Key takeaways
- CMMC is now an enforceable condition of DoD contract award: the Program Rule took effect December 16, 2024, and the Acquisition Rule (DFARS 252.204-7021) took effect November 10, 2025.
- CMMC 2.0 has three levels: Level 1 (FCI, 15 FAR safeguards, annual self-assessment), Level 2 (CUI, all 110 NIST SP 800-171 requirements, C3PAO certification for most contracts), and Level 3 (NIST SP 800-172 enhancements, government-assessed).
- Requirements phase into contracts over three years; for CUI handlers, the date to plan backward from is November 10, 2026, when third-party Level 2 certification becomes standard.
- Most organizations need 6 to 18 months to reach assessment readiness, and C3PAO capacity is a real scheduling constraint.
- A large share of NIST SP 800-171 requirements land on the storage holding CUI, which is why scoping and the data infrastructure are the highest-leverage early decisions.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether defense contractors and subcontractors have implemented required cybersecurity practices before they can be awarded contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0 defines three levels of security requirements, each tied to the sensitivity of the information a contractor handles, and it is now an enforceable condition of contract award under DFARS clause 252.204-7021.
If your organization is in the Defense Industrial Base (DIB) and handles FCI or CUI on DoD contracts, CMMC applies to you. Depending on the level a solicitation requires, becoming CMMC compliant means completing a self-assessment or earning formal CMMC certification through an independent assessment. The only broad carve-out is for contracts solely for commercial off-the-shelf (COTS) items.
Why CMMC exists
DoD information does not stay inside government networks. It flows into the systems of more than 200,000 companies in the defense supply chain, and adversaries have targeted that supply chain for years to steal weapons designs, technical data, and other sensitive information. Contractors have been contractually required to implement NIST SP 800-171 safeguards since DFARS 252.204-7012 took effect, but compliance was self-attested and, in practice, inconsistent.
CMMC closes that gap. It does not invent new security controls. It adds verification, requiring contractors to prove, through self-assessment or independent assessment depending on the level, that the safeguards they have long been required to implement are actually in place.
One point of precision worth noting: CMMC applies to contractors and subcontractors in the Defense Industrial Base that handle FCI or CUI. It is not a requirement placed on government agencies themselves.
CMMC is now in force: key regulatory milestones
CMMC moved from policy discussion to contract requirement through two separate rulemakings. On December 16, 2024, the CMMC Program Rule (32 CFR Part 170) became effective, establishing the program itself: the three levels, assessment types, scoring methodology, Plan of Action and Milestones (POA&M) rules, and affirmation requirements. On November 10, 2025, the CMMC Acquisition Rule (48 CFR, amending the DFARS) took effect, making CMMC a legally enforceable contract requirement by inserting DFARS clause 252.204-7021 into applicable solicitations and contracts.
CMMC requirements are phasing into contracts over three years:
| Phase | Start date | What it requires |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 or Level 2 self-assessments required in applicable new solicitations. DoD has discretion to require Level 2 certification (C3PAO) assessments. |
| Phase 2 | November 10, 2026 | Level 2 certification assessments by a C3PAO required in applicable solicitations. DoD has discretion to require Level 3. |
| Phase 3 | November 10, 2027 | Level 3 (government-led) assessment requirements added for applicable contracts. |
| Phase 4 | November 10, 2028 | Full implementation. CMMC requirements apply to all applicable solicitations and contracts, including option periods on existing contracts. |
The phased schedule is not a reason to wait. CMMC clauses are already appearing in new solicitations, prime contractors are flowing requirements down to their supply chains now, and most organizations need 6 to 18 months to reach assessment readiness. If your contracts involve CUI, the date to plan backward from is November 10, 2026, when third-party Level 2 certification becomes a standard condition of award.
The three CMMC levels
CMMC 2.0 streamlined the original five-level model into three levels. Each level maps to an established federal standard rather than a unique CMMC control set.
Level 1: Foundational
Level 1 applies to contractors whose systems handle FCI but not CUI. It requires the 15 basic safeguarding requirements from FAR 52.204-21, covering fundamentals such as limiting system access to authorized users, sanitizing media before disposal, and using malicious code protection.
