
The Complete Guide to CMMC 2.0 Compliance for Defense Contractors

By the DarkRock Federal Compliance Team. 16 min read.

The Cybersecurity Maturity Model Certification (CMMC) program is the Department of Defense's mechanism for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). After years of development and revision, CMMC 2.0 is now embedded in the Defense Federal Acquisition Regulation Supplement (DFARS), and DoD is incorporating CMMC requirements into contracts at scale.

For defense contractors that handle CUI, CMMC compliance is not optional and not something to address when a specific contract requires it. The organizations that succeed are those that treat CMMC as an ongoing security program - not a certification event.

This guide explains what CMMC 2.0 requires, how the three levels work, what the relationship to NIST 800-171 means in practice, how assessments work, and how to build a compliance program that holds up to scrutiny.


CMMC 2.0 Overview

CMMC 2.0 was finalized in late 2021 as a streamlined version of the original CMMC 1.0 framework, which had five maturity levels. CMMC 2.0 reduced the model to three levels aligned directly to established NIST standards.

The core objective of CMMC is to verify that DoD contractors are actually implementing the security requirements they have been contractually obligated to meet under DFARS 252.204-7012 since 2017. Prior to CMMC, contractors self-attested to compliance with NIST 800-171. CMMC adds third-party verification for contractors handling sensitive CUI at Levels 2 and 3.

Why CMMC Exists

The DoD has identified the defense industrial base (DIB) as a significant attack surface. Nation-state adversaries have systematically targeted defense contractors to exfiltrate controlled technical data - designs, specifications, research - that provides strategic advantage without the cost of original development. Self-attestation frameworks were insufficient to drive actual security improvement across the DIB. CMMC creates accountability through third-party assessment.


The Three CMMC Maturity Levels

Level 1: Foundational

Scope: Companies that process, store, or transmit only FCI - Federal Contract Information that is not CUI.

Requirements: 17 practices from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These represent basic cyber hygiene: limiting access, controlling physical access, identifying and authenticating users, managing access permissions.

Assessment: Annual self-assessment. No third-party assessment required. Senior company official attestation submitted to SPRS (Supplier Performance Risk System).

Reality check: Most companies bidding on DoD contracts will not qualify at Level 1 alone. If you handle technical specifications, engineering drawings, research data, or anything tagged CUI, you need Level 2 or above.

Level 2: Advanced

Scope: Companies that process, store, or transmit CUI as part of defense programs.

Requirements: 110 security practices from NIST SP 800-171 Rev 2. These practices map to 14 domains covering access control, incident response, configuration management, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity, and more.

Assessment:

  • Annual self-assessment for contracts involving non-prioritized acquisitions (lower sensitivity programs)
  • Triennial C3PAO assessment for contracts involving prioritized acquisitions (higher sensitivity programs) - required in most significant defense programs

Level 2 is where the majority of defense contractors in the supply chain will operate. Companies handling technical data for major defense programs will require a C3PAO assessment.

Level 3: Expert

Scope: Companies handling CUI for the most critical DoD programs - advanced research, critical program information, the highest-sensitivity defense work.

Requirements: All 110 NIST 800-171 practices plus a subset of NIST SP 800-172 practices (enhanced security requirements for highly sensitive CUI). The exact practice count for Level 3 is defined by DoD.

Assessment: Government-led assessment by DCMA (Defense Contract Management Agency) - not a C3PAO. Level 3 assessments are more intensive and reserved for the most critical program areas.

Most defense contractors will not need to pursue Level 3. Companies working on classified programs, next-generation weapons systems, or highly sensitive research may encounter Level 3 requirements.


NIST 800-171: The Foundation of CMMC Level 2

NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the technical backbone of CMMC Level 2. Understanding 800-171 is essential to understanding what Level 2 actually requires.

The 14 Domains

NIST 800-171 organizes its 110 requirements across 14 families:

Domain                                  Requirements  Focus
Access Control                          22            Who can access what systems and data
Awareness and Training                   3            Security training for all personnel
Audit and Accountability                 9            Logging, monitoring, and audit trail
Configuration Management                 9            Secure baseline configurations
Identification and Authentication       11            User and device identity verification
Incident Response                        3            Response and reporting procedures
Maintenance                              6            Controlled system maintenance
Media Protection                         9            CUI handling on physical and digital media
Personnel Security                       2            Screening and access termination
Physical Protection                      6            Physical access to facilities and systems
Risk Assessment                          3            Periodic risk assessment and remediation
Security Assessment                      4            System assessment and Plan of Action
System and Communications Protection    16            Network architecture and data protection
System and Information Integrity         7            Malware protection and system monitoring

Relationship to NIST 800-53

Organizations familiar with FedRAMP or federal security authorizations will recognize NIST 800-53. The relationship is straightforward: 800-171 is derived from 800-53 and represents the subset of 800-53 controls applicable to nonfederal systems handling CUI. 800-171 is scoped and simplified relative to 800-53's full control catalog, but it covers the same domains.


CUI: Controlled Unclassified Information

Understanding what constitutes CUI is a prerequisite to scoping your CMMC program. CUI is not classified, but it is sensitive government information that requires safeguarding.

CUI Categories in Defense Contracting

Common CUI categories encountered in defense work:

  • Export Controlled - Technical data subject to ITAR or EAR
  • Controlled Technical Information (CTI) - Technical information with military or space application
  • DoD Unclassified Controlled Nuclear Information (UCNI)
  • Privacy - Personally Identifiable Information in a DoD context
  • Critical Infrastructure - Information about defense critical infrastructure

CUI Identification and Marking

Under NIST 800-171 and CMMC, you cannot protect CUI you cannot identify. CUI identification requires:

  • Training personnel to recognize CUI in documents and data
  • Establishing processes for CUI marking and handling
  • Understanding what your prime contractor or government customer considers CUI in your specific program context

Prime contractors are responsible for flowing down CUI marking and handling requirements to their subcontractors. If you receive unmarked data that appears to be CUI, request clarification - receiving unmarked CUI does not exempt you from protection requirements.

CUI Scoping: The Single Most Important CMMC Decision

CMMC requirements apply to systems that process, store, or transmit CUI. Scoping your CUI environment - identifying exactly which systems hold CUI and drawing clear boundaries around them - is the most impactful decision in your CMMC program.

Organizations that allow CUI to spread across their enterprise face the daunting task of applying all 110 NIST 800-171 requirements to their entire IT environment. Organizations that confine CUI to a clearly scoped and bounded enclave can focus compliance effort on that enclave.

CUI scoping decisions affect cost, timeline, and ongoing operational burden. Work with someone who understands both the CMMC requirements and your business operations to make these decisions correctly.


C3PAO Assessments: What to Expect

Certified Third Party Assessment Organizations (C3PAOs) are the organizations authorized by the CMMC Accreditation Body (Cyber AB) to conduct CMMC Level 2 assessments. C3PAO assessments are the mechanism by which companies demonstrate they have actually implemented the required security practices.

The Assessment Process

Pre-assessment: Before the formal assessment, most C3PAOs offer or require a pre-assessment engagement. This is not the same as a readiness assessment from a consultant - it is a formal pre-assessment by the C3PAO that will conduct the certification assessment. Pre-assessment findings can be remediated before the formal assessment begins.

Assessment scope: The C3PAO will review your SSP (System Security Plan), assess each of the 110 practices through a combination of documentation review, interviews, and technical testing, and evaluate the CUI environment boundary you have defined.

Evidence and artifacts: For each of the 110 practices, you need demonstrable evidence of implementation. This includes configuration screenshots, policies and procedures, training records, audit logs, vulnerability scan results, and interview responses from personnel responsible for controls.

Assessment duration: A typical Level 2 assessment takes 3-5 days of on-site or virtual assessment activity, following documentation review and artifact submission. Larger environments take longer.

Scoring: Each practice is scored as MET or NOT MET. There is no partial credit. A MET practice keeps its point; a NOT MET practice is deducted at the practice's weighted value in the SPRS model. The target score for certification is 110/110 (all practices MET).

What Disqualifies an Assessment

  • Active Plan of Action and Milestones (POA&M) items at time of assessment
  • Practices scored NOT MET with no remediation path
  • System Security Plan that does not accurately describe implemented controls
  • Evidence gaps - claimed controls with no demonstrable implementation

Unlike NIST 800-171 self-assessment (where POA&Ms are acceptable as a temporary measure), CMMC Level 2 triennial assessments require all 110 practices to be fully implemented. POA&Ms are not accepted for CMMC certification.


Plan of Action and Milestones (POA&M)

A POA&M is a document that records deficiencies in your security implementation, the planned remediation actions, responsible parties, and timelines.

Under DFARS 252.204-7012 and NIST 800-171 self-assessment (applicable before CMMC requirements flow into a contract), POA&Ms are accepted as evidence that identified gaps are being tracked and addressed. An organization can submit a self-assessment score reflecting their current state (including deficiencies) to SPRS and maintain a POA&M for remediation.

Under CMMC Level 2 triennial assessment requirements, all POA&M items must be closed before the assessment. Unresolved POA&M items will result in NOT MET findings.

POA&M as a Program Management Tool

Even if your contract does not yet require a CMMC Level 2 assessment, maintaining a rigorous POA&M process is essential:

  • It demonstrates to DoD that you take compliance seriously
  • It gives you a clear picture of your actual security posture vs. your SPRS submission
  • It provides the roadmap you need to reach assessment readiness

Organizations that have been self-assessing and maintaining honest POA&Ms for two years are in significantly better shape for CMMC assessment than those that scored themselves perfect in SPRS and built nothing.


SPRS Scoring

The Supplier Performance Risk System (SPRS) is DoD's system of record for contractor security self-assessments. Under DFARS 252.204-7019, contractors must calculate their NIST 800-171 score and submit it to SPRS before receiving awards on covered contracts.

How SPRS Scores Work

The SPRS scoring model assigns values to each of the 110 NIST 800-171 practices. The starting value is 110 points. Each NOT MET practice reduces the score by a weighted amount (practices are not equally weighted - higher-impact controls like multi-factor authentication carry larger deductions).

A perfect score is 110. Scores can go negative for organizations with widespread gaps.
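An added example, not part of the original article, showing how the scoring and readiness rules described above fit together: a small Python checker that computes the SPRS score from per-practice MET/NOT MET status (110 minus weighted deductions, able to go negative) and lists what would still block a CMMC Level 2 certification assessment (NOT MET practices, open POA&M items, and MET claims with no evidence behind them). The practice weights and the sample assessment records are constructed for illustration; a real run would load all 110 practices with the weights from the DoD Assessment Methodology.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110  # one point per NIST 800-171 practice; the SPRS starting value

@dataclass
class Practice:
    pid: str                 # NIST 800-171 requirement id, e.g. "3.5.3"
    weight: int              # SPRS deduction when NOT MET (illustrative values below)
    met: bool                # assessment outcome: MET (True) or NOT MET (False)
    evidence: list = field(default_factory=list)  # artifacts backing a MET claim
    poam_open: bool = False  # still tracked on the POA&M, not yet remediated

def sprs_score(practices):
    """110 minus the weighted deduction of every NOT MET practice; can go negative."""
    return MAX_SCORE - sum(p.weight for p in practices if not p.met)

def evidence_gaps(practices):
    """Practices claimed MET with nothing demonstrable behind the claim."""
    return [p.pid for p in practices if p.met and not p.evidence]

def certification_blockers(practices):
    """Practice id -> reasons it would fail a Level 2 certification assessment.
    Certification, unlike self-assessment, accepts no NOT MET practice, no open
    POA&M item and no unevidenced MET claim, so each of those is a blocker."""
    blockers = {}
    for p in practices:
        reasons = []
        if not p.met:
            reasons.append("NOT MET")
        if p.poam_open:
            reasons.append("open POA&M item")
        if p.met and not p.evidence:
            reasons.append("no evidence for MET claim")
        if reasons:
            blockers[p.pid] = reasons
    return blockers

def certification_ready(practices):
    """True only when every practice is MET, evidenced, and off the POA&M."""
    return not certification_blockers(practices)

# Constructed sample: six of the 110 practices after an internal gap assessment.
SAMPLE = [
    Practice("3.1.1", 5, met=True, evidence=["access-control policy", "AD group export"]),
    Practice("3.1.2", 5, met=True, evidence=["role-to-permission matrix"]),
    Practice("3.3.1", 5, met=True),                   # logging claimed, no artifact collected
    Practice("3.5.3", 5, met=False, poam_open=True),  # MFA not yet enforced, on the POA&M
    Practice("3.8.3", 1, met=True, evidence=["media sanitization log"]),
    Practice("3.13.11", 5, met=False),                # FIPS-validated crypto not in place
]
```

For the constructed sample, sprs_score(SAMPLE) returns 100 while certification_blockers(SAMPLE) still flags three practices, which is exactly the gap between an acceptable self-assessment with a POA&M and a certifiable environment.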

The Integrity Problem

False or inflated SPRS scores are the DoD's most pressing concern in the CMMC program. Organizations that score themselves 100+ in SPRS while implementing only basic hygiene controls are creating both legal exposure (False Claims Act) and security risk. DOJ has pursued False Claims Act cases against contractors with materially false SPRS submissions.

Submit an accurate SPRS score. If your score is negative, that is a data point - not something to hide. Pair it with a rigorous POA&M and a credible remediation timeline. An honest low score with a credible improvement plan is far less problematic than a fraudulent high score.


Building a CMMC Compliance Program

Step 1: CUI Scoping and Boundary Definition

Identify every system that touches CUI. Document data flows. Define a clear boundary that separates your CUI environment from the broader enterprise. Make scoping decisions deliberately - not by default.

Step 2: Current State Assessment (Gap Analysis)

Assess your implementation of all 110 NIST 800-171 practices against your defined CUI environment. Produce an accurate SPRS score and a detailed gap analysis with remediation priorities.

Step 3: System Security Plan Development

Document your security architecture, control implementations, system boundaries, and operational procedures in an SSP. The SSP is the primary artifact for C3PAO assessment - it is not optional.

Step 4: Remediation Program

Execute remediation in priority order. Critical deficiencies (MFA, access controls, encryption, incident response) first. Build evidence collection processes for each control as you implement it. Do not just implement - document.

Step 5: SPRS Submission

Submit an accurate SPRS score. Update it as your score improves through remediation.

Step 6: Assessment Readiness

Conduct a pre-assessment (either internally or with a third party) before formal C3PAO assessment. Identify any remaining gaps. Close all POA&M items.

Step 7: C3PAO Assessment

Engage a C3PAO, submit artifacts, and complete the formal assessment. Certification is valid for three years for triennial assessments.


How DarkRock Helps Defense Contractors

DarkRock's federal compliance practice is built on deep experience with both the technical and procedural dimensions of CMMC compliance. We work with defense contractors from small subcontractors to prime tier suppliers.

Gap Assessment and SPRS Scoring - We conduct rigorous NIST 800-171 assessments, produce accurate SPRS scores, and build honest gap analyses that give you a realistic picture of your compliance posture.

CUI Scoping - We help you define your CUI environment boundaries deliberately, making scoping decisions that balance compliance requirements with operational practicality.

System Security Plan Development - We develop SSPs that accurately describe your implemented controls and satisfy C3PAO documentation requirements.

Remediation Planning and Implementation - We prioritize and execute remediation across all 110 practices, with specific attention to technical controls that require implementation expertise, not just documentation.

C3PAO Assessment Preparation - We prepare your organization for the formal assessment process: artifact organization, evidence review, personnel preparation, and pre-assessment gap identification.

Ongoing Compliance Management - CMMC is a three-year certification cycle with continuous compliance obligations between assessments. We provide the sustained support that keeps your program current.

Defense contractors that engage DarkRock early - before a contract requires CMMC - are the ones who arrive at the assessment ready. Those who engage at the last minute face compressed timelines, rushed remediation, and the risk of assessment failure that costs them the contract.


Need to assess your CMMC readiness? Contact DarkRock's federal compliance team for a structured gap assessment and realistic path to certification.

DarkRock Federal Compliance Team

Dark Rock Cybersecurity — cybersecurity and compliance practitioners helping organizations build resilient, audit-ready security programs.
