U.S. Defense Compliance

CMMC 2.0 applies to your DoD contracts. Here is what certification actually requires.

If your company holds or is pursuing DoD contracts, CMMC sets the security requirements your program must meet. Which level applies depends on the type of information your contracts involve. Use Carbide's free assessment to see exactly where your program stands today.

Practices: 110. CMMC Level 2 assesses all 110 NIST 800-171 Rev 2 requirements.
Enforcement: DFARS clause. 252.204-7012 has required CUI protection since 2017. CMMC adds third-party verification of that existing obligation.
Assessment: C3PAO audit. Level 2 requires a certified C3PAO assessor. Self-assessment applies only at Level 1 and to a narrow set of Level 2 contracts that DoD designates for self-assessment.

Know your gaps before you engage anyone

Both tools are free and take 5 minutes each. Complete one and you will have a gap report you can act on before any other conversation.

Free tool · 5 min
CMMC 2.0 Level 1 Readiness Assessment
Maps your posture against the 17 CMMC Level 1 practices and flags exactly where the gaps are. Results delivered on-screen the moment you complete it.
Start the CMMC Assessment →
Free tool · 5 min · if Canadian DND contracts also apply
CPCSC Level 1 Readiness Assessment
Maps your posture against the 13 CPCSC Level 1 controls. Use this alongside the CMMC assessment if your contracts touch both DoD and DND.
Start the CPCSC Assessment →
Note: CMMC and CPCSC are separate programs with no mutual recognition. CMMC certification does not satisfy CPCSC, and vice versa. If your contracts touch both DoD and DND, both programs apply independently. The assessments above map the full picture for each.

CMMC 2.0 and NIST 800-171 Rev 2 — what the program actually covers

CMMC 2.0 is the certification program. NIST 800-171 Rev 2 is the control standard it is assessed against. Here is what each one means for your compliance program.

Side by side: CMMC 2.0 (certification program) and NIST 800-171 Rev 2 (underlying standard)

Governing body
CMMC 2.0: U.S. Department of Defense (DoD)
NIST 800-171 Rev 2: National Institute of Standards and Technology (NIST)

What it covers
CMMC 2.0: A mandatory certification program for DoD contractors handling Controlled Unclassified Information (CUI)
NIST 800-171 Rev 2: 110 security requirements across 14 families, the controls CMMC 2.0 Level 2 is assessed against

Who it applies to
CMMC 2.0: Any contractor or subcontractor in the Defense Industrial Base handling CUI under a DoD contract
NIST 800-171 Rev 2: Required under DFARS 252.204-7012 since 2017. CMMC adds mandatory third-party verification on top of the existing requirement.

Levels
CMMC 2.0: Level 1: 17 practices, annual self-assessment. Level 2: 110 practices, triennial C3PAO audit. Level 3: the Level 2 baseline plus selected NIST SP 800-172 enhanced requirements, assessed by DoD (DIBCAC) rather than by a C3PAO.
NIST 800-171 Rev 2: The full 110 requirements apply at Level 2. Which level applies to a given contractor is determined by the type of information handled under the contract (FCI at Level 1, CUI at Level 2), not by company size.

Assessment type
CMMC 2.0: Level 2 requires a certified C3PAO assessor. Self-assessment is only valid for Level 1 and a narrow set of Level 2 contracts.
NIST 800-171 Rev 2: A SPRS score submitted to DoD must reflect true compliance. The score follows the DoD Assessment Methodology: 110 is full implementation, each unimplemented requirement subtracts 1, 3, or 5 points depending on its weight, and the floor is -203. Inaccurate scores carry liability under the False Claims Act.

Contract enforcement
CMMC 2.0: DFARS 252.204-7021 is now appearing in DoD solicitations. Where the clause requires a given level at award, no CMMC certification means no contract award.
NIST 800-171 Rev 2: DFARS 252.204-7012 is already in most DoD contracts. Many contractors are technically out of compliance today.

Carbide coverage
CMMC 2.0: Full. Advisors credentialed on CMMC. Platform handles evidence, gap tracking, and C3PAO prep end to end.
NIST 800-171 Rev 2: Full. Rev 2 control mapping, policy drafting, and advisor review before any evidence goes to an assessor.

Four scenarios where CMMC requirements are already in play

CMMC applies across the entire Defense Industrial Base. These are the situations where the compliance requirement is active and the timeline is shorter than most companies expect.