Assessment: annual self-assessment, with results and an affirmation of compliance by a senior company official entered into the Supplier Performance Risk System (SPRS). No third-party assessment is required, and no POA&M is permitted. All 15 requirements must be met.
Level 2: Advanced
Level 2 applies to contractors that handle CUI. It requires all 110 security requirements of NIST SP 800-171 Revision 2, the same standard contractors have been obligated to implement under DFARS 252.204-7012. The requirements span 14 control families, including access control, audit and accountability, identification and authentication, incident response, media protection, and system and communications protection.
Assessment: for most contracts involving CUI, Level 2 requires a certification assessment by a C3PAO (Certified Third-Party Assessment Organization) every three years, plus an annual affirmation of continuing compliance in SPRS. A smaller subset of contracts involving less sensitive CUI will allow triennial self-assessment instead; the solicitation specifies which applies.
Scoring: Level 2 uses the DoD scoring methodology, with a maximum score of 110. A perfect score earns final certification status. A score of at least 88, with no failed requirements that are ineligible for POA&M, earns conditional status. Conditional status gives the organization 180 days to close out its POA&M items and reach final status.
Level 3: Expert
Level 3 applies to contractors supporting the DoD’s most sensitive programs, where CUI is associated with critical technologies or where a breach would create broad risk. It builds on Level 2 by adding 24 enhanced security requirements from NIST SP 800-172, which are designed to defend against advanced persistent threats.
Assessment: a Level 3 assessment is conducted by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO, and requires a final Level 2 certification as a prerequisite. Level 3 will apply to a relatively small portion of the DIB.
Who needs to comply
CMMC obligations attach to any organization that processes, stores, or transmits FCI or CUI in performance of a DoD contract. That includes prime contractors bidding on or holding applicable DoD contracts; subcontractors at any tier that receive FCI or CUI, since primes must flow the applicable CMMC level down through their supply chains under 32 CFR 170.23; and suppliers and service providers whose systems touch FCI or CUI, including certain managed service providers and cloud environments within the assessment scope.
Contracts solely for COTS items are generally excluded. Waivers exist under 32 CFR 170.5(d) but are rare, apply to a specific procurement rather than a company, and do not relieve contractors of underlying DFARS 252.204-7012 safeguarding and incident reporting obligations.
Without the CMMC status a solicitation requires, your organization is ineligible for award. That is the practical consequence that makes being CMMC compliant a business continuity issue, not just an IT project.
The path to CMMC certification: what implementation actually looks like
If you are beginning or in the middle of a CMMC effort, the work of achieving CMMC certification generally breaks into six stages.
1. Determine your required level and scope. Identify whether you handle FCI, CUI, or both, and which contracts require which level. Then define your assessment scope: the systems, networks, people, and facilities that process, store, or transmit that information. Scoping is the highest-leverage decision in the entire program. Many contractors reduce cost and complexity by consolidating CUI into a defined enclave rather than certifying their entire enterprise.
2. Perform a gap assessment. Score your environment against NIST SP 800-171 (for Level 2) using the DoD assessment methodology. Your current SPRS score is the starting point. Be honest here; assessors will test evidence, not intentions.
3. Remediate and document. Close technical gaps, then build the documentation an assessor will examine. The System Security Plan (SSP) is the primary assessment artifact and must describe how each requirement is implemented. Supporting policies, procedures, network diagrams, and evidence of control operation (logs, screenshots, configuration exports) need to exist before the assessment, not during it.
4. Prepare your people. Assessors interview staff. Employees within scope need to understand CUI marking and handling, incident reporting obligations (including the 72-hour DIBNet reporting requirement under DFARS 252.204-7012), and their role in the controls documented in your SSP.
5. Schedule the assessment early. For Level 2 certification, C3PAO capacity is a genuine planning constraint. Roughly 80,000 DIB companies are expected to need Level 2 certification, and assessor availability tightens as Phase 2 deadlines approach. Book your assessment window as part of implementation planning, not as a final step.
6. Stay CMMC compliant continuously. CMMC certification is valid for three years, but a senior official must affirm continuing compliance annually in SPRS, and material changes to your environment can affect your status. Treat CMMC as an operational program with an owner, not a one-time project.
