What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI) on their systems. Codified in the CMMC final rule at 32 CFR Part 170 (effective December 16, 2024) and the corresponding 48 CFR DFARS case 2019-D041, CMMC replaces the previous self-attestation model with a tiered verification system.
CMMC 2.0 streamlined the original five-level model into three levels, aligning directly with existing NIST standards. The rule is referenced by DFARS 252.204-7021, which is the contract clause that specifies which CMMC level a particular solicitation requires.
The Three CMMC 2.0 Levels
Level 1 (Foundational)
Controls: 15 (the basic safeguarding requirements of FAR 52.204-21)
Assessment: Annual self-assessment, with the results and an affirmation entered in SPRS
Applies to: Federal Contract Information (FCI) only
Source: 32 CFR 170.14(c)(1) and 170.15
Level 2 (Advanced)
Controls: 110 (all of NIST SP 800-171 Rev 2)
Assessment: Third-party C3PAO certification assessment every three years, with an annual affirmation (a Level 2 self-assessment applies only where DoD designates it for a given solicitation)
Applies to: Controlled Unclassified Information (CUI)
Source: 32 CFR 170.14(c)(2), 170.16 (self-assessment) and 170.17 (certification assessment)
This is the level most small IT contractors that handle CUI need.
Level 3 (Expert)
Controls: 110 + 24 additional requirements selected from NIST SP 800-172
Assessment: Government-led (DIBCAC) certification assessment every three years; a final Level 2 certification is a prerequisite
Applies to: Highest-priority CUI programs
Source: 32 CFR 170.14(c)(3) and 170.18
Phased Enforcement Timeline
CMMC enforcement rolls out in four phases per the phased implementation plan in 32 CFR 170.3(e). The clock starts at the effective date of the 48 CFR DFARS rule (case 2019-D041), not the December 2024 effective date of 32 CFR Part 170. Each phase adds CMMC requirements to an increasing number of DoD solicitations.
Phase 1 (starts at the effective date of the 48 CFR DFARS rule)
DoD may include CMMC Level 1 self-assessment or Level 2 self-assessment as a condition of contract award. Applies to new solicitations at DoD's discretion. Self-assessment results must be posted to SPRS.
Phase 2 (1 year after Phase 1)
DoD begins requiring Level 2 C3PAO certification assessments as a condition of contract award on applicable solicitations. This is the phase that forces third-party assessment for contracts involving CUI. Per the rule, DoD has discretion on which solicitations include the requirement.
Phase 3 (1 year after Phase 2)
DoD may include Level 3 (DIBCAC assessment) requirements for the most sensitive programs. Level 2 C3PAO requirements continue expanding across solicitations.
Phase 4 (full implementation)
CMMC requirements included in all applicable DoD solicitations and contracts, including option periods on existing contracts. All contractors handling CUI must hold a valid CMMC Level 2 (or Level 3) certification.
Bottom line: The 32 CFR Part 170 final rule became effective December 16, 2024. Even before your specific contract includes the DFARS 252.204-7021 clause, DFARS 252.204-7012 already requires you to implement NIST SP 800-171. CMMC adds the verification layer. Do not wait for Phase 2 to start compliance work.
The 110 NIST SP 800-171 Controls by Family
CMMC Level 2 maps one-to-one with NIST SP 800-171 Revision 2 (per 32 CFR 170.14(c)(2)). The 110 security requirements are organized into 14 families. NIST numbers each requirement by family section and sequence (e.g., 3.1.1 is the first Access Control requirement); the CMMC assessment guides prefix the family abbreviation and level (e.g., AC.L2-3.1.1).
| Family | Controls | Description |
|---|---|---|
| Access Control (AC) | 22 | Limit system access to authorized users, processes, and devices. Includes session lock, remote access, wireless access, mobile devices, and use of external systems. |
| Awareness and Training (AT) | 3 | Ensure personnel are aware of security risks and trained on policies. Covers role-based training and insider threat awareness. |
| Audit and Accountability (AU) | 9 | Create, protect, and retain audit records. Includes audit review, analysis, reporting, time stamps, and protection of audit information. |
| Configuration Management (CM) | 9 | Establish and maintain baseline configurations and inventories. Covers security configuration settings, least functionality, and change management. |
| Identification and Authentication (IA) | 11 | Identify and authenticate users, devices, and processes. Includes multi-factor authentication, identifier management, and authenticator management. |
| Incident Response (IR) | 3 | Establish incident response capability including preparation, detection, analysis, containment, recovery, and reporting. |
| Maintenance (MA) | 6 | Perform timely maintenance and provide controls on maintenance tools, remote maintenance, and maintenance personnel. |
| Media Protection (MP) | 9 | Protect, sanitize, and destroy system media containing CUI. Covers media access, marking, storage, transport, and disposal. |
| Physical Protection (PE) | 6 | Limit physical access to systems, equipment, and operating environments. Includes visitor management and monitoring physical access. |
| Personnel Security (PS) | 2 | Screen individuals before authorizing access. Protect CUI during personnel actions such as terminations and transfers. |
| Risk Assessment (RA) | 3 | Periodically assess risk to operations, assets, and individuals. Includes vulnerability scanning and remediation. |
| Security Assessment (CA) | 4 | Assess security controls periodically, monitor continuously, and develop and implement plans of action. Includes system security plans. |
| System and Communications Protection (SC) | 16 | Monitor, control, and protect communications at system boundaries. Includes encryption of CUI in transit and at rest, session authenticity, and network segmentation. |
| System and Information Integrity (SI) | 7 | Identify, report, and correct flaws in a timely manner. Includes malicious code protection, security alerts, and system monitoring. |
| Total | 110 | Per NIST SP 800-171 Rev 2 (mapped to CMMC Level 2 in 32 CFR 170.14(c)(2)) |
Source: NIST Special Publication 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (February 2020). Control counts reflect the 110 security requirements in Chapter 3. The CMMC Level 2 assessment guide (publicly available on the DoD CIO website) maps each requirement to specific assessment objectives.
Where Small IT Firms Spend the Most Effort
Not all 14 families demand equal investment. For a typical 50-person IT services contractor, three families account for roughly 44% of the controls and the majority of remediation cost.
- Access Control (AC), 22 controls: the largest family. Account management and least privilege (3.1.1, 3.1.2, 3.1.5), session lock (3.1.10), remote access control and monitoring (3.1.12), wireless restrictions (3.1.16), and control of connections to external systems (3.1.20) across all CUI systems.
- System and Communications Protection (SC), 16 controls: boundary protection and network segmentation (3.1.13 is not this; see 3.13.1 and 3.13.5), FIPS-validated cryptography wherever encryption is used to protect CUI (3.13.11), encryption of CUI in transit (3.13.8) and at rest (3.13.16), and session authenticity (3.13.15).
- Identification and Authentication (IA), 11 controls: multifactor authentication for local privileged accounts and all network access (3.5.3), replay-resistant authentication (3.5.4), identifier management (3.5.5, 3.5.6), and authenticator management (3.5.7 through 3.5.10). The MFA requirement lives here, not in AC.
What CMMC Level 2 Costs a Small IT Contractor
Total cost depends on your starting posture, the size of your CUI boundary, and whether you use consultants or internal staff. The ranges below are based on publicly reported data from the DoD Regulatory Impact Analysis for 32 CFR Part 170 and industry surveys.
| Cost Category | Estimated Range | Notes |
|---|---|---|
| Gap assessment (consultant) | $5K-$15K | Lower end if you do it internally with the NIST SP 800-171A assessment guide |
| Technology remediation | $15K-$50K | SIEM, MFA, encryption, EDR, backup. Lower if you use a managed security provider or GCC High enclave |
| Documentation (SSP, policies, procedures) | $3K-$10K | Internal labor or consultant. Templates can reduce this |
| Readiness review (RPO/consultant) | $5K-$15K | Optional but strongly recommended before the C3PAO assessment |
| C3PAO assessment | $30K-$60K | Varies by C3PAO, number of in-scope systems, and firm size. Get written quotes from several Cyber AB-authorized C3PAOs; the Marketplace lists assessors, not prices |
| Annual maintenance | $10K-$25K/year | Ongoing tool licensing, training, the annual affirmation required by 32 CFR 170.22, and continuous monitoring |
Total estimate for a 50-person IT firm: $30K-$100K+ for initial certification (including the C3PAO assessment), plus $10K-$25K per year in ongoing compliance costs. The DoD Regulatory Impact Analysis for 32 CFR Part 170 publishes separate small-entity estimates: the roughly $37K figure often quoted is its estimate for a Level 2 self-assessment, while its estimate for a Level 2 C3PAO certification assessment is substantially higher (on the order of $100K across the three-year cycle). Actual costs vary widely based on starting posture, so check the RIA tables rather than planning around one number.
The C3PAO Assessment Process
A CMMC Third-Party Assessment Organization (C3PAO) is an independent body authorized by the Cyber AB (the CMMC accreditation body, formerly the CMMC-AB) to conduct Level 2 certification assessments. Here is how the process works per 32 CFR 170.17.
1. Select a C3PAO: choose from the Cyber AB Marketplace. Verify the C3PAO is authorized and staffs the assessment with CMMC Certified Assessors (CCAs).
2. Pre-assessment planning: the C3PAO reviews your SSP and CUI boundary scope to plan the assessment. Expect 2-4 weeks of scheduling and preparation.
3. Assessment execution: assessors evaluate all 110 requirements using the CMMC Level 2 Assessment Guide, whose assessment objectives come from NIST SP 800-171A. Methods include examining documentation, interviewing personnel, and testing system configurations. Typically 1-2 weeks, on-site or hybrid.
4. Findings and POA&M window: if the assessors identify NOT MET requirements, you may have a limited window to remediate or place items on a POA&M (subject to the POA&M rules below).
5. Certification decision: the C3PAO records the results in the CMMC instance of eMASS, from which your certification status flows to SPRS. A CMMC Level 2 certification is valid for three years, subject to an annual affirmation (32 CFR 170.22) that you remain in compliance.
Total timeline from C3PAO engagement to certification: typically 4-8 weeks. C3PAO availability varies; as demand increases under Phase 2, expect longer lead times. Plan to schedule your assessment 3-6 months in advance.
POA&M Rules for Level 2
A Plan of Action and Milestones (POA&M) documents security requirements that are not yet fully implemented and the plan to close them. CMMC 2.0 allows limited use of POA&Ms during Level 2 assessments, but with strict constraints per 32 CFR 170.21(a)(2).
POA&Ms are allowed but limited
You can receive a conditional CMMC Level 2 certification with open POA&M items only if all of the following hold per 32 CFR 170.21(a)(2): your assessment score is at least 80% of the maximum (88 of 110 under the CMMC Scoring Methodology in 32 CFR 170.24); no requirement on the POA&M is worth more than 1 point, with the single exception of 3.13.11 (FIPS-validated cryptography), which may be deferred if encryption is in place but the modules are not FIPS-validated; and none of the five 1-point requirements the rule names as never eligible (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) is open.
180-day close-out window
All POA&M items must be closed within 180 days of the conditional certification. If they are not, the conditional status expires and you are no longer eligible for award on contracts that require Level 2. The C3PAO must conduct a POA&M close-out assessment to verify remediation, after which the status becomes final.
Each POA&M item must have specific milestones
A valid POA&M entry includes: the specific security requirement, the resources required for remediation, scheduled completion dates, and milestones with completion dates. Vague entries ("we will fix this later") will not satisfy assessors.
Practical guidance: Aim to close all POA&M items before your C3PAO assessment, not after. A clean assessment with zero open POA&Ms is faster, cheaper, and avoids the risk of losing conditional status. If you must use POA&Ms, limit them to 1-point requirements that genuinely need additional time.
How CMMC Relates to DFARS 252.204-7012/7019/7020/7021
CMMC does not replace these DFARS clauses. It adds a verification layer on top of them. Understanding how they interlock is critical.
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
The foundational cybersecurity clause. Requires implementation of NIST SP 800-171 controls for any system processing, storing, or transmitting CUI. Mandates 72-hour cyber incident reporting to DoD.
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements
Requires contractors to have a current NIST SP 800-171 DoD Assessment on record in the Supplier Performance Risk System (SPRS) before contract award.
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements
Provides DoD the right to conduct Medium or High assessments of contractor compliance. Contractors must provide access to facilities, systems, and personnel.
DFARS 252.204-7021
Cybersecurity Maturity Model Certification Requirements
The CMMC clause itself. Specifies the required CMMC level for the contract and requires the contractor to maintain that certification for the life of the contract.
Key point: DFARS 252.204-7012 has required NIST SP 800-171 implementation since December 31, 2017. If you hold a DoD contract with this clause, you are already obligated to implement all 110 controls. CMMC (via DFARS 252.204-7021) adds the requirement for independent verification of that implementation. They are complementary, not duplicative.
What Happens If You Are Not Certified
The consequences of lacking CMMC Level 2 certification are straightforward and significant.
- You cannot win new contracts: once a solicitation includes DFARS 252.204-7021, CMMC Level 2 certification is a condition of contract award. No certification means your proposal is ineligible, regardless of price or technical merit.
- Existing contracts at risk: as CMMC requirements are incorporated into option periods and follow-on contracts, failure to certify can mean losing incumbency on current work.
- Subcontract flowdown: prime contractors will require their subcontractors to hold the appropriate CMMC level. If you cannot certify, you lose your position in the supply chain.
- False Claims Act exposure: representing that you comply with NIST SP 800-171 when you do not can create liability under the False Claims Act (31 U.S.C. 3729). DOJ has pursued cases against contractors for cybersecurity misrepresentation. CMMC removes the ambiguity by requiring third-party verification.
12-Month Compliance Roadmap for a 50-Person IT Shop
This timeline assumes you are starting from a partial compliance posture (typical for IT services firms that already follow reasonable security practices but have not formally documented or assessed against NIST SP 800-171).
Phase 1: Gap Assessment
- Conduct a full NIST SP 800-171 self-assessment against all 110 controls
- Identify all systems that process, store, or transmit CUI (define your CUI boundary)
- Document your current SPRS score (methodology per the NIST SP 800-171 DoD Assessment Methodology v1.2.1; the CMMC Scoring Methodology in 32 CFR 170.24 follows the same weighted-deduction approach)
- Inventory all hardware, software, cloud services, and third-party connections in scope
- Identify gaps between current state and full 110-control implementation
Phase 2: Remediation Planning
- Develop or update your System Security Plan (SSP) per NIST SP 800-171 3.12.4
- Create a Plan of Action and Milestones (POA&M) for every unmet control
- Evaluate CUI boundary scoping: can you reduce scope by isolating CUI-handling systems?
- Select tooling and technology solutions (SIEM, MFA, endpoint protection, encryption)
- Budget for remediation: technology, labor, and consulting costs
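The SPRS score in Phase 1 and the POA&M limits in Phase 2 both come from the same weighted-deduction arithmetic, so one worked example covers both. The script below is an added illustration, not code from the page or from DoD: it starts at 110, subtracts each unmet requirement's weight, applies the partial-credit rules for 3.5.3 and 3.13.11, refuses to score an assessment with no SSP (3.12.4), and then checks the conditional Level 2 POA&M conditions of 32 CFR 170.21(a)(2). The WEIGHTS table is a constructed subset of the methodology's Annex A chosen for illustration (verify every value against Annex A before relying on it; a real score needs all 110 entries), and the sample assessment is likewise constructed.

```python
"""SPRS-style scoring and conditional-certification check (added example).

Assumptions: WEIGHTS is a constructed subset of Annex A of the NIST SP 800-171
DoD Assessment Methodology, SAMPLE is a constructed assessment, and the
function names are this example's own.
"""

MAX_SCORE = 110

# Constructed subset of the Annex A weight table (verify against Annex A;
# real scoring requires all 110 requirements). 3.12.4 carries no weight.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.10": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.4.1": 5, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.8.3": 5, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.12.4": 0,
    "3.13.1": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Partial credit: 3 points deducted instead of 5. 3.5.3 = MFA in place for
# remote and privileged users but not general users; 3.13.11 = encryption in
# place but the modules are not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that 32 CFR 170.21(a)(2)(iii) bars from a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

CONDITIONAL_MIN_SCORE = 88  # 80% of 110, per 32 CFR 170.21(a)(2)(i)


def deduction(req_id, status, weights=WEIGHTS):
    """Points to subtract for one requirement given its assessed status."""
    if req_id not in weights:
        raise KeyError(f"unknown requirement {req_id}")
    if status == "MET":
        return 0
    if status == "NOT_MET":
        return weights[req_id]
    if status == "PARTIAL":
        if req_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req_id} has no partial-credit rule; score MET or NOT_MET")
        return PARTIAL_DEDUCTION[req_id]
    raise ValueError(f"bad status {status!r} for {req_id}")


def sprs_score(assessment, weights=WEIGHTS):
    """110 minus the deductions of every requirement that is not fully MET.

    The methodology produces no score at all without an SSP (3.12.4), so a
    missing or NOT_MET SSP is an error rather than a deduction.
    """
    if assessment.get("3.12.4") != "MET":
        raise ValueError("no SSP (3.12.4): the assessment cannot be scored")
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in assessment.items())


def poam_check(assessment, weights=WEIGHTS):
    """Return (eligible, reasons) for a conditional Level 2 certification.

    Every requirement that is not fully MET is assumed to go on the POA&M.
    """
    reasons = []
    score = sprs_score(assessment, weights)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} minimum")
    for req_id, status in assessment.items():
        if status == "MET":
            continue
        points = deduction(req_id, status, weights)
        if req_id in NEVER_ON_POAM:
            reasons.append(f"{req_id} may never be on a POA&M")
        elif req_id == "3.13.11" and status == "PARTIAL":
            continue  # the one permitted >1-point item: non-FIPS encryption in place
        elif points > 1:
            reasons.append(f"{req_id} is worth {points} points; only 1-point items may be deferred")
    return (not reasons, reasons)


# Constructed sample: a firm partway through remediation.
SAMPLE = {
    "3.1.1": "MET", "3.1.2": "MET", "3.1.5": "NOT_MET", "3.1.10": "NOT_MET",
    "3.1.20": "MET", "3.1.22": "MET", "3.3.1": "MET", "3.3.2": "NOT_MET",
    "3.4.1": "MET", "3.5.1": "MET", "3.5.2": "MET", "3.5.3": "PARTIAL",
    "3.8.3": "MET", "3.10.3": "MET", "3.10.4": "MET", "3.10.5": "MET",
    "3.12.4": "MET", "3.13.1": "MET", "3.13.11": "PARTIAL",
    "3.14.1": "MET", "3.14.2": "MET",
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))  # 97 for the constructed sample
    eligible, why = poam_check(SAMPLE)
    print("conditional Level 2 eligible:", eligible)
    for line in why:
        print("  -", line)
```

For the constructed sample the score is 97 (above the 88 floor), but the firm is still not eligible for a conditional certification: 3.1.5, 3.3.2 and the partially implemented 3.5.3 each cost 3 points and therefore cannot sit on the POA&M, while the partial 3.13.11 and the 1-point 3.1.10 can. That is the practical lesson of the table: the score threshold is rarely the binding constraint; the "nothing over 1 point" rule is.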
Phase 3: Technical Implementation
- Implement MFA on all accounts accessing CUI systems (NIST 800-171 3.5.3)
- Deploy FIPS 140-validated (140-2 or 140-3) cryptographic modules for CUI in transit (3.13.8) and at rest (3.13.16), as 3.13.11 requires; confirm the module's certificate on the NIST CMVP validated-modules list rather than relying on a vendor's "FIPS compliant" claim
- Configure SIEM/log aggregation for the audit requirements (3.3.1, 3.3.2, 3.3.5, 3.3.8)
- Establish network segmentation between CUI and non-CUI environments (3.13.1)
- Deploy endpoint detection and response (EDR) on all in-scope endpoints (3.14.2, 3.14.6)
- Implement role-based access control aligned to least privilege (3.1.1, 3.1.2, 3.1.5)
Phase 4: Documentation and Training
- Finalize SSP with all control implementation descriptions and diagrams
- Document all policies and procedures referenced by the SSP
- Conduct security awareness training for all personnel (3.2.1, 3.2.2)
- Conduct role-based training for IT staff and system administrators
- Test incident response procedures and document the test results (3.6.3)
- Update your SPRS score to reflect remediated controls
Phase 5: Pre-Assessment Readiness
- Conduct an internal mock assessment using the CMMC Level 2 Assessment Guide (assessment objectives from NIST SP 800-171A)
- Engage a Registered Practitioner Organization (RPO) for an optional readiness review
- Close all POA&M items that are closeable before assessment (open POA&Ms are allowed but limited)
- Ensure all evidence artifacts are organized and accessible for assessors
- Select and schedule a C3PAO from the Cyber AB Marketplace
Phase 6: C3PAO Assessment
- C3PAO conducts the Level 2 certification assessment (typically 1-2 weeks on-site or hybrid)
- Provide evidence of implementation for all 110 controls
- Address any findings during the assessment window
- Receive the CMMC Level 2 certification (valid for 3 years per 32 CFR 170.21)
- The C3PAO records the results in CMMC eMASS, which passes your certification status to SPRS; your part is the affirmation in SPRS
Scope reduction tip: The single most effective way to reduce cost and timeline is to minimize your CUI boundary. If you can isolate CUI processing to a defined enclave (e.g., a GCC High tenant, a segmented VLAN with dedicated workstations), you reduce the number of systems the C3PAO must assess. Scope it using the asset categories in the CMMC Level 2 Scoping Guide (32 CFR 170.19): CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets. Note that security protection assets such as your identity provider, SIEM, and EDR console stay in scope even when they sit outside the enclave, because they protect it. This is especially relevant for IT services firms where most internal systems do not touch CUI.