
CMMC 2.0 Compliance: What Defense Contractors Need to Know

The Cybersecurity Maturity Model Certification 2.0 framework has reshaped compliance obligations for tens of thousands of organizations in the defense supply chain. Here's what you need to understand before your next contract award.

The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has fundamentally changed how defense contractors approach cybersecurity compliance. Unlike its predecessor, CMMC 2.0 streamlines the model from five maturity levels to three and aligns directly with established NIST standards — making the path to certification more predictable, though no less demanding.

Under CMMC 2.0, organizations handling Federal Contract Information (FCI) must meet Level 1 requirements, based on 17 practices from FAR 52.204-21. Those handling Controlled Unclassified Information (CUI) — the most common scenario for prime contractors and subcontractors — must achieve Level 2 compliance, which maps to the full 110 practices of NIST SP 800-171. Level 3 applies to a small set of contractors working on the most sensitive DoD programs and incorporates additional controls from NIST SP 800-172.

One of the most significant changes in CMMC 2.0 is the conditional allowance for self-assessment at Level 2 on certain contracts. However, DoD has made clear that most Level 2 contracts will require an assessment by a third-party Certified CMMC Assessment Organization (C3PAO). Organizations that have relied on self-attestation under the interim rule should reassess their readiness for a formal assessment now, not at contract award time.

A practical path to CMMC Level 2 begins with a gap assessment against all 110 NIST SP 800-171 controls, followed by a documented System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Organizations that have not yet completed a formal assessment should prioritize high-impact control families — Access Control, Incident Response, Risk Assessment, and System and Communications Protection — as these areas most frequently reveal gaps. AmericaTech's security practice supports organizations at every stage of the CMMC readiness journey, from initial gap assessment through evidence collection and assessment preparation.

Author: AmericaTech Editorial Team

The AmericaTech Editorial Team produces cybersecurity, compliance, and managed IT content for practitioners and business leaders. AmericaTech, Inc. is an enterprise IT and security services firm headquartered in Silver Spring, Maryland.