Common challenges, and how successful contractors handle them
Underestimating scope. The most expensive mistake is discovering mid-assessment that a file share, backup system, or SaaS tool holding CUI was left out of scope. Data discovery and classification up front prevents this.
Treating documentation as an afterthought. A control that works but is not documented in the SSP will still generate a finding. Build documentation as you remediate.
Ignoring flowdown. Primes are contractually responsible for ensuring subcontractors meet the required level. If you are a sub, expect primes to ask for your SPRS score and CMMC status well before the government does. If you are a prime, start verifying your supply chain now.
Waiting for a deadline. There is no single CMMC deadline. Your real deadline is the first solicitation, award, or option period on your pipeline that carries the DFARS 7021 clause, and for CUI handlers that pressure arrives no later than November 2026.
Where your data infrastructure fits
A substantial share of NIST SP 800-171 requirements land on the systems where CUI actually lives, which for most contractors means unstructured data on file storage. Control families such as Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), Media Protection (MP), and System and Communications Protection (SC) all have requirements that storage infrastructure either satisfies or undermines: encrypting CUI at rest with FIPS-validated cryptography, enforcing least-privilege access, logging and reviewing user activity on files, and detecting and responding to unauthorized access.
This is why many contractors evaluate their storage layer early in a CMMC program. A platform that natively provides encryption with key management, granular access controls, complete file activity auditing, and active detection of ransomware and data theft behavior can satisfy multiple control requirements in one place and simplify the evidence collection an assessor will demand. RackTop’s BrickStor SP was built for exactly this environment, providing these capabilities natively across NFS, SMB, S3, and BrickStor Web Drive, with audit-ready reporting that maps to NIST SP 800-171 control families. Consolidating CUI onto secure storage can also serve as the foundation of an enclave strategy that shrinks assessment scope.
The bottom line
CMMC has moved from a future concern to a present condition of doing business with the Department of Defense. The framework itself is not new security; it is verification of the NIST SP 800-171 safeguards contractors have been obligated to implement for years. Organizations that scope carefully, remediate deliberately, document thoroughly, and schedule assessments early will protect both their eligibility for DoD work and the sensitive information the program exists to defend. Those that wait for a deadline will find that the deadline was their next contract award.
Frequently asked questions
- Yes. As of November 10, 2025, DFARS 252.204-7021 appears in applicable new DoD solicitations. During Phase 1 most requirements are self-assessments, but DoD can require third-party Level 2 certification at its discretion, and Phase 2 makes C3PAO certification standard for applicable CUI contracts starting November 10, 2026.
- Level 2 and Level 3 certifications are valid for three years, subject to an annual affirmation of continuing compliance by a senior official in SPRS. Level 1 requires a self-assessment and affirmation every year to remain CMMC compliant.
- Certification assessments recur every three years at Levels 2 and 3, and Level 1 self-assessments recur annually. Between assessments you remain accountable in two ways: a senior official must affirm continuing compliance in SPRS every year, and that affirmation must be truthful, which puts false statements squarely in False Claims Act territory. When your environment changes materially between assessments, such as a migration, an acquisition, a new system that touches CUI, or a change to your enclave boundary, evaluate whether the change affects your certified assessment scope, update the System Security Plan and its evidence to match, and close any control gaps before the next affirmation. Operations outside the scope that was assessed are not covered by your certification, and significant scope changes can require a new assessment, so involve your C3PAO early when the boundary moves. The pattern that works in practice: give the SSP a named owner, review it on a schedule, and log changes as they happen instead of reconstructing a year of history at affirmation time.
- In many cases you can submit a proposal while working toward CMMC certification, but you must hold the required CMMC status at the time of contract award. Given C3PAO scheduling lead times, waiting until a solicitation drops is risky.
- Not at Level 1. At Level 2, a limited POA&M is allowed if you score at least 88 out of 110 and the open items are eligible requirements; you then have 180 days to close them and convert conditional status to final status.
- Subcontractors need the CMMC level appropriate to the information they receive. If a sub handles CUI under the contract, Level 2 applies to the sub as well. Primes are responsible for flowing down and verifying the requirement.
Go deeper
