit. Only assessments performed by assessors accredited by the CMMC Accreditation Board (CMMC-AB) will be valid for certification. Collaborating with a C3PAO will provide valuable guidance as you prepare for your formal CMMC assessment and certification.
According to the Department of Defense, there are four eligible CMMC statuses that an organization can obtain when seeking CMMC certification:
CMMC 2.0 Level 1 (Self) Requirements
This is a self-assessment focused on securing FCI that is processed, stored, or transmitted during contract fulfillment. Organizations must meet all 15 security requirements outlined in FAR clause 52.204-21 without exception.
CMMC 2.0 Level 2 (Self) Requirements
Also a self-assessment, this level ensures that CUI is protected in compliance with the 110 security requirements from NIST SP 800-171 Revision 2.
CMMC 2.0 Level 2 (C3PAO) Requirements
Unlike the self-assessment, this level requires organizations to hire a C3PAO to evaluate their adherence to the same 110 security requirements from NIST SP 800-171 R2. Certified assessors can be found on the CMMC Accreditation Body Marketplace.
CMMC 2.0 Level 3 (DIBCAC) Requirements
This is a government-led assessment that evaluates an additional 24 requirements derived from NIST SP 800-172, which supplements NIST SP 800-171. Organizations must first achieve Level 2 (C3PAO) certification before requesting a Level 3 assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) through the Defense Contract Management Agency (DCMA).
Here’s a full breakdown of the new CMMC 2.0 level, assessment, POA&M, and affirmation requirements:
CMMC status | Source & number of security requirements | Assessment requirements | Plan of action & milestones (POA&M) requirements | Affirmation requirements |
Level 1 (Self) | 15 required by FAR clause 52.204-21. | Conducted by Organization Seeking Assessment (OSA) annually. | Not permitted. | After each assessment. |
Level 2 (Self) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012. | Conducted by OSA every 3 years and CMMC Status will be valid for three years from the CMMC Status Date. | Permitted and must be closed out within 180 days.
Final CMMC Status will be valid for three years from the Conditional CMMC Status Date. |
After each assessment and annually thereafter. The Assessment will lapse upon failure to annually affirm.
|
Level 2 (C3PAO) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012. | Conducted by C3PAO every 3 years.
Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS) (or its successor capability). CMMC Status will be valid for three years from the CMMC Status Date. |
Permitted and must be closed out within 180 days.
Final CMMC Status will be valid for three years from the Conditional CMMC Status Date. |
After each assessment and annually thereafter. The Assessment will lapse upon failure to annually affirm. |
Level 3 (DIBCAC) | 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012.
24 selected from NIST SP 800-172 Feb2021, as detailed in table 1 to § 170.14(c)(4). |
Pre-requisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment.
Conducted by DCMA-DIBCAC every 3 years. Results entered into CMMC eMASS (or its successor capability). CMMC Status will be valid for three years from the CMMC Status Date. |
Permitted as defined and must be closed out within 180 days.
Final CMMC Status will be valid for three years from the Conditional CMMC Status Date. |
After each assessment and annually thereafter. The Assessment will lapse upon failure to annually affirm and Level 2 (C3PAO) affirmation must also continue to be completed annually. |
Source: The Department of Defense
Want to streamline your CMMC 2.o compliance? Access our on-demand webinar featuring Darren Gallop, CEO of Carbide and CMMC Certified Registered Practitioner (RP) with host Greg McHale, CEO of Datanomix.
If your organization (the prime contractor) also uses subcontractors to complete the DoD contract, those subcontractors must also meet the minimum CMMC level specified in the following table.
Prime contractor requirement | Minimum subcontractor requirement if the subcontractor will process, store, or transmit FCI | Minimum subcontractor requirement if the subcontractor will process, store, or transmit CUI |
Level 1 (Self) | Level 1 (Self) | N/A |
Level 2 (Self) | Level 1 (Self) | Level 2 (Self) |
Level 2 (C3PAO) | Level 1 (Self) | Level 2 (C3PAO) |
Level 3 (DIBCAC) | Level 1 (Self) | Level 2 (C3PAO) |
Source: The Department of Defense
What is the CMMC 2.0 Implementation Timeline?
CMMC 4 Phase Implementation Plan (Source)
Phase 1: Begins December 16, 2024 — Self-Assessments Required
This phase marks the start of CMMC 2.0 compliance enforcement. Contractors handling FCI or CUI at CMMC Level 1 (Foundational) or Level 2 (Advanced) will be required to perform and submit self-assessments. During this phase, contractors will need to demonstrate compliance with basic cyber hygiene practices (CMMC Level 1) or NIST SP 800-171 (Level 2) controls, depending on the type of information they handle.
Phase 2: Begins December 2025 — CMMC Certifications Required for Specific Contracts
One year after the start of Phase 1, certain contracts will start requiring CMMC certification beyond the self-assessment. Contractors handling CUI under Level 2 will need to obtain third-party certification through a C3PAO. This phase focuses on contracts that involve more sensitive information and critical defense operations.
Phase 3: Begins December 2026 — Full Certification for All Contracts Requiring CMMC 2.0 Compliance
One year after Phase 2, the requirement for third-party certification will extend to all contracts that involve FCI and CUI. This marks the point where self-assessments will no longer suffice for most contracts, and contractors will need to ensure they meet their required certification level through formal audits.
Phase 4: Full CMMC 2.0 Compliance Across the Defense Industrial Base
As the final stage of the rollout, all contracts requiring CMMC compliance will enforce certification, ensuring that contractors and subcontractors meet the appropriate CMMC levels. This final phase ensures full alignment across the defense industrial base, with consistent cybersecurity standards protecting sensitive information and systems.
This phased approach gives defense contractors time to understand their obligations and take the necessary steps to achieve and maintain compliance with CMMC 2.0.
How Carbide Gets Your Organization CMMC 2.0 Compliant Quickly
While Carbide’s platform streamlines many components of CMMC 2.0 compliance, there are critical aspects that require human expertise and insight. Compliance with frameworks like CMMC requires more than set-it-and-forget-it automation; it calls for a deep understanding of risks, embedding cybersecurity practices into the business process, and making security and privacy based decisions — all of which cannot be automated. That’s where our advisory team comes in. With our expert guidance, we ensure your organization is prepared to meet CMMC 2.0 requirements at any level — through risk assessments, policy development, audit preparation, and more. The combination of our platform and hands-on advisory services allows you to build a resilient, compliant security posture with confidence.
Let our experts guide you through CMMC 2.0 compliance. Book a personalized demo today to see how our platform and team can support your CMMC journey.