DIB contractor
CMMC clause appearing in new solicitations
You have seen DFARS 252.204-7021 in a recent DoD solicitation or been told by a prime that CMMC certification is required. You have a SPRS score on file but no formal gap assessment behind it, and you are not certain whether your current posture will survive a C3PAO audit.
A SPRS score is your own self-assessment — not a certification. A C3PAO auditor will review the same controls independently and frequently finds gaps the internal assessment missed.
Level 2 candidate
Preparing for a C3PAO audit without a clear plan
Your contract requires CMMC Level 2 certification and a C3PAO audit is approaching. You have evidence for some controls but not all, your policies have not been reviewed by anyone with assessor experience, and you are not confident the documentation you have will hold up under audit scrutiny.
A credentialed advisor review before a C3PAO audit catches gaps that would otherwise result in a finding. Every document that reaches an assessor should have been reviewed by someone who knows what assessors look for.
In-house compliance team
Managing CMMC manually with spreadsheets and consultants
Your team is tracking controls in spreadsheets, working with a consultant for periodic reviews, and manually assembling evidence packages. The process is time-consuming, gaps fall through between reviews, and there is no clear audit trail that maps evidence directly to each NIST 800-171 requirement.
The Carbide platform handles evidence collection, control mapping, and gap tracking in one place. Your advisor works inside the same system, so reviews happen continuously.
Canadian contractor
CMMC in place — now facing CPCSC for DND work
Your company is CMMC-certified or actively working toward it. You have just learned CPCSC applies to your Canadian DND contracts and that CMMC does not satisfy it. You need to understand what transfers between Rev 2 and Rev 3 and stand up a separate Canadian-hosted compliance environment.
CPCSC is assessed against ITSP.10.171, Canada's adaptation of NIST 800-171 Rev 3, whose requirements and control families differ from Rev 2. Some work transfers. Some does not. Carbide handles both programs in one engagement.

Not sure which situation applies to you? The free assessment takes 5 minutes and tells you exactly where you stand.

CMMC does not satisfy CPCSC. Both programs apply independently.

If your company holds contracts with both the U.S. DoD and Canada's DND, you need both CMMC and CPCSC certifications. There is no mutual recognition between the two programs. Here is where the work overlaps and where it does not.

CMMC 2.0 vs CPCSC
Where the work transfers — and where it does not

Where they align

Both built on NIST 800-171 — shared conceptual foundation and control families
Both require documented evidence per control, not just self-attestation
Both require third-party assessment at Level 2 — similar audit model, different assessors
Shared control families: access control, incident response, configuration management

Where they diverge

CMMC is assessed against NIST 800-171 Rev 2, which covers 110 requirements across 14 control families. CPCSC is assessed against ITSP.10.171 — Canada's version of Rev 3 — which covers 97 requirements across 17 control families. The families are not identical, requirements within them differ between revisions, and controls do not map 1-to-1. Evidence built for CMMC does not automatically satisfy your CPCSC obligations.
CMMC, through DFARS 252.204-7012, requires that any cloud service storing or processing CUI be FedRAMP Moderate authorized or meet DoD's FedRAMP Moderate equivalency standard. CPCSC requires Canadian data residency. The same cloud environment will not satisfy both, so plan on separate hosting for each program's protected data.
No mutual recognition. Holding CMMC does not satisfy CPCSC, and vice versa.
Governed by separate bodies — DoD (U.S.) for CMMC, PSPC (Canada) for CPCSC.
If your company holds both DoD and DND contracts: Carbide handles both programs in one engagement. The platform maps controls across CMMC and CPCSC simultaneously, so you remediate once where the standards align and only address framework-specific gaps separately. You do not need two vendors or two separate compliance programs.

One engagement covers CMMC end to end

Carbide pairs a compliance platform with a credentialed advisory team. The platform handles evidence collection, control mapping, and gap tracking. Your advisor handles interpretation, assessment prep, and document review from gap assessment through C3PAO certification.

01
Gap assessment before remediation begins
A Carbide advisor maps your current posture against all 110 NIST 800-171 Rev 2 requirements. This tells you what is actually in place and what needs to be addressed before a C3PAO audit.
02
Remediation with clear priorities
The platform generates a remediation plan ranked by audit risk and time to close. Your advisor works through each gap with your team, identifies which controls require technical changes versus documentation, and flags anything that needs specialist input before it becomes an audit finding.
03
Evidence collection and organization
The Carbide platform collects and organizes evidence against each control in your CMMC program. Every policy, procedure, and attestation is reviewed by your advisor before it goes into the evidence package.
04
C3PAO audit preparation
Your advisor runs pre-assessment walkthroughs, identifies any remaining gaps, and prepares your team for what a C3PAO auditor will review. After certification, Carbide keeps your program current as CMMC requirements evolve.
1 engagement
Covers gap assessment, remediation, evidence, and C3PAO prep end to end
Rev 2 advisory
Advisors with deep NIST 800-171 Rev 2 expertise — the specific standard CMMC Level 2 is assessed against
Dual coverage
CPCSC support included if Canadian DND contracts apply — no second vendor required

Tools and reading on CMMC compliance

Start with the free assessment. It gives you a gap report before any conversation with Carbide. The articles below address the questions that come up most often.

Start with the free assessment. Talk to an advisor when you're ready.

The free Level 1 assessment gives you a clear gap report in 5 minutes. When you book a readiness call, your advisor uses those results to build a realistic roadmap to certification — with Carbide's advisory team doing the heavy lifting from gap assessment through C3PAO audit.

Take the free CMMC 2.0 Level 1 Assessment → Talk to